Enterprise only content Flashcards

1
Q

Splunk licensing is based …

A

on the amount of data indexed.

2
Q

The daily license quote includes the full size of data flowing through the ___, but not the disk storage.

A

parsing pipeline

3
Q

Replicated data, summary indexes, internal logs, and metadata ___ count towards license quota.

A

do not

4
Q

What are the Splunk license options?

A
  • Enterprise
  • Free
  • Trial
  • Splunk for industrial IoT license
  • Forwarder
  • Dev/test license
5
Q

Enterprise

A

  • Can be bought for any indexing volume
  • Enables all Splunk features including clustering and distributed search
  • No enforcement. Users can still search after a license violation
  • Licenses can be stacked

6
Q

Free

A

  • Includes 500mb/day indexing for life
  • Disabled features include clustering, authentication, distributed search, alerting and deployment management

7
Q

Trial

A

  • Full Splunk features for 60 days
  • After 60 days it automatically becomes a Free license
  • Max 500mb a day
  • A Sales Trial license can be provided for a customised license

8
Q

Splunk for industrial IoT

A

  • Not stackable
  • Access to Splunk Enterprise and select premium Splunk apps

9
Q

Forward

A

  • Allows forwarding of unlimited data
  • Cannot be used for indexing
  • No need to purchase separately
  • Universal forwarders automatically apply the Forwarder license
  • Heavy forwarders must be converted to the Forwarder license group

10
Q

Dev/Test

A

  • For running Splunk in non-prod environments
  • Cannot be used in a distributed environment
  • Not stackable
  • Can be used for Splunk app development

11
Q

What are the license warnings and violations?

A
  • Exceeding the daily volume quota results in a warning
  • 5 or more warnings in a 30-day rolling period is a violation
  • Searching is not disabled during the violation period
  • An alert is logged in Messages on any Splunk Web page
12
Q

How do you monitor for license warnings?

A
  • Monitoring console
  • Licensing page in Splunk web
  • Usage report in Splunk Web
13
Q

How do you handle license violations?

A
  • Review heavy hitters (usage report) and adjust intake
  • The daily limit resets at midnight
  • Buy more licenses
14
Q

How is a search performed?

A
  • During indexing, Splunk indexers convert the machine data stream into searchable events which are stored in indexes
  • Indexes contain compressed raw data (journal.gz) and time-series index files (TSIDX)
  • Indexes store data in time-oriented buckets (hot, warm, cold and frozen)
  • Indexers perform the search and return the results
  • Search results and metadata are stored as search artifacts until the search job expires
15
Q

How does Splunk retrieve data?

A
  • Timeframe – identify data buckets based on the time range
  • Bloom filter – calculate the bloom filter for the base search and compare it against each bucket's bloom filter

16
Q

What is a bloom filter?

A
  • A bloom filter is a bit array created by running search terms through a set of hashing algorithms
  • Splunk creates a bloom filter for each bucket
  • When a search is run, Splunk calculates the bloom filter for the base search, and compares with the bucket bloom filter
  • Only the matching buckets are opened
  • Having as many filtering terms as possible in the base search improves search performance
17
Q

What is a search artifact?

A
  • Contains results and metadata
  • Stored in $SPLUNK_HOME/var/run/dispatch
  • Deleted when the search job expires
  • Each job has its own directory
  • Too many search artifacts can cause performance degradation
18
Q

What is a distributed search?

A

Distributed search separates the search management and presentation layer from the indexing and search retrieval layer

19
Q

How does a distributed search work?

A
  • Search head receives the user's search request
  • Search head dispatches searches to the search peers (indexers)
  • Search peers run the search on behalf of search heads and return the results to the search head
  • Search head merges the results from all the search peers
  • Search head runs additional filtering and transformation commands (if applicable) and returns the results to the user
20
Q

What are search peers?

A
  • The indexers that participate in distributed search are called search peers
  • Search peers must be added to the search heads
  • If the search head participates in an indexer cluster, search peers are added automatically
  • When a peer goes down, the search head removes it from the peers list (default timeout 10 seconds)
21
Q

What is a knowledge bundle?

A
  • Archive of knowledge objects that search head sends to all search peers
  • Includes knowledge objects such as event types, saved searches
  • Peers need these knowledge objects to execute searches on behalf of search heads
  • Contains a subset of $SPLUNK_HOME/etc/system|apps|users
22
Q

Where is the location of a knowledge bundle?

A
  • Search head – $SPLUNK_HOME/var/run (.bundle or .delta extension)
  • Search peers – $SPLUNK_HOME/var/run/searchpeers
23
Q

How does a knowledge bundle get replicated?

A
  • Full – the entire knowledge bundle
  • Delta – changes since the last full bundle push

24
Q

What are the four replication policies?

A
  • Classic – search head directly replicates to all search peers
  • Cascading – replicates to a subset of search peers which replicates to other search peers and so on
  • Mounted – search head places knowledge bundle in shared storage (NOT recommended)
  • Remote file storage – search head uploads knowledge bundle to a remote file system
25
Q

How can you manage knowledge bundles?

A
  • You can customise what gets replicated
  • Use distsearch.conf to blacklist large files you don’t need replicated

26
Q

How can you monitor knowledge bundle replication?

A
  • Splunk Web – Settings > Distributed search
  • Monitoring console – Search > Distributed search
  • Command line – $SPLUNK_HOME/bin/splunk show bundle-replication-status
  • REST API – /services/search/distributed/bundle/config
27
Q

How do you set up a distributed search?

A
  • Install the same version of Splunk Enterprise on the search head and search peers
  • Search head and search peers must use a license master
  • Set up the same indexes on all search peers
  • Create a user with the edit_user capability on all search peers
  • Add the search peers to the search head via Splunk Web
28
Q

How are the indexers prepared in a distributed environment?

A
  • Access – create a user with the edit_user capability
  • Index – ensure the indexes have data coming in from forwarders
  • Connectivity – ensure the search head can connect to the management port (8089) of the indexer
29
Q

How can a distributed search be verified?

A
  • Examine the search peer on the Distributed search page in Splunk Web. Look for the replication status
  • Run a search to retrieve events from an index
  • Check the internal logs on the indexer
30
Q

What is a distributed search group?

A
  • Search peers configured into specific groups using distsearch.conf
  • Enables running searches on targeted indexers
  • Use the splunk_server_group option in SPL to specify the group
  • Distributed search groups should be avoided in indexer clusters
31
Q

How do you use a distributed search group?

A
  • Specify the distributed search group as part of the SPL
  • index=infra splunk_server_group=sre
  • Verify by examining the splunk_server field
32
Q

What is meant by quarantining a search peer and how is it performed?

A
  • You can quarantine a search peer so it no longer participates in searching
  • Enables performing maintenance on the search peer without affecting searches
  • Use Splunk Web to quarantine a search peer
33
Q

What are the scaling options?

A
  • Independent search heads – dedicated search heads with no communication between them
  • Search head clusters – a group of search heads (min 3) in a cluster communicating with each other
  • Indexer cluster – search heads that join indexer cluster can be independent or search head cluster
34
Q

What are the search head cluster considerations?

A
  • Minimum 3 members required
  • Always use new Splunk instances to create the cluster
  • Cluster members must have the same hardware capacity
  • Synchronise the clocks of all members including search peers
35
Q

What are the key benefits of search head clustering?

A
  • High availability and load balancing
  • Captain manages and distributes the scheduled jobs
  • Configuration and search artifacts replication
  • Seamless user experience
36
Q

What is a search head captain?

A
  • The captain centrally coordinates all cluster-wide activities. The captain is also a member of the cluster
  • Captaincy can be configured to be dynamic (default) or static
  • With dynamic captaincy, the cluster automatically elects a new captain using the Raft consensus algorithm
  • The captain consumes more CPU and memory
37
Q

How are scheduled jobs and artifacts handled in a clustered environment?

A
  • The captain is the only scheduler
  • The captain chooses the search head cluster member to run search jobs based on load
  • Search artifacts are replicated by the captain to other members. Ad-hoc and real-time artifacts are not replicated