Splunk Interview Questions with Answers
Question: 1. What Is Splunk?
Answer:
Splunk is Google to your system facts.It’s a software program/Engine which can be used for searching, visualizing, Monitoring, reporting and so forth of your company data. Splunk takes precious system statistics and turns it into effective operational intelligence with the aid of supplying actual time perception in your records thru charts,alerts,reviews and many others.
Question: 2. What Are Components Of Splunk/splunk Architecture?
Answer:
Below are additives of splunk:
Search head – affords GUI for searching
Indexer – indexes machine information
Forwarder -Forwards logs to Indexer
Deployment server -Manges splunk components in disbursed surroundings
Python Interview Questions
Question three. Which Is Latest Splunk Version In Use?
Answer:
Splunk 6.3.
Question: 4. What Is Splunk Indexer?What Are Stages Of Splunk Indexing?
Answer:
The indexer is the Splunk Enterprise thing that creates and manages indexes. The number one features of an indexer are:
Indexing incoming information.
Searching the listed information.
Python Tutorial
Question 5. What Is A Splunk Forwarder And What Are Types Of Splunk Forwarder?
Answer:
There are two styles of splunk forwarder as underneath:
frequent forwarder(UF) -Splunk agent set up on non-Splunk machine to gather facts regionally, can’t parse or indexdata
Heavy weight forwarder(HWF) – complete example of splunk with develop functionality.
Generally works as a far flung collector, intermediate forwarder, and possible statistics clear out because they parse data, they may be not recommended for manufacturing structures
Informatica Interview Questions
Question 6. What Are Most Important Configuration Files Of Splunk Or Can You Tell Name Of Few Important Configuration Files In Splunk?
Answer:
props.Conf
indexes.Conf
inputs.Conf
transforms.Conf
server.Conf
Question 7. What Are Types Of Splunk Licenses?
Answer:
Enterprise license
Free license
Forwarder license
Beta license
Licenses for seek heads (for distributed search)
Licenses for cluster contributors (for index replication)
Informatica Tutorial Adv Java Interview Questions
Question eight. What Is Splunk App?
Answer:
Splunk app is field/directory of configurations,searches,dashboards and many others. In splunk
Question: nine. Where Does Splunk Default Configuration Is Stored?
Answer:
$splunkhome/etc/machine/default
Hadoop Interview Questions
Question 10. What Features Are Not Available In Splunk Free ?
Answer:
Splunk unfastened lacks these features:
Authentication and scheduled searches/alerting
Distributed search
Forwarding in TCP/HTTP (to non-splunk)
Deployment control
Adv Java Tutorial
Question eleven. What Happens If The License Master Is Unreachable?
Answer:
License slave will start a 24-hour timer, after which seek will be blocked at the license slave (although indexing maintains). Customers Will no longer be able to seek data in that slave until it is able to attain license grasp once more.
Qlik View Interview Questions
Question 12. What Is Summary Index In Splunk?
Answer:
The Summary index is the default precis index (the index that Splunk Enterprise uses if you do now not suggest some other one).
If you plan to run a variety of precis index reports you may need to create additional precis indexes.
Python Interview Questions
Question thirteen. What Is Splunk Db Connect?
Answer:
Splunk DB Connect is a customary SQL database plugin for Splunk that permits you to without problems integrate database facts with Splunk queries and reports.
Hadoop Tutorial
Question 14. Can You Write Down A General Regular Expression For Extracting Ip Address From Logs?
Answer:
There are more than one approaches we can extract ip address from logs.Below are few examples.
Regular Expression for extracting ip address:
rex area=_raw “(?
OR
rex discipline=_raw “(?
Question: 15. What Is Difference Between Stats Vs Transaction Command?
Answer:
The transaction command is most beneficial in two specific instances:
Unique identification (from one or more fields) by myself isn’t sufficient to discriminate among transactions. This is the case when the identifier is reused, for example internet classes diagnosed by cookie/purchaser IP. In this case, time span or pauses also are used to segment the facts into transactions. In other instances when an identifier is reused, say in DHCP logs, a selected message might also pick out the start or end of a transaction. When it’s miles applicable to look the uncooked textual content of the events combined rather than analysis at the constituent fields of the occasions.
In different instances, it’s usually better to apply stats as the overall performance is better, in particular in a allotted seek surroundings. Often there is a completely unique identity and stats can be used.
Mobile Testing Interview Questions
Question sixteen. How To Troubleshoot Splunk Performance Issues?
Answer:
Check splunkd.Log for any errors
Check server performance problems i.E. Cpu/memory usage,disk i/o etc
Install SOS (Splunk on splunk) app and check for warning and errors in dashboard
check range of stored searches presently strolling and their device assets consumption set up Firebug, that is a firefox extension. After it’s installed and enabled, log into splunk (the use of firefox), open firebug’s panels, transfer to the ‘Net’ panel (you’ll have to allow it).The Net panel will display you the HTTP requestsand responses at the side of the time spent in each. This will come up with a variety of facts fast over which requests are striking splunk for a few seconds, and that are innocent. And many others..
Qlik View Tutorial
Question 17. What Are Buckets? Explain Splunk Bucket Lifecycle?
Answer:
Splunk locations indexed information in directories, referred to as as “buckets”. It is bodily a listing containing activities of a certain period.
A bucket moves through several ranges because it a while:
Hot: Contains newly listed statistics. Open for writing. One or more hot buckets for every index.
Warm: Data rolled from hot. There are many heat buckets.
Colld: Data rolled from warm. There are many cold buckets.
Frozen: Data rolled from cold. The indexer deletes frozen information through default, but you could additionally archive it. Archived facts can later be thawed (Data in frozenbuckets isn’t always searchable)
By default, your buckets are positioned in $SPLUNK_HOME/var/lib/splunk/defaultdb/db. You should see the recent-db there, and any heat buckets you have got.By default, Splunk sets the bucket length to 10GB for 64bit structures and 750MB on 32bit structures.
Hadoop Administration Interview Questions
Question 18. What Is The Difference Between Stats And Eventstats Commands?
Answer:
Stats command generate precis information of all existing fields on your search effects and save them as values in new fields. Eventstats is much like the stats command, except that aggregation results are brought inline to every occasion and best if the aggregation is pertinent to that event. Eventstats computes the requested data like stats, but aggregates them to the original raw records.
Informatica Interview Questions
Question 19. Who Are The Biggest Direct Competitors To Splunk?
Answer:
logstash
Loggly
Loglogic
sumo good judgment and many others..
Mobile Testing Tutorial
Question 20. Splunk Licenses Specify What ?
Answer:
How tons statistics you could index according to calendar day.?
NoSQL Interview Questions
Question 21. How Does Splunk Determine 1 Day, From A Licensing Perspective ?
Answer:
Midnight to midnight at the clock of the license master.
Question: 22. How Are Forwarder Licenses Purchased ?
Answer:
They are covered with splunk, no need to buy one at a time.
Web analytics Tutorial
Question 23. What Is Command For Restarting Just The Splunk Webserver?
Answer:
Splunk start splunkweb
Mobile Developer Interview Questions
Question 24. What Is Command For Restarting Just The Splunk Daemon?
Answer:
Splunk start splunkd.
Adv Java Interview Questions
Question 25. What Is Command To Check For Running Splunk Processes On Unix/linux ?
Answer:
ps aux enable boot-begin.
Web analytics Interview Questions
Question 27. How To Disable Splunk Boot Start?
Answer:
$SPLUNK_HOME/bin/splunk disable boot-start
Hadoop Interview Questions
Question 28. What Is Sourcetype In Splunk?
Answer:
Sourcetype is splunk manner of figuring out records
Question: 29. How To Reset Splunk Admin Password?
Answer:
To reset your password log in to server on which splunk is mounted and rename passwd document at beneath vicinity after which restart splunk.After restart you can login the use of default username: admin password: changeme
$splunk-homeetcpasswd
Check Point Certified Security Administrator (CCSA) Interview Questions
Question 30. How To Disable Splunk Launch Message?
Answer:
Set price OFFENSIVE=Less in splunk_launch.Conf
Question: 31. How To Clear Splunk Search History?
Answer:
Delete following record on splunk server :
$splunk_home/var/log/splunk/searches.Log
Question: 32. What Is Btool Or How Will You Troubleshoot Splunk Configuration Files?
Answer:
Splunk btool is a command line tool that helps us to troubleshoot configuration document issues or simply see what values are being utilized by your Splunk Enterprise installation in present environment
Advanced SAS Interview Questions
Question 33. What Is Difference Between Splunk App And Splunk Add On?
Answer:
Basically both incorporates preconfigured configuration and reports etc but splunk add on do now not have visible app. Splunk apps have preconfigured visual app.
Qlik View Interview Questions
Question 34. What Is .Conf Files Precedence In Splunk?
Answer:
File priority is as follows:
System nearby listing: maximum priority
App local directories
App default directories
System default directory: lowest precedence
Question 35. What Is Fishbucket Or What Is Fishbucket Index?
Answer:
It’s a directory or index at default region /choose/splunk/var/lib/splunk .It incorporates are seeking hints and CRCs for the files you’re indexing, so splunkd can tell if it has study them already.We can access it via GUI by seraching for “index=_thefishbucket”
Question: 36. How Do I Exclude Some Events From Being Indexed By Splunk?
Answer:
This may be achieved by way of defining a regex to healthy the necessary event(s) and ship the whole lot else to nullqueue.Here is a basic instance in an effort to drop everything besides activities that include the string login In props.Conf:[source::/var/log/foo]
# Transforms must be carried out on this order
# to make certain occasions are dropped on the
# floor previous to making their way to the
# index processor
TRANSFORMS-set= setnull,setparsing
In transforms.Conf
[setnull] REGEX = . DEST_KEY = queue FORMAT = nullQueue
[setparsing]
REGEX = login
DEST_KEY = queue
FORMAT = indexQueue
Mobile Testing Interview Questions
Question 37. How Can I Tell When Splunk Is Finished Indexing A Log File?
Answer:
By watching information from splunk’s metrics log in actual-time.
Index=”_internal” source=”*metrics.Log” institution=”per_sourcetype_thruput” series
eval MB=kb/1024 to look at the whole thing going on cut up by way of sourcetype….
Index=”_internal” supply=”*metrics.Log” institution=”per_sourcetype_thruput” series
And in case you’re having hassle with a facts input and you want a way to troubleshoot it, especially in case your whitelist/blacklist rules aren’t working the way you anticipate.
Question: 38. What Is Dispatch Directory?
Answer:
$SPLUNK_HOME/var/run/splunk/dispatch contains a directory for each search this is strolling or has completed. For instance, a directory named 1434308943.358 will comprise a CSV document of its search outcomes, a search.Log with information about the quest execution, and different stuff. Using the defaults (which you could override in limits.Conf), those directories might be deleted 10 mins after the quest completes – until the consumer saves the quest results, in which case the consequences will be deleted after 7 days.
Question: 39. What Is Difference Between Search Head Pooling And Search Head Clustering?
Answer:
Both are capabilities furnished splunk for high availability of splunk search head in case someone seek head is going down.Search head cluster is newly delivered and seek head pooling will be removed in subsequent upcoming versions.Search head cluster is managed by using captain and captain controls its slaves.Search head cluster is greater dependable and green than seek head pooling.
Question: forty. If I Want Add/onboard Folder Access Logs From A Windows Machine To Splunk How Can I Add Same?
Answer:
Below are steps to feature folder get entry to logs to splunk:
Enable Object Access Audit thru institution coverage on home windows system on which folder is positioned
Enable auditing on precise folder for which you need to screen logs
Install splunk prevalent forwarder on home windows device
Configure time-honored forwarder to ship safety logs to splunk indexer
Hadoop Administration Interview Questions
Question 41. How Would You Handle/troubleshoot Splunk License Violation Warning Error?
Answer:
License violation warning method splunk has indexed extra facts than our bought license quota.We have to perceive which index/sourcetype has obtained greater facts currently than common each day records volume.We can take a look at on splunk license master pool wise to be had quota and perceive the pool for which violation is happening.Once we recognise the pool for which we’re receiving extra statistics then we have to discover pinnacle sourcetype for which we are receiving extra facts than usual facts.Once sourcetype is diagnosed then we need to find out supply device that’s sending huge wide variety of logs and root purpose for the same and troubleshoot consequently.
Question: forty two. What Is Mapreduce Algorithm?
Answer:
Mapreduce algorithm is secret in the back of splunk fast data looking pace.It’s an algorithm usually used for batch based totally huge scale parallelization.It’s stimulated through useful programming’s map() and reduce () features.
NoSQL Interview Questions
Question 43. How Splunk Avoids Duplicate Indexing Of Logs ?
Answer:
At indexer splunk maintains tune of indexed occasions in a directory called fish buckets (default location /opt/splunk/var/lib/splunk).
It incorporates are seeking recommendations and CRCs for the files you are indexing, so splunkd can tell if it has study them already.
Question: forty four. What Is Difference Between Splunk Sdk And Splunk Framework?
Answer:
Splunk SDKs are designed to assist you to increase applications from the ground up and now not require Splunk Web or any additives from the Splunk App Framework. These are one by one certified to you from the Splunk Software and do not modify the Splunk Software.Splunk App Framework resides within Splunk’s net server and permits you to customize the Splunk Web UI that comes with the product and increase Splunk apps using the Splunk internet server. It is an vital part of the features and functionalities of Splunk Software , which does now not license customers to alter something within the Splunk Software.
allow=”accelerometer; autoplay; encrypted-media; gyroscope; picture-in-picture” allowfullscreen=””>