HW#3

Question 1

What is Splunk?

Answer 1

A software platform used for searching, monitoring, and analyzing machine-generated data.

Question 2

What are the 3 basic components of Splunk?

Answer 2

Forwarder, Indexer, and Search Head

Question 3

What is a database? Give two examples of databases most commonly used.

Answer 3

A database is a structured collection of organized data that is stored, managed, and accessed using specialized software. Examples: Relational Database Management systems such as MySQL which stores data in structured tables with rows and columns. And NoSQL Database which handle large volumes of unstructured/semi-structured data.

Question 4

What is a forwarder and what does it do?

Answer 4

One of the three main components of Splunk; collects data at the source and sends data to indexer.

Question 5

What is an indexer and what does it do?

Answer 5

A major component of Splunk which stores and indexes incoming data; parse and break down data into smaller chunks making it easier to search.

Question 6

What is a search head and what does it do?

Answer 6

The interface through which users interact with Splunk; allows users to run searches, create dashboards, and visualize the data.

Question 7

How does data flow through Splunk?

Answer 7

Forwarder collects data from remote machines, indexer processes the data in real-time, and then the end user can interact with Splunk using the search head.

Question 8

What is the overall purpose of putting data through Splunk?

Answer 8

To gain valuable insights and actionable intelligence from collected data.

Question 9

What is a Deployment Server and what does it do?

Answer 9

Deployment server is a centralized configuration manager; manages configurations for all of its clients so that there is a centralized place for all edits.

Question 10

What is a deployment client? Give an example of one.

Answer 10

Anything that a deployment server manages is a client such as a forwarder.

Question 11

Which Splunk component contains serverclasses?

Answer 11

Deployment server

Question 12

What is a serverclass? Detailed explanation.

Answer 12

A logical grouping of Splunk components such as forwarders with similar characteristics or requirements.

Question 13

How does serverclass relate to the deployment server?

Answer 13

Serverclass helps the deployment server to distinguish what set of configurations the clients should receive.

Question 14

What is the purpose of configuration files?

Answer 14

To define and customize how various components and features of Splunk operate.

Question 15

Name the 4 configuration files you learned in class and what they do.

Answer 15

Inputs.conf=tell Splunk what data to monitor and where, Outputs.conf=tell Splunk where to send the data it has just collected, Indexes.conf=specifies the name of the index, how to store the data that has been indexed, and how long it needs to be stored, Props.conf=tell Splunk how to parse and refine the data.

Question 16

How are serverclasses, deployment servers, deployment-apps and inputs.conf all connected?

Answer 16

The deployment server uses server class and deployment app definitions to distribute configuration to appropriate instances, and inputs.conf defines how data is ingested.

Question 17

At what level is the data being stored?

Answer 17

Indexer level

Question 18

Tell me how you would install any Splunk component that is NOT a universal forwarder?

Answer 18

Use Splunk Enterprise installer package

Question 19

What is the maximum number of concurrent users per search head?

Answer 19

12

Question 20

Explain in an organized and detailed way how data flows through Splunk and how Splunk does its job using these keywords: forwarder, indexer, search head, deployment server, deployment client, serverclass and the four .conf files (inputs.conf, outputs.conf, indexes.conf, props.conf).

Answer 20

The data flow in Splunk involves forwarders collecting data and sending it to indexers.

Indexers store and index the data, while search heads interact with users, execute search queries, and display the results.

The deployment server manages configurations for deployment clients(forwarders and indexers) using server classes(logical grouping of the deployment clients) and .conf files to ensure consistent and organized deployment of configuration and apps.

Within the forwarder level configuration files, inputs.conf tells Splunk what data to monitor and where. Outputs.conf tells Splunk where to send the data it has just collected.

Indexer level configuration files like indexes.conf specifies the name of the index, how to store the data that has been indexed and how long it needs to be stored. While props.conf works to tell Splunk how to parse and refine data.