Splunk SH Clustering & App Building Flashcards
What is Search Head Clustering?
A search head cluster is a group of Splunk Enterprise search heads that serve as a central resource for searching. You can access the same searches, dashboards, reports and so on from any member of the cluster. In a cluster each search head has the same information, just as each indexer in an indexer cluster has the same indexes. A search head cluster:
- Minimum of THREE nodes
- Share the same search artifacts
- Share the same configurations
- Allows more users to access the same data
- If one search head goes down, searching and data high availability will continue
Where does ES (enterprise security) typically reside?
At the search head server, which is not part of a cluster.
How are search heads within a cluster often referred to?
“core”
What is Horizontal Scaling?
Also known as scaling out: adding more equivalently functional components in parallel to spread out a load. In Splunk it means adding more of a specific component to the environment, for example adding more search heads to a SH cluster.
What do "scaling up" and "scaling out" mean?
Scaling out is adding more equivalently functional components in parallel to spread out a load. This would be going from two load-balanced web server instances to three instances. Scaling up, in contrast, is making a component larger or faster to handle a greater load.
How to make a search head run faster?
Scale it up (add more CPUs to the server)
Why Use Search Head Clustering?
What are search peers?
Search peers are the indexers that the search heads in a SH cluster run searches on.
What is the captain (in splunk)?
The captain is in charge of managing search head activities, such as coordinating search jobs and results distribution. The captain role can move between cluster members. It decides which member does a job based on the current load. It pushes knowledge objects to indexes. It coordinates the replication of objects. It also ensures that all members of the SH cluster have the same configurations.
If you create a report on one SH, the captain will replicate that report to every other search head within the cluster. The captain coordinates the cluster as well as performing the duties of a regular search head.
What is a job in splunk?
job = search
What is the knowledge object in Splunk?
A user-defined entity that enriches the existing data in Splunk Enterprise. You can use knowledge objects to get specific information about your data. When you create a knowledge object, you can keep it private or you can share it with other users. (Check Google for more info as I still don't understand what it is.)
Knowledge objects are the way Splunk gives form to the chaos of raw data. They are how you can create a multi-dimensional data structure that enables you to infer meaning and actionable insights from a steady stream of raw data.
Knowledge objects are a diverse set of classifications and constructs that make up Splunk’s data enrichment structure. They are how Splunk organizes meaning and stores it in a reusable form so you can share efforts and build upon the ideas of others. Fields, searches, and reports are all examples of knowledge objects.
The data is first stored on an indexer, and then you can write search queries and perform various operations on the data. You can set up knowledge objects to make operations smarter and to bring intelligence to your systems. These knowledge objects will monitor your events and give notifications when certain conditions occur. These results can be collated and visualized by creating reports and timecharts. Summing it up, knowledge objects are at the heart of enriching your data and creating intelligence.
Knowledge objects are user-defined entities used for extracting knowledge from existing or run-time data in order to enrich data.
What types of captain are there?
- Static captain: we pick a server and assign that search head the role of captain
- Dynamic captain: the search heads in the cluster select the SH which is the least busy at the time, and assign the role of SH captain to that component
What is the distributed environment?
A DS (deployment server) managing SH, IDX and forwarders without clustering.
What is a load balancer?
A server that manages the workload between multiple machines and resides between the users and the cluster members. With a load balancer in place, users can access the set of search heads through a single interface, without needing to specify a particular one. E.g.: we have a user who wants to search something. The load balancer's job is to decide which of the search heads is the least busy, and to direct the user to that search head.
What is a Deployer?
It is a Splunk Enterprise instance whose sole purpose is to deploy configurations to SH cluster nodes.
It stands outside of the cluster. Sometimes this component can share an instance with a LM (license master) and a DS (deployment server), but never with another cluster node.