Splunk Interview Questions

  • What is Splunk? Why is Splunk used for analyzing machine data?

Splunk is a platform that gives people visibility into machine data generated by hardware devices, networks, servers, IoT devices and other sources.
Splunk is used for analyzing machine data because it can give insights into application management, IT operations, security, compliance, fraud detection, threat visibility, etc.

  • Explain how Splunk works.

The Forwarder acts like a dumb agent that collects the data from the source and forwards it to the Indexer. The Indexer stores the data locally on a host machine or in the cloud. The Search Head is then used for searching, analyzing, visualizing and performing various other functions on the data stored in the Indexer.

  • What are the components of Splunk?

The main components of Splunk are Forwarders, Indexers and Search Heads. You can then mention that another component, called the Deployment Server (or Management Console Host), comes into the picture in a larger environment. Deployment servers:
- act like an antivirus policy server for setting up exceptions and groups, so that you can map and create a different set of data collection policies for Windows-based, Linux-based and Solaris-based servers;
- can be used to control different applications running on different operating systems from a central location;
- can be used to deploy the configurations and set policies for different applications from a central location.
Making use of deployment servers is an advantage because connotations, path naming conventions and machine naming conventions, which are independent of every host/machine, can be easily controlled using the deployment server.

  • Why use only Splunk? Why can’t I go for something that is open source?

Splunk has a lot of competition in the market for analyzing machine logs, doing business intelligence, performing IT operations and providing security. But there is no single tool other than Splunk that can do all of these operations, and that is where Splunk stands out and makes a difference. With Splunk you can easily scale up your infrastructure and get professional support from the company backing the platform. Some of its competitors are Sumo Logic in the cloud log-management space and ELK in the open-source category. You can refer to the table below to understand how Splunk fares against other popular tools feature-wise.

  • Which Splunk Roles can share the same machine?

In small deployments, most of the roles, including Indexer, Search Head and License Master, can be shared on the same machine. However, in larger deployments the preferred practice is to host each role on a stand-alone host. Details about roles that can be shared even in larger deployments are given below:

Strategically, Indexers and Search Heads should have physically dedicated machines. Using virtual machines to run the instances separately is not the solution, because there are guidelines that need to be followed for using compute resources, and spinning up multiple virtual machines on the same physical hardware can cause performance degradation.
However, a License Master and a Deployment Server can be implemented on the same physical box by running them in separate virtual machines on that instance.
You can spin up another virtual machine on the same instance to host the Cluster Master, as long as the Deployment Master is not hosted in a parallel virtual machine on that same instance, because the number of connections coming to the Deployment Server will be very high.
This is because the Deployment Server caters not only to the requests coming from the Deployment Master, but also to the requests coming from the Forwarders.

  • What are the unique benefits of getting data into a Splunk instance via Forwarders?

The benefits of getting data into Splunk via forwarders are bandwidth throttling, a TCP connection and an encrypted SSL connection for transferring data from a forwarder to an indexer. The data forwarded to the indexers is also load balanced by default, and even if one indexer is down due to a network outage or maintenance, that data can be routed to another indexer instance in a very short time. Also, the forwarder caches the events locally before forwarding them, thus creating a temporary backup of that data.
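As an added illustration (not from the original article), the forwarder and indexer settings below exercise each point above: load balancing across two indexers, acknowledged delivery with a local queue, a TLS connection with mutual certificate checks, and a bandwidth cap. Host names, file paths and sizes are assumptions, and the `sslPassword` values are placeholders. Splunk .conf files take comments only on their own lines, which is how they are written here.

```ini
# --- Universal forwarder: $SPLUNK_HOME/etc/system/local/outputs.conf (example) ---
[tcpout]
defaultGroup = prod_indexers

[tcpout:prod_indexers]
# Two indexers: the forwarder load-balances across them and moves on
# to the other one when a connection drops (outage or maintenance).
server = idx1.example.internal:9997, idx2.example.internal:9997
# Seconds before the forwarder rotates to the next indexer in the list.
autoLBFrequency = 30
# Keep events queued locally until the indexer confirms they were written.
useACK = true
# Size of the local buffer that holds events while no indexer is reachable.
maxQueueSize = 500MB
# TLS: present a client certificate and verify the indexer's certificate.
clientCert = $SPLUNK_HOME/etc/auth/forwarder.pem
sslPassword = <REPLACE_WITH_KEY_PASSPHRASE>
sslVerifyServerCert = true

# --- Universal forwarder: $SPLUNK_HOME/etc/system/local/limits.conf (example) ---
[thruput]
# Bandwidth cap in KB/s for data leaving this forwarder (0 disables the cap).
maxKBps = 512

# --- Forwarder and indexer: $SPLUNK_HOME/etc/system/local/server.conf (example) ---
[sslConfig]
# Both sides trust the same internal CA that issued the certificates above.
sslRootCAPath = $SPLUNK_HOME/etc/auth/ca.pem

# --- Indexer: $SPLUNK_HOME/etc/system/local/inputs.conf (example) ---
[splunktcp-ssl:9997]
disabled = 0

[SSL]
serverCert = $SPLUNK_HOME/etc/auth/indexer.pem
sslPassword = <REPLACE_WITH_KEY_PASSPHRASE>
# Refuse forwarders that cannot present a certificate chained to the CA.
requireClientCert = true
```

After a restart, `splunk list forward-server` on the forwarder shows which indexers in the group are active, and a deliberately stopped indexer should move to the inactive list without data loss because of `useACK` and the queue.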

  • What is the use of License Master in Splunk?

The License Master in Splunk is responsible for making sure that the right amount of data gets indexed. A Splunk license is based on the volume of data that comes into the platform within a 24-hour window, and thus it is important to make sure that the environment stays within the limits of the purchased volume.
Consider a scenario where you get 300 GB of data on day one, 500 GB the next day, 1 terabyte some other day, and then it suddenly drops to 100 GB on another day. Then you should ideally have a 1 terabyte/day licensing model. The License Master thus makes sure that the indexers within the Splunk deployment have sufficient capacity and are licensing the right amount of data.

  • What happens if the License Master is unreachable?

If the License Master is unreachable, it is simply not possible to search the data. However, the data coming into the Indexer will not be affected. The data will continue to flow into your Splunk deployment and the Indexers will continue to index the data as usual; however, you will get a warning message at the top of your Search Head or web UI saying that you have exceeded the indexing volume and that you either need to reduce the amount of data coming in or buy a higher-capacity license.
Basically, the candidate is expected to answer that indexing does not stop; only searching is halted.

  • Explain ‘license violation’ from Splunk perspective.

If you exceed the data limit, you will be shown a ‘license violation’ error. The license warning that is thrown up will persist for 14 days. With a commercial license you can have 5 warnings within a 30-day rolling window, after which your Indexer’s search results and reports stop triggering. In the free version, however, you get only 3 warnings.

  • Give a few use cases of Knowledge objects.

Knowledge objects can be used in many domains. A few examples are:

Physical Security: If your organization deals with physical security, then you can leverage data containing information about earthquakes, volcanoes, flooding, etc. to gain valuable insights.

Application Monitoring: By using knowledge objects, you can monitor your applications in real time and configure alerts that notify you when your application crashes or any downtime occurs.

Network Security: You can increase security in your systems by blacklisting certain IPs from getting into your network. This can be done using the knowledge object called lookups.

Employee Management: If you want to monitor the activity of people who are serving their notice period, then you can create a list of those people and create a rule preventing them from copying data and using it outside.

Easier Searching of Data: With knowledge objects you can tag information, create event types and create search constraints right at the start, and shorten them so that they are easy to remember, correlate and understand rather than writing long search queries. Those constraints, where you put your search conditions and shorten them, are called event types.

These are some of the operations that can be done, from a non-technical perspective, by using knowledge objects. Knowledge objects are where Splunk is actually applied to the business, which means Splunk interview questions are incomplete without knowledge objects.
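As an added example (not from the article) tying together the lookup use case under Network Security and the event types and tags under Easier Searching of Data: a small Splunk app that flags allowed inbound connections whose source address appears in a blocklist lookup and raises a scheduled alert. The `firewall` index, field names (`src_ip`, `dest_ip`, `action`, `direction`), file names and alert name are assumptions, and the CSV rows are constructed sample data.

```ini
# --- lookups/ip_blocklist.csv (constructed sample data, shown as comments) ---
# ip,threat_category,listed_on
# 203.0.113.7,scanner,2015-10-01
# 198.51.100.22,c2,2015-10-03

# --- default/transforms.conf: the lookup knowledge object ---
[ip_blocklist]
filename = ip_blocklist.csv

# --- default/eventtypes.conf: a short name for a long search constraint ---
[fw_inbound_allowed]
search = index=firewall action=allowed direction=inbound

# --- default/tags.conf: tag the event type so tag=network finds it too ---
[eventtype=fw_inbound_allowed]
network = enabled
communicate = enabled

# --- default/savedsearches.conf: scheduled alert built on the objects above ---
[Blocklisted source allowed inbound]
# The lookup adds threat_category and listed_on only to events whose src_ip
# matches a row in the CSV; the where clause keeps just those matches.
search = eventtype=fw_inbound_allowed \
| lookup ip_blocklist ip AS src_ip OUTPUT threat_category listed_on \
| where isnotnull(threat_category) \
| stats count AS hits values(dest_ip) AS targets by src_ip threat_category listed_on
enableSched = 1
cron_schedule = */15 * * * *
dispatch.earliest_time = -15m
dispatch.latest_time = now
# Fire when at least one matching event is found in the window.
counttype = number of events
relation = greater than
quantity = 0
alert.severity = 4
alert.track = 1
```

Running `eventtype=fw_inbound_allowed` or `tag=network` interactively returns the same events the alert evaluates, which is the point of defining the constraint once as a knowledge object.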

  • Which is the latest Splunk version in use?

Latest version release: Splunk 6.3

  • What is a Splunk indexer? What are the stages of Splunk indexing?

The indexer is the Splunk Enterprise component that creates and manages indexes. The primary functions of an indexer are:
- Indexing incoming data.
- Searching the indexed data.

  • What is a Splunk forwarder and what are the types of Splunk forwarder?

There are two types of Splunk forwarder:
a) Universal forwarder (UF): a Splunk agent installed on a non-Splunk system to gather data locally; it can’t parse or index data.
b) Heavyweight forwarder (HWF): a full instance of Splunk with advanced functionality that generally works as a remote collector, intermediate forwarder and possible data filter, because it parses data; they are not recommended for production systems.
  • What are the most important configuration files of Splunk, OR can you name a few important configuration files in Splunk?

  • What are the types of Splunk licenses?

- Enterprise license
- Free license
- Forwarder license
- Beta license
- Licenses for search heads (for distributed search)
- Licenses for cluster members (for index replication)

  • What is a Splunk app?

A Splunk app is a container/directory of configurations, searches, dashboards, etc. in Splunk.

  • Where is the Splunk default configuration stored?

  • What features are not available in Splunk Free?

Splunk Free lacks these features:
- authentication and scheduled searches/alerting
- distributed search
- forwarding over TCP/HTTP (to non-Splunk systems)
- deployment management

  • What is a summary index in Splunk?

The summary index is the default summary index (the index that Splunk Enterprise uses if you do not indicate another one). If you plan to run a variety of summary index reports, you may need to create additional summary indexes.

  • What is Splunk DB Connect?

Splunk DB Connect is a generic SQL database plugin for Splunk that allows you to easily integrate database information with Splunk queries and reports.

  • How to troubleshoot Splunk performance issues?

The answer to this question could be very wide, but basically the interviewer would be looking for the following keywords:
- Check splunkd.log for any errors.
- Check for server performance issues, i.e. CPU/memory usage, disk I/O, etc.
- Install the SOS (Splunk on Splunk) app and check for warnings and errors in its dashboards.
- Check the number of saved searches currently running and their system resource consumption.
- Install Firebug, a Firefox extension. After it is installed and enabled, log into Splunk (using Firefox), open Firebug’s panels and switch to the ‘Net’ panel (you will have to enable it). The Net panel shows the HTTP requests and responses along with the time spent in each. This quickly gives you a lot of information about which requests are hanging Splunk for a few seconds and which are blameless.

  • Who are the biggest direct competitors to Splunk?

Logstash, Loggly, LogLogic, Sumo Logic, etc.

  • Splunk licenses specify what?

How much data you can index per calendar day.
