Splunk Admin Cert

Question 1

Installing an app from a file

3

Answer 1

1. Download from Splunkbase
2. Install from Splunkweb OR the CLI with: splunk install app path-to-appfile
3. Extract: cd SPLUNK_HOME/etc/apps tar -xf path-to-appfile

Question 2

Deleting an app command

2

Answer 2

. ./splunk remove app

2. Navigate to SPLUNK_HOME/etc/apps and delete the folder
   * restart server for both

Question 3

Two ways to install an add-on or app on a forwarder

Answer 3

. CLI

2. Use deployment server to deploy app.

Question 4

DO UF’s(Universal Fowarder) have a web interface?

Answer 4

No, Heavy Fowarders do. They can still use apps.

Question 5

Does user have default permissions to write in search app?

Answer 5

No

Question 6

Users with read permissions can do what?

Users with write permission can do what?

Answer 6

Read: See app and use it

Write: add/delete/modify knowledge objects used in the app

Question 7

Where are apps installed?

Answer 7

SPLUNK_HOME/etc/apps

Question 8

Can UF parse data?

Answer 8

NO

Question 9

Can HF parse data?

Answer 9

YES

Question 10

Enterprise Trial License limits

3

Answer 10

1. 500mb per day limit
2. Valid for 60 days, at which point the other 3 license types must be activated
3. Sales trial license is a trial of varying size and duration

Question 11

Enterprise License

4

Answer 11

1. Purchased from Splunk
2. Full functionality for indexing, search head, deployment server, etc.
3. Sets daily indexing volume
4. No-enforcement license, can keep searching even if in license violation period.

Question 12

Free License

2

Answer 12

1. Disables alerts, authentication, clustering, distributed search, summarization and forwarding to non-splunk users.
2. Allows 500mb/day of indexing and forwarding

Question 13

License Violations

Answer 13

5 warning on Enterprise, 3 on free trial, in a rolling 30-day period is a violation.

*resets at midnight

Question 14

Forwarder License

3

Answer 14

.Sets up the server as a heavy forwarder.

2. Applies to non-indexing forwarders
3. Allows authentication, but no indexing

Question 15

Metrics Data

Answer 15

counts against a license at a fixed 150 bytes per metric event

*draws from same license quota as event data

Question 16

If you update a .conf file but do not restart the instance of splunk, then run a btool on that .conf file, will you see your updates afters running the btool command?

Answer 16

YES

Question 17

What do license pools do?

Answer 17

Allow licenses to be subdivided amongst a group of indexers

Question 18

What is the license path?

Answer 18

SPLUNK_HOME/etc/licenses

Question 19

T/F: Splunk provides licenses for metrics and events data

Answer 19

False. They share the same license quota as event data.

Question 20

T/F: Search Heads also need an Enterprise License (or set as a slave to a License Master with an Enterprise License_ even though we have no configured any inputs.

Answer 20

True

Question 21

T/F: If you exceed the daily license quota in a pool, your license will go into a violation.

Answer 21

False

Question 22

An app is a collection of..

Answer 22

Configuration files, scripts, web assets

Question 23

Can apps be installed on any Splunk instance?

Answer 23

Yes

Question 24

T/F: Write permissions to an app means that the user’s role is able to modify the app.

Answer 24

False. User’s role with write can add/delete/modify

Question 25

T/F: Universal forwarders don’t have a web interface, but they can still benefit from an app.

Answer 25

True

Question 26

Two required fields for adding native users

Answer 26

Username and Password

Question 27

Optional fields for adding native users

4

Answer 27

• Full name and email address (defaults to none)
  – Time zone (defaults to search head time zone)
  – Default app (defaults to role default app, or home if no role default app)
  – Role(s)
  Defaults to user
  *add password on first login

Question 28

What does a new role inherit? (2)

Answer 28

Capabilities and Index Access

Question 29

Where do you store and manage your local configs?

Answer 29

(SPLUNK_HOME/etc/apps/search/local)

Question 30

How to use btool to debug monitor

Answer 30

splunk btool inputs list monitor:///var/log –debug

Question 31

Where does Splunk input data?

Answer 31

SPLUNK_HOME/var/lib/splunk

Question 32

What are the paths for buckets?

Answer 32

Hot/warm: $SPLUNK_HOME/var/lib/splunk/defaultdb/db/*

Cold: $SPLUNK_HOME/var/lib/splunk/defaultdb/colddb/*

Frozen: Directory to where I specify or deleted

Thawed:$SPLUNK_HOME/var/lib/splunk/defaultdb/thaweddb/

Question 33

What .conf do forwarders require?

Answer 33

outputs.conf

Question 34

How to check for successful connection for indexer and forwarder.

Answer 34

Indexer: splunk display listen
Forwarder: splunk list forward-server

Question 35

How do distributed search peers run searches?

Answer 35

In parallel

Question 36

What phase does the licensing happen?

Answer 36

Indexing

Question 37

What are Knowledge Bundles distributed to and by what?

Answer 37

Distributed to search peers by search head when intitiated

Question 38

Knowledge bundle directories

Answer 38

Search Head: SPLUNK_HOME/var/run

Search Peer: SPLUNK_HOME/var/run/searchpeers

Question 39

Distributing indexes and search loads across multiple servers facilitates what kind of scaling?

Answer 39

Horizontal

Question 40

What event breaker do you use for a single line event?

Answer 40

EVENT_BREAKER_ENABLE

Question 41

What event breaker do you use for a multi-line event?

Answer 41

EVENT_BREAKER = regex

Question 42

What does * do?

Answer 42

Matches anything in that specific directory path segment but does not go beyond that segment in the path.

Question 43

What does … do?

Answer 43

Recurses through directories and subdirectories to match

Question 44

Where should you forward search head indexes to?

Answer 44

the search peer (indexer) layer

Question 45

What files does a splunk diag produce?

Answer 45

tar.gz and diag.log

Question 46

Search Head Clustering

Answer 46

Replicated knowledge objects across search heads

Question 47

Indexer Clustering

Answer 47

Replicated buckets (data) across indexers
Can be configured as single or multi site
Allows you to balance growth, speed of recovery and overall disk usage

Question 48

Additional Components of a cluster

Answer 48

Node
Monitoring Console
Deployment Server
Deployer
License Master

Question 49

Can a splunk indexer function as a cluster?

Answer 49

Yes

Question 50

Where does Authentication Method save it’s settings?

Answer 50

authentication.conf

Question 51

User accounts stored in directory server

Answer 51

– Enforces LDAP user account and password policies
– Users use the same user name and password in Splunk that they use elsewhere
– LDAP groups must be mapped to Splunk roles  Or, this can be done manually in Splunk

Question 52

Is the LDAP server rechecked each time a user logs into Splunk?

Answer 52

Yes

Question 53

Can a user log in to LDAP Groups if they don’t have a Splunk Role?

Answer 53

No

Question 54

Can Splunk native user be edit or deleted?

Answer 54

Both

Question 55

What can be changed on LDAP or other users?

Answer 55

Time Zone and default app

Question 56

What does Identity Provider (IDP) do?

Answer 56

maintain the user credentials and handles authentication

Question 57

What are the aliases when configuring SAML?

Answer 57

Role
RealName
Mail

Question 58

When creating a SAML group, can multiple groups be mapped to a single user role?

Answer 58

Yes.

Question 59

Process for Duo Authentication Log on

Answer 59

1. Request Splunk Login
2. Check authentication/check group mapping
3. DUO MFA
4. Create User Session
5. Log user in Splunk

Question 60

Continuously monitoring created a stanza where?

Answer 60

inputs.conf

One-time indexing does not create a stanza in inputs.conf

Question 61

What does data preview do?

Answer 61

displays how your processed events will be indexed

Question 62

What phase of the distributed model does license metering happen?

Answer 62

Indexer Phase

Question 63

Is the deployment client part of Splunk Enterprise or the UF?

Answer 63

UF

Question 64

What can you use to change settings in Splunk .conf files?

Answer 64

Splunk Web, CLI, SDK, app install, and/or direct edit

Question 65

When Splunk starts, how are config files merged together?

Answer 65

a single run-time model for each file type

Question 66

At index-time merging, does local or default take precedence?

Answer 66

local

Question 67

What are Input and Parsing handled by at index-time?

Answer 67

Input: handled at source (usually a forwarder)
Parsing: handled by indexers (or heavy forwarders)

Question 68

How is the license meter run during the index phase?

Answer 68

As data and initially written to disk, prior to compression.

Question 69

What is the index-time precedence?

Answer 69

1. etc/system/local
2. etc/apps/search/local
3. etc/apps/unix/local
4. etc/apps/search/default
5. etc/apps/unix/default
6. etc/system/default

Question 70

Can you modify the sourcetype in inputs.conf or index.conf

Answer 70

inputs.conf

Question 71

What does Data Preview display?

Answer 71

how your processed events will be indexed

Question 72

Installing a forwarder on a remote machine to…

Answer 72

1. Gather data

2. Send it across the network to Splunk indexer(s)

Question 73

What kind of port to indexers listen on for the forwarded data?

Answer 73

Receiving port

Question 74

What do UF’s gather data from and where do they send it?

Answer 74

From a host and send it to indexers

Question 75

UF’s are specifically designed to run on production servers. The three things for that are…

Answer 75

1. Minimal CPU Usage
2. Output bandwidth constrained to 256 KBps by default
3. No web interface, cannot search or index

Question 76

UF’s have a separate installation binary that has what…

Answer 76

built-in license with no limits

Question 77

What is the install directory for a UF?

Answer 77

/opt/splunkforwarder

Question 78

UF Configuration Steps

Answer 78

Sys admin 1. Set up a receiving port on each indexer. Only need to do once.
Data admin 2. Download and install UF
3. Set up forwarding on each forwarder
4. Add inputs on forwarders

Question 79

Can Splunk run without administrator privileges?

Answer 79

Yes

Question 80

Defining a target indexer command

Answer 80

splunk add forward-server indexer: receiving-port

• forwarder logs are automatically sent to the indexer’s _internal index

Question 81

How to check for successful connection from the indexer

Answer 81

GUI: index=_internal host=forwarder_hostname
CLI: splunk display listen

Question 82

How to check for successful connection from the forwarder

Answer 82

View current forwarder to index config: splunk list forward-server

Remove target index setting: splunk remove forward-server indexer:port

Question 83

Benefit of compressing the feed

Answer 83

• Slight increases CPU utilization

If you want to compress all feeds, set compression on indexer

If you want to compress select feeds, set compression on forwarder

Question 84

Turning on SSL (2)

Answer 84

• Can increase the CPU usage

- Automatically compresses the feed

Question 85

What is the default certificate password?

Answer 85

password

Question 86

Automatic Load balancing (3)

Answer 86

• Switch happens only when the forwarder detects EOF
• Time-based load balancing default frequency is 30 seconds
• Volume-based load balancing is set on how much data a forwarder send before switching

Question 87

What is the key to making distributed search or clustering work efficiently

Answer 87

Load balancing

[tcpout:splunk_indexer]
server=slunk1: 9997, splunk2: 9997, splunk3: 9997

Question 88

How should you enable the event breaker on the UF?

Answer 88

Per Sourcetype

Question 89

When does a UF know when to switch to the next indexer? (2)

Answer 89

• an EOF is detected

- a short break in IO activity

Question 90

Where do you add the event breaker setting on UF?

Answer 90

props.conf

Question 91

Maximum amount of data the forwarder queues if receiver isn’t reached?

Answer 91

maxQueueSize = 500kb

Question 92

Is Indexer Acknowledgement enable or disabled by default?

Answer 92

Disabled

Question 93

By how many times does the Indexer Acknowledgement increase the maxQueueSize?

Answer 93

3x

Question 94

Use cases for HF

4

Answer 94

• anonymizing or masking or incoming data before forwarding to an indexer
• predictable version of Python is needed
• No access to indexers
• Required by an app

Question 95

What .conf file can you deploy from the deployment server?

Answer 95

inputs.conf

Question 96

Splunk can receive data from other instance with what CLI command?

Answer 96

./splunk enable listen

Question 97

How to configure HF as a deployment client to the DS

Answer 97

./splunk set deploy-poll

creates a deploymentclient.conf

Question 98

Two ways to configure the HF to forward the data to the indexers.

Answer 98

• Manually using CLI

- Deploy outputs.conf from the DS

Question 99

Deployment Server (4)

Answer 99

a built-in tool for managing configuration of Splunk instances.

• Allows you to manage remote splunk instances centrally
• Requires enterprise license
• Handles job of sending configs packaged as apps
• can auto restart remote splunk instances

Question 100

What is Forwarder Management?

Answer 100

a graphical interface on top of the deployment server

Question 101

Server class

Answer 101

maps a client group to one or more deployment apps

• gets saved in serverclass.conf

Question 102

Deployment clients

Answer 102

Splunk instances that are connected to the DS that are phoning home. You establish the connection from the DC.

Question 103

Deployment App best practice

Answer 103

• create small and discrete deployment apps
• take advantage of .conf file layering
• use a naming convention

Question 104

Apps/Add-ons

Answer 104

must be installed in /etc/apps

Splunk web does no exist on a UF

Question 105

To enable forwarder management

Answer 105

1. On the DS, add one or more apps in /etc/deployment-apps
2. in the Forward Management UI, create one or more server classes
3. On forwarders, run “splunk set deploy-poll
4. Verify on the DS
5. Verify on forwarders in etc/apps

Question 106

Monitoring Console

Answer 106

• runs every 15 minutes by default

- relies on internal logs

Question 107

** A monitor input can define a directory tree as the data source. (3)

Answer 107

• Splunk recursively traverses through the directory structure
• All discovered text files are consumed, including compressed files
  
  • unzips compressed files automatically before ingesting them, one at a time
• Any files added to the directory tree in the future are included
  - auto detects and handles log file rotation

Question 108

followTail

Answer 108

• Splunk ignores existing content in the file, but indexes new data as it arrives
• DO NOT leave followTail enabled indefinitely

Question 109

ignoreOlderThan

Answer 109

• A file whose modtime falls outside this time window will not be indexed
  
  • After a file is ignored, it will never be considered as an input again, even if it is updated

Question 110

Monitor input options in inputs.conf

Answer 110

• Can contain a wildcard in stanza
• All attributes (sourcetype, host, index, etc.) are optional
• Defaults apply if omitted and default host is in etc/system/local/inputs.conf

Question 111

Host_segment

Answer 111

the number at the end (e.g. host_segment = 3) uses that numbers segment of the directory path as the host name for files in that directory.

Question 112

Editing inputs

Answer 112

• editing inputs.conf only changes new data
• Splunk monitor inputs are tracked by fishbucket
• Does NOT re-index when inputs.conf is edited

Question 113

Re-index for editing inputs

Answer 113

• Delete old data on indexer(s)
• change the inputs.conf on the deployment server (or forwarders)
• Reset the fishbucket checkpoint on the involved forwarders
• Restart

Question 114

What does resetting the monitor checkpoint do?

Answer 114

Re-indexes ALL the data, resulting in more license usage and duplicate events.

Question 115

btprobe

Answer 115

• use to reset the checkpoint for an individual input

- Requires stopping forwarder or indexer

Question 116

Network inputs

Answer 116

Adds a layer of resiliency to your topology

• Buffering, load balancing, cloning, etc…
• Indexer restart will not cause data loss of TCP or UDP inputs

Question 117

connection_host

Answer 117

defines how the host field is set (dns, ip, none)

Question 118

**acceptFrom

Answer 118

List address rules separated by spaced or commas

• a single IPv4 or IPv6
• a CIDR block
• A DNS
• a wildcard * and !

Question 119

queueSize

Answer 119

• defaults to 500kb

- independent of the forwarder’s maxQueueSize

Question 120

Persistent Queue

Answer 120

• provides file-system buffering of data
• adds additional buffer space after memory buffer. Must set a queueSize.
• written to disk on the forwarder in home/var/run/splunk.
• Useful for high-volume data that must be preserved in situations where it cannot be forwarded, such as if the network is unavailable.

Question 121

UDP

Answer 121

Splunk merges the UDP data until it finds a timestamp by default
-Can override during the parsing phase

Question 122

HEC (HTTP event collector)

Answer 122

• secure and scalable

- disabled by default

Question 123

StatsD

Answer 123

– Network daemon that runs on the Node.js platform
– Client libraries available in many programming languages
– Primarily used to measure performance of application code
– Introduces statsd line metric protocol, often sent UDP/TCP

Question 124

collectD

Answer 124

– Open source daemon that collects performance metrics from a variety of sources
– Primarily used to measure infrastructure performance
 100 frontend plugins
 CPU, memory, disk, network,
uptime, load, etc.
– Can send data to HEC
 Using write_http_plugin

Question 125

mcollect

Answer 125

mcollect index=
• mcollect converts events into metric data points, then writes the converted metric index on the search head
• Causes new data to be written to a metric index for every run of the search
• If you are forwarding data to the indexer, your data will be inserted on the indexer instead of the search head

Question 126

mcatalog

Answer 126

• mcatalog returns a list of values from all metric indexes, unless an index name is specified in the WHERE clause
• Use this command to determine the values – i.e., the metric names and dimensions – that are available for searching and analysis

Question 127

props.conf

Answer 127

a config file that is referenced during all phases of Splunk data processing.

Question 128

Where can you use wildcards and regex in props?

Answer 128

1. source::

2. hosts::

Question 129

What do you use to override utf-8 encoding?

Answer 129

charset

Question 130

Event Boundaries

Answer 130

automatically handles line breaking for common source types, even multi-line events

Question 131

is SHOULD_LINE_MERGE for single or multi line events?

Answer 131

Single

Set to true by default

Question 132

Mulit-Line Events

Answer 132

– Looks for a new line with a date at the start
BREAK_ONLY_BEFORE_DATE = true (default)
– Allows a maximum of 256 lines per event
MAX_EVENTS = 256 (default)
– Many other options – for example,
BREAK_ONLY_BEFORE =

Question 133

What .conf is custom timestamp extraction in?

Answer 133

props.conf

Question 134

TIME_PREFIX =

Answer 134

matches character right BEFORE the date/timestamp.

Question 135

MAX_TIMESTAMP_LOOKAHEAD =

Answer 135

specifies how many characters to look beyond the start of the line for a timestamp

Question 136

When possible, define meta field values during the what phase?

Answer 136

Input phase.

Question 137

What are the two methods of raw data transformations?

Answer 137

• SEDCMD: uses only props

- Tranforms: uses props.conf and transforms.conf

Question 138

Transformation is based on what attributes?

Answer 138

– SOURCE_KEY indicates which data stream to use as
the source for pattern matching (default: _raw)
– REGEX identifies the events from the SOURCE_KEY that will be processed (required)
 Optionally specifies regex capture groups
– DEST_KEY indicates where to write the processed data (required)
– FORMAT controls how REGEX writes the DEST_KEY (required)

Question 139

If Error or Warning is found in the incoming _raw, what should its index field value be changed to?

Answer 139

itops

Question 140

What does (?!) mean?

Answer 140

ignore case

Question 141

Indexed extractions are the what phase of what .conf

Answer 141

Input phase of props.conf

Question 142

Does Splunk software parse structured data that has been forwarded to an indexer?

Answer 142

Nope

Question 143

What is a lookup

Answer 143

A Splunk data enrichment knowledge object

• used only during search time
• lookup stanzas are defined in transforms and props

Question 144

Four types of lookups

Answer 144

– File-based uses a csv file stored in the
lookups directory
– KV Store requires collections.conf that
defines fields
– External uses a python script or an executable
in the bin directory
– Geospatial uses a kmz saved in the lookups
directory to support the choropleth visualization

Question 145

Other types of conf files

Answer 145

– macros.conf, tags.conf, eventtypes.conf, savedsearches.conf, etc.