Practice Questions-1 Flashcards
Too many forwarders to manage: what Splunk instance would you add to your architecture?
Deployment server: it can group forwarders together and make them clients.
In your deployment app you are configuring inputs.conf to bring in new data. You then search with the search head and cannot find the data. What happened?
-Didn't send the deployment app to the correct serverclass
-Mistake in the monitoring stanza
-Did not put the right index
-Serverclass has not phoned home
-Turn monitoring on (BEST ANSWER)
What directory must you place your outputs.conf file in while in the deployment app?
-local (directory)
Command to edit configuration files
-vi
You are assigned to deploy a new app to update 10 deployment inputs.conf files. What Splunk instance would you log into, and what would you do to update them?
-Log onto the deployment server and then add the app to the serverclass so the inputs.conf files get updated
What is the absolute path to get to deployment apps?
/opt/splunk/etc/deployment apps/appname/local/config file
Port number used for the indexer to receive data from a forwarder
9997
If I wanted to ensure that data isn't being duplicated when my server goes down, can you tell me where in Splunk I should look?
_Fishbucket index
You notice that your newly monitored data is not in the index you configured it to be in?
It is in main; go into the file and fix the index.
Hot bucket
Directory where all new data enters into the index and is written to disk.
Explain bucket lifecycle
1-The bucket lifecycle starts at the hot bucket, which is the directory where all the data enters into the index and is written to disk; the most recent data is here.
2-The next tier down is the warm bucket. Data comes here when Splunk is restarted or the hot bucket is full. This data shares the same path as the hot bucket and stores recent, frequently searched data on a fast disk.
3-Next is the cold bucket, where rarely searched data that has aged is tucked away into slower, cheaper storage. While read-only and still searchable, this is considered the archive tier.
4-Lastly is the frozen bucket, in which data is pushed to dead media like tape or deleted. It is not searchable; files must be recovered through a thawing process before the data becomes searchable again.
Process to thaw buckets and regain access?
Move that file into the thaw directory and rename it to a name that Splunk recognizes.
How to turn off monitoring?
In the monitoring stanza, change disabled to 1.
You just finished editing all configuration files and want to see the changes take effect. What do you do?
restart splunk
What is the maxHotBuckets attribute for?
The maximum number of hot buckets that can be indexed; the default is 10.
tcpout in outputs.conf
TCP protocol; sends data and confirmation.
Deployment server and client relationship?
Manages forwarders, indexers, and search heads by making them deployment clients. Anything that the deployment server manages is called a client. Deployment servers contain serverclasses; clients grouped in serverclasses help distinguish what set of configurations a client should get.
How does Splunk determine how much to charge?
volume of data being indexed
Splunk component referred to as the Splunk agent
UF
Two types of data within indexes
raw data and tsidx
What is being added to the tsidx?
Metadata: host (IP address or FQDN), source, and sourcetype.
A coworker made unauthorized changes to a server. What index would you use, and why?
Audit index; it stores events related to activities conducted in Splunk, such as file system changes and user auditing.
What is the purpose of the license master?
So you won't go over your data allowance; it charges you based on the volume of data being indexed.
Indexing stage of Splunk?
1. Events are put into storage segments called buckets (that can be searched)
2. Writing raw data and index files to disk
Explain round robin.
When you enable round robin for a data input, it instructs Splunk to cycle through the available indexers in a circular (round-robin) fashion, sending data to each indexer one after the other.
-It helps with load balancing, fault tolerance, and scalability.
What is a distributed search?
A key feature that allows you to search and analyze data across multiple Splunk instances or indexers in a distributed Splunk deployment. This is especially useful in large-scale environments where the volume of data to be searched and analyzed exceeds the capacity of a single Splunk instance.
File path to warm?
$SPLUNK_HOME/var/lib/splunk/defaultdb/db/
How does data enter the server?
Ports, IP address, and forwarder.
What does SPLUNK_HOME mean in a file path?
specifies the path where Splunk Enterprise is installed
When is metadata applied??
Parsing stage
Why is it better to configure indexes to roll over by time instead of size?
You don't want it to roll over before you need it to.
Which Splunk components parse data?
Indexers and heavy forwarders
JSON vs syslog
Both are structured data and easily parsed by Splunk.
Used to access the Splunk GUI
Search head; enter the IP address and port in the search bar.
The server went down for a couple of hours. Which index saved the day?
internal index
Where do you find buckets in the Linux file system?
$SPLUNK_HOME/var/lib/splunk
To change metadata in your data, what Splunk instance would you log into, and what config file would you edit?
Log into the deployment server and edit inputs.conf (contains host, source, sourcetype).
Configure data to roll to frozen
frozenTimePeriodInSecs (86400 x (hot days + cold days) = retention time)
Multiple indexers make searches much easier
Add more if you ingest more data.
Find Appropriate amount of storage
use splunk calculator(Splunk storage sizing)
File path for Splunk executable files
/opt/splunk/bin
What is a heavy forwarder, and what are its limitations?
-An instance that is equipped with the ability to collect data inputs, forward them to indexers, and parse the data.
-One limitation is that the HF has a smaller throughput than a UF (it can't forward data as quickly). This can cause bottlenecks and queued data to build up.
-The UF is still the best and recommended way to forward data from the source. It is lightweight and simple in its design and serves only one purpose: forwarding.
-The HF can be useful for data requiring index-time extractions or for the DB Connect system.