Deploying Splunk Flashcards
What is considered as a ‘Splunk Validated Architecture’ (SVAs) ?
Splunk Validated Architectures (SVAs) are proven reference architectures for stable, efficient, and repeatable Splunk deployments
SVAs offer topology options that consider a wide array of organizational requirements, so you can easily understand and find a topology that is right for your requirements
It does not contain implementation choices (baremetal, virtual etc), nor deployment sizing.
Why an intermediate forwarder should be avoided and only used in specific cases?
1) A large data stream from many endpoints is funneled through a single pipe that exhausts your system and network resources.
2) Limited failover targets for the endpoints in case of IFfailure (your outage risk is reverse proportional to the number of IFs)
3) Small number of indexers are served at any given point in time. Searches over short time periods will not benefit from parallelization as much as they could otherwise.
Why you should use an odd number when you deploy a SHC?
SHC captain election is peformed using a majority-based protocol. An odd number of nodes ensures that a SHC can never be split into even numbers of nodes during network failures.
Explain what the category M14 means?
- Multi-Site Indexer Cluster
* Multi-Site SearchHead Cluster and add. SearchHead Cluster for ES (contained within a site)
Explain what the category C13 means?
- Single-Site Indexer Cluster
* Single-Site SearchHead Cluster with a dedicated SearchHead Cluster for ES
Explain what the category M12 means?
- Multi-Site Indexer Cluster
* Multiple SearchHeads (non-clustered) and a dedicated single SearchHead for ES
How can you easily check if the network latency for multi-site indexer is within the recommendations of <100ms ?
Simply do a long-term (which needs to cover peak business hours) ping from site A indexer to site B indexer. You can output the ping data into file and index it via oneshot to analyze it (not in production environment)
What is the difference between category M13 and M14 in terms of SearchHead clustering?
In category M13, the SHCs are standalone and the search artifacts are not replicated between the sites.
M14 is consideres as the most complex implementation, it contains a streched SearchHead Cluster over all sites.
If a device logs only via API and software can not be installed, which input technology would be best practise to use?
Splunk HEC
What is a DCN?
A data collection node (eg Heavy Forwarder)
What is the meaning of DR?
Set of processes necessary to ensure recovery of service after a disaster
How can a manual DR be archieved in Splunk?
Backup of
> Splunk configurations (/etc/*)
> Indexes (introduce a specific backup concept for clustered indexer)
How can an automatic DR be implemented in Splunk?
Through introducing multiple sites (if one site goes down, the other site still have all data available (only if the replication factor is set accordingly))
What is the meaning of HA?
A design methodology whereby a system is continuously operational, bounded by a set of predetermined tolerances
Why an all-in-one Splunk instance could grow to a distributed environment?
- End of testing
- End of the PoC
- System reached its search and index limitations
- Introduction of failover strategies
- Dedicated teams for dedicated SearchHeads
