Splunk Flashcards
Compare Splunk with Spark.
Criteria: Deployment area
Splunk: Collecting large amounts of machine-generated data
Spark: Iterative applications and in-memory processing
Criteria: Nature of tool
Splunk: Proprietary
Spark: Open-source
Criteria: Working mode
Splunk: Streaming mode
Spark: Both streaming and batch modes
What is Splunk?
Splunk is ‘Google’ for our machine-generated data. It’s a software/engine that can be used for searching, visualizing, monitoring, reporting, etc. of our enterprise data. Splunk takes valuable machine data and turns it into powerful operational intelligence by providing real-time insights into our data through charts, alerts, reports, etc.
What are the common port numbers used by Splunk?
Splunk Web port: 8000
Splunk Management port: 8089
Splunk Indexing port: 9997
Splunk Index Replication port: 8080
Splunk Network port: 514
KV Store port: 8191
What are the components of Splunk? Explain Splunk architecture.
Search Head: Provides the GUI for searching
Indexer: Indexes the machine data
Forwarder: Forwards logs to the Indexer.
Deployment Server: Manages Splunk components in a distributed environment.
What is a Splunk indexer? What are the stages of Splunk indexing?
A Splunk indexer is the Splunk Enterprise component that creates and manages indexes. The primary functions of an indexer are mentioned below:
Indexing incoming data
Searching the indexed data
What is a Splunk forwarder? What are the types of Splunk forwarders?
There are two types of Splunk forwarders, which are mentioned below:
Universal Forwarder (UF): The Splunk agent installed on a non-Splunk system to gather data locally; it cannot parse or index data.
Heavyweight Forwarder (HWF): A full instance of Splunk with advanced functionalities. It generally works as a remote collector, intermediate forwarder, and possible data filter, and since it parses data, it is not recommended for production systems.
Can you name a few of the most important configuration files in Splunk?
props.conf
indexes.conf
inputs.conf
transforms.conf
server.conf
What are the types of Splunk Licenses?
Enterprise license
Free license
Forwarder license
Beta license
Licenses for search heads (for distributed search)
Licenses for cluster members (for index replication)
What is a Splunk app?
A Splunk app is a container or directory of configurations, searches, dashboards, etc. in Splunk.
Where is the Splunk default configuration stored?
$SPLUNK_HOME/etc/system/default
What are the features not available in Splunk Free?
Splunk Free does not include the following features:
Authentication and scheduled searches/alerting
Distributed search
Forwarding in TCP/HTTP (to non-Splunk)
Deployment management
What happens if the license master is unreachable?
If the license master is not available, the license slave starts a 24-hour timer; when it expires, search is blocked on the license slave (though indexing continues), and users will not be able to search data on that slave until it can reach the license master again.
What is a summary index in Splunk?
A summary index is the default Splunk index (the index that Splunk Enterprise uses if we do not indicate another one).
If we plan to run a variety of summary index reports, we may need to create additional summary indexes.
What is Splunk DB Connect?
Splunk DB Connect is a generic SQL database plugin for Splunk that allows us to easily integrate database information with Splunk queries and reports.
How do I troubleshoot Splunk performance issues?
The answer to this question can be very broad, but an interviewer would mostly be looking for the following keywords:
Check splunkd.log for errors
Check server performance issues, i.e., CPU, memory usage, disk I/O, etc.
Install the SOS (Splunk on Splunk) app and check for warnings and errors in its dashboard
Check the number of saved searches currently running and their consumption of system resources
Install and enable Firebug, which is a Firefox extension. Log into Splunk (using Firefox) and open Firebug’s panels. Then, switch to the ‘Net’ panel, which we will have to enable. The Net panel will show us the HTTP requests and responses, along with the time spent on each. This will give us a lot of information quickly, such as which requests are hanging Splunk, which requests are blameless, etc.