Section 5.1

Question 1

What does the Indexing Layer do?

Answer 1

Allows you to clean up data.

Allows you to refine data.

Allows you to store data.

Question 2

What is Index clustering?

Answer 2

When multiple indexers are connected in order to replicate copies of the indexers buckets (data).

Question 3

Where is data stored?

Answer 3

In indexes on the indexer that have buckets.

Question 4

What is automatic failover?

Answer 4

Basically backing up data. If one indexer fails, the others will pickup the slack and maintain continuity.

Question 5

High availability means…

Answer 5

Data is highly available for searching.

Question 6

Index Clustering in summary means

Answer 6

Data is protected from sudden loss

More copies are available for users who are actively searching

Indexer activities will continue in the event an indexer goes down

Question 7

Replication Factor determines

Answer 7

How many copies are maintained within an indexer cluster.

Deafult RF is 3

Maximum RF is determined by the number of indexers you have or nodes.

Question 8

Search Factor determines

Answer 8

How many of these copies are immediately searchable.

Default SF is 2

Question 9

In a clustering environment you need a minimum of ____ Indexers

Answer 9

3

Question 10

Most important fact about a Search Factor (SF)

Answer 10

The Search Factor can never be more than the Replication Factor.

Question 11

Explain RF & SF

Answer 11

RF factor tells us how many times we want the data to be copied over. Two of those copies are highly available and just incase something happens to the first copy. If both copies go down, the third copy is usually stored at an offsite location.

Question 12

When does the Cluster Master come in?

Answer 12

The Cluster Master comes into play when we start copying our data (when the environment becomes clustered).

Question 13

Cluster Master Manages what layer?

Answer 13

It manages the indexing layer.

Question 14

What is the Cluster Master?

Answer 14

A centralized configuration Manager who’s job is to manage the indexer cluster.

Question 15

Once the environment becomes clustered, the Deployment Server….

Answer 15

Only manages the forwarders.

Question 16

What does a Cluster Master do?

Answer 16

Manages cluster activities (adding peers, distributing configurations, determines the number of copies to maintain).

Maintains memory of peers, their buckets, and configs

Tells search head where to request data.

Question 17

What are Peers (Cluster Peer)?

Answer 17

Peers are Indexers

Question 18

What do Peer Nodes do?

Answer 18

Peers receive and index incoming data typically from forwarders)

Replicate data to other peers

Respond to incoming searches by supplying search results

Question 19

A clustered architecture is called ..

Answer 19

A distributed search

Question 20

Clustering is Smart because it provides….

Answer 20

Data Availability
Data Fidelity
Data Resiliency
Disaster Recovery
Search Affinity

Question 21

Multi-site clustering =

Answer 21

Storing copies of your data at a different site

Question 22

Data fidelity =

Answer 22

The act of not losing data; reliability

Question 23

Benefits of Clustering =

Answer 23

1.Data Availability & fast recovery
2.Easier overall administration
3.Scalability of indexing
4.No additional cost for data replication

Question 24

Cons of clustering =

Answer 24

1.Increased storage requirements
2.Increased processing load
3.Requires additional Splunk instances
4.Indexers require the same OS and versions

Question 25

When you enable a search head in cluster environment you must specify what?

Answer 25

Cluster settings (i.e. Master Node) and the port on which it receives data.

Question 26

Transforms.conf=

Answer 26

specify transformations and lookups that can then be applied to any event

Question 27

What is the filepath of the CM that sends apps to its peers ?

Answer 27

splunkhome/etc/master-apps

Question 28

Where do bundles reside for cluster peer?

Answer 28

splunkhome/etc/slave-apps

Question 29

Splunkhome etc slave apps =

Answer 29

where you will always find pushed configuration files (sent from CM to indexer)

Question 30

Config changes that require restart?

Answer 30

A.Changes to indexes.conf,inputs.conf
B.Home path changes to Indexes.conf
C.Deleting an existing app

Question 31

Configuration changes that do not need a restart ?

Answer 31

Adding a new index or new app with reloadable configs

Changes or additions to transforms.conf or props.conf

Question 32

Tell me about your environment

Answer 32

In my environment we have a current quota of about 50TB, and we are currently ingesting about 49TB per day with 600 users. We have about 290 indexers, with close to 32,000 forwarders and about 12 search heads.

Question 33

Environment with too many forwarders for you to manage one at a time-what Splunk instance would you install and how would you configure it to manage all the forwarders?

Answer 33

Use Deployment Server and put the forwarder in serverclass and create deployment apps to configure all of them.

Question 34

In your deployment app you are Configuring inputs.conf to bring in new data-you then search with search head and cannot find the data. What happened?

Answer 34

-didn’t send deployment apps to correct serverclass
-mistake in monitoring stanza
-did not put right index
-severclass has not phoned home
-turn monitoring on(BEST ANSWER)
-Splunk does not have permissions to read source file

Question 35

what directory must you place your inputs.conf file in the deployment app

Answer 35

local directory

Question 36

indexer uses what port

Answer 36

9997

Question 37

fishbucket index importance

Answer 37

allows you to see how far into a file indexing has occurred-helps to avoid duplicates and comes in handy after server shutdown or connection errors.

Question 38

advantages of indexer clustering

Answer 38

1.Data Availability & fast recovery
2.Easier overall administration
3.Scalability of indexing
4.No additional cost for data replication

A. Data Availability = how often your data is available to be utilized.

B. Data Fidelity = the act of not losing data.

C. Data Reliability = refers to the accuracy, consistency, and dependability of the data being ingested, indexed, and queried within the platform.

D. Data Resiliency = platform’s ability to maintain data availability, integrity, and accessibility even in the face of unexpected failures.

E. Disaster Recovery = set of processes and strategies put in place to ensure availability and continuity of Splunk services and data.

F. Search Affinity = search local sites; mechanism for intelligently routing and distributing search jobs across a distributed Splunk environment.

Question 39

explain data availability

Answer 39

how often your data is available to be utilized

Question 40

who manages all indexes in cluster environment? Explain

Answer 40

Cluster Master/Master Node

Question 41

how would you configure hot bucket to roll over by time

Answer 41

Maxhotspansecs

Question 42

default port used for replication

Answer 42

8080 is replication, 8089 is the management port(goes between config manager and clients-ds vs clients and then CM vs indexers-to ANY client it is managing), and 9997 is the data (receiving port)

Question 43

what is metadata and what does it contain?

Answer 43

Meta data=bar code=tells you where a product is coming from (ip address, log path, and format of data)

Question 44

What is source

Answer 44

name of the event or other input from which the event originates

Question 45

give examples of sourcetypes you worked with

Answer 45

json and syslog or CSV

Question 46

what is the largest sourcetype you have worked with?

Answer 46

syslog is network data and large

Question 47

high availability

Answer 47

-High availability=when we are replicating data within our indexers
-Multiple copies available for searching
-Data gets into our indexers in round robin fashion

Question 48

distributed search?

Answer 48

key feature that allows you to search and analyze data across multiple Splunk instances or indexers in a distributed Splunk deployment. This is especially useful in large-scale environments where the volume of data to be searched and analyzed exceeds the capacity of a single Splunk instance.

Question 49

how replicated buckets are stored in indexers

Answer 49

1.once the data comes to the indexers the method of distributing data will be round-robin 2.once the data is written on the indexers 3.then the process of replicating data will move from indexer to indexer trying to find a healthy one to store that specific data.

Question 50

how does forwarder distribute data among indexers without replication (regular data)

Answer 50

round robin fashion

Question 51

reloading vs restarting DS

Answer 51

When updating clients of the DS-reload deployment server

when you make updates for DS itself you restart DS.

Question 52

when increasing ingestion in cluster environment

Answer 52

add more indexers to the cluster

Question 53

some considerations to consider when going into clustered environment

Answer 53

cost of more splunk instances

ingestion of data

storage requirements

processing requirements

Question 54

You notice that your newly monitored data is not in the index that you have configured it to be in. Where is data possibly being stored and how would you troubleshoot it?

Answer 54

Go to the inputs.conf and validate that the ‘index’ is correct.

If index is wrong it will be in the main index

Question 55

Recently got fresh new data in the splunk

Answer 55

Hot bucket

Question 56

Under what circumstances would the data in the hotbucket stop writing?

Answer 56

If the hot bucket is too full or if their is restart.

Question 57

In order to have have splunk search head what would you need to download?

Answer 57

Splunk Enterprise

Question 58

Maximum number of concurrent users per search head

Answer 58

12

Question 59

What is Maxhotbucket?

Answer 59

Maximum hot bucket that can be in an index

Question 60

Which default port is for replication?

Answer 60

8080 port

Question 61

What is the thawing process

Answer 61

Frozen data has to be unthawed and sent back to cold

Move that file into thaw directory and rename it to a name that splunk recognizes

Question 62

What must happen before indexer can be part of a cluster?

Answer 62

Indexer must become cluster member

Question 63

Cluster Master/Master Node

Answer 63

You only need ONE

Question 64

Internal Index?

Answer 64

Used for troubleshooting; stores all Splunk components’ internal logs and processing metrics.

Searches for logs that say ERROR or WARN

Question 65

Monitoring stanza in Windows vs Linux

Answer 65

Windows = [monitor://C:\app\log\data\catalina.out]

Linux = [monitor:///another/random/path]

Question 66

Two types of files indexes consist of

Answer 66

raw data (full log files) and indexed files (tsidx)

Question 67

To disable the monitor to stop sending logs

Answer 67

Go to monitoring and change disable to true or 1

Question 68

Explain summary index

Answer 68

Summary indexing allows you to run fast searches over a large data set by scheduling Splunk to summarize data then import data into the summary index over time

Question 69

When increasing ingestion of data by 2 TB what will you have to do? In clustered environment-how would you accommodate it.

Answer 69

Adding indexers to the cluster to accommodate growth.

Question 70

What directory are apps deployed to in a clustered environment

Answer 70

slave-apps filepath

Question 71

When will you use management port?-8089

Answer 71

when CM is communicating with with its clients or slaves