It is a software technology that is used for searching, visualizing, and monitoring machine-generated big data. It monitors and different types of log files and stores data in Indexers.

List out common ports used by Splunk.

Common ports used by Splunk are as follows:

Web Port: 8000
Management Port: 8089
Network port: 514
Index Replication Port: 8080
Indexing Port: 9997
KV store: 8191

Explain Splunk components

The fundamental components of Splunk are:

Universal forward: It is a lightweight component which inserts data to Splunk forwarder.
Heavy forward: It is a heavy component that allows you to filter the required data.
Search head: This component is used to gain intelligence and perform reporting.
License manager: The license is based on volume & usage. It allows you to use 50 GB per day. Splunk regular checks the licensing details.
Load Balancer: In addition to the functionality of default Splunk loader, it also enables you to use your personalized load balancer.

What do you mean by Splunk indexer?

It is a component of Splunk Enterprise which creates and manages indexes. The primary functions of an indexer are 1) Indexing raw data into an index and 2) Search and manage Indexed data.

What are the disadvantages of using Splunk?

Some disadvantages of using Splunk tool are:

Splunk can prove expensive for large data volumes.
Dashboards are functional but not as effective as some other monitoring tools.
Its learning curve is stiff, and you need Splunk training as it’s a multi-tier architecture. So, you need to spend lots of time to learn this tool.
Searches are difficult to understand, especially regular expressions and search syntax.

What are the pros of getting data into a Splunk instance using forwarders?

The advantages of getting data into Splunk via forwarders are TCP connection, bandwidth throttling, and secure SSL connection for transferring crucial data from a forwarder to an indexer.

What is the importance of license master in Splunk?

License master in Splunk ensures that the right amount of data gets indexed. It ensures that the environment remains within the limits of the purchased volume as Splunk license depends on the data volume, which comes to the platform within a 24-hour window.

Name some important configuration files of Splunk

Commonly used Splunk configuration files are:

Inputs file
Transforms file
Server file
Indexes file
Props file

Explain license violation in Splunk.

It is a warning error that occurs when you exceed the data limit. This warning error will persist for 14 days. In a commercial license, you may have 5 warnings within a 1-month rolling window before which your Indexer search results and reports stop triggering.

However, in a free version, license violation warning shows only 3 counts of warning.

What is the use of Splunk alert?

Alerts can be used when you have to monitor for and respond to specific events. For example, sending an email notification to the user when there are more than three failed login attempts in a 24-hour period.

Explain map-reduce algorithm

Map-reduce algorithm is a technique used by Splunk to increase data searching speed. It is inspired by two functional programming functions 1) reduce () 2) map().

Here map() function is associated with Mapper class and reduce() function is associated with a Reducer class.

Explain different types of data inputs in Splunk?

Following are different types of data inputs in Splunk:

Using files and directories as input
Configuring Network ports to receive inputs automatically
Add windows inputs. These windows inputs are of four types: 1) active directory monitor, 2) printer monitor, 3) network monitor, and 4) registry inputs monitor.

How Splunk avoids duplicate log indexing?

Splunk allows you to keeps track of indexed events in a fish buckets directory. It contains CRCs and seeks pointers for the files you are indexing, so Splunk can’t if it has read them already.

Explain pivot and data models.

Pivots are used to create the front views of your output and then choose the proper filter for a better view of this output. Both options are beneficial for the people from a semi-technical or non-technical background.

Data models are most commonly used for creating a hierarchical model of data. However, it can also be used when you have a large amount of unstructured data. It helps you make use of that information without using complicated search queries.

Explain search factor and replication factor?

Search factor determines the number of data maintained by the indexer cluster. It determines the number of searchable copies available in the bucket.

Replication factor determines the number of copies maintained by the cluster as well as the number of copies that each site maintains.

What is the use of lookup command?

Lookup command is generally used when you want to get some fields from an external file. It helps you to narrow the search results as it helps to reference fields in an external file that match fields in your event data.

Explain default fields for an event in Splunk

There are 5 default fields which are barcoded with every event into Splunk. They are: 1) host, 2) source, 3) source type, 4) index, and 5) timestamp.

How can you extract fields?

In order to extract fields from either sidebar, event lists or the settings menu using UI.

Another way to extract fields in Splunk is to write your regular expressions in a props configuration file.

What do you mean by summary index?

A summary index is a special index that stores that result calculated by Splunk. It is a fast and cheap way to run a query over a longer period of time.

How to prevent events from being indexed by Splunk?

You can prevent the event from being indexed by Splunk by excluding debug messages by putting them in the null queue. You have to keep the null queue in transforms.conf file at the forwarder level itself.

Define Splunk DB connect

It is a SQL database plugin which enables to import tables, rows, and columns from a database add the database. Splunk DB connect helps in providing reliable and scalable integration between databases and Splunk Enterprises.

Define Splunk buckets

It is the directory used by Splunk enterprise to store data and indexed files into the data. These index files contain various buckets managed by the age of the data.

What is the function of Alert Manager?

The alert manager adds workflow to Splunk. The purpose of alert manager o provides a common app with dashboards to search for alerts or events.

How can you troubleshoot Splunk performance issues?

Three ways to troubleshoot Splunk performance issue.

See server performance issues.
See for errors in splunkd.log.
Install Splunk app and check for warnings and errors in the dashboard.

What is the difference between Index time and Search time?

Index time is a period when the data is consumed and the point when it is written to disk. Search time take place while the search is run as events are composed by the search.

How to reset the Splunk administrator password?

In order to reset the administrator password, perform the following steps:

Login into the server on which Splunk is installed
Rename the password file and then again start the Splunk.
After this, you can sign into the server by using username either administrator or admin with a password change me.

Name the command which is used to the “filtering results” category

The command which is used to the “filtering results” category is: “where,” “Sort,” “rex,” and “search.”

List out different types of Splunk licenses

The types of Splunk licenses are as follows:

Free license
Beta license
Search heads license
Cluster members license
Forwarder license
Enterprise license

List out the number of categories of the SPL commands.

The SPL commands are classified into five categories:

1) Filtering Results, 2) Sorting Results, 3) Filtering Grouping Results, 4) Adding Fields, and 5) Reporting Results.

What is eval command?

This command is used to calculate an expression. Eval command evaluates boolean expressions, string, and mathematical articulations. You can use multiple eval expressions in a single search using a comma.

Name commands which are included in the reporting results category

Following are the commands which are included in the reporting results category:

Rare
Chart
time chart
Top
Stats

What is SOS?

Splunk on Splunk or SOS is a Splunk app that helps you to analyze and troubleshoot Splunk environment performance and issues.

What is a replace command?

This command searches and replaces specified field values with replacement values.

Name features which are not available in Splunk free version?

Splunk free version lacks the following features:

Distributed searching
Forwarding in HTTP or TCP
Agile statistics and reporting with Real-time architecture
Offers analysis, search, and visualization capabilities to empower users of all types.
Generate ROI faster

What is a null queue?

A null queue is an approach to filter out unwanted incoming events sent by Splunk enterprise.

Explain types of search modes in Splunk?

There are three types of search modules. They are:

Fast mode: It increases the searching speed by limiting search data.
Verbose mode: This mode returns all possible fields and event data.
Smart mode: It is a default setting in a Splunk app. Smart mode toggles the search behavior based on transforming commands.

What is the main difference between source & source type

The source identifies as a source of the event which a particular event originates, while the source type determines how Splunk processes the incoming data stream into events according to its nature.

What is a join command?

It is used to combine the results of a sub search with the results of the actual search. Here the fields must be common to each result set. You can also combine a search set of results to itself using the self join command in Splunk.

How to start and stop Splunk service?

To start and stop Splunk services use can use following commands:

1 2	./splunk start ./splunk stop

Where to download Splunk Cloud?

Visit website: https://www.splunk.com/ to download a free trial of Splunk Cloud.

What is the difference between stats and time chart command?

Define deployment server

Deployment server is a Splunk instance that acts as a centralized configuration manager. It is used to deploy the configuration to other Splunk instances.

What is Time Zone property in Splunk?

Time zone property provides the output for a specific time zone. Splunk takes the default time zone from browser settings. The browser takes the current time zone from the computer system, which is currently in use. Splunk takes that time zone when users are searching and correlating bulk data coming from other sources.

What is Splunk sound unit connect?

Splunk sound unit is a plugin which allows adding info data with Splunk reports. It helps in providing reliable and ascendible integration between relative databases and Splunk enterprises.

How to install forwarder remotely?

You can make use of a bash script in order to install forwarder remotely.

What is the use of syslog server?

Syslog server is used to collect data from various devices like routers and switches and application logs from the web server. You can use R syslog or syslog NG command to configure a Syslog server.

How to monitor forwarders?

Use the forwarder tab available on the DMC (Distributed Management Console) to monitor the status of forwarders and the deployment server to manage them.

What is the use of Splunk btool?

It is a command-line tool that is designed to solve configuration related issues.

Name Splunk alternatives

Some Splunk alternatives are:

Sumo logic
Loglogic
Loggy
Logstash

What is KV store in Splunk?

Key Value( KV) allows to store and obtain data inside Splunk. KV also helps you to:

Manage job queue
Store metadata
Examine the workflow

What do you mean by deployer in Splunk?

Deployer is a Splunk enterprise instant which is used to deploy apps to the cluster head. It can also be used to configure information for app and user.

When to use auto_high_volume in Splunk?

It is used when the indexes are of high volume, i.e., 10GB of data.

What is a stat command?

It is a Splunk command that is used to arrange report data in tabular format.

What is a regex command?

Regex command removes results which do not match with desired regular expression.

What is input lookup command?

This Splunk command returns lookup table in the search result.

What is the output lookup command?

Output lookup command searches the result for a lookup table on the hard disk.

List out various stages of bucket lifecycle

Stages of bucket lifecycle are as follows:

Hot
Warm
Cold
Frozen
Thawed

Name stages of Splunk indexer

Stages of Splunk indexer are:

Input
Parsing
Indexing
Searching

Explain how Splunk works?

There are three phases in which Splunk works:

The first phase: It generates data and solves query from various sources.
The second phase: It uses the data to solve the query.
Third phase: it displays the answers via graph, report, or chart which is understood by audiences.

What are three versions if Splunk?

Splunk is available in three different versions. These versions are 1) Splunk enterprise, 2) Splunk light, 3) Splunk cloud.

Splunk enterprise: Splunk Enterprise edition is used by many IT organizations. It helps you to analyze the data from various websites and applications.

Splunk cloud: Splunk Cloud is a SaaS (Software as a Service) It offers almost similar features as the enterprise version, including APIs, SDKs, and apps.

Splunk light: Splunk light is a free version which allows, to make a report, search and edit your log data. Splunk light version has limited functionalities and features compared to other versions.

Name companies which are using Splunk

Well known companies which are using Splunk tool are:

Cisco
Facebook
Bosch
Adobe
IBM
Walmart
Salesforce

What is SLP?

Search Processing Language or SLP is a language which contains functions, commands, and arguments. It is used to get the desired output from the database.

Define monitoring in Splunk

Monitoring is a term related to reports you can visually monitor.

Name the domain in which knowledge objects can be used

Following are a few domains in which knowledge objects can be used:

Application Monitoring
Employee Management
Physical Security
Network Security

How many roles are there in Splunk?

There are three roles in Splunk: 1) Admin, 2) Power, and 3) User.

Are search terms in Splunk case sensitive?

No, Search terms in Splunk are not case sensitive.

Can search results be used to change the existing search?

Yes, the search result can be used to make changes in an existing search.

List out layout options for search results.

Following are a few layout options for search result:

List
Table
Raw

What are the formats in which search result be exported?

The search result can be exported into JSON, CSV, XML, and PDF.

Explain types of Boolean operators in Splunk.

Splunk supports three types of Boolean operators; they are:

AND: It is implied between two terms, so you do not need to write it.
OR: It determines that either one of the two arguments should be true.
NOT: used to filter out events having a specific word.

Explain the use of top command in Splunk

The top command is used to display the common values of a field, with their percentage and count.

What is the use of stats command?

It calculates aggregate statistics over a dataset, such as count, sum, and average.

What are the types of alerts in Splunk?

There are mainly three types of alerts available in Splunk:

Scheduled alert: It is an alert that is based on a historical search. It runs periodically with a set schedule.
Per result alert: This alert is based on a real time search which runs overall time.
Rolling window alert: An alert that is based on real-time search. This search is set to run within a specific rolling time window that you define.

List various types of Splunk dashboards.

Dynamic form-based dashboards
Dashboards as scheduled reports
Real time dashboards

What is the use of tags in Splunk?

They are used to assign names to specific filed and value pairs. The filed can be event type, source, source type, and host.

How to increase the size of Splunk data storage?

In order to increase the size of data storage, you can either add more space to index or add more indexers.

Distinguish between Splunk apps and add-ons

There is only one difference between Splunk apps, and add-ons that is Splunk apps contains built-in reports, configurations, and dashboards. However, Splunk add-ons contain only built-in configurations they do not contain dashboards or reports.

Define dispatch directory in Splunk?

Dispatch directory stores status like running or completed.

What is the primary difference between stats and eventstats commands

Stats command provides summary statistics of existing fields available in search output, and then it stores them as values in new fields. On the other hand, in eventstats command aggregation results are added so that every event only if the aggregation applies to that particular event.

What do you mean by source type in Splunk?

Source field is a default field that finds the data structure of an event. It determines how Splunk formats the data while indexing.

Define calculated fields?

Calculated fields are the fields which perform the calculation which the values of two fields available in a specific event.

List out some Splunk search commands

Following are some search commands available in Splunk:

Abstract
Erex
Addtotals
Accum
Filldown
Typer
Rename
Anomalies

What does xyseries command do?

xyseries command converts the search results into a format that is suitable for graphing.

What is the use of spath command?

spath command is used to extract fields from structured data formats like JSON and XML.

How to adds summary statistics to all results in a streaming manner?

In order to add summary statistics in results, you can use streamstats.

Where to create knowledge objects, dashboards, and reports?

You can create knowledge, objects, reports, and dashboards in reporting and search app.

What is table command?

This command returns all fields of table in the argument list.

How to remove duplicate events having common values?

Use dedup command to remove duplicate events having common values.

What is the main difference between sort + and sort -?

sort + displays search in ascending order
sort – displays search in descending order.

Define reports in Splunk

They are results saved from a search action that shows the visualization and statistic of a particular event.

Define dashboard in Splunk

The dashboard is defined as a collection of views that are made of various panels.

What is the use of instant pivot in Splunk?

It is used to work with data without creating any data model.

Instant pivot is available to all users.

How is it possible to use the host value and not IP address or the DNS name for a TCP input?

Under stanza in the input configuration file, set the connection host to none and mention the host value.

What is the full form of LDAP?

LDAP stands for Lightweight Directory Access Protocol

Define search head pooling

It is a group of servers connected with each other. These servers are used to share configuration, user data, and load.

Define search head clustering

It is a group of Splunk enterprise search heads that serves as a central resource for searching.

What is the full form of REST?

The abbreviation of REST is Representational State Transfer

Explain Splunk SDKs

Splunk SDKs are written on the base of Splunk REST APIs. Various languages supported by SDKs are: 1) Java, 2) Python, 3) JavaScript, and 4) C#.

Explain Splunk REST API

The Splunk REST API offers various processes for accessing every feature available in the product. Your program communicates to Splunk enterprise using HTTP or HTTPS. It uses the same protocols that any web browser uses to interact with web pages.

What is security accelerate data model in Splunk?

Splunk Enterprise Security accelerates data model provides a panel, dashboard, and correlation search results. It uses the indexers for processing and storage. The accelerated data is stored within each index by default.

Explain how indexer stores various indexes?

Indexers create various files which contain two types of data: 1) Raw data and 2) metadata index file. Both these files are used to constitute Splunk enterprise index.

What would you use to edit contents of the file in Linux? Describe some of the important commands mode in vi editor?

Various editors in Linux file system- vi,jedit, ex line editor or nedit
Two important modes are as below – We can press ‘Esc’ to switch from one mode to another. However, we can press ‘i’ to enter insert mode-

Command mode
Insert mode

How do you log in to a remote Unix box using ssh?

ssh your_username@host_ip_address

What would you use to view contents of a large file? How to copy/remove file? How to look for help on a Linux?

tail -10 File1 it would show last 10 rows
copy file- cp file_name .
Remove file command- rm -rf directory_name
Manual/help command – man command_name

How you will uncompressed the file? How to install Splunk/app using the Splunk Enterprise .tgz file

tar -zxvf file_name.tar.gz
tar xvzf splunk_package_name.tgz -C /opt
default directory /opt/splunk

what does grep() stand for? how to find difference in two configuration files?

General Regular Expression Parser.
egrep -w ‘word1|word2’ /path/to/file
diff -u File_name1.conf File_name2.conf

Talk about Splunk architecture and various stages

Data Input Stage: [accessed from the source and turns it into 64k blocks- metadata includes keys like hostname, source, source type, _time] Data Storage Stage: [Parsing & Indexing] Data Searching Stage: [data analysis using search head] Universal forward > Heavy Forward (Optional) > Indexers > Search head
Deployment Server- [Use to distribute configuration file/Apps] License master- [Use to keep track of our indexing utilizations]

Types Of Splunk Forwarder?

⦁ Universal forwarder(UF) -Light weight Splunk instance- can’t parse or index data
⦁ Heavy forwarder(HF) – full instance of Splunk with advance functionality of parsing & indexing

Precedence in Splunk and discuss some of the important conf files

When 2 or more stanzas specify a behaviour that effects same item, then precedence is calculated based on stanza ASCI
We can use priority key to specify highest/lowest priority etc

Important conf files

props.conf
indexes.conf
inputs.conf
transforms.conf
server.conf

What is summary index in Splunk?

The Summary index is default summary which is used to store data as a result of scheduled searches over period of time. It helps to efficiently process large volume of data.

What do you mean by roles-based access control?

It is very crucial to provide only appropriate roles to appropriate team. This will prevent unauthorized access to any app or data for that matter.
It is very important that we provide access very meticulously and limit their search capability by providing access to only those indexes which needs to be. What is null queue

Null queue is an approach to trim out all the unwanted data.

Trouble shooting Splunk errors in splunk

See if the process is running – ./splunk status
IF running go and check log for any latest errors using below command- tail 20 $SPLUNK_HOME/var/log/log/splunk/splunkd.log
Splunk crash also happens because of low disk memory- sheck if tere is any crash*log files
Check log,splunkd.log,metrics.log or web*log
In order to check any conf file related concerns use btool – ./splunk btool props list –debug >/tmp/props.conf
Search for errors and warning by typing- Index=_internal | log_level=error OR log_level=warn*
Check for the search directory for recent search at – $SPLUNK_HOME/var/ran/splunk/dispatch
Enable debug mode.Splunk software has a debug parameter (–debug. that can be used when starting splunk
Check for log file OR use below search query – index=_introspection

What are the types of search modes supported in splunk?

Fast mode
Verbose mode
Smart mode

What is difference between source & source type

Source – Identifies as source of data
Source type- in general it refers to data structure of events or format of data
Different sources may have same source type
Command to restart splunk web server
/opt/splunk/bin/splunk start splunkweb

How to use btool for splunk conf file approach

/opt/splunk/bin/splunk cmd btool input list

Create new app from templet

/opt/splunk/bin/splunk create app New_App -templet sample_App

Rollback your aplunk web configuration bundle to previous version

/opt/splunk/bin/splunk rollback cluster-bundle

To specify minimum disk usage in splunk

./splunk set minfreemb = 20000
./splunk restart

Command to change splunkweb port to 9000 via CLI

./splunk set web-port 9000

How to turn down a peer without affecting any other peer of cluster?

./splunk offline

How to show which deployment server in configured to pull data from?

./splunk show deploy-poll

CLI to validate bundles

./splunk validate cluster-bundle

How to see all the license pool active in our Splunk environment?

./splunk list license

Which command is used to the “filtering results” category- explain?

“search”, “where”. “Sort” and “rex”

What is join command and what are various flavours of join command.

Join command is used to combine result of a subsearch with result of a search- One or more fields must be common to each results set
Inner join- result of inner joint do not include event with NO MATCH
Left/Outer join- It include events in the main search and matching having correct field values

..|join type=inner P_id [search source=table2] {}

Tell me the syntax of Case command

It’s a comparison & conditional function
Case (X,”Y”,…)
X- Boolean expression that are evaluated from first to last. The function defaults to NULL if non is true
..| eval description=case(statsu==20,”OK”,status==404,”NOT FOUND”

Which role can create data model?

Admin & power user

Splunk latest version

Welcome to Splunk Enterprise 7.2 – Splunk Documentation

Which app ships with splunk enterprise

Search & reporting
Home App

How do we convert unix time into string and string back to unix time format

strftime(X,Y) : Unix to string as per format
strptime(X,Y) : String to UNIX

How do we find total number of host or source type reporting splunk instance. Report should consider host across the cluster

|metadata type=hosts index=* | convert ctime(firstTime) | convert ctime(lastTime) |convert ctime(recentTime)

What is Splunk? Why Splunk is used for analysing machine data?

Splunk is a platform for analysing machine data generated from various data sources such as network, server, IOT and so on. Splunk is used for analysing machine data for following reasons

Business Intelligence
Operational visibility
Proactive monitoring
Search and Investigation

Who are the competitors of Splunk in the market? Why is Splunk efficient?

Biggest competitors of Splunk are as follows

Sumo logic
ELK
Loglogic

Splunk is efficient as it comes with many inbuilt features like visualization, analysis, apps, Splunk can also be deployed in cloud through Splunk cloud version. Other platforms require plug in to get additional features.

What are the benefits of getting data using forwarders?

Data is load balanced by default
Bandwidth throttling
Encrypted SSL connection
TCP connection

What happens if License master is unreachable?

License Slave sets 72-hour timer and try to reach License Master, after which search is blocked in specific license slave until Master is reachable.

What is the command to get list of configuration files in Splunk?

Splunk cmd btool inputs list –debug

What is the command to stop and start Splunk service?

./splunk stop
./splunk start

What is index bucket? What are all stages of buckets?

Indexed data in Splunk is stored in directory called bucket. Each bucket has certain retention period after which data is rolled to next bucket. Various stages of buckets are

Hot
Warm
Cold
Frozen
Thawed

What are important configuration files in Splunk?

Props.conf
inputs.conf
outputs.conf
transforms.conf
indexes.conf
deploymentclient.conf
serverclass.conf

What is global file precedence in Splunk?

System local directory – highest priority
App local directory
App default directory
System default directory – lowest priority

What is lookup command?

Lookup command is used to reference fields from an external csv file that matches fields in your event data.

What is the role of Deployment server?

Deployment server is a Splunk instance to deploy the configuration to other Splunk instances from a centralized location.

What are the default fields in Splunk?

Host
Source
Source type
_time
_raw

What is Search Factor (SF) and Replication Factor (RF) in Splunk?

The search factor determines the number of searchable copies of data maintained by an index cluster. The default search factor is 2.Replication factor is the number of copies of the data cluster maintains. The search factor should be always less than or equal to the Replication factor.

What is the difference between Splunk apps and add-ons?

Splunk apps contain built-in configurations, reports, and dashboards, Splunk add-ons contain only built-in configurations and not visualization (reports or dashboards)

How can you exclude some events from being indexed in Splunk?

This can be done by using nullQueue in transforms.conf file.
For Example:
transforms.conf
[setnull] REGEX = <regular expression>
DEST_KEY = queue
FOMAT = nullqueue

Where does Splunk default configuration file located?

It is located under $Splunkhome/etc/system/default

Discuss about the sequence in which splunk upgrade can be done in a clustered environment?

Upgrade Cluster Master
Upgrade Search Head Cluster
Upgrade Indexer Cluster
Upgrade Standalone Indexers
Upgrade Deployment Server

How do we sync and deploy configurational files and updates across multiple deployment servers in a large multi-layered clustered?

On one of the deployment server, use below commands-

$cd ~
$./DS_sync.sh
$/opt/splunk/bin/splunk reload deploy-server -class ServerClassName

Who is responsible for the right quantity of data?

License master in Splunk for correct facts to enter. Splunk license is constructed on the facts capacity which is on the platform in 24 hours in the window. It is necessary to confirm the atmosphere should be in the control of the obtained volume.

What restrict to find data?

When the license master is unavailable the data goes in the indicator is not concerned. The facts continue to go into the installation of Splunk. The indicator will carry on to move into the Splunk deployment. A warning message is seen on the upside of ahead of the search or the UI of the web to increase the capacity and to decreases the capacity of data.

What happens when to increase the data limitation?

A message of License violation error is shown on the screen. The warning od the license continues for 14 days. We will receive 5 warnings in 30 days on the window in the trading license. The indicators search results and reports discontinue the activation.

What is used for building a ranking?

Data models are for generating a ranking model of the data. When we contain a huge and numerous unformed data. At the time when you wish to use details without the use of difficult search questions.

For generating the reports of sale
For setting the entry
For certification

How to map the keys and values?

With the help of Lookups command. To enhance the occasion facts by attaching field-value mixture form the lookup tables. Lookup test the field-value mixture of the occasion facts with the help of field-value mixture in the outer tables of lookups. Splunk software attaches the field-value mixture of the tables to the occasion.

What is used to process huge data sets?

The Mapreduce algorithm is a programming model. A map is a function to collect the data side by side for fashion implementation. A map function is very necessary to collect the data fro your search. Now the reduce function gets the results from the function of the map for proceeding.

Define Splunk Success Framework?

It is an adaptable group of applications for increasing and getting faster speed for you has in the data with the help of Splunk software. The organization’s application contains all necessary things to apply and support a Splunk environment to target your data.

Name the items for migration?

Configuration of Custom application – The installer keeps in the default inventories on the collection of the audience. The runtime adjustment is done at the time of running the apps on the head pool of search.
Configuration for the personal user – The installer prints the user arrangements of the head. The head copies the settings to each collection by the simple way of reproducing arrangements.

What is used to track internally?

A sub-directory named fish bucket in Splunk. to guide the content distance of your file from the place to start guiding. By using these features such as seek pointers and CRCs. CRC is to notice the specific entry. And seek pointer are the characteristics of the data of the place.

How the company manages the data?

Data and hints are absorbed by the Splunk company. And changes in the search information as the events. The main procedure is viewed in the data pipeline to perform on the data at the time of recording. The procedure represents the occasions processing. You can connect the occasion with information items to improve the benefits after the data is managed into an occasion.

Explain Occasion management?

Printing and recording are the two platforms of occasion management. With the help of a parsing pipeline like the block. At the time of examining the software of Splunk disconnects the blocks into the occasion. The occasion goes to the recording pipeline. The software of Splunk changes the data at the time when we use both.

what is the use of DB connect?

To construct the columns, rows, and tables from details straightly in the Splunk company to guide the data. It helps to join the details of relative data to Splunk company. And to make the facts adaptable bt the Splunk company. It can revert the facts to the details of the relative. You can detect and view the relative’s data.

Why DB connect is important?

To obtain instantly details into Splunk
To conduct on the fly lookups for the details of warehouses
To guide the layout of saved data details in amount
To write the companies data into details in amount
To see the data again the position of proving.
To measure, allot and check details of jobs to restrict the excess load.

How to ignore the incoming data?

There are two steps for ignoring data.
First step

First, explain to Splunk the data you want.
And then you decide what Splunk has to do.
Now update props.conf file and join a rule to notice the root of the details
After this tell what to do.
Now use the transform keyword in the same rule.

Second step

Confirm to the Splunk that in which way you want to change the details
The details are guided by the Splunk by default.
You can transfer the details to nullQueue.

Explain Transaction

It is situated on the occasion to connect different limitations. It is built by the raw text of every member, the details of premature members and the group of every area of every person. It contains two areas such as duration and event count.
Event count is for viewing the counts of occasion in the transaction
Duration is for the contrast of the first and last occasion.

How to remove all the events?

With the help of the Dedup command to assume the identity mixture of values for every area which the user described. It deletes the false principles from the outcome. To show the new record for a special event. It gives back the first key principles for a special field.

Mention the use of the Dedup command of Splunk?

At the time of finding a huge capacity of data we can keep away the Dedup command. The memory is maintained when the command uses the data for each occasion. It maintains every area with the supreme number and size. When the user immediately finds the record or principles then use the command and it showed occasionally a single record or principles for a single ID.

What is single-instance storage?

Data deduplication is the way to remove unnecessary prints of facts and remove the saved overhead. It confirms a special example of data kept on saved media like tape, flash or light. The pieces of unnecessary data are placed again with the point of special facts of details.

Describe pivot?

it is used for pulling and dripping attachments to use the preset data models and items. Pivot tool helps data models to describe and separation and to fix the characters for the occasion data which you want.

What is used for collecting the logs?

The element named Splunk’s Forwarder. To gather the facts from the machine you have to manage it by the use of the scheduling Splunk’s forwarders are the separation of the principle of Splunk’s example.

Where to keep the listed data in directories?

In Splunk’s buckets. It is a directory includes the occasion.

Hot = includes fresh listed data that can be written.
Warm – includes facts moved out from hot buckets.
Frozen- moved out from a cold bucket
Cold moved out from the warm bucket.

Name the disadvantages of Splunk?

It verifies the cost of huge data capacity.
The dashboard is not impressive but it is practical
You have to take Splunk coaching because it is difficult like a multi-leveled constructer.
To recognize the searches is very complicated especially daily appearance and pattern of search.

How to connect two BLE devices?

With the help of Btool, it performs by interacting with the CC2640R2F organized to behave as a web processor with the HCI agent special command. It helps to run the Host trail representative application.

What is known as a central resource for searching?

Search head clustering, the persons can be changeable and can run a similar exploration, can view similar control panel and entry a similar outcome from the collection of any person. To gain compatibility the search head in gathering is to contribute the arrangements and applications and to fix the job.

How to recover a non-functioning group?

Without the installation of a static master at that time the group loss the majority. Unless the representative will not join again the group the cluster will not take action. The representative selects a master at the time of the majority is achieved. And then the cluster begins to functions.

Runtime arrangements
The reports planning

Effect of a non-functioning cluster?

if you lose the majority then you cannot select the master the representative carry on the function as individual search heads. They can serve only Adhoc searchers. Planned exploration and alerts may not run if the planned function is downgraded.

Name the features of a knowledge object?

It is to contribute and by the correct list of people in the company.
Formalized occasion data by applying the knowledge object naming agreement and different the matching objects.
The strategies to increase the enhancement of search and pivot.
Construct data models for pivot customers.

Name the uses of Knowledge object?

By using the software of Splunk this object is to generate and stored. It includes similar details or it not used for every customer. To manage all the problems, we need to handle objects.

For fields and field removal is the primary layer. To removes automatically the fields from the IT facts
Occasion types and Transactions for listing together with the favorite group of the same occasion.
Lookups and workflow action to classify the knowledge object that is expanded in the facts in different methods.

What is used to conduct the group of field details?

By the use of Tags and aliases is for managing and establishing the details. For combining the principle and for providing the given field tags to reverse various features of identity. When you have various origins to use various field names to mention similar data then formalize the facts with the use of aliases.

What is Splunk?

Splunk is ‘Google’ for our machine-generated data. It’s a software/engine that can be used for searching, visualizing, monitoring, reporting, etc. of our enterprise data. Splunk takes valuable machine data and turns it into powerful operational intelligence by providing real-time insights into our data through charts, alerts, reports, etc.

What are the components of Splunk? Explain Splunk architecture.

Below are the components of Splunk:

Search Head: Provides the GUI for searching
Indexer: Indexes the machine data
Forwarder: Forwards logs to the Indexer
Deployment Server: Manges Splunk components in a distributed environment

Which is the latest Splunk version in use?

Splunk 6.3

What is Splunk Indexer? What are the stages of Splunk Indexing?

Splunk Indexer is the Splunk Enterprise component that creates and manages indexes. The primary functions of an indexer are:

Indexing incoming data
Searching the indexed data
Picture

What is a Splunk Forwarder? What are the types of Splunk Forwarders?

There are two types of Splunk Forwarders as below:

Universal Forwarder (UF): The Splunk agent installed on a non-Splunk system to gather data locally; it can’t parse or index data.
Heavyweight Forwarder (HWF): A full instance of Splunk with advanced functionalities.

It generally works as a remote collector, intermediate forwarder, and possible data filter, and since it parses data, it is not recommended for production systems.

Can you name a few most important configuration files in Splunk?

props.conf
indexes.conf
inputs.conf
transforms.conf
server.conf

What are the types of Splunk Licenses?

Enterprise license
Free license
Forwarder license
Beta license
Licenses for search heads (for distributed search)
Licenses for cluster members (for index replication)

What is Splunk App?

Splunk app is a container/directory of configurations, searches, dashboards, etc. in Splunk.

Where is Splunk Default Configuration stored?

$splunkhome/etc/system/default

What are the features not available in Splunk Free?

Splunk Free does not include below features:

Authentication and scheduled searches/alerting
Distributed search
Forwarding in TCP/HTTP (to non-Splunk)
Deployment management

What happens if the License Master is unreachable?

If the license master is not available, the license slave will start a 24-hour timer, after which the search will be blocked on the license slave (though indexing continues). However, users will not be able to search for data in that slave until it can reach the license master again.

What is Summary Index in Splunk?

A summary index is the default Splunk index (the index that Splunk Enterprise uses if we do not indicate another one).

If we plan to run a variety of summary index reports, we may need to create additional summary indexes.

What is Splunk DB Connect?

Splunk DB Connect is a generic SQL database plugin for Splunk that allows us to easily integrate database information with Splunk queries and reports.

Can you write down a general regular expression for extracting the IP address from logs?

There are multiple ways in which we can extract the IP address from logs. Below are a few examples:

By using a regular expression:

rex field=_raw “(?<ip_address>\d+\.\d+\.\d+\.\d+)”

rex field=_raw “(?<ip_address>([0-9]{1,3}[\.]){3}[0-9]{1,3})”

Explain Stats vs Transaction commands.

The transaction command is the most useful in two specific cases:

When the unique ID (from one or more fields) alone is not sufficient to discriminate between two transactions. This is the case when the identifier is reused, for example, web sessions identified by a cookie/client IP. In this case, the time span or pauses are also used to segment the data into transactions.
When an identifier is reused, say in DHCP logs, a particular message identifies the beginning or end of a transaction.
When it is desirable to see the raw text of events combined rather than an analysis of the constituent fields of the events.

In other cases, it’s usually better to use stats.

As the performance of the stats command is higher, it can be used especially in a distributed search environment
If there is a unique ID, the stats command can be used

How to troubleshoot Splunk performance issues?

The answer to this question would be very wide, but mostly an interviewer would be looking for the following keywords:

Check splunkd.log for errors
Check server performance issues, i.e., CPU, memory usage, disk I/O, etc.
Install the SOS (Splunk on Splunk) app and check for warnings and errors in its dashboard
Check the number of saved searches currently running and their consumption of system resources
Install and enable Firebug, a Firefox extension. Log into Splunk (using Firefox) and open Firebug’s panels. Then, switch to the ‘Net’ panel (we will have to enable it). The Net panel will show us the HTTP requests and responses, along with the time spent in each. This will give us a lot of information quickly such as which requests are hanging Splunk, which requests are blameless, etc.

What are Buckets? Explain Splunk Bucket Lifecycle.

Splunk places indexed data in directories, called ‘buckets.’ It is physically a directory containing events of a certain period.

A bucket moves through several stages as it ages. Below are the various stages it goes through:

Hot: A hot bucket contains newly indexed data. It is open for writing. There can be one or more hot buckets for each index.
Warm: A warm bucket consists of data rolled out from a hot bucket. There are many warm buckets.
Cold: A cold bucket has data that is rolled out from a warm bucket. There are many cold buckets.
Frozen: A frozen bucket is comprised of data rolled out from a cold bucket. The indexer deletes frozen data by default, but we can archive it. Archived data can later be thawed (data in a frozen bucket is not searchable).

By default, the buckets are located in:

$SPLUNK_HOME/var/lib/splunk/defaultdb/db

We should see the hot-db there, and any warm buckets we have. By default, Splunk sets the bucket size to 10 GB for 64-bit systems and 750 MB on 32-bit systems.

What is the difference between stats and eventstats commands?

The stats command generates summary statistics of all the existing fields in the search results and saves them as values in new fields.
Eventstats is similar to the stats command, except that the aggregation results are added inline to each event and only if the aggregation is pertinent to that event. The eventstats command computes requested statistics, like stats does, but aggregates them to the original raw data.

Who are the top direct competitors to Splunk?

Logstash, Loggly, LogLogic, Sumo Logic, etc. are some of the top direct competitors to Splunk.

What do Splunk Licenses specify?

Splunk licenses specify how much data we can index per calendar day.

How does Splunk determine 1 day, from a licensing perspective?

In terms of licensing, for Splunk, 1 day is from midnight to midnight on the clock of the license master.

How are Forwarder Licenses purchased?

They are included with Splunk. Therefore, no need to purchase separately.

What is the command for restarting Splunk web server?

We can restart Splunk web server by using the following command:

splunk start splunkweb

What is the command for restarting Splunk Daemon?

Splunk Deamon can be restarted with the below command:

splunk start splunkd

What is the command used to check the running Splunk processes on Unix/Linux?

If we want to check the running Splunk Enterprise processes on Unix/Linux, we can make use of the following command:

ps aux | grep splunk

What is the command used for enabling Splunk to boot start?

To boot start Splunk, we have to use the following command:

$SPLUNK_HOME/bin/splunk enable boot-start

How to disable Splunk boot-start?

In order to disable Splunk boot-start, we can use the following:

$SPLUNK_HOME/bin/splunk disable boot-start

What is Source Type in Splunk?

Source type is Splunk way of identifying data.

How to reset Splunk Admin password?

Resetting Splunk Admin password depends on the version of Splunk. If we are using Splunk 7.1 and above, then we have to follow the below steps:

First, we have to stop our Splunk Enterprise
Now, we need to find the ‘passwd’ file and rename it to ‘passwd.bk’
Then, we have to create a file named ‘user-seed.conf’ in the below directory:

$SPLUNK_HOME/etc/system/local/

In the file, we will have to use the following command (here, in the place of ‘NEW_PASSWORD’, we will add our own new password):

[user_info]

PASSWORD = NEW_PASSWORD

After that, we can just restart the Splunk Enterprise and use the new password to log in

Now, if we are using the versions prior to 7.1, we will follow the below steps:

First, stop the Splunk Enterprise
Find the passwd file and rename it to ‘passw.bk’
Start Splunk Enterprise and log in using the default credentials of admin/changeme
Here, when asked to enter a new password for our admin account, we will follow the instructions

Note: In case we have created other users earlier and know their login details, copy and paste their credentials from the passwd.bk file into the passwd file and restart Splunk.

How to disable Splunk Launch Message?

Set value OFFENSIVE=Less in splunk_launch.conf

How to clear Splunk Search History?

We can clear Splunk search history by deleting the following file from Splunk server:

$splunk_home/var/log/splunk/searches.log

What is Btool?/How will you troubleshoot Splunk configuration files?

Splunk Btool is a command-line tool that helps us troubleshoot configuration file issues or just see what values are being used by our Splunk Enterprise installation in the existing environment.

What is the difference between Splunk App and Splunk Add-on?

In fact, both contain preconfigured configuration, reports, etc., but Splunk add-on do not have a visual app. On the other hand, a Splunk app has a preconfigured visual app.

What is .conf files precedence in Splunk?

File precedence is as follows:

System local directory — highest priority

App local directories

App default directories

System default directory — lowest priority

What is Fishbucket? What is Fishbucket Index?

Fishbucket is a directory or index at the default location:

/opt/splunk/var/lib/splunk

It contains seek pointers and CRCs for the files we are indexing, so ‘splunkd’ can tell us if it has read them already. We can access it through the GUI by searching for:

index=_thefishbucket

How do I exclude some events from being indexed by Splunk?

This can be done by defining a regex to match the necessary event(s) and send everything else to NullQueue. Here is a basic example that will drop everything except events that contain the string login:
In props.conf:

<code>[source::/var/log/foo]

# Transforms must be applied in this order

# to make sure events are dropped on the

# floor prior to making their way to the

# index processor

TRANSFORMS-set= setnull,setparsing

</code>

In transforms.conf:

[setnull] REGEX = . DEST_KEY = queue FORMAT = nullQueue

[setparsing]

REGEX = login

DEST_KEY = queue

FORMAT = indexQueue

How can I understand when Splunk has finished indexing a log file?

We can figure this out:
By watching data from Splunk’s metrics log in real time:

index=”_internal” source=”*metrics.log” group=”per_sourcetype_thruput” series=”<your_sourcetype_here>” |

eval MB=kb/1024 | chart sum(MB)

By watching everything split by source type:

index=”_internal” source=”*metrics.log” group=”per_sourcetype_thruput” | eval MB=kb/1024 | chart sum(MB) avg(eps) over series

If we are having trouble with a data input and we want a way to troubleshoot it, particularly if our whitelist/blacklist rules are not working the way we expected, we will go to the following URL:

https://yoursplunkhost:8089/services/admin/inputstatus

How to set the default search time in Splunk 6?

To do this in Splunk Enterprise 6.0, we have to use ‘ui-prefs.conf’. If we set the value in the following, all our users would see it as the default setting:

$SPLUNK_HOME/etc/system/local

For example, if our

$SPLUNK_HOME/etc/system/local/ui-prefs.conf file

includes:

[search]

dispatch.earliest_time = @d

dispatch.latest_time = now

The default time range that all users will see in the search app will be today.

The configuration file reference for ui-prefs.conf is here:

http://docs.splunk.com/Documentation/Splunk/latest/Admin/Ui-prefsconf

What is Dispatch Directory?

$SPLUNK_HOME/var/run/splunk/dispatch

contains a directory for each search that is running or has completed. For example, a directory named 1434308943.358 will contain a CSV file of its search results, a search.log with details about the search execution, and other stuff. Using the defaults (which we can override in limits.conf), these directories will be deleted 10 minutes after the search completes—unless the user saves the search results, in which case the results will be deleted after 7 days.

What is the difference between Search Head Pooling and Search Head Clustering?

Both are features provided by Splunk for the high availability of Splunk search head in case any search head goes down. However, the search head cluster is newly introduced and search head pooling will be removed in the next upcoming versions.

The search head cluster is managed by a captain, and the captain controls its slaves. The search head cluster is more reliable and efficient than the search head pooling.

If I want to add folder access logs from a windows machine to Splunk, how do I do it?

Below are the steps to add folder access logs to Splunk:

Enable Object Access Audit through group policy on the Windows machine on which the folder is located
Enable auditing on a specific folder for which we want to monitor logs
Install Splunk universal forwarder on the Windows machine
Configure universal forwarder to send security logs to Splunk indexer

How would you handle/troubleshoot Splunk License Violation Warning?

A license violation warning means that Splunk has indexed more data than our purchased license quota. We have to identify which index/source type has received more data recently than the usual daily data volume. We can check the Splunk license master pool-wise available quota and identify the pool for which the violation has occurred. Once we know the pool for which we are receiving more data, then we have to identify the top source type for which we are receiving more data than the usual data. Once the source type is identified, then we have to find out the source machine which is sending the huge number of logs and the root cause for the same and troubleshoot it, accordingly.

What is MapReduce algorithm?

MapReduce algorithm is the secret behind Splunk’s faster data searching. It’s an algorithm typically used for batch-based large-scale parallelization. It’s inspired by functional programming’s map() and reduce() functions.

How does Splunk avoid the duplicate indexing of logs?

At the indexer, Splunk keeps track of the indexed events in a directory called fishbucket with the default location:

/opt/splunk/var/lib/splunk

It contains seek pointers and CRCs for the files we are indexing, so splunkd can tell us if it has read them already.

See more at:

http://www.learnsplunk.com/splunk-indexer-configuration.html#sthash.t1ixi19P.dpuf.

What is the difference between Splunk SDK and Splunk Framework?

Splunk SDKs are designed to allow us to develop applications from scratch and they do not require Splunk Web or any components from the Splunk App Framework. These are separately licensed from Splunk and do not alter the Splunk Software.

Splunk App Framework resides within the Splunk web server and permits us to customize the Splunk Web UI that comes with the product and develop Splunk apps using the Splunk web server. It is an important part of the features and functionalities of Splunk, which does not license users to modify anything in Splunk.

For what purpose inputlookup and outputlookup are used in Splunk Search?

The inputlookup command is used to search the contents of a lookup table. The lookup table can be a CSV lookup or a KV store lookup. The inputlookup command is considered to be an event-generating command. An event-generating command generates events or reports from one or more indexes without transforming them. There are many commands that come under the event-generating commands such as metadata, loadjob, inputcsv, etc. The inputlookup command is one of them.

Syntax:

inputlookup [append=<bool>] [start=<int>] [max=<int>] [<filename> | <tablename>] [WHERE <search-query>]

Now coming to the outputlookup command, it writes the search results to a static lookup table, or KV store collection, that we specify. The outputlookup command is not being used with external lookups.

Syntax:

outputlookup [append=<bool>] [create_empty=<bool>] [max=<int>] [key_field=<field_name>]

What are types of field extraction. How to mask a data in either of case

Search time field extraction
Index time field extraction

Who analyzes data in a backup system?

With the help of online deduplication. Unnecessary prints are removed as the details have corresponded to the backup storehouse. Inline needs a little backup storehouse it occurs traffic jams.

So, this brings us to the end of the Splunk SIEM Questions blog.This Tecklearn ‘Top Splunk SIEM Interview Questions and Answers’ helps you with commonly asked questions if you are looking out for a job in Splunk SIEM or Big Data Domain. If you wish to learn Splunk SIEM and build a career in Big Data domain, then check out our interactive, Splunk SIEM Security Training, that comes with 24*7 support to guide you throughout your learning period.

https://www.tecklearn.com/course/splunk-siem-security-training/

Splunk SIEM Security Training

About the Course

Splunk SIEM (Security Information and Event Management) training is an industry-designed course for gaining expertise in Splunk Enterprise Security (ES). Splunk Security Intelligence and Enterprise Management is a top tool for enterprise security management and event management. As part of this training, you will learn how to deploy Splunk SIEM for investigating, monitoring and deploying security solutions. You will get an in-depth knowledge of these concepts and will be able to work on related demos. Upon completion of this online training, you will hold a solid understanding and hands-on experience with Splunk SIEM.

Why you take Splunk SIEM Security Training?

The average salary for an Information Security Analyst with Splunk skills is $105,000. – PayScale.com.Splunk SIEM combines patterns, machine learning and threat intelligence to verify all instances within a network. It offers greater scalability to help with network monitoring and works easily with other tools to improve defences.

What you will Learn in this Course?

Introduction to Splunk Security

Splunk security Fundamentals
Traditional security threats
Concept of Security Data model
Describing correlation searches

Investigation and Monitoring

Monitor the dashboard
Investigating of notable events using incident review dashboards
Workflow investigation and relative actions on identified flow

Investigations

Enterprise Security Model
Managing, Visualizing and Coordinating incident investigations using Deployment of ES investigation timelines
Using journals and timelines for documenting breach analysis
Efforts required to mitigate the issues
Security Posture
Incident Review

Risk Analysis and Network Analysis

Risk analysis and identification
Risk dashboard utilization
How to manage the risk scores for objects and users
Network Analysis

Web Intelligence

HTTP category analysis
HTTP user agent analysis
Analyzing traffic size for spotting new threats

About the Splunk Enterprise Security Framework

Spam Assassin Architecture
Email Filter Architecture
ES Solution Architecture
Various Templates

Threat Intelligence

Inspecting threat intelligence content with threat artefact dashboard
Monitoring malicious websites with threat activity dashboard

User Intelligence

Anomaly dashboards for user role and access logs
Identity and asset concepts

Creating and tuning correlation searches

Implementing the add-ons with Splunk

Using the Various Features of SIEM

Deploying Splunk Security Framework on AWS

Got a question for us? Please mention it in the comments section and we will get back to you.

553