Splunk Flashcards

1
Q

Compare Splunk with Spark.

A

Criteria

Deployment area
Splunk: Collecting large amounts of machine-generated data
Spark: Iterative applications and in-memory processing

Nature of tool
Splunk: Proprietary
Spark: Open-source

Working mode
Splunk: Streaming mode
Spark: Both streaming and batch modes

2
Q

What is Splunk?

A

Splunk is ‘Google’ for our machine-generated data. It’s a software/engine that can be used for searching, visualizing, monitoring, reporting, etc. of our enterprise data. Splunk takes valuable machine data and turns it into powerful operational intelligence by providing real-time insights into our data through charts, alerts, reports, etc.

3
Q

What are the common port numbers used by Splunk?

A

Splunk Web port: 8000
Splunk Management port: 8089
Splunk Indexing port: 9997
Splunk Index Replication port: 8080
Splunk Network port: 514
KV Store: 8191

4
Q

What are the components of Splunk? Explain Splunk architecture.

A

Search Head: Provides the GUI for searching
Indexer: Indexes the machine data
Forwarder: Forwards logs to the Indexer.
Deployment Server: Manages Splunk components in a distributed environment.

5
Q

What is a Splunk indexer? What are the stages of Splunk indexing?

A

A Splunk indexer is the Splunk Enterprise component that creates and manages indexes. The primary functions of an indexer are mentioned below:

Indexing incoming data
Searching the indexed data

6
Q

What is a Splunk forwarder? What are the types of Splunk forwarders?

A

There are two types of Splunk forwarders, which are mentioned below:

Universal Forwarder (UF): The Splunk agent installed on a non-Splunk system to gather data locally; it can’t parse or index data.
Heavyweight Forwarder (HWF): A full instance of Splunk with advanced functionalities. It generally works as a remote collector, intermediate forwarder, and possible data filter, and since it parses data, it is not recommended for production systems.

7
Q

Can you name a few most important configuration files in Splunk?

A

props.conf
indexes.conf
inputs.conf
transforms.conf
server.conf

8
Q

What are the types of Splunk Licenses?

A

Enterprise license
Free license
Forwarder license
Beta license
Licenses for search heads (for distributed search)
Licenses for cluster members (for index replication)

9
Q

What is the Splunk app?

A

The Splunk app is a container or directory of configurations, searches, dashboards, etc. in Splunk.

10
Q

Where is the Splunk default configuration stored?

A

$SPLUNK_HOME/etc/system/default

11
Q

What are the features not available in Splunk Free?

A

Splunk Free does not include the following features:

Authentication and scheduled searches/alerting
Distributed search
Forwarding in TCP/HTTP (to non-Splunk)
Deployment management

12
Q

What happens if the license master is unreachable?

A

If the license master is not available, the license slave starts a 24-hour timer, after which search is blocked on the license slave (though indexing continues). Users will not be able to search data on that slave until it can reach the license master again.

13
Q

What is a summary index in Splunk?

A

A summary index is the default Splunk index (the index that Splunk Enterprise uses if we do not indicate another one).

If we plan to run a variety of summary index reports, we may need to create additional summary indexes.

14
Q

What is Splunk DB Connect?

A

Splunk DB Connect is a generic SQL database plugin for Splunk that allows us to easily integrate database information with Splunk queries and reports.

15
Q

How do I troubleshoot Splunk performance issues?

A

The answer to this question could be very broad, but, mostly, an interviewer would be looking for the following keywords:

Check splunkd.log for errors
Check server performance issues, i.e., CPU, memory usage, disk I/O, etc.
Install the SOS (Splunk on Splunk) app and check for warnings and errors in its dashboard
Check the number of saved searches currently running and their consumption of system resources
Install and enable Firebug, which is a Firefox extension. Log into Splunk (using Firefox) and open Firebug’s panels. Then, switch to the ‘Net’ panel, which we will have to enable. The Net panel will show us the HTTP requests and responses, along with the time spent on each. This will give us a lot of information quickly, such as which requests are hanging Splunk, which requests are blameless, etc.

16
Q

What are buckets? Explain the Splunk bucket lifecycle.

A

Splunk places indexed data in directories called ‘buckets.’ A bucket is physically a directory containing events from a certain period.

A bucket moves through several stages as it ages. Below are the various stages it goes through:

Hot: A hot bucket contains newly indexed data. It is open for writing. There can be one or more hot buckets for each index.
Warm: A warm bucket consists of data rolled out from a hot bucket. There are many warm buckets.
Cold: A cold bucket has data that is rolled out from a warm bucket. There are many cold buckets.
Frozen: A frozen bucket is comprised of data rolled out from a cold bucket. The indexer deletes frozen data by default, but we can archive it. Archived data can later be thawed (data in a frozen bucket is not searchable).
By default, the buckets are located in the following location:

$SPLUNK_HOME/var/lib/splunk/defaultdb/db

We should see the hot-db there and any warm buckets we have. By default, Splunk sets the bucket size to 10 GB for 64-bit systems and 750 MB for 32-bit systems.

17
Q

What is the difference between stats and eventstats commands?

A

The stats command generates summary statistics of all the existing fields in the search results and saves them as values in new fields.
Eventstats is similar to the stats command, except that the aggregation results are added inline to each event, and only if the aggregation is pertinent to that event. The eventstats command computes the requested statistics, much as stats does, but attaches them to the original raw events.

18
Q

Who are the top direct competitors to Splunk?

A

Logstash, Loggly, LogLogic, Sumo Logic, etc. are some of the top direct competitors to Splunk.

19
Q

What do Splunk licenses specify?

A

Splunk licenses specify how much data we can index per calendar day.

20
Q

What is the command for restarting Splunk web server?

A

This is another frequently asked Splunk commands interview question. We can restart the Splunk web server by using the following command:

splunk start splunkweb

21
Q

What is the command for restarting the Splunk Daemon?

A

The Splunk Daemon can be restarted with the following command:

splunk start splunkd

22
Q

What is the command used to check the running Splunk processes on Unix/Linux?

A

If we want to check the running Splunk Enterprise processes on Unix/Linux, we can use the following command:

ps aux | grep splunk

23
Q

What is the command used for enabling Splunk to boot start?

A

To enable Splunk to start at boot, we use the following command:

$SPLUNK_HOME/bin/splunk enable boot-start

24
Q

How to disable Splunk boot-start?

A

$SPLUNK_HOME/bin/splunk disable boot-start
