Interview Questions

Question 1

When you’re standing up a brand new indexer, what is the overall process for adding it to a cluster?

Answer 1

1. Go to settings
2. Go to indexer clustering
3. Make the instance a peer node
4. Connect to the cluster master through management port (8089)
5. Indicate the peer replication port (8080)
6. Add security key
7. Enable peer node

Question 2

What is the process for adding an index to an environment?

Answer 2

1. Go to settings
2. Go to Indexes
3. Go to new index
4. Name the index
5. Save

Question 3

How can you make data CIM compliant?

Answer 3

1. Create tags

Example: Let’s say you have Office A, Office B, and Office C. You want to be able to find events quickly that are associated with hosts in Office B. You would create a tag with the IP addresses of all hosts for Office B. The tag would allow you to reference Office B events quickly.

2. Create field aliases

Example: My data model has a field called http_fallon. However in my source data, let’s say my name is spelled incorrectly. I would use a field alias to capture the misspelling of my name in the source data and map it to the correct field name

Question 4

What extension do you use in developing dashboards?

Answer 4

XML extensions which are cascading style sheets

Question 5

What tools do you use to monitor the health of your system?

Answer 5

Monitoring Console

Question 6

Where are Splunk logs located in Linux?

Answer 6

splunk_home/var/log/splunk

Question 7

What is the purpose of a monitoring console?

Answer 7

Allows you to monitor the performance health (or just health) of your Splunk environment

Question 8

What is the difference between replication factor and search factor?

Answer 8

Replication factor specifies how many total copies of raw data the cluster should maintain. Search factor specifies how many copies are searchable.

Question 9

What is the purpose of the security key?

Answer 9

Authenticates communication between the cluster nodes.

Question 10

Walk me through the process of adding a license master and cluster master to an environment.

Answer 10

1. Go to settings
2. Go to licensing
3. Add the license by uploading it into the system (select install)
4. Restart Splunk
5. To make the server a cluster master go to settings
6. Go to indexer clustering
7. Select master node
8. Select next
9. Specify the replication factor and search factor
10. specify what the security key is
11. enable the master node and restart

Question 11

Walk me through the process of pointing servers to the license master.

Answer 11

1. go to settings
2. licensing
3. change the instance to a slave instance
4. enter the license master URI
5. save and restart

Question 12

Walk me through creating an indexing cluster.

Answer 12

For each indexer, do the following

1. settings
2. indexer clustering
3. enable indexer clustering
4. click peer node, click next
5. connect the peer node to the cluster master by putting the master URI in and the management port in (8089)
6. indicate what the peer replication port is
7. specify what the security key is and enable the peer node

Question 13

How do you configure the indexers to receive logs sent from the forwarders?

Answer 13

1. settings
2. forwarding and receiving
3. configure receiving
4. indicate what the listening port is (9997)
5. save

Question 14

How would you troubleshoot if the forwarder is not communicating with the deployment server?

Answer 14

Run splunk status on the forwarder. Then make the sure the IP address in the deployment client.conf file is for your deployment server.

Question 15

What are two ways to filter out unwanted data?

Answer 15

Send events to null queue in transforms.conf file or black listing.

Question 16

If you have issues with Splunk where would you go to see what is the problem?

Answer 16

Splunkd.log which is the primary log for the splunk server

Question 17

Explain the importance of CIM

Answer 17

Splunk CIM is used to normalize data for matching basic or common fields in a dataset

Question 18

Splunk has stopped indexing your data, and we need to find crash logs. Which internal log file do you check, and what is the path to that log?

Answer 18

splunkd.log, which would be found in: /$SPLUNK_HOME/var/log/splunk/splunkd.log

Question 19

Name the 3 main Splunk components.

Answer 19

Forwarder
Indexer
Search Head

Question 20

Name all of the Splunk components.

Answer 20

Universal Forwarder
Indexer
Search head
Deployment server
Deployer
Cluster master
License master
Heavy Forwarder

Question 21

What does the indexer do?

Answer 21

parse and store data

Question 22

What is a deployment server responsible for?

Answer 22

The Splunk system that distributes apps and configurations to universal forwarders and heavy forwarders.

Question 23

What do you need to do in order to create a deployment server?

Answer 23

Create a serverclass.conf file in the etc/system/local directory of your instance.

Question 24

What is the function of a deployer?

Answer 24

Used to distribute apps and other configuration updates to search head cluster members.

Question 25

What is an undistributed environment?

Answer 25

In an undistributed environment, you will have Splunk Enterprise installed on a single server instance—this single machine handles all of the indexing of data and searches of that data

Question 26

What is a distributed environment?

Answer 26

In a distributed environment, indexing and search functions are divided across at least two machines—an indexer on one server that receives and indexes data, and a search head on a separate server that communicates with the indexer to service search requests – two instances, each performing a different function.

Question 27

What is a clustered environment?

Answer 27

In a clustered environment, you would combine multiple indexers and/or search heads into an indexing/search head cluster for high availability (in case a server goes down) and data redundancy (storing more than one copy of the data across the indexing cluster).

Question 28

What would you do if you wanted to provide even better disaster recovery for a clustered environment?

Answer 28

You can build a multisite cluster wherein you have two indexing and/or search head clusters at different physical locations or sites

Question 29

If a client does not want to bring data into their environment from a universal forwarder or heavy forwarder what other options do they have to send data to splunk?

Answer 29

HEC (HTTP Event Collector)
Apps and Ad-ons
Syslog

Question 30

HTTP Event Collector is a method for onboarding data. Describe it.

Answer 30

Enables data to be sent over HTTP (HyperText Transfer Protocol) directly to Splunk Enterprise or Splunk Cloud Platform from our application.

Question 31

Syslog is a method for onboarding data. Describe it.

Answer 31

Used to process data from machines that we cannot install a Splunk forwarder on, such as network devices. Examples include logs from firewalls, switches, routers, etc.

Question 32

What does Splunk DB Connect allow you to do?

Answer 32

Allows us to import tables, rows, and columns from a database directly into Splunk Enterprise, which indexes the data.

Question 33

What is the props.conf file used for?

Provide two examples of what happens with data in the props.conf file.

Answer 33

To parse data and make sense out of data

event breaking takes place, timesheet stamping takes place, truncation takes place

Question 34

Describe what happens during the data parsing process.

Answer 34

data that you need is extracted, data is normalized

Question 35

What is phoning home?

Answer 35

Forwarders way of communicating with the deployment server.

Question 36

Name three web ports.

Answer 36

8000 – Splunk Web port
8089 – management port

9997 – indexers listen on port to receive data from forwarders

8080 – replication port

Question 37

What is the outputs.conf file used for?

Answer 37

Used by forwarder to forward data to the indexer

Question 38

What is white list?
What is blacklist?

Answer 38

White list – IP address that’s permitted to access the network

Black list – IP address that’s blocked from accessing the network

Question 39

An executive looks at a dashboard every morning. The dashboard pulls data from your environment and it looks at a 24 hour period.

This morning nothing came up. The executive is upset and wondering where their report is. You go to the dashboard to investigate. The dashboard itself has not changed. What are next steps in troubleshooting why the report isn’t producing results?

Answer 39

Check the extractions and fields that you’re using to make sure that they have values

Question 40

Name 3 ways that you can optimize searches?

Answer 40

Narrow the time window

Specify what the index, source, and sourcetype are

Be specific in your search (avoid using wildcards)

Limit the number of events retrieved (i.e. use the head command)

Question 41

Provide examples of knowledge objects and explain what they are.

Answer 41

saved searches (search that’s made available for later use)

alert (runs in real time or on a schedule specified by the user, triggered when results meet user defined conditions, once it’s triggered it can initialize one or more alert actions)

Question 42

What kind of servers do you run in your environment?

Answer 42

Linux servers

Question 43

What does a fishbucket do?

Answer 43

monitors data so it’s not duplicated

helps to prevent reindexing

Question 44

What is an intermediary forwarder used for?

Answer 44

Used for security purposes. If there is a security breach, the intermediary forwarder would keep data from being easily accessed on the indexers

Question 45

What is your favorite Linux command? What does it allow you to do in the command line?

Answer 45

chown

allows you to change ownership of a file