Splunk Interview Questions

1. What is a splunk app?

Ans: A Splunk app is a container/directory of Splunk configurations, searches, dashboards, and so on.

Interested in learning Splunk Join hkr and Learn more on Splunk Training! 

2. What features aren't available in Splunk Free?

Ans: 

Splunk Free lacks the following features:

• Authentication as well as scheduled searches and alerts
• Searching at a distance
• TCP/HTTP forwarding (to non-Splunk)
• Management of deployments

3. What actually occurs if the License Master cannot be reached?

Ans: If the license master is not available, the license slave will start a 24-hour timer, after which the license slave's search will be blocked (though indexing continues). Users will not be able to search for data in that slave until it can reconnect to the license master.

4. What exactly is the Splunk Summary Index?

Ans:  The default Splunk index is a summary index (the index that Splunk Enterprise uses if we do not indicate another one).

We may need to create additional summary indexes if we intend to run a variety of summary index reports.

5. What exactly is Splunk DB Connect?

Ans: Splunk DB Connect is a Splunk SQL database plugin that allows us to easily integrate database data with Splunk queries and reports.

6. Where can I find the Splunk Default Configuration?

Ans: $splunkhome/etc/system/default

7. Can you name a few of Splunk's most important configuration files?

Ans:

• props.conf
• indexes.conf 
• inputs.conf 
• Transforms.conf
• Server.conf

8. What are the different types of Splunk licenses?

Ans: 

• License for the enterprise
• License is provided for free.
• Licence as a forwarder
• The beta license
• Permits for search heads (for distributed search)
• Cluster members' licenses (for index replication)

9. What exactly is a Splunk Forwarder? What are the different kinds of Splunk Forwarders?

Ans: Splunk Forwarders are classified into two types, as shown below:

• The Splunk agent is installed on a non-Splunk system to gather data locally; it cannot parse or index data.
• Heavyweight Forwarder (HWF): A complete Splunk instance with advanced functionalities.
• It functions as a remote collector, intermediate forwarder, and possible data filter in general, and because it parses data, it is not recommended for production systems.

10. What is the most recent Splunk version in use?

Ans: Splunk 8.2.1 is a search engine (as of June 21, 2021)

11. What exactly is Splunk Indexer? What are the Splunk Indexing stages?

Ans: Splunk Indexer is the component of Splunk Enterprise that creates and manages indexes. An indexer's primary functions are as follows:

• Incoming data indexing
• Image Searching the Indexed Data

Splunk Training

• Master Your Craft
• Lifetime LMS & Faculty Access
• 24/7 online expert support
• Real-world & Project Based Learning

Explore Curriculum

12. What are the Splunk components? Explain the architecture of Splunk.

Ans: This is one of the most common Splunk interview questions. Splunk's components are listed below:

• Search Head: This component provides a graphical user interface for searching.
• Indexer: Indexes machine data.
• Forwarder: Sends logs to Indexer Deployment Server: Manges Components of Splunk in a distributed environment

13. What exactly is Splunk?

Ans: Splunk is the "Google" of machine-generated data. This is an application which can be used to search, visualize, monitor, and report on our enterprise data. Splunk transforms valuable machine data into powerful operational intelligence by providing real-time insights into our data via charts, alerts, reports, and so on.

14. What are the ports numbers used by the splunk?

Ans: The most common port numbers used by the splunk are:

• Splunk web port:8000
• Splunk management port:8089
• Splunk indexing port:9997
• Splunk Network port:514
• KV store:8191

Intermediate splunk interview questions:

15. Explain the difference between Stats and Transaction commands.

Ans: 

It's another commonly asked splunk interview question that will put Developer or Engineer knowledge to the test. The transaction command is most useful in two situations:

• When a single unique ID (from one or more fields) is insufficient to distinguish between two transactions. This is true when the identifier is reused, as in web sessions recognized by a cookie/client IP. The time span or pauses are also used in this case to segment the data into transactions.
• When an identifier is reused, for example, in DHCP logs, a specific message identifies the start or end of a transaction.
• When it is preferable to see all the raw text of events blended instead of an assessment of the events' component fields.

In the other cases, statistics are usually preferable.

• Because the stats command has a better performance, it could be used more effectively, particularly in a distributed search environment.
• The stats command could be used if there is indeed a unique ID.

16. Could you even create a general regular expression for retrieving IP addresses from logs?

Ans: 

We could indeed extract the IP address from logs in a variety of ways. Here are some examples:

With the help of a regular expression:

rex field= raw "(?ip address>d+.d+.d+.d+.d+.d+.d+)" OR

rex field= raw "(?ip address>([0-9]1,3[.])3[0-9]1,3]0-9]1,3]0-9]1,3]0-9]1,3]0-9]1,3]0-9]1,3]0-9]1,3]0-9]1,3]0-9]1,3]0-9]1,3]0-9]1,3]0 

Sample paragraph above Subscribe button

 We have the perfect professional Splunk Tutorial for you. Enroll now!

Subscribe to our YouTube channel to get new updates..!

Subscribe

17. How do you troubleshoot Splunk performance problems?

Ans: The answer to this question would be extremely broad, but an interviewer would primarily be looking for the following keywords:

• Examine the splunkd.log file for any errors.
• Examine server performance issues such as CPU, memory usage, disk I/O, and so on.
• Configure the SOS (Splunk on Splunk) app and confirm the dashboard for warnings and errors.
• Examine the number of and save searches that are currently active, as well as their use of system resources.
• Setup the Firebug Firefox extension. Log in to Splunk (via Firefox) and launch the Firebug panels. Then, navigate to the 'Net' panel (we will have to enable it).
• The HTTP requests and responses, as well as the time spent on each, will be displayed in the Net panel. This will provide us with a lot of information quickly, such as which requests are causing Splunk to hang, which requests are blameless, and so on.

18. What exactly are buckets? Describe the Splunk Bucket Lifecycle.

Ans:

Splunk stores indexed data in directories known as ‘buckets.' It is a physical directory that contains events from a specific time period.As it ages, a bucket goes through several stages. The following are the stages it goes through:

• A hot bucket is one that contains newly indexed data. It is now open for submissions. Each index may have one or more hot buckets.
• A warm bucket is made up of data that has been rolled out of a hot bucket. There are numerous warm buckets.
• Cold: Data in a cold bucket is rolled out from a warm bucket. There are a lot of icy buckets.
• Frozen: A frozen bucket is made up of data that has been rolled out of a cold bucket. By default, the indexer deletes frozen data, but we can archive it. Data that has been archived can be thawed at a later date (data in a frozen bucket is not searchable).

The buckets have been located in the following locations by default:

$SPLUNK HOME/var/lib/splunk/defaultdb/db

We should be able to see the hot-db and any warm buckets there. Splunk's default bucket size is 10 GB for 64-bit systems and 750 MB for 32-bit systems.

19. What's the distinction between the stats and eventstats commands?

Ans: The stats command generates summary statistics for all existing fields in the search results and saves them as new field values.Eventstats is similar to stats in that the aggregation results are added inline to each event and only if the aggregation is relevant to that event. The eventstats command, like stats, computes requested statistics but aggregates them to the original raw data.

20. Who are Splunk's main direct competitors?

Ans: Splunk's direct competitors include Logstash, Loggly, LogLogic, Sumo Logic, and others.

21. What are Splunk Licenses?

Ans: Splunk licenses limit the amount of data we can index per calendar day.

22. From a licensing standpoint, how does Splunk determine one day?

Ans: In terms of licensing, one day for Splunk is defined as midnight to midnight on the license master's clock.

23. How do you get a Forwarder License?

Ans:They come standard with Splunk. Therefore, there is no need to purchase it separately.

24. What command should be used to restart the Splunk web server?

Ans: This is another common interview question about Splunk commands. Learn everything there is to know about commands. Using the following command, we can restart the Splunk web server.

25. What command should I use to restart Splunk Daemon?

Ans:The Splunk Daemon can be restarted using the following command:

 Splunk start splunkd

26. What command is used to check the status of running Splunk processes on Unix/Linux?

Ans: If we want to inspect the Splunk Enterprise processes that are currently running on Unix/Linux, we can use the following command:

ps aux | grep splunk

27. What command is used to enable Splunk to boot up?

Ans: To get Splunk up and running, run the following command:

$SPLUNK_HOME/bin/splunk enable boot-start

28. How do I disable Splunk's boot-up?

Ans: We can use the following commands to disable Splunk boot-start:

$SPLUNK_HOME/bin/splunk disable boot-start 

29. What is Splunk's Source Type?

Ans: Splunk uses source type to identify data.

Advanced splunk interview questions:

30. How do I change my Splunk Admin password?

31. How do I turn off the Splunk Launch Message?

Ans: Set value OFFENSIVE=Less in splunk_launch.conf  

32. How Do I Delete Splunk's Search History?

Ans: We can delete the following file from the Splunk server to clear the Splunk search history:

$splunk_home/var/log/splunk/searches.log

33. What exactly is Btool? How are you going to troubleshoot Splunk configuration files?

Ans: Splunk Btool seems to be a command-line tool that allows us to troubleshoot configuration file issues or simply see what values our Splunk Enterprise installation is using in the current environment.

34. What is the distinction between the Splunk App and the Splunk Add-on?

Ans: Both contain preconfigured configuration, reports, and so on, but the Splunk add-on does not have a visual app. A Splunk app, on the other hand, comes with a preconfigured visual app.

35. What is the precedence of.conf files in Splunk?

Ans: The order of precedence for files is as follows:

1. The system local directory has the highest priority.
2. Local app directories
3. Default app directories
4. The system default directory has the lowest priority.

36. What exactly is Fishbucket? What exactly is the Fishbucket Index?

Ans: At the default location, Fishbucket is a directory or index:

/opt/splunk/var/lib/splunk

It contains seek pointers and CRCs for the files that were indexed so that ' splunkd' can tell us if it's already read them. We can find it in the GUI by searching for:

index=_thefishbucket

37. How do I prevent Splunk from indexing certain events?

Ans: This is accomplished by defining a regex to match the required event(s) and sending everything else to NullQueue. Here's a simple example that excludes all events that contain the string login:

In Props.conf:

[source::/var/log/foo]

# Transforms must be applied in this order

# to make sure events are dropped on the

# floor prior to making their way to the

# index processor

TRANSFORMS-set= setnull,setparsing

In Transforms.conf;

[setnull] REGEX = . DEST_KEY = queue FORMAT = nullQueue

[setparsing]

REGEX = login

DEST_KEY = queue

FORMAT = indexQueue

38. How do I know when Splunk has completed indexing a log file?

Ans: This is something we can figure out:

By real-time monitoring of data from Splunk's metrics log:

index="_internal" source="*metrics.log" group="per_sourcetype_thruput" series="" |

eval MB=kb/1024 | chart sum(MB)

By watching everything split by source type:

index="_internal" source="*metrics.log" group="per_sourcetype_thruput" | eval MB=kb/1024

Since we are having problems with a data input and want to troubleshoot it, especially if our whitelist/blacklist rules are not working as expected, we will go to the URL:

https://yoursplunkhost:8089/services/admin/inputstatus

39. How do you change the default search time in Splunk 6?

Ans: In Splunk Enterprise 6.0, we must use ‘ui-prefs.conf' to accomplish this. If we set the value to the following, it will be the default setting for all of our users:

$SPLUNK_HOME/etc/system/local

For example, if our

$SPLUNK_HOME/etc/system/local/ui-prefs.conf file

includes:

[search]

dispatch.earliest_time = @d

dispatch.latest_time = now

The search app's default time range for all users will be today.

The ui-prefs.conf configuration file is referenced here: http://docs.splunk.com/Documentation/Splunk/latest/Admin/Ui-prefsconf

40. What is the Dispatch Directory?

Ans: $SPLUNK_HOME/var/run/splunk/dispatch
Includes a directory for every search that's also actually running or which has been completed. A directory decided to name 1434308943.358, for instance, will encompass a CSV file containing the search results, a search.log containing details about the search execution, and other files. Using the defaults (which we can change in limits.conf), these directories will be deleted 10 minutes after the search is finished—unless the user saves the search results, in which case they will be deleted after 7 days.

41. What exactly is the distinction between Search Head Pooling and Search Head Clustering?

Ans: Both are Splunk features that ensure the high reliability of Splunk search heads in the event that any search head fails. However, the search head cluster is new, and search head pooling will be removed in future versions.

A captain commands the search head cluster, and the captain commands its slaves. The search head cluster outperforms the search head pooling in terms of dependability and efficiency.

42. How do I import folder access logs from a Windows machine into Splunk?

Ans: The following are the steps for adding folder access logs to Splunk:

• Enable Object Access Audit via group policy on the Windows machine that contains the folder.
• Enable auditing on the folder where we want to monitor logs.
• Install the Splunk universal forwarder on your Windows machine.
• Configure the universal forwarder to send Splunk indexer security logs.

43. What exactly is the MapReduce algorithm?

Ans: Splunk's fast information searching is made possible by the MapReduce algorithm. It is a common algorithm for batch-based large-scale parallelization. It is inspired by the map() and reduce() functions in functional programming.

44. How does Splunk work?

Ans: Splunk's operatio16)n can be divided into three major parts:

1. Forwarder: Think of it as a dumb agent whose main job is to collect data from various sources, such as remote machines, and send it to the indexer.
2. Indexer: The indexer will then process the data in real-time before storing and indexing it on the localhost or cloud server.
3. Search Head: It enables the end user to interact with the data and perform operations such as searching, analyzing, and visualizing the information.

45. What are Splunk pivots and data models?

Ans: Splunk data models are being used when it is important to process large amounts of unstructured data and start creating a comprehensive structure without running complex search queries on the data. Data models are widely used in the creation of sales reports, the addition of access levels, and the creation of an authorization framework for different applications.
Pivots, but on the other hand, allow you to create various viewpoints and then see the results as you need them. Even non-technical supervisors of stakeholders could indeed create views and obtain more information about their departments using pivots.

46. How many different types of dashboards are there in splunk?

Ans: Splunk offers three different types of dashboards:

1. Dashboards that are u18pdated in real time
2. Dashboards with dynamic forms
3. Scheduled report dashboards

47. How to stop/start the Splunk service?

Ans: The command for starting Splunk service:

./splunk start

The command for stopping Splunk service:

./splunk stop

48. What exactly is Splunk Administration?

Ans: Splunk is primarily used to make machine data accessible, usable, and useful to everyone. It also aids in the examination of the massive volume of machine data generated by technology infrastructure and IT systems in virtual, physical, and cloud environments.

                  Want to get certified in Splunk Learn from our experts and do excel in your career with hkr's Splunk Online Course

49. What role does Splunk play in the organization?

50. What are the prerequisites for Splunk Administration training?

Ans: There are no specific prerequisites for taking Splunk Administration training, but desired aspirants with subject knowledge skills in system administration, Linux, Windows, and so on will have an advantage.

51. Who is eligible for Splunk Administration training at reputable institutions?

Ans: Aspirants who want to become Splunk Administration experts in today's IT world can enroll in this course. IT employees, data security professionals, business analytics professionals, Splunk beginners, and Big Data technology experts can all benefit from taking the course.

52. What exactly is Splunk free?

53. How do I set up Splunk?

Ans: The Splunk configuration files are the main brains behind Splunk's operation, controlling the entire behavior of Splunk. All of the files are saved with the.conf extension and can be easily edited or read with the appropriate access.

54. How does a career in Splunk Administration look?

Ans: When compared to other techniques, Splunk's Administration career is incredibly profitable, with experts earning the best earning pay scale. Splunk careers offer a wide range of job opportunities, including system engineers, software engineers, programmer analysts, security professionals, solutions architects, and technology consulting managers.

55. Why should you use Splunk over other open-source alternatives?

Ans: Splunk administration is up against tough opposition in order to determine validity, improve business intelligence, and provide security and managing IT operations.

56. Why is Splunk administration used for machine data analysis?

57. How do you explain Splunk's operation?

Ans: Splunk administration is built around three main components: forwarded, indexer, and search head.

Lets's get started with Splunk Tutorial online !

58. What role does a deployment server play in Splunk administration?

59. Is it possible to use user authentication systems with Splunk administration?

60. What does Splunk cloud administration entail?

Ans: The Splunk cloud administrator will handle the majority of the tasks in order to make the best use of the data.

61. What exactly do you mean by Splunk Administration? What is the most recent version of the Splunk tool?

Ans: Splunk can be thought of as a platform that makes data available to users. Data generated by hardware devices, networks, servers, and other sources can be easily viewed. Splunk administration aids in the analysis of large amounts of data that are used in a variety of IT operations, security, threat detection, and fraud detection. Splunk is a critical data analytics tool used in businesses.

62. Can you delete the platform's search history?

Ans: You can clear the search history by deleting ‘$splunk home/var/log/splunk/searches.log' from the Splunk server.

63. How do you turn off the launch message that appears on the platform?

Ans: To disable the message service, set a value like ‘OFFENSIVE=Less in splunk launch.conf' on the platform

64. Which features are missing if you use a free version of Splunk?

65. What role does License Master play in Splunk?

Ans: This platform license is in charge of ensuring that the appropriate amount of data is submitted to the index. The license is activated based on the amount of data that flows into it within 24 hours. It also helps to ensure that the platform's environment stays within the volume of data that it receives.

66. How do you install and update Splunk Enterprise?

Ans: Splunk enterprise installation must be kept private, and you must verify the hardware compatibility so that the framework can be implemented efficiently. Following verification, you could indeed install the organization on operating systems like windows, Linux, MoS, and others. Furthermore, you can upgrade the enterprise when necessary.

67. How do I find or change the current LDAP configurations?

Ans: To explore or adjust the current LDAP configurations, follow these steps: Under users & authentication, click the access control button. Then click LDAP, and from the resulting page, you can easily control specific strategies, view information, and track the LDAP mappings to Splunk roles.

68. Name the common port numbers that the Splunk platform uses.

Ans. The following are the commonly used port numbers by the platform Splunk.:-

• Splunk Web Port - 8000
• Splunk Indexing Port - 9997
• Splunk Network Port - 514
• Splunk Management Port - 8089
• Splunk Index Replication Port - 8080
• VK Store - 8191

69. What is Splunk Forwarder, and what are its different types?

Ans: Splunk forwarder is a component of Splunk architecture that acts as an agent to collect logs from the remote machines. It forwards these logs to the indexer for storage and further processing. The following are the two types of Splunk Forwarders:-

• Universal Forwarder
• Heavy Forwarder

Universal Forwarder - A Universal Forwarder in Splunk is the best forwarder to send the raw data to an indexer without processing. It performs initial processing and data analysis before sending it to the indexer.

Heavy Forwarder - It is a heavy component that helps to process and filter the required data. Using a heavy forwarder can resolve many problems as it processes data at the source before forwarding the same to the indexer.

70. Explain the different types of Alerts available in Splunk.

71. Define Splunk Indexer

Ans: Splunk Indexer is a Splunk component that helps to build and manage indexes. Further, it indexes and stores the incoming data from the forwarder. The indexer helps to transform the incoming data into various events and stores the same within indexes to execute search operations effectively.

72. Distinguish between Splunk and Spark

Ans:

Splunk platform is useful for collecting huge amounts of machine-generated data and supports easy integration with Hadoop. It also makes it available for access to a large audience. Also, it works in a streaming mode. 

Spark is an open-source software used for big data processing. It is mostly used with Apache projects and works on both streaming and batch mode.

73. Explain the different versions of Splunk.

Ans: Splunk has three different versions- Splunk Enterprise, Splunk Light, and Splunk Cloud. Let us know more about these Splunk versions,

• Splunk Enterprise:- Many IT organizations use the Splunk’s Enterprise edition that helps to analyze data from different apps and websites. 
• Splunk Cloud:- This edition is a Software as a Service (SaaS) that provides similar features to Splunk Enterprise Edition.
• Splunk Light:- This free edition of Splunk software allows us to search, edit, and report users' log data. The Splunk light version has very limited features compared to the other versions.

74. Name the different Splunk Licenses types?

75. Explain the different search modes in Splunk.

Ans: There are various search modes that the Splunk platform holds, such as.

• Fast
• Verbose
• Smart

• Fast - This search mode is useful to speed up searches by limiting the data types returned by searches.
• Verbose - This search mode in Splunk is useful to return full event information, but it has a very slow search performance. 
• Smart - The smart mode toggles search behavior based on your search contains. It behaves in a fast manner when the search includes transforming commands. Otherwise, it works in verbose mode.

76. What is meant by Splunk App?

77. Name the most important Splunk configuration files.

78. Name the most important search commands in the Splunk platform.

79. Explain the MapReduce algorithm in Splunk.

Ans: MapReduce is a programming model that helps in processing large data sets. In Splunk, this algorithm is useful for fast data searching. Moreover, it helps to process large data sets through a parallel and distributed algorithm on a cluster.

Conclusion:
In the above blog post we had covered all the important splunk admin interview questions These questions help the individuals to crack the interview process easily. If you found anything not covered please drop your query in the comments section to get them answered.