INTERVIEW PREP Flashcards

1
Q

What’s the minimum replication/search factor for an idx cluster and an SH cluster? What are the replication factor and the search factor?

A

SH cluster default: 2

2
Q

Default ports?

A
8000 - web port
8191 - KV store port
8080 - replication port (idx cluster)
8181 - search head cluster replication port
9997 - receiving port
514 - syslog port
8089 - management port
8088 - HEC port

3
Q

How to set up search head cluster, idx cluster, multisite cluster?

A

IDX cluster:
set up the replication factor, search factor, security key, and cluster label in server.conf on the cluster master;
set up the manager IP, mode, and pass4SymmKey on the peer nodes and the search head.
SH cluster:
on the deployer set up pass4SymmKey and the SH cluster label;
initialize each member with the splunk init shcluster-config command, or set it up in server.conf;
select (bootstrap) the captain.

4
Q

How to push configurations from deployers and indexer clusters?

A
IDX cluster:
splunk validate cluster-bundle --check-restart
splunk apply cluster-bundle
SH cluster:
splunk apply shcluster-bundle

5
Q

Where to place the configuration bundle on the deployer, DS, and CM?

A

Deployer: $SPLUNK_HOME/etc/shcluster/apps
Deployment server (DS): $SPLUNK_HOME/etc/deployment-apps
Cluster master (CM): $SPLUNK_HOME/etc/master-apps/

6
Q

What is the company name?

A

Symphtech

7
Q

Splunk Web is not working and the KV store has errors; how do you troubleshoot?

A
  • check mongod.log and splunkd.log, remove the mongod.lock file, check the permissions on splunk.key

8
Q

Architect the growth of the cluster while ensuring the
necessary storage requirements are met and retention
policies are set appropriately.

A

1

9
Q

Schedule cron jobs using the cron utility to automate deletion of syslog data

A

1

10
Q

Build syslog servers for network log management

A

1

11
Q

Manage Logical Volume Manager (LVM)

A

1

12
Q

Troubleshoot disk usage and memory issues on Splunk indexers

A

2

13
Q

Monitoring system health via the Monitoring Console and custom searches and visualizations

A

2

14
Q

Build custom TAs and apps to ingest and visualize data from various data sources

A

2

15
Q

Review onboarded logs during the last phases to ensure no PII exists, using regex and transforms.conf

A

2

16
Q

Manage ingestion against our license by reviewing verbose logs for the necessity of indexing; eliminate extraneous logs by sending them to the null queue or truncating them

A

2

17
Q

Developed 12 dashboards for the Financial Board members’ annual presentation

A

2

18
Q

Built a series of Windows Security dashboards that included, but were not limited to, Disabled AD Accounts Re-enabled, AD Password Change Attempts, Brute Force Attacks, Policy Changes, Changes to Windows Firewalls, Privilege Use, etc.

A

2

19
Q

Use advanced dashboard XML and CSS customizations to achieve a specific look on reports

A

2

20
Q

Wrote SOPs and established runbooks to document procedures during incidents

A

2

21
Q

Manage the use and deployment of knowledge objects such as macros, tags, event types, calculated fields, and field aliases to fit specific standards of use and avoid duplication

A

2

22
Q

Ongoing tuning of the CIM for new data onboarded from various branches of the organization, and development of preliminary data model searches to kick off utilization of the data when handing it off to the Security Operations team

A

2

23
Q

Actively working with end users to aid in building efficient search queries

A

2

24
Q

Upgraded entire Splunk infrastructure in both dev and production environments

A

2

25
Q

Administering Splunk servers for optimal performance

A

2

26
Q

Leading log ingestion efforts; formatting back-end configurations

A

2

27
Q

Standardizing configurations across the Splunk environment

A

2

28
Q

Cleaning up custom apps on the deployment server; implementing naming standards, app.conf, etc.

A

2

29
Q

Leading code reviews to deploy new configurations on a weekly basis; granting approvals and denials

A

2

30
Q

Staggered cron schedules to ensure that alerting is not backed up or skipped

A

2

31
Q

Optimizing search heads; rewriting SPL to improve run-time performance

A

2

32
Q

Setting retention periods as a standard within the company

A

2

33
Q

Troubleshooting failed ingestion, missing logs, and outages of Splunk servers

A

2

34
Q

Installing forwarders on new servers as part of ingestion work

A

2

35
Q

Designing and leading onboarding training for new hires

A

2

36
Q

Reassign knowledge objects when off-boarding Splunk users

A

2

37
Q

Configure inputs and drilldowns on dashboards

A

2

38
Q

User assistance with query development, troubleshooting, and optimization

A

2

39
Q

Upgraded entire Splunk infrastructure in both dev and production environments

A

2

40
Q

Troubleshot missing logs

A

2

41
Q

Completed a wide-scale project to ingest more than 300 network devices through syslog filtration, ensuring each host is filtered into the correct directory; utilized custom configurations to bring the data into Splunk; made newly ingested data CIM compliant and remedied existing non-compliant data

A

2

42
Q

What is your experience with ES?

A

2

43
Q

Part of the implementation team building out several Splunk clusters

A

2

44
Q

Ingested data to ensure monitoring of network devices and applications, including deployment of *nix and Windows TAs to collect server logs

A

2

45
Q

Performed the ingestion of several security tools, including Nessus vulnerability scanner, Acunetix, Malwarebytes, and Bluvector, including modifying out-of-the-box apps for use in the destination environment

A

2

46
Q

Worked on props, transforms, inputs, authentication, authorize, and serverclass configurations on a daily basis

A

2

47
Q

Performed field extractions, lookups, and macros for various data sources

A

2

48
Q

Troubleshot data transfer issues within Splunk; troubleshot outages

A

2

49
Q

Addressed misuse of the platform to prevent search head failures: rewrote multi-panel dashboards to use base searches, remedied resource-intensive dashboards, and shortened long-running searches

A

2

50
Q

Addressed misuse of the platform to prevent search head failures: rewrote multi-panel dashboards to use base searches, remedied resource-intensive dashboards, and shortened long-running searches

A

2

51
Q

Principal engineer responsible for designing and maintaining production-quality dashboards, customizing XML via source code, including development of a collection of dashboards to support field tech teams in monitoring the 9,000+ cameras, sensors, and alert systems for building access

A

2

52
Q

Create saved searches to aid non-technical Splunk users by simplifying complex queries

A

2

53
Q

Create scheduled reports for summary indexing of 90-day trends of alert failures.

A

2

54
Q

Created and monitored Logical Volume Manager (LVM) and Swap Space

A

2

55
Q

Utilized Vagrant to provision servers for developers in the testing environment

A

2

56
Q

Configured and administered LDAP, DNS, DHCP, TLS/SSL on Linux servers

A

2

57
Q

Administered SSH, NFS, and FTP on Linux servers

A

2

58
Q

Administered and configured Apache

A

2

59
Q

Perform server updates, patching, upgrades, and package installations using rpm, yum, and wget

A

2

60
Q

Disk partitioning

A

2

61
Q

Deployed and managed virtualization technologies: KVM and VMware

A

2

62
Q

Deployed virtual servers using templates

A

2

63
Q

Performed RPM and YUM package installation.

A

2

64
Q

Checked system logs to diagnose errors and resolve them

A

2

65
Q

Performed system backup and compression using tar, gzip, and bzip2

A

2

66
Q

Provisioned accounts: added new user accounts, removed users, and changed ownership of files and groups using the chown and chgrp commands. Modified file permissions using chmod, and set special permissions using ACLs.

A

2

67
Q

Automated and scheduled jobs using the cron utility

A

2

68
Q

Monitored and resolved service desk tickets using the Jira ticketing system

A

2

69
Q

Created and updated process documentation for future reference

A

2

70
Q

Do you have any experience migrating Splunk?

A

2

71
Q

What are macros, and how have you used them?

A

2

72
Q

Regex: How to match a digit? How to match a word character?

A

2

73
Q

Where do Splunk buckets and databases reside?

A

2

74
Q

How would you perform index-time field extraction?

A

2

75
Q

Tell us about yourself

A

2

76
Q

What is Splunk’s SmartStore?

A

2

77
Q

Could you tell me something about the default configuration files?

A

2

78
Q

When a heavy forwarder is down but you have SSH access, what do you do? How would you troubleshoot this?

A

2

79
Q

Why could a search be inefficient?

A

2

80
Q

How would you use an existing syslog server to gather data into Splunk?

A

2

81
Q

How would you fix a slow-running search?

A

2

82
Q

What do you know about props.conf?

A

2

83
Q

Difference between hot and warm buckets?

A

2

84
Q

How would you create an index?

A

2

85
Q

Splunk has stopped ingesting data and we need to find the crash logs. Which internal log files would you check, and what path do they have?

A

2

86
Q

Which takes precedence, local or default, and why?

A

2

87
Q

I see architecting on your resume; can you talk about your architecting experience?

A

3

88
Q

Do you have any questions for us?

A

3

89
Q

What is Splunk’s SmartStore?

A

3

90
Q

What is Splunk S2/S3?

A

3

91
Q

How would you describe how your environment uses indexes?

A

3

92
Q

Experience with data migration?

A

3

93
Q

append vs. appendcols?

A

3

94
Q

Can you tell me the benefits of a multisite indexer cluster?

A

3

95
Q

Scenario: How would you fix a problem when all your universal forwarders went down?

A

3

96
Q

Why do you lose two IP addresses in a subnet?

A

3

97
Q

How to edit a file in vi?

A

3

98
Q

How many IPs in a /23 and /24?

A

3

99
Q

Have you ever customized a dashboard? Explain how you did it.

A

3

100
Q

What is your experience with regex?

A

3

101
Q

Precedence order, etc.

A

3

102
Q

What is better: search-time or index-time field extraction?

A

3

103
Q

How would you find big files in Linux?

A

3

104
Q

What is TCP and UDP? Why use one over the other?

A

3

105
Q

How to determine which processes are using the most resources?

A

3

106
Q

What is significant about ports under 1024?

A

3

107
Q

What are some Splunk default indexes?

A

3

108
Q

Splunk internal logs

A

3

109
Q

Splunk important paths

A

3

110
Q

Retention policies?

A

3

111
Q

What is the OSI model?

A

3

112
Q

API data examples

A

3

113
Q

security data examples

A

3

114
Q

How to do find and replace in vi?

A

3

115
Q

ES experience

A

3

116
Q

How would you send internal data to the indexers?

A

3

117
Q

Difference between tstats and stats. When would you use tstats?

A

3

118
Q

What are the retention policies (by attribute names)?

A

3

119
Q

How to troubleshoot a dashboard that was once bringing in results but stopped?

A

3

120
Q

Commands for summary indexing

A

3

121
Q

What are the benefits of an indexer cluster?

A

3

122
Q

What is an alert?

A

3

123
Q

Splunk Web is not working and the KV store has errors; how do you troubleshoot?

A

check mongod.log and splunkd.log, remove the mongod.lock file, check the permissions on splunk.key

124
Q

Config precedence

A

3

125
Q

What is RAID? What is RAID 10?

A

3

126
Q

The system disk is full; how do you troubleshoot?

A

3

127
Q

What are the transforms.conf settings for deleting specific events?

A

3

128
Q

How would you upgrade Splunk?

A

3

129
Q

What attributes would you use to configure retention policies?

A

3

130
Q

How would you check storage from the CLI?

A

3

131
Q

How would you add a scripted input?

A

3

132
Q

How would you add a network input?

A

3

133
Q

Give examples of character types that you can use in regex, and what do they mean?

A

3

134
Q

How would you troubleshoot Splunk configuration files?

A

3

135
Q

How do you use the clean up command in your SPL?

A

3

136
Q

What kind of administrative duties do you find yourself doing in the GUI?

A

3

137
Q

What is a scripted input, and what is your experience with them?

A

3

138
Q

You’re ingesting data through an API; how would you do that?

A

3

139
Q

What kind of internal fields are in Splunk?

A

_raw, _time, _indextime, _cd, _bkt

140
Q

Tell me about your experience with knowledge objects. How have you worked with them?

A

3

141
Q

What is a summary index, and what have you used it for?

A

3

142
Q

What syslog data have you onboarded?

A

3

143
Q

What are click name and click value, etc.?

A

3

144
Q

How to restore a frozen bucket?

A
  1. Copy your archive bucket into the thawed directory
  2. Execute the splunk rebuild command on the archive bucket to rebuild the indexes and associated files
  3. splunk restart

145
Q

How do you add an index to an indexer?

A

3

146
Q

What are some commands you often use in creating content?

A

3

147
Q

Have you worked with Splunk ES?

A

3

148
Q

What is indexer discovery and how would you configure it?

A

3

149
Q

How would you install Splunk?

A

3

150
Q

What is a distributed search?

A

3

151
Q

What are the benefits of a search head cluster?

A

3

152
Q

How would you set up a search head cluster?

A

3

153
Q

How would you set up an indexer cluster?

A

3

154
Q

How does licensing work in Splunk?

A

3

155
Q

Do you have a process when it comes to working on dashboards for clients?

A

3

156
Q

What kind of client-facing experiences have you had, what were some challenges you’ve overcome, and how?

A

3

157
Q

What is your biggest challenge when it comes to managing search heads?

A

3

158
Q

Do you have a process for alert creation, and how do you manage alerts to make sure they are being responded to?

A

3

159
Q

Do you have any experience migrating Splunk?

A

3

160
Q

How did I initiate the script?

A

3

161
Q

Preferred flavor of Linux?

A

3

162
Q

How would you find big files in Linux?

A

3

163
Q

/opt is full; how would you dig deeper to diagnose it?

A

3

164
Q

How to recall the last command you ran (2 ways)?

A

3

165
Q

What is TCP and UDP? Why use one over the other?

A

3

166
Q

What is the purpose of a subnet?

A

3

167
Q

How to test connectivity on a specific port or remote server?

A

3

168
Q

Why do you lose two IP addresses?

A

3

169
Q

Does your environment currently run multi-site clustering? What is it, and what’s your experience with it?

A

3

170
Q

How would you set up a new syslog server to onboard data into Splunk?

A

3

171
Q

What are the transforms.conf settings for changing the host name?

A

3

172
Q

What Splunk configurations require a restart, and which do not?

A

3

173
Q

How to list all processes?

A

3

174
Q

Can you share with us your experience with troubleshooting? (Troubleshooting scenarios)

A

3

175
Q

Can you elaborate on some of the commands that you use regularly at your job?

A

3

176
Q

Explain the metadata command and give examples of how you have used it.

A

3

177
Q

What is the eval command, and how have you used it at your work?

A

3

178
Q

How do you limit scheduled searches for users?

A

3

179
Q

Three ways to perform field extractions in SPL, and three ways to extract fields on the search head

A

3

180
Q

Difference between CSV and key-value?

A

3

181
Q

Explain the transaction command

A

3

182
Q

How would you reindex the data?

A

3

183
Q

How would you set up file monitoring?

A

3

184
Q

What is btool, and how would you use it?

A

3

185
Q

What are some dashboards that you have worked on?

A

3

186
Q

What was the most recent scripted input that you have added to your environment?

A

3

187
Q

Can you tell me what tools you have used to bring data in?

A

3

188
Q

If the timezone is incorrectly configured, where would you go to fix it?

A

3

189
Q

How would you know if your configurations are correct?

A

3

190
Q

How would you install an app from Splunkbase?

A

3

191
Q

When onboarding data, how would you bring all you have done from dev to prod?

A

3

192
Q

Data migration

A

3

193
Q

Upgrading Splunk

A

3

194
Q

What is a logical grouping, capture group, and a named capture group?

A

3

195
Q

What are some security best practices?

A
  • educating employees
  • principle of least privilege
  • updating systems and software often
  • documentation
196
Q

What is Splunk DB Connect?

A

Splunk DB Connect is an add-on that allows you to query RDBMSs for data and index the result sets.

197
Q

Who are the top direct competitors to Splunk?

A

Logstash, Loggly, LogLogic, Sumo Logic

198
Q

What is the command used to enable Splunk to start at boot?

A

$SPLUNK_HOME/bin/splunk enable boot-start