Splunk Admin Cert Flashcards

1
Q

Installing an app from a file

3

A
  1. Download the app package from Splunkbase
  2. Install it from Splunk Web, OR from the CLI with: splunk install app <path-to-appfile>
  3. Or extract it by hand: cd $SPLUNK_HOME/etc/apps && tar -xf <path-to-appfile>
2
Q

Deleting an app

2

A

  1. CLI: ./splunk remove app <app_name>
  2. Or navigate to $SPLUNK_HOME/etc/apps and delete the app's folder
    * Restart the instance after either method
3
Q

Two ways to install an add-on or app on a forwarder

A

  1. CLI (splunk install app) on the forwarder itself
  2. Use the deployment server to deploy the app
4
Q

Do UFs (Universal Forwarders) have a web interface?

A

No. Heavy Forwarders do. UFs can still use apps (configuration-only apps, since there is no Splunk Web to render them).

5
Q

Does the user role have write permission to the Search app by default?

A

No. By default only the admin and power roles have write access to the Search app; the user role has read.

6
Q

Users with read permissions can do what?

Users with write permission can do what?

A

Read: See app and use it

Write: add/delete/modify knowledge objects used in the app

7
Q

Where are apps installed?

A

SPLUNK_HOME/etc/apps

8
Q

Can UF parse data?

A

NO

9
Q

Can HF parse data?

A

YES

10
Q

Enterprise Trial License limits

3

A
  1. 500 MB per day indexing limit
  2. Valid for 60 days; after that you must switch to the Free license or install a purchased Enterprise license
  3. A Sales trial license is a trial of varying size and duration issued by Splunk Sales
11
Q

Enterprise License

4

A
  1. Purchased from Splunk
  2. Full functionality for indexers, search heads, deployment server, etc.
  3. Sets the daily indexing volume
  4. No-enforcement license: searching keeps working even during a license violation period
12
Q

Free License

2

A
  1. Disables alerts, authentication (no login), clustering, distributed search, summarization, and forwarding to non-Splunk systems (TCP/syslog output)
  2. Allows 500 MB/day of indexing; forwarding to Splunk indexers is still allowed
13
Q

License Violations

A

5 warnings on Enterprise (3 on Free or Trial) within a rolling 30-day window is a violation.

*The daily volume counter resets at midnight.

14
Q

Forwarder License

3

A

  1. Sets up the instance as a heavy forwarder
  2. Applies to non-indexing forwarders
  3. Allows authentication, but no indexing
15
Q

Metrics Data

A

counts against a license at a fixed 150 bytes per metric event

*draws from same license quota as event data

16
Q

If you edit a .conf file but do not restart the Splunk instance, then run btool on that .conf file, will you see your updates?

A

Yes. btool reads the files on disk and reports the merged result; it does not show what the running process has loaded, so a restart (or reload) is still needed for the change to take effect.

17
Q

What do license pools do?

A

Allow licenses to be subdivided amongst a group of indexers

18
Q

What is the license path?

A

SPLUNK_HOME/etc/licenses

19
Q

T/F: Splunk provides separate licenses for metrics data and event data

A

False. Metrics data draws from the same license quota as event data.

20
Q

T/F: Search heads also need an Enterprise license (or must be configured as a license slave to a license master that has one), even though no inputs are configured on them.

A

True

21
Q

T/F: If you exceed the daily license quota in a pool, your license goes into violation.

A

False. Exceeding the pool's quota for a day generates a warning; a violation only occurs after 5 warnings (3 on Free/Trial) within a rolling 30-day window.
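As an added example (not from the flashcards), the warning-versus-violation distinction from this card and the License Violations card above, modelled in Python on a constructed 40-day volume history against the 500 MB/day quota. The volumes, dates and the `day()` helper are constructed for the example; the quota and the 5/3 thresholds are the ones the cards state.

```python
"""Added example (not from the flashcards): model Splunk's license warning and
violation rules. Daily volumes below are constructed sample data; the quota and
the 5/3 warning thresholds are the ones the flashcards give."""
from datetime import date, timedelta

# Warnings allowed inside a rolling 30-day window before a violation.
VIOLATION_THRESHOLD = {"enterprise": 5, "free": 3}
WINDOW_DAYS = 30
QUOTA_MB = 500
START = date(2024, 1, 1)  # constructed start of the sample history


def day(i):
    """Calendar day i of the constructed history (day 0 = 2024-01-01)."""
    return START + timedelta(days=i)


def warning_days(daily_volume_mb, quota_mb=QUOTA_MB):
    """Days whose indexed volume exceeded the quota. Volume is metered per
    calendar day and the counter resets at midnight, so each day stands alone:
    exceeding the quota produces a warning, not a violation."""
    return sorted(d for d, mb in daily_volume_mb.items() if mb > quota_mb)


def in_violation(daily_volume_mb, license_type, as_of, quota_mb=QUOTA_MB):
    """True once the warning days in the 30-day window ending on `as_of`
    reach the threshold for the license type."""
    window_start = as_of - timedelta(days=WINDOW_DAYS - 1)
    recent = [d for d in warning_days(daily_volume_mb, quota_mb)
              if window_start <= d <= as_of]
    return len(recent) >= VIOLATION_THRESHOLD[license_type]


def sample_volumes():
    """Constructed 40-day history in MB/day: 300 MB normally, with five
    over-quota days spread across the last three weeks."""
    vols = {day(i): 300 for i in range(40)}
    for i in (20, 24, 28, 33, 39):
        vols[day(i)] = 650
    return vols


if __name__ == "__main__":
    vols = sample_volumes()
    print("warning days:", [d.isoformat() for d in warning_days(vols)])
    for lic in ("enterprise", "free"):
        # day 38 has four warnings in its window, day 39 has five
        print(lic, day(38), "->", in_violation(vols, lic, day(38)))
        print(lic, day(39), "->", in_violation(vols, lic, day(39)))
```

On day 38 the Enterprise window holds four warnings (no violation yet) while a Free license, with its threshold of three, is already in violation; the fifth over-quota day tips Enterprise over as well.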

22
Q

An app is a collection of..

A

Configuration files, scripts, web assets

23
Q

Can apps be installed on any Splunk instance?

A

Yes

24
Q

T/F: Write permission to an app means that the user's role is able to modify the app.

A

False. Write permission lets the role add, delete and modify knowledge objects inside the app (searches, dashboards, lookups, etc.); it does not let the role change the app itself.

25
T/F: Universal forwarders don't have a web interface, but they can still benefit from an app.
True
26
Two required fields for adding native users
Username and Password
27
Optional fields for adding native users | 4
- Full name and email address (default: none)
- Time zone (default: the search head's time zone)
- Default app (default: the role's default app, or Home if the role has none)
- Role(s) (default: user)
* You can also require a password change on first login
28
What does a new role inherit? (2)
Capabilities and Index Access
29
Where do you store and manage your local configs?
$SPLUNK_HOME/etc/apps/<app>/local (for example $SPLUNK_HOME/etc/apps/search/local). Never edit the default directory: it is overwritten on upgrade.
30
How to use btool to debug monitor
splunk btool inputs list monitor:///var/log --debug
31
Where does Splunk store its indexed data?
$SPLUNK_HOME/var/lib/splunk
32
What are the paths for buckets?
- Hot/warm: $SPLUNK_HOME/var/lib/splunk/defaultdb/db/*
- Cold: $SPLUNK_HOME/var/lib/splunk/defaultdb/colddb/*
- Frozen: a directory you specify (coldToFrozenDir), or deleted
- Thawed: $SPLUNK_HOME/var/lib/splunk/defaultdb/thaweddb/
33
What .conf do forwarders require?
outputs.conf
34
How to check for a successful connection between indexer and forwarder
- Indexer: splunk display listen
- Forwarder: splunk list forward-server
35
How do distributed search peers run searches?
In parallel
36
What phase does the licensing happen?
Indexing
37
What are knowledge bundles distributed to, and by what?
Distributed to the search peers by the search head when a search is initiated
38
Knowledge bundle directories
- Search head: $SPLUNK_HOME/var/run
- Search peer: $SPLUNK_HOME/var/run/searchpeers
39
Distributing indexes and search loads across multiple servers facilitates what kind of scaling?
Horizontal
40
What event breaker setting do you use for a single-line event?
EVENT_BREAKER_ENABLE = true (the default EVENT_BREAKER regex breaks on every newline)
41
What event breaker setting do you use for a multi-line event?
EVENT_BREAKER = <regex> together with EVENT_BREAKER_ENABLE = true; the regex's capture group marks the boundary between events
42
What does * do?
Matches anything in that specific directory path segment but does not go beyond that segment in the path.
43
What does ... do?
Recurses through directories and subdirectories to match
44
Where should you forward search head indexes to?
the search peer (indexer) layer
45
What files does a splunk diag produce?
tar.gz and diag.log
46
Search Head Clustering
Replicated knowledge objects across search heads
47
Indexer Clustering
- Replicated buckets (data) across indexers
- Can be configured as single-site or multi-site
- Lets you balance growth, speed of recovery and overall disk usage
48
Additional components of a cluster
- Node
- Monitoring Console
- Deployment Server
- Deployer
- License Master
49
Can a splunk indexer function as a cluster?
Yes
50
Where does the authentication method save its settings?
authentication.conf
51
User accounts stored in a directory server (LDAP)
- Enforces the LDAP user account and password policies
- Users use the same user name and password in Splunk that they use elsewhere
- LDAP groups must be mapped to Splunk roles (or this can be done manually in Splunk)
52
Is the LDAP server rechecked each time a user logs into Splunk?
Yes
53
Can a user in an LDAP group log in if that group is not mapped to a Splunk role?
No
54
Can a Splunk native user be edited or deleted?
Both
55
What can be changed on LDAP or other users?
Time Zone and default app
56
What does the Identity Provider (IdP) do?
Maintains the user credentials and handles authentication
57
What are the attribute aliases when configuring SAML?
role, realName, mail
58
When creating a SAML group, can multiple groups be mapped to a single user role?
Yes.
59
Process for a Duo authentication log-on
1. Request Splunk login
2. Check authentication / check group mapping
3. Duo MFA
4. Create user session
5. Log the user in to Splunk
60
Continuous monitoring creates a stanza where?
inputs.conf. One-time indexing (index once) does not create a stanza in inputs.conf.
61
What does data preview do?
displays how your processed events will be indexed
62
What phase of the distributed model does license metering happen?
Indexer Phase
63
Is the deployment client part of Splunk Enterprise or the UF?
Both: the deployment client is built into every Splunk instance, including the UF.
64
What can you use to change settings in Splunk .conf files?
Splunk Web, CLI, SDK, app install, and/or direct edit
65
When Splunk starts, how are config files merged together?
a single run-time model for each file type
66
At index-time merging, does local or default take precedence?
local
67
What are input and parsing handled by at index time?
- Input: handled at the source (usually a forwarder)
- Parsing: handled by indexers (or heavy forwarders)
68
How is the license meter run during the index phase?
It meters the raw data volume as it is initially written to disk, prior to compression.
69
What is the index-time precedence?
1. etc/system/local
2. etc/apps/search/local
3. etc/apps/unix/local
4. etc/apps/search/default
5. etc/apps/unix/default
6. etc/system/default
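To make that precedence concrete, here is an added example (not from the flashcards) that re-implements the index-time layering rule in Python: parse every copy of a .conf file, order the copies by the precedence listed above (apps in ASCII order of app name within each layer), and let the highest layer win per stanza and key. The directory tree and its settings are constructed sample data, and only the index-time order is modelled, not the search-time order that also considers user directories and app context.

```python
"""Added example (not from the flashcards): re-implement Splunk's index-time
.conf layering. SAMPLE_TREE is constructed data, not real Splunk defaults."""
import re

# Constructed tree: path relative to $SPLUNK_HOME -> file contents.
SAMPLE_TREE = {
    "etc/system/default/props.conf": """
[access_combined]
SHOULD_LINEMERGE = true
MAX_TIMESTAMP_LOOKAHEAD = 128
TRUNCATE = 10000
""",
    "etc/apps/unix/default/props.conf": """
[access_combined]
SHOULD_LINEMERGE = false
TRUNCATE = 20000
""",
    "etc/apps/search/default/props.conf": """
[access_combined]
TRUNCATE = 30000
""",
    "etc/apps/unix/local/props.conf": """
[access_combined]
TIME_PREFIX = \\[
""",
    "etc/apps/search/local/props.conf": """
[access_combined]
TIME_PREFIX = ^
MAX_TIMESTAMP_LOOKAHEAD = 32
""",
    "etc/system/local/props.conf": """
[access_combined]
MAX_TIMESTAMP_LOOKAHEAD = 64
""",
}


def parse_conf(text):
    """Parse a .conf file into {stanza: {key: value}}; '#' lines are comments."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = stanzas.setdefault(m.group(1), {})
            continue
        key, sep, value = line.partition("=")
        if current is not None and sep:
            current[key.strip()] = value.strip()
    return stanzas


def index_time_rank(path):
    """Lower rank = higher precedence: system/local, then apps/*/local
    (ASCII order of app name), then apps/*/default, then system/default."""
    parts = path.split("/")          # ['etc', 'system'|'apps', ...]
    if parts[1] == "system":
        return (0, "") if parts[2] == "local" else (3, "")
    app, layer = parts[2], parts[3]
    return (1, app) if layer == "local" else (2, app)


def merged_conf(tree, conf_name):
    """Merge every copy of conf_name, highest precedence first, so a key
    already set by a higher layer is never overwritten by a lower one."""
    paths = sorted((p for p in tree if p.endswith("/" + conf_name)),
                   key=index_time_rank)
    merged = {}
    for path in paths:
        for stanza, keys in parse_conf(tree[path]).items():
            target = merged.setdefault(stanza, {})
            for key, value in keys.items():
                target.setdefault(key, value)
    return merged


if __name__ == "__main__":
    # prints the effective stanza, much like `splunk btool props list`
    for stanza, keys in merged_conf(SAMPLE_TREE, "props.conf").items():
        print(f"[{stanza}]")
        for key, value in sorted(keys.items()):
            print(f"{key} = {value}")
```

Note the two apps: search/local beats unix/local for TIME_PREFIX purely because "search" sorts before "unix", which is why the cards recommend a naming convention for deployment apps.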
70
Can you set the sourcetype in inputs.conf or indexes.conf?
inputs.conf (indexes.conf defines indexes, not sourcetypes)
72
Installing a forwarder on a remote machine to...
1. Gather data
2. Send it across the network to Splunk indexer(s)
73
What kind of port do indexers listen on for forwarded data?
A receiving port (9997 by convention)
74
What do UF's gather data from and where do they send it?
From a host and send it to indexers
75
UFs are specifically designed to run on production servers. The three things that make that possible are...
1. Minimal CPU usage
2. Output bandwidth constrained to 256 KBps by default (maxKBps)
3. No web interface; cannot search or index
76
UF's have a separate installation binary that has what...
built-in license with no limits
77
What is the install directory for a UF?
/opt/splunkforwarder
78
UF configuration steps
Sys admin:
1. Set up a receiving port on each indexer (only needs to be done once)
Data admin:
2. Download and install the UF
3. Set up forwarding on each forwarder
4. Add inputs on the forwarders
79
Can Splunk run without administrator privileges?
Yes
80
Defining a target indexer command
splunk add forward-server <indexer>:<receiving-port>
* The forwarder's own logs are automatically sent to the indexer's _internal index
81
How to check for a successful connection from the indexer
- GUI: index=_internal host=<forwarder_hostname>
- CLI: splunk display listen
82
How to check for a successful connection from the forwarder
- View the current forwarder-to-indexer config: splunk list forward-server
- Remove a target indexer setting: splunk remove forward-server <indexer>:<port>
83
Compressing the feed
- Cost: a slight increase in CPU utilization
- To compress all feeds, set compression on the indexer
- To compress selected feeds, set compression on those forwarders
84
Turning on SSL (2)
- Can increase the CPU usage | - Automatically compresses the feed
85
What is the default certificate password?
password (for the self-signed certificates Splunk ships with; change the password and replace the default certificates before relying on SSL in production)
86
Automatic load balancing (3)
- A switch happens only when the forwarder detects EOF (or a pause in I/O)
- Time-based load balancing: default frequency is 30 seconds (autoLBFrequency)
- Volume-based load balancing: set by how much data a forwarder sends before switching (autoLBVolume)
87
What is the key to making distributed search or clustering work efficiently?
Load balancing, e.g. in outputs.conf:
[tcpout:splunk_indexers]
server = splunk1:9997, splunk2:9997, splunk3:9997
88
How should you enable the event breaker on the UF?
Per Sourcetype
89
When does a UF know when to switch to the next indexer? (2)
- an EOF is detected | - a short break in IO activity
90
Where do you add the event breaker setting on UF?
props.conf
91
Maximum amount of data the forwarder queues if the receiver can't be reached?
maxQueueSize = 500KB
92
Is Indexer Acknowledgement enable or disabled by default?
Disabled
93
By how many times does the Indexer Acknowledgement increase the maxQueueSize?
3x
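As an added example (not from the flashcards), a forwarder-side outputs.conf that combines the settings from the cards above (three load-balanced indexers, time-based switching, compression, SSL and indexer acknowledgement) together with the matching receiving stanza on the indexer side. The hostnames, certificate paths and the replacement password are assumptions made for the example.

```ini
# outputs.conf on the forwarder (e.g. $SPLUNK_HOME/etc/system/local)
[tcpout]
defaultGroup = primary_indexers

[tcpout:primary_indexers]
# load balancing across three indexers (hostnames are assumed)
server = splunk1.example.com:9997, splunk2.example.com:9997, splunk3.example.com:9997
# time-based LB: pick a new target every 30 s (the default); the switch still
# waits for EOF or a pause in I/O so an event is never split across indexers
autoLBFrequency = 30
# volume-based LB instead: bytes sent to one indexer before switching
# autoLBVolume = 1048576
compressed = true
# indexer acknowledgement: disabled by default; enabling it enlarges the
# in-memory output queue (maxQueueSize) because data is held until acked
useACK = true
# SSL to the indexers (implies compression); paths and password are assumptions
sslCertPath = $SPLUNK_HOME/etc/auth/forwarder.pem
sslRootCAPath = $SPLUNK_HOME/etc/auth/cacert.pem
sslPassword = ChangeMe-not-the-default-password
sslVerifyServerCert = true

# inputs.conf on each indexer: the receiving port, SSL variant
[splunktcp-ssl:9997]
# set here to compress every inbound feed rather than per forwarder
compressed = true

[SSL]
serverCert = $SPLUNK_HOME/etc/auth/server.pem
password = ChangeMe-not-the-default-password
```

Verify from both ends as the cards describe: `splunk list forward-server` on the forwarder and `splunk display listen` on the indexer, then search `index=_internal host=<forwarder>` to confirm the forwarder's own logs are arriving.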
94
Use cases for a HF | 4
- Anonymizing or masking incoming data before forwarding it to an indexer
- A predictable version of Python is needed (e.g. for scripted/modular inputs)
- No network access to the indexers from the sources
- Required by an app
95
What .conf file can you deploy from the deployment server?
inputs.conf
96
Splunk can receive data from another instance with what CLI command?
./splunk enable listen <receiving-port>
97
How to configure a HF as a deployment client of the DS
./splunk set deploy-poll <DS-host>:<DS-management-port> (creates deploymentclient.conf)
98
Two ways to configure the HF to forward data to the indexers
- Manually using the CLI
- Deploy an outputs.conf from the DS
99
Deployment Server (4)
A built-in tool for managing the configuration of Splunk instances.
- Allows you to manage remote Splunk instances centrally
- Requires an Enterprise license
- Handles the job of sending configs packaged as apps
- Can automatically restart remote Splunk instances
100
What is Forwarder Management?
a graphical interface on top of the deployment server
101
Server class
maps a client group to one or more deployment apps - gets saved in serverclass.conf
102
Deployment clients
Splunk instances connected to the DS that "phone home" to it. The connection is established from the deployment client side.
103
Deployment app best practices
- Create small and discrete deployment apps
- Take advantage of .conf file layering
- Use a naming convention
104
Apps/Add-ons
Must be installed in $SPLUNK_HOME/etc/apps. Splunk Web does not exist on a UF.
105
To enable forwarder management
1. On the DS, add one or more apps under $SPLUNK_HOME/etc/deployment-apps
2. In the Forwarder Management UI, create one or more server classes
3. On the forwarders, run: splunk set deploy-poll <DS-host>:<DS-management-port>
4. Verify on the DS
5. Verify on the forwarders in $SPLUNK_HOME/etc/apps
106
Monitoring Console
- Runs every 15 minutes by default
- Relies on internal logs
107
** A monitor input can define a directory tree as the data source.
- Splunk recursively traverses the directory structure
- All discovered text files are consumed, including compressed files
- Compressed files are unzipped automatically before ingesting, one at a time
- Any files added to the directory tree in the future are included
- Log file rotation is detected and handled automatically
108
followTail
- Splunk ignores the existing content of the file but indexes new data as it arrives
- Do NOT leave followTail enabled indefinitely
109
ignoreOlderThan
- A file whose modtime falls outside this time window will not be indexed
- Once a file is ignored it is never considered as an input again, even if it is updated later
110
Monitor input options in inputs.conf
- The stanza can contain a wildcard
- All attributes (sourcetype, host, index, etc.) are optional
- Defaults apply if omitted; the default host is set in etc/system/local/inputs.conf
111
host_segment
host_segment = N uses the Nth segment of the file's directory path as the host field (e.g. host_segment = 3 on /var/log/web01/app.log yields web01).
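Added example (not from the flashcards): the monitor-path wildcard rules from the `*` and `...` cards above and the host_segment rule from this card, applied in Python to a constructed file list. The wildcards are translated with the regex equivalents Splunk documents for them (`*` to `[^/]*`, `...` to `.*`); the file names and host names are invented for the example.

```python
"""Added example (not from the flashcards): Splunk monitor-path wildcards and
host_segment, applied to a constructed file list."""
import re


def monitor_path_to_regex(monitor_path):
    """Translate a monitor path using the regex equivalents Splunk documents:
    '...' -> '.*' (recurses through subdirectories), '*' -> '[^/]*' (stays
    inside one path segment). Everything else is matched literally."""
    pattern = re.escape(monitor_path)
    pattern = pattern.replace(r"\.\.\.", ".*")
    pattern = pattern.replace(r"\*", "[^/]*")
    return re.compile("^" + pattern + "$")


def select_files(monitor_path, candidate_files):
    """Files the monitor stanza would pick up from the candidates."""
    rx = monitor_path_to_regex(monitor_path)
    return sorted(f for f in candidate_files if rx.match(f))


def host_from_segment(path, host_segment):
    """host_segment = N takes the Nth path segment, counting '/var' as 1."""
    segments = [s for s in path.split("/") if s]
    if host_segment < 1 or host_segment > len(segments):
        raise ValueError(f"host_segment {host_segment} out of range for {path}")
    return segments[host_segment - 1]


# Constructed sample files (invented hosts and paths)
SAMPLE_FILES = [
    "/var/log/web01/access.log",
    "/var/log/web01/nginx/error.log",
    "/var/log/web02/access.log",
    "/var/log/db01/archive/2024/postgres.log",
    "/var/log/syslog",
]

if __name__ == "__main__":
    for mp in ("/var/log/*/access.log", "/var/log/.../*.log", "/var/log/*"):
        print(mp, "->", select_files(mp, SAMPLE_FILES))
    print(host_from_segment("/var/log/web01/access.log", 3))
```

The first pattern stops at one directory level, so web01/nginx/error.log is not picked up; the `...` pattern reaches it and the archive three levels down, and `/var/log/*` matches only files sitting directly in /var/log.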
112
Editing inputs
- Editing inputs.conf only affects new data
- Splunk monitor inputs are tracked by the fishbucket
- Data is NOT re-indexed when inputs.conf is edited
113
Re-indexing after editing inputs
- Delete the old data on the indexer(s)
- Change inputs.conf on the deployment server (or the forwarders)
- Reset the fishbucket checkpoint on the involved forwarders
- Restart
114
What does resetting the monitor checkpoint do?
Re-indexes ALL the data, resulting in more license usage and duplicate events.
115
btprobe
- Used to reset the checkpoint for an individual input
- Requires stopping the forwarder or indexer first
116
Network inputs on a forwarder
Receiving TCP/UDP inputs on a forwarder (rather than directly on the indexer) adds a layer of resiliency to your topology: buffering, load balancing, cloning, etc. An indexer restart then does not cause data loss for the TCP or UDP inputs.
117
connection_host
defines how the host field is set (dns, ip, none)
118
**acceptFrom
A list of address rules separated by spaces or commas; the first matching rule wins:
- a single IPv4 or IPv6 address
- a CIDR block
- a DNS name (may contain a * wildcard)
- a lone * (matches anything); a leading ! negates a rule
119
queueSize
- Defaults to 500KB
- Independent of the forwarder's maxQueueSize
120
Persistent queue
- Provides file-system buffering of data
- Adds additional buffer space after the memory buffer; enabled by setting persistentQueueSize on the input
- Written to disk on the forwarder under $SPLUNK_HOME/var/run/splunk
- Useful for high-volume data that must be preserved when it cannot be forwarded, such as when the network is unavailable
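As an added example (not from the flashcards), one inputs.conf for a forwarder that exercises the monitor and network-input settings from the cards above: a recursive directory monitor with host_segment and ignoreOlderThan, and a TCP input with connection_host, an acceptFrom list, an in-memory queue and a persistent queue. Paths, ports, index names and networks are assumptions made for the example.

```ini
# inputs.conf on a forwarder (constructed example)

# directory-tree monitor: '...' recurses, '*' stays inside one path segment
[monitor:///var/log/.../*.log]
index = os
sourcetype = syslog
# /var/log/<hostname>/app.log -> the 3rd segment becomes the host field
host_segment = 3
# files whose modtime is older than 7 days are skipped, permanently
ignoreOlderThan = 7d
# compressed files would otherwise be consumed too; exclude rotated archives
blacklist = \.(gz|bz2|zip)$

# TCP syslog received on the forwarder: adds buffering in front of the indexers
[tcp://1514]
index = network
sourcetype = syslog
connection_host = dns
# first matching rule wins: block one subnet, allow the rest of 10/8 and corp hosts
acceptFrom = !10.0.5.0/24, 10.0.0.0/8, *.corp.example.com
# in-memory buffer (independent of the forwarder's maxQueueSize)
queueSize = 1MB
# spills to disk under $SPLUNK_HOME/var/run/splunk when the memory buffer is
# full and the indexers are unreachable
persistentQueueSize = 100MB

[udp://514]
index = network
sourcetype = syslog
connection_host = ip
```

Check what actually took effect with `splunk btool inputs list --debug`, which also shows which file each setting came from; remember it reports the on-disk merge, so restart the forwarder after editing.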
121
UDP
By default Splunk merges incoming UDP data until it finds a timestamp. This can be overridden during the parsing phase.
122
HEC (HTTP Event Collector)
- Secure and scalable
- Disabled by default
123
StatsD
- Network daemon that runs on the Node.js platform
- Client libraries available in many programming languages
- Primarily used to measure the performance of application code
- Introduces the statsd line metric protocol, usually sent over UDP/TCP
124
collectd
- Open-source daemon that collects performance metrics from a variety of sources
- Primarily used to measure infrastructure performance (about 100 front-end plugins: CPU, memory, disk, network, uptime, load, etc.)
- Can send data to HEC using the write_http plugin
125
mcollect
| mcollect index=<metrics_index>
- Converts events into metric data points, then writes them to the metrics index on the search head
- Causes new data to be written to the metrics index on every run of the search
- If the search head forwards its data to the indexers, the data is written on the indexer instead of the search head
126
mcatalog
- Returns a list of values from all metrics indexes, unless an index name is specified in the WHERE clause
- Use it to discover the values (metric names and dimensions) that are available for searching and analysis
127
props.conf
a config file that is referenced during all phases of Splunk data processing.
128
Where can you use wildcards and regex in props.conf stanza names?
1. source::
2. host::
(sourcetype stanzas take a plain name only)
129
What do you use to override the default UTF-8 encoding?
CHARSET (e.g. CHARSET = ISO-8859-1 in the sourcetype stanza)
130
Event Boundaries
automatically handles line breaking for common source types, even multi-line events
131
Is SHOULD_LINEMERGE for single- or multi-line events?
SHOULD_LINEMERGE = true (the default) merges lines into multi-line events according to the BREAK_ONLY_BEFORE* rules; set it to false for single-line sourcetypes, which is cheaper to parse.
132
Multi-line events
- Looks for a new line with a date at the start: BREAK_ONLY_BEFORE_DATE = true (default)
- Allows a maximum of 256 lines per event: MAX_EVENTS = 256 (default)
- Many other options, for example BREAK_ONLY_BEFORE = <regex>
133
What .conf is custom timestamp extraction in?
props.conf
134
TIME_PREFIX =
matches character right BEFORE the date/timestamp.
135
MAX_TIMESTAMP_LOOKAHEAD =
Specifies how many characters to look for the timestamp after the TIME_PREFIX match (or, with no TIME_PREFIX, from the start of the event)
136
When possible, define meta field values during the what phase?
Input phase.
137
What are the two methods of raw-data transformation?
- SEDCMD: uses only props.conf
- TRANSFORMS: uses props.conf and transforms.conf
138
A transform is based on what attributes?
- SOURCE_KEY indicates which data stream to use as the source for pattern matching (default: _raw)
- REGEX identifies the events from the SOURCE_KEY that will be processed (required); may define capture groups
- DEST_KEY indicates where to write the processed data (required)
- FORMAT controls how REGEX writes to the DEST_KEY (required)
139
If Error or Warning is found in the incoming _raw, what should its index field value be changed to?
itops
140
What does (?i) mean?
Ignore case (case-insensitive matching). Do not confuse it with (?!...), which is a negative lookahead.
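As an added example (not from the flashcards), a props.conf/transforms.conf pair that puts the parsing cards above to work on one sourcetype: line merging with BREAK_ONLY_BEFORE, timestamp extraction with TIME_PREFIX and MAX_TIMESTAMP_LOOKAHEAD, a SEDCMD masking transform that needs only props.conf, the TRANSFORMS route that sends Error/Warning events to the itops index, and the per-sourcetype EVENT_BREAKER a UF would use. The sourcetype name, timestamp format and masking regex are assumptions made for the example.

```ini
# props.conf (indexer or heavy forwarder; a UF honours only the EVENT_BREAKER lines)
[app_log]
# --- event boundaries ---
SHOULD_LINEMERGE = true
BREAK_ONLY_BEFORE = ^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}
MAX_EVENTS = 256
# --- timestamp extraction ---
TIME_PREFIX = ^
MAX_TIMESTAMP_LOOKAHEAD = 23
TIME_FORMAT = %Y-%m-%d %H:%M:%S,%3N
# --- raw-data transformations ---
# 1) SEDCMD needs only props.conf: mask the middle six digits of 16-digit numbers
SEDCMD-mask_pan = s/\b(\d{6})\d{6}(\d{4})\b/\1XXXXXX\2/g
# 2) TRANSFORMS pairs with a transforms.conf stanza: re-route errors/warnings
TRANSFORMS-route = route_errors_to_itops
# --- UF-side event breaker, enabled per sourcetype ---
EVENT_BREAKER_ENABLE = true
EVENT_BREAKER = ([\r\n]+)(?=\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})

# transforms.conf
[route_errors_to_itops]
SOURCE_KEY = _raw
# (?i) makes the match case-insensitive; (?!...) would be a negative lookahead
REGEX = (?i)\b(error|warning)\b
DEST_KEY = _MetaData:Index
FORMAT = itops
```

Because SEDCMD and TRANSFORMS run at index time, they only affect data that arrives after the restart; already-indexed events keep their original _raw and index, which is why masking must be in place before the first byte of sensitive data is forwarded.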
141
Indexed extractions are the what phase of what .conf
Input phase of props.conf
142
Does Splunk software re-parse structured data (INDEXED_EXTRACTIONS) that a forwarder has already parsed and forwarded to an indexer?
No
143
What is a lookup?
A Splunk data-enrichment knowledge object
- Used only at search time
- Lookup stanzas are defined in transforms.conf and props.conf
144
Four types of lookups
- File-based: uses a CSV file stored in the lookups directory
- KV Store: requires collections.conf, which defines the fields
- External: uses a Python script or an executable in the bin directory
- Geospatial: uses a KMZ saved in the lookups directory to support the choropleth visualization
145
Other types of .conf files
macros.conf, tags.conf, eventtypes.conf, savedsearches.conf, etc.