Brainscape's Knowledge GenomeTM

Browse over 1 million classes created by top students, professors, publishers, and experts.


See full index

Splunk Enterprise/Cloud Administration > Module 2: Index Management > Flashcards

Module 2: Index Management Flashcards

1
Q

Splunk stores data in ___, which are organised in directories and files in disk.

A

indexes

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q

What are the features of a Splunk index?

A
  • Indexes are stored in $SPLUNK_HOME/var/lib/Splunk
  • the directory location is customisable for each index
  • Indexes contain raw data and index files
  • Indexes can be created by an admin
  • There are many prebuilt indexes such as_internal, _audit and main.
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
3
Q

What is inside a Splunk index?

A
  • Raw data stored in a compressed format
  • Tdsidx files - time series index files that point to the raw data
  • Metadata – files such a sources.data, sourcetypes.data and hosts.data
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
4
Q

Indexes store data in ___. __ are a set of directories organised by age.

A

Buckets

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
5
Q

What are the bucket types?

A

Bucket types are hot, warm, cold. froze, thawed

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
6
Q

Hot buckets

A
  • newest data
  • open for read and write
  • can be more than one hot bucket in an index
  • searchable
  • roll to warm when reaching certain size, or upon a Splunk restart
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
7
Q

Warm buckets

A
  • created when hot buckets roll
  • not open for writing, but searchable
  • reside in the same directory as hot buckets but renamed
  • roll to cold buckets when exceeding max setting.
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
8
Q

Cold buckets

A
  • Starting from the oldest bucket (based on time), warm buckets roll to cold
  • Reside in different directory from hot and warm
  • Searchable
  • The directory location can be configured
  • Possible to save cost by using cheaper storage.
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
9
Q

Frozen buckets

A
  • After cold buckets age out based on policy, the roll to frozen
  • Default action is to delete, but can be configured to archive.
  • coldToFrozenDir or coldToFrozenScript in indexes.conf configures archiving
  • Archived frozen buckets are not searchable
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
10
Q

Thawed buckets

A
  • Frozen buckets can be thawed
  • Thawed buckets are rebuilt into index and searchable
  • Location can be configured in indexes.conf
  • No age restriction
  • Use Splunk rebuild command to rebuild data into the index
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
11
Q

Where is the bucket location of hot/warm buckets?

A

$SPLUNK_HOME/var/lib/Splunk/indexname/db

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
12
Q

Where is the bucket location of cold buckets?

A

$SPLUNK_HOME/var/lib/Splunk/indexname/colddb

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
13
Q

Where is the bucket location of frozen buckets?

A

• Frozen buckets are deleted by default. Can be optionally archived

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
14
Q

Where is the bucket location of thawed buckets?

A

$SPLUNK_HOME/var/lib/Splunk/indexname/thaweddb

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
15
Q

How are hot buckets named?

A

hot_v1_

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
16
Q

How are warm buckets named?

A

• Warm – db_newesttime_oldesttime_localid
o Local id is the ID of the bucket
o Newest and oldest time are in UTC epoch time in seconds

17
Q

Why create multiple indexes?

A
  • Security – RBAC options set by index

* Retention policies are applied at index level

18
Q

What is index data integrity?

A
  • Set in GUI, or enableDataIntegrityControl=true in indexes.conf
  • Allows to ensure indexed data has not been tampered with
  • Creates hash files (SHA 256) as the data is indexed
  • Check intregrity: ./Splunk check-intregrity -index [index name]
  • Regenerate hash: ./Splunk generate-hash-files -index [index name]
  • Hash files are stored in the rawdata directory within the index
19
Q

___.conf is used to configure Splunk indexes and their properties

A

indexes

20
Q

Where is the default indexes.conf saved?

A

default indexes.conf in $SPLUNK_HOME/etc/system/default, but do not edit this. Create a new indexes.conf in $SPLUNK_HOME/etc/system/local

21
Q

What is the structure of indexes.conf?

A
  • Default stanza for defining global properties
  • If a property is defined outside of any specific stanza, at the top of the file, it is considered a global property
  • If a property is defined at both global level and in a specific stanza, value in the specific stanza takes precedence
  • If there are multiple definitions of the same settings in a stanza, last setting wins
22
Q

What is the fishbucket?

A
  • fishbucket is a special Splunk internal index that is automatically created
  • keeps track of ingestion progress of monitored files and directories
  • located in $SPLUNK_HOME/var/lib/Splunk/fishbucket
  • upon restart, using fishbucket, Splunk can start ingesting from where it left off.
23
Q

How can you use the fishbucket to reindex files?

A

• reindex a particular file (btprob command)
o ./Splunk cmd btprob -d $SPLUNK_HOME/var/lib/Splunk/fishbucket/splunk_private_db –file –reset
• Reindex all monitored files (remove entire fishbucket directory)
o Rm -rf /opt/Splunk/var/lib/Splunk/fishbucket
o You must restart Splunk forwarder

24
Q

What is data retention?

A
  • must define a retention policy for the data indexed
  • retention policy applied at index level
  • set maxTotalDataSizeMB and/or frozenTimePeriodInSecs. maxTotal overrides frozenTime
  • indexes.conf is used to configure retention policy
25
Q

the frozenTimePeriodinSecs is set to _ __ by default.

A

6 years

26
Q

What happens to expired data?

A

• When the bucket rolls from cold to frozen, by default the data is deleted
• If coldToFrozenScript is configured, the scrip is executred
• If coldToFrozenDir is configured, Splunk moves the expired buckets to this directory. This is what you do if you want to archive frozen buckets
• To restore expired data, copy the archived buckets to thaweddb location and rebuild
o ./Splunk rebuild $SPLUNK_HOME/var/lib/Splunk//thaweddb/

27
Q

How do you back up Splunk?

A
  • must regularly back Splunk
  • back up warm and cold buckets, and entire etc directory
  • hot buckets can’t be backed up without stopping Splunk, as Splunk is actively writing to them
  • in a clustered environment, you may not need to back up data as it is replicated.
  • in distributed environments, ensure you backup search heads and heavy forwarders
28
Q

How do you delete events in a Splunk index?

A
  • best way is to let the data expire instead of deleting
  • can only do a virtual delete, not removed from disk
  • even admins can’t delete data by default
  • create a user with a can_delete capability
  • run a search to list the desired events to be deleted, pipe the delete command
29
Q

How do you delete ALL events from a Splunk index?

A
  • extremely dangerous command in production
  • Destroys index data from disk
  • Syntax: Splunk clean all -index
  • If you do not specifiy an index name, all indexes are considered for deletion

Splunk Enterprise/Cloud Administration (12 decks)

Brainscape helps you reach your goals faster, through stronger study habits.
© 2024 Bold Learning Solutions. Terms and Conditions