Transitioning to Splunk Cloud Flashcards
What 5 things does Splunk Cloud Provide?
Hosted and supported by Splunk
Enterprise functionality on another’s machine
Reliability
Faster time to value
Cloud First Feature Releases
Can Splunk Cloud Accommodate both virtual and real infrastructure?
Yes
What two components can either be on prem or in the cloud with a cloud deployment?
-Universal Forwarder or Heavy Forwarder
-Intermediate UF/HF
What are the customer responsibilities for the cloud deployment?
-Forward the data
-Manage configs of sourcetype, index, contextual details
-Admin and coordinate changes: users, retention, configurations, needs associated with Splunk account team or PS
What are the two usage based license types a cloud customer can use?
Ingestion or Infrastructure
Describe ingest based license
-capabilities at set cost of ingest
-no additional costs to increase resources, or search activities
Describe infrastructure/workload based license
Splunk Virtual Core (SVC) units of data processing capacity used for a mix of ingest and search
-capabilities at a set infra size
-no ingest violations
-prioritizing index or search may impact performance
What are the 7 cloud benefits?
Cloud Support and Ops Provides:
advice/troubleshooting support
Asset management and automated infra deploy
Automated processing and implementation
Regular maintenance and upgrade
Monitor/alert system health/security
IT Ops and security specialists
24/7 NOC
Does Cloud have license pooling or access through the CLI to hosted components?
No and there is SH GUI access only
Can Apps be installed without a vetting process in the Cloud?
No, apps should comply with the vetting policy
What kind of secure forwarding does Cloud offer?
Secure SSL and TLS forwarding
What are the two Cloud Experiences offered?
Classic and Victoria
Victoria - Does not support/need Hybrid search, Inputs data manager, modular or scripted inputs. Uses Admin config Service API for HEC. Has the option to install premium apps
On Prem vs Cloud access differences
Cloud:
- no CLI
- vetted and approved apps permitted
- can't send TCP/UDP directly
- Scripted alerts only supported in approved apps
- License pooling not supported
- HEC enabled on port 443
- API available through API self service app or cloud support
- inbound TCP protocol only with SSL connection
Do Splunk Cloud Users have access to the CLI?
No
Can Direct TCP and syslog inputs be sent directly to Cloud?
Not in Cloud
How is the HEC enabled in the Cloud?
Via the ELB on port 443
What kind of network connection is supported in the cloud?
Inbound TCP protocol only with SSL secure connection
What are the authentication options for managed Splunk Cloud?
Splunk Native and SAML and LDAP
What are cloud apps installed via and deployed via?
Installed via search head and deployed via management app
When can Cloud apps be installed through self service?
When they are vetted, on splunkbase, or if the customer accepts the liability
With what release of Cloud are most apps self service installations?
Victoria
What are the parameters of TCP connections needed for Splunk Cloud?
TCP connections need an authorized role, secure token, credentials or certificate validation
What is a hybrid search Head?
On prem SH initiated search to Cloud, can run searches to combine data from multiple locations, blended search on prem and/or cloud indexers
-not used for premium app SH
How does Splunk Version Compatibility work for hybrid searches?
On prem SH must have same major.minor version as cloud
What are the limitations to a hybrid search topology?
Can’t search multiple cloud environments and a Cloud SH can not search on prem environments or another cloud
Can Hybrid SH perform scheduled searches?
No
With which method of searching can the search span multiple Cloud and enterprise environments?
Federated Search
Which method of searching requires special syntax of generating commands?
Federated Search
Which type of search, hybrid or federated, supports workload management?
Federated
Describe Federated Search version control and Architecture
Splunk 8.2.x and greater, and supports all search tier management architecture ( like clustering)
What three admin tasks occur at the source on-prem components?
Forwarding of events, input definition/parsing (on prem parsing/masking), problem isolation
Through what cloud component does the cloud admin manage knowledge objects?
Via splunk cloud search head
With what issues would a customer work with Cloud Support?
Perf and avail issues
Cloud deployment issues
Config changes and maintenance
Install and manage apps
What three things does the Cloud Monitoring Console (CMC) Provide?
Monitoring and details of topology
Ingestion and Search activity of data
Orientation on overall health and performance
How does the CMC (cloud Monitoring Console) differ from the on prem monitoring console?
CMC is pre-configured except for forwarder and workload manager
What is the purpose of the Cloud Migration Assessment App for Splunk?
Deploy on Monitoring Console server or SH to perform pre-checks and guidance on migration
What does the Phased Cloud Migration consist of?
Planning, Config and Artifact Migration, data Migration, Data collector Migration, post implementation checks
What is the average time for a cloud migration?
4-8 weeks
What does the planning phase of cloud migration consist of?
Assessing on prem splunk with health checks, gathering configs, recording priorities
What does the configuration phase of cloud migration consist of?
Preparing Cloud with indexes and authentication, configuring Cloud and IP-based access controls
What does the Artefact Migration phase of the cloud migration consist of?
Migrating search artefacts, apps, and workflows (dashboards, apps, alerts, field extractions etc)
What does the data migration phase of cloud migration consist of?
-replicate on prem data input and source types, check CIM, initiate historical data migration
-deploy credential app to forwarders, point data sources to splunk cloud, check inputs for ingest path, timestamp/linebreak/extractions
How is access to the cloud enabled?
With authentication credentials via the user interface
User account must be authenticated by splunk or external identity provider
Authorized by assignment to a splunk role(s)
What are the three ways of establishing a user account?
Native Splunk, LDAP/Active Directory, or SAML
What two files maintain the splunk access controls?
Authentication.conf
Is the user who they say they are
Authorization.conf
What resources they can access, tasks they can perform, limits are placed on them
How should customers audit or remove users?
Raise a support ticket
What capability is needed for user manager roles, and is default for sc admins?
Change_authentication capability
What authentication method is not supported by Cloud?
DUO two factor authentication
What is a good way to troubleshoot authentication issues?
Create a unique Splunk Native admin account
When can authentication replicate?
When set up on clustered search heads
When using a mix of native Splunk, LDAP, & SAML users, which will take precedence?
Splunk Native
What user role is reserved for Cloud Ops?
Admin Role
What are two additional user roles that Cloud offers?
Sc_admin and apps
What actions are Splunk Cloud Admin allowed to do and why?
edit/delete Splunk Native Users
Change time zone, and default app for LDAP/SAML users
Due to limited access in the Cloud
How are customer identity providers connected and managed?
Connected to splunk via internet and managed through splunk web
Does Splunk Cloud use existing customer configured accounts?
Yes, enforces user account and pw policies, and has the ability to use local usernames and pw in Splunk with the option to map IdP groups to Splunk roles
What must customers do to authenticate users in Cloud using LDAP?
-maintain read only, internet accessible LDAP servers
-authenticate and authorize in splunk
When does Splunk cache user data from LDAP?
The first time a user logs in AND it's reloaded for subsequent logins if an update has been made
How many Identity Providers (IdP) can a customer using SAML have?
Limitation is currently 1 IdP
What type of authentication uses digitally signed XML Certificates from an IdP?
SAML
T/F when mapping SAML Groups to roles, only one group can be mapped to one role
False, multiple groups can be mapped to one role
What are the roles that users can have in splunk Cloud?
sc_admin, power, user, apps, can_delete, tokens_auth
What Cloud user role has the highest number of capabilities?
sc_admin
Which user role can add custom user roles?
sc_admin
Which user role can manage apps and has some admin capabilities?
Apps user role
Define the can_delete user role
Not assigned to any user role or group by default
Can use |delete command to hide data
Define the token_auth user role capabilities
Enables users to configure token based authorization
Custom user role authorization is a combination of what 5 things?
Role inheritance, capabilities, index access, restrictions and resource usage limits
T/F You can adjust the capabilities of inherited roles
False, inherited capabilities or access cannot be disabled
When creating a new user role and assigning indexes, what does selecting the ‘default’ checkbox for an index imply?
The index will be automatically searched without a user specifying “index=<index_name>”
What are role based restrictions used for when setting up a new user role?
Used to restrict the searches a role can use: can set a default time range, indexes fields to filter, field values, concatenation option, and a specific search string to filter results
What do ‘Resources’ adjust when setting up a new user role?
Resources manage the
-role and user search job limit
-role search time window limit
-disk space limit
Can you validate or check on user capabilities in the Cloud?
Yes, using REST API, there are searches you can run to get capability info
What is Workload Management?
A rule-based management to allocate compute resources (CPU and Memory) to search, index, and other user workloads
What is the benefit of workload management?
Improve performance, resource availability and productivity:
Separate data ingest from search workload,
Prioritize critical search workloads
Isolate resource heavy searches
What are workload pools?
Logical containers to which resources (CPU/mem) are assigned as part of WLM
What are workload Rules?
A user-defined set of conditions that allocates a search to a workload pool automatically, or reduces the impact of expensive searches
EX of assigning pool by set criteria: role=security AND search_type=adhoc
What are workload management Admission Rules?
Filter searches automatically before execution based on user defined conditions like running searches in a certain time range and searches that use excessive resources
Why is “users unable to search” a commonly reported issue?
Unrestricted user access may tie up resources impacting access/functionality
Where might resource availability cause performance issues?
Data replication and search performance
Disk space/storage availability
What measures are taken for disaster recovery in the Cloud?
Site awareness - across 3 availability zones
Automatic index replication in which all copies are searchable
Splunk Cloud Users should be aware of what two indexes?
“main” - the default index accepts events not assigned an index
“lastchanceindex” pre-defined in Cloud accepting events sent to a non-existent index
What two key file types are within an index?
rawdata files: raw uncompressed data
tsidx files: Time series index files pointing to raw data
Is it best practice to use index=main when searching?
No it is best practice to segregate data into separate indexes and specify your specific index when searching
What type of indexes are available?
Event indexes - unstructured data stored as separate events
Metric indexes - metric data uses less storage and system resources with increased search speed
Describe the process by which new and updated indexes are deployed in Cloud.
Done through SH UI: changes transferred to Manager Node (MN) which creates a bundle push to files on indexers
How do buckets roll from hot to warm to cold in the indexes?
Roll by exceeding:
-number of buckets
-index size
-event age
Which index bucket is open for write?
Hot bucket