Blog

Splunk Software Interview Questions & Answers

August 5, 2020
Posted by: Laraonline2020
Category: Interview Question and Answers Splunk Technology

INTRODUCTION ON SPLUNK Software

Splunk is a software that is used widely for monitoring, searching, analyzing, and visualizing machine-generated data in real-time. It also performs capturing, indexing, and correlating real-time data in a searchable container and produces graphs, alerts, dashboards, and visualization. Splunk provides easy access to data for the whole organization. It helps in easy diagnostics and solutions to various business problems.

Listed are a few questions and answers that will help you clear any interview in regards to Splunk. This article will help any fresher or experienced person to clear their interview without any hassle.

1. Define Splunk Software?

It is a technology that is used for searching, visualizing, and monitoring machine-generated data. It monitors different types of log files and stores data in indexer.

2. What are the common ports used in Splunk Software?

Listed are the few common ports that Splunk uses:

Web port: 8000
Management Port: 8089
Network Port: 514
Index Replication Poret1:8080
Indexing Port: 9997
KV Store: 8191

3. Define the components of Splunk Software?

The main components of Splunk Software are:

Universal forward: It’s a data which inserts the lightweight components to Splunk forwarder.
Heavy forward: Don’t judge by its word heavy but is allows the require data-heavy components to be filtered
Search head: It is used to gain intelligence and to perform reporting components.
License manager: This is based on usage and volume. The license allows you to use 50 GB per day. Regular checks are performed on licensing details by Splunk.
Load Balance: This enables you to use your personalized load balance in addition to the functionality of the default Splunk loader.

4. What is Indexer mean?

This component in Splunk enterprises creates and manages the indexes.

The main functions of the indexes are:

Indexing raw data into an index
Search and manage indexed data

5. Advantages of using Splunk Software?

Few advantage tools using Splunk Software are:

It may be expensive for large data volumes.
Dashboards are functional may not be that effective as other monitoring tools are.
You will need Splunk training as the learning curve is tuff it’s a multi-tier architecture so you will need some help to learn this tool.
Some of the expressions and search syntax searchers are difficult to understand.

6. How to get data forwarders instance using Splunk Software?

The main reason to get Splunk via forwarder is TCP connection, bandwidth throttling, and secure SSL connection which transfers crucial data from forwarder to an indexer.

7. Importance of license master in Splunk Software?

This ensures that the right amount of data gets indexed and the environment remains within the limits of the purchased volumes as Splunk license depends on the data volume when it comes to the platform within a 24-hour window.

8. What are the important configuration files of Splunk Software?

Commonly used Splunk configuration files are:

Inputs file
Transforms file
Server file
Indexes file
Props file
Inputs
Deployment client

9. What is the license violation in Splunk Software?

Whenever the data limit exceeds this error occurs. This error will persist for 14 days. In normal license, you will have 5 warnings within a 1-month of rolling window.

Before the search indexer results and reports stop triggering. Only difference is in free licensing violation shows only 3 counts of warning

10. What is the use of Splunk alert?

These alerts can be used when you have to monitor or respond to specific events.

One example is while you’re sending any email notifications to the other user if there are more than three failed login attempts in 24 hours.

11. What is a map-reduced algorithm?

This technique is used by Splunk to increase the searching speed.it has been inspired by two functional programming functions such as

Reduce
Map

A map function is associated with the Mapper class and reduce function is associated with the reducer class.

12. Different types of data inputs in Splunk Software?

Types of data inputs in Splunk are:

Using files and directories as input
Configuring Network ports to receive inputs automatically
Add windows inputs.

These windows inputs are of four types:

Active directory monitor
Printer monitor
Network monitor
Registry inputs monitor

13. How to avoid duplicate log indexing in Splunk Software?

Splunk keeps the track of indexed events during a fish bucket directory. Which contains CRCs and seeks pointers for the files you’re indexing, Splunk can’t if it’s read them already.

14. Describe pivot and data models?

Pivots create the front views of your output and then choose the filter for a better view of this output. These options are better for individuals either from a semi-technical or non-technical background.

The data models are commonly used for creating a hierarchical model of data. This can be used when you have a large number of unstructured data. It helps you use the information without using complicated search queries.

15. What is the search factor and replication factor?

This factor can determine the number of data that are the indexer clusters. It regulates the numbers of searchable copies available in the bucket.

Replication can regulate the number of copies that are cluster along with the number of copies that each site maintains.

16. How does lookup command works?

This command general used when you want to get some fields from an external file that can help you to narrow the search results. It benefits to location fields in an external file that is in equal fields in your event records.

17. What are the default fields for an event in Splunk Software?

There are 5 defaults which are with every event into Splunk.

Host
Source
Source Type
Index
Timestamp

18. How can we extract fields?

We can extract fields from either sidebar events lists or the setting menu using UI.

Another way to write your regular expressions and extra fields in Splunk and expressions in a prop configuration file.

19. What is the Summary Index?

An instant index is that stores the result calculated by Splunk. It’s a quick and cheap thanks to run a question over an extended period of your time.

20. Can we prevent events from being indexed by Splunk Software?

You can prevent them from being indexed by Splunk by eliminating correct messages by stroking them within the null queue. You’ve got to stay in the e null queue in transforms.conf file.

21. Define Splunk Software DBCONTENT?

It is a plugin database of SQL which enables to import tables, rows, and columns from the database and ad the database. It helps DB to connect and also providing reliable and scalable integration between databases and Splunk enterprises.

22. What is Splunk bucket?

This is a directory used by the Splunk enterprises to store data and to index files into the data. They also contain various buckets to index files managed by the age of the data.

23. What is the major role of Alert Manager?

Splunk adds workflow to the alert manager. The main purpose of the alert manager is it provide a common app with a database to search for alerts or events.

24. Steps to troubleshoot Splunk Software performance issues?

Three ways that we can troubleshoot the performance are:

See server performance issues.
See for errors in Splunk.log.
Once you install the Splunk app you can check for warnings and errors in the dashboard.

25. Difference between index time and search time?

It’s a time when the data is consumed and the point when it is written.
It’s a search time that takes place when you search or run events as they are composed of the search.

26. How can we setup Splunk administration password?

Follow the steps to set up the password setting for Splunk.

When you log in to the server where the Splunk app is installed.
Rename the password file and then again start te Splunk
Once done with it you can sign into the server by using username either administration or admin with a password change me.

27. Name the command that is used for filtering result?

The main command which is used to the filtering category is “Where” “Sort” and “Search”.

28. Name the different types of Splunk licenses?

Listed are the few licenses.
Free license
Beta license
Search heads license
Cluster members license
Forwarder license
Enterprise license

29. What is the number of categorizing of SPL commands?

There are 5 commands used they are:

Filtering Results
Sorting results
Filtering grouping results
Adding Fields
Reporting Results

30. What is the eval command?

This command is used to calculate an expression. It is a command that evaluates the Boolean expressions, string, and a mathematical articulation. This can use multiple expressions in a single search using a comma.

31. What is the command that is included in the reporting results category?

Following are the commands that are included in the reporting results category:

Rare
Chart
Time chart
Top
Stats

32. What is SOS?

Splunk is an SOS app that helps you to analyze and troubleshoot Splunk environment performance and issues.

33. What is a replace command?

This command is used to search and replace specified field values with the replacement values.

34. Name the features that are not available in Splunk free version?

Splunk free version lacks the following features:

Distributed searching
Forwarding in HTTP or TCP
Agile statics and reporting with Real-time architecture
Allows analysis, search, and visualization capabilities to empower users of all kinds
Generate ROI faster

35. What is null queue?

This queue approaches to filter out unwanted incoming events sent by Splunk enterprise.

36. Explain the types of search modes in Splunk?

There are 3 types of search modes:

Fast mode: Searching speed increase by limiting search data.
Verbose mode: The, mode returns all possible fields and event data.
Smart mode: is a default setting in Splunk app smart mode toggles the search behavior based on transforming commands.

37. Name the companies that are using Splunk?

Well-known companies which are using Splunk tool are:

Cisco
Facebook
Bosch
Adobe
IBM
Walmart
Salesforce

38. In which domain can the knowledge objects be used?

Following are the few:

Applications Monitoring
Employee Management
Physical Security
Network Security

39. List out the layout options for a search result?

Few layout options for search result are:

List
Table
Raw

40. Difference between source and source type?

This source identifies as a source of the event in which a particular event originates. The source determines how Splunk processes the incoming data stream into events according to its nature.

41. What is the join command?

This search combines the result with the sub search with results of the actual search. The set of results should be common in the fields. Can also combine a search set of result to itself using the self-join command in Splunk.

42. How-to start and stop Splunk services?

The services can be used and stopped use the following command

/splunk start./splunk stop

12./splunk start ./splunk stop

./splunk start
./splunk stop

43. How to download splunk cloud?

This can be downloaded in the website using the link https://www.splunk.com/ to download a free trial of Splunk Cloud.

44. Difference between stats and time chart command?

Parameter	Stats	Time chart
Purpose	They remain to represent mathematical data in tabular format.	A time chart is used to represent examine result in a graphical view.
Fields usage	Stats can use additional than one field.	It uses _time as non-payment field in the graph.

45. What is deployment server?

It is a server instance that acts as a 1a centralized configuration manager. Which is used to deploy the configuration to other Splunk instances.

46. What is the time zone property in Splunk?

Yes, they do have the time zone property which provides the output for a specific time zone. Splunk takes that default time zone from the browser setting like other apps, Splunk also takes the current time zone from the computer system which is currently in use. Theses time zones are searching and correlating bulk data coming from other sources.

47. How does Splunk connect sound unit ?

It’s a plugin sound that allows adding info data with Splunk reports. It helps in providing reliable and ascendible integration that is between the database and Splunk enterprises.

48. How to install a forwarder remotely?

Forwarders can be installed using the bash script to install remotely.

49. Use of the Syslog server?

This data collects the data from various devices like routers, switches, and application logs from the webserver. We can use R Syslog or Syslog NG command to configure a Syslog server.

50. How to monitor forwarders?

This forwarders tab is available on the DNC (Distributed Management Console) that can monitor the status of forwarders and the deployment server to manage them.

51. How to use Splunk tool?

This command is designed in such a way that can solve configuration related issues.

52. What are Splunk alternatives?

Some of them are:

Sumo Logic
LogLogic
Logged
Logstash

53. Name the KV store in Splunk?

The name KV is nothing but Key-Value that allows to store and obtain data from Splunk. This key helps you to also in:

Manage job queue
Store metadata
Examine the workflow

54. What is the deployer in Splunk?

This enterprise is used to deploy apps to the cluster head. This can also be used to configure information for the app and user.

55. How can we use auto-high volume in Splunk?

When the indexes are high volume this can be used ex: 10GB of data

56. What is a stat command?

This command is used to arrange report data in tabular format.

57. What is a regex command?

It removes the result which does not match with the desired regular expression.

58. What input lookup command?

The command returns the lookup table in the search result.

59. Name the various stages of the bucket lifecycle?

There are a few listed below:

Hot
Warm
Cold
Frozen
Thawed

60. Stages of Splunk indexer?

Stages of Splunk indexer are:

Input
Parsing
Indexing
Searching

61. Difference between splunk and spark?

Parameter	Splunk	Spark
Purpose	Collect a large amount of computer-generated data.	Used for big data processing
Preference	Can be integrated easily with Hadoop	It is more preferred and can be used with apache projects.
Mode	Streaming mode	Streaming as well as batch mode

62. How does Splunk work?

Three phases in which Splunk works.

Splunk enterprises: This enterprise edition is used by many IT organizations. That helps to analyze them from various websites and applications.
Splunk Cloud: This cloud is SaaS (Software as a Service) If offers almost similar features as the enterprise version, including APIs, SDKs, and apps.
Splunk Light: It is a free version that allows you to create reports, search, and edit your log data. This light version has limited functionalities and features compared to other versions.

64. What is SLP?

It’s a language that contains functions commands and arguments this Search Processing Language is also used to get the desired output from the database.

65. What is monitoring in Splunk?

Which monitors related reports that you can visually monitor.

66. Name few roles in Splunk?

There are only three roles in Splunk:

Admin
Power
User

67. Are the search term in Splunk case sensitive?

No search terms in Splunk are not case sensitive.

68. List out the layout options for search results?

Following are a few options for search result:

List
Table
Raw

69. Name the formats that search results can be exported?

The result can be exported into JSON, CSV, XML, and PDF.

70. What are Boolean operators in Splunk?

Splunk supports three types of Boolean are:

The three major words are: AND, OR, and NOT.

Ans: This implies between two terms that you do not need to write it.

OR: It determines either one of the two arguments should be true.

Not: Which is used to filter out events having a specific word.

71. What is the use of top command in Splunk?

This top command in Splunk is used to display the common values of a field with their percentage and count.

72. What is the use of stats command?

Which calculates the aggregates statistics over a dataset, such as count, sum, and average.

73. Name the few types of alerts in Splunk?

There are three types of alerts in slunk:

Scheduled alert: this alert is based on a historical search that runs periodically which a set schedule.
Per result alert: This result alert is also based on real-time search which runs overall time.
Rolling Window alert: this is an alert based on the real-time search. it is a search that is set to run within a specific rolling time window that you define.

74. Various types of Splunk in the dashboard?

Dynamic form-based dashboards
Dashboards scheduled reports
Real-time dashboards

75. What is the use of tags in Splunk?

They are assigned names to the fields in specific field and value pairs. The filed can be event type, source type, and host.

76. How to increase the size of Splunk data storage?

To increase the size of data storage you can either add more space and index or add more indexers.

77. Difference between Splunk apps and add-ons?

Only one difference between them is Splunk apps, and add-ons that are Splunk app contains built-in reports, configuration, and dashboards. However, Splunk add-ons contain only built-in configuration they do not contain dashboards o reports.

78. What is the dispatch directory in Splunk?

That store’s status like running or completed.

79. What is the difference between stats and even stats commands?

This knowledge runs the summary information of existing fields existing in search output, and then it stores them as a value in new fields. On the other hand in even stands command accumulation results are added so that every event only if the aggregation applies to that specific events

80. What is source type Splunk?

This is the field that finds the data structure of an event. It also determines how Splunk formats the data while indexing.

81. Define calculated fields?

Designed fields that achieve the calculation of the values of two fields available in a specific event.

82. What is the search Splunk commands?

The following are the few search commands available in Splunk.

Abstract
Erex
Add totals
Accum
Fill down
Typer
Rename
Anomalies

83. How does xyseries command do?

This is the command that converts the search result into a format which is suitable for graphing.

84. What is the use of spath command?

This command is used to extract the fields from the structure data formats like JSON and XML.

85. What is a streaming manner? How to add the summary statics to all the results?

To add the summary statics in results we can use stream stats.

86. How to create knowledge objects, dashboards, and reports?

Knowledge objects, dashboards, and reports can be created in the reporting and search app.

87. How is the table command used?

This is a table command which returns to all the table in the argument list.

88. How can we remove duplicate events having common values?

The dump command can be removed by duplicate events having common values.

89. Difference between sort+ and sort-?

It displays the sort displays search in ascending order.

It displays the sort-displays search in descending order.

90. Define reports in Splunk?

These results saved from search actions that show the visualization and statics of a particular event.

91. What is the dashboard in Splunk?

It defines as a collection of views that are made of various panels.

100. What is the use of instant pivot in Splunk?

It is used to work with the data without creating any data model.

Instant pivot is available to all users.

101. Is it possible to use the host value and not IP address or the DNS name for a TCP input?

This inputs the configuration file sets the connection host to none and mentions the host value.

102. What is the full form of LDAP?

LDAP stands for Lightweight Directory Access Protocol.

103. What is search head pooling?

The servers stay connected. Those servers are managed to receive configuration, user data, and load.

104. Define search head clustering?

They are the group of Splunk enterprises search which heads the server as a central resource for searching.

105. Why do we need Splunk?

Yes, Splunk does offer plenty of benefits for an organization some of them are listed below:

enhances the GUI and real-time visibility in a dashboard
reduces the troubleshooting and resolving time offering instant results.
is best suited for root cause analysis.
allows you to generate graphs, alerts, and dashboards.
We can easily search and investigate specific results using Splunk.
The troubleshooting method helps any condition of failure for improved performance.
It helps you monitor and make any decision about business metrics.
It helps you to incorporate Artificial Intelligence into your data strategy.
This allows you to gather useful Operational intelligence from your machine data.
allows you to accept any data type like .csv, JSON, log, formats, etc.
is a powerful search analysis, and visualization capabilities to empower users of all types.
helps you to create a central repository for searching Splunk data from various sources.

106. What is Splunk Enterprise?

It is an edition used by large IT businesses. That helps you to gather and analyze the data from applications, websites, applications, etc.

107. What are the applications of Splunk?

The problem statement: Mac-Donald had no clear visibility into what it offers work best:

Offer type ( For example 20% off)
Cultural differences at a region level
Time of Purchase
The device used by the customer
Revenue generated per order

108. Full form of REST?

REST stands for Representational State Transfer.

109. What is Splunk SDKs?

Splunk SDKs are written on the base of Splunk REST APIs. Various languages supported by SDKs are:

Java
Python
JavaScript
C#.

110. What is the common numbers used by Splunk?

Below are common port numbers used by splunk, however you can change them if required

Service	Port number Used
Splunk Web Port	8000
Splunk Management Port	8089
Splunk Indexing Port	9997
Splunk Index Replication Port	8080
Splunk network port	514 (Used to get data in from netwok port i.e. UDP data)
KV store	8191

111. Difference between Splunk Vs Logstash Vs Sumo Logic:

Splunk	Logstash	Sumo Logic
It’s the log management tool space	Its an exposed source log management tool	SaaS version of Splunk
On-Premises Model	SaaS	It is used as one of the ELK stack along with ElasticSearch and Kibana
Installation: Setting it up locally	Installation: It setups a communication out to the Sumo Logic cloud	Installation: Theses settings are up on your own system
We need to plan for the hardware and the space capacities that will require	It will configure the sources that will gather and send the logs to Sumo Logic	It will configure the inputs, filters, and outputs that you will require
Extensive amount of features are available	It has similar features to Splunk	This software provides the most control over the tools between development & Community
It can create and manage your own dashboards	Uses a panel-based dashboard system	On its own, Logstash doesn’t give you dashboards at all
Dashboards can be built in either XML code or through the Splunk dashboard editor	The details are presented in a chart-based manner	As part of the ELK stack, Kibana is cast-off as frontend reporting & visualization, metrics tools, such as Graphite, Librato, and DataDog.
600+ Integration Plugins available	The growth mechanization tools, cloud platforms, OS platforms, and compliance and security tools	Logstash has a continuously growing plugin environment, over 160 plugins available
Pricing – $1800 – $60,000 per year	Pricing – Free lite type, Admission equal pricing is friendlier	Pricing – Free, avail paid subscriptions also

112. Explain about Splunk Architecture?

This image gives a combined opinion of the architecture of Splunk. You can find a detailed explanation in the links Splunk Architecture: Tutorial On Forwarder, Indexer, And Search Head.

113. What is Splunk REST API?

It offers various processes for accessing every feature available in the product. This program communicates to Splunk enterprise using HTTP or HTTPS. It’s the same protocols that any web browser uses to interact with web pages.

114. Name the security to accelerate the data model in Splunk?

Splunk Enterprise Security quickens data typical that delivers a panel, dashboard, and correlation examination outcomes. It repetitions the indexers for handling and storage. The faster data is stored within each index by default.

115. How indexer stores various indexes?

Indexers create various files that contain two types of data: 1) Raw data and 2) metadata index file. Together these documents are used to establish Splunk enterprise index.

116. What is the latest Splunk version in use?

The latest Splunk version is 6.3

117. What is the general regular expression for extracting Ip address from Logs?

There are multiple addresses few of them are listed below.

Regular Expression for extracting ip address:

rex field=_raw “(?d+.d+.d+.d+)”

rex field=_raw “(?([0-9]{1,3}[.]){3}[0-9]{1,3})”

118. Name the biggest direct competitors to Splunk?

Listed below are the competitors for Splunk:

Loggly.

LogLogic.

Sumo Logic etc.

119. Name the fish bucket index?

It’s a directory or index at the default location /opt/Splunk/var/lib/Splunk. It contains seek pointers and CRCs for the filer you are indexing, so splunkd can tell if it has read them already. We can access this through GUI by searching for “index=_thefishbucket”

120. How to exclude events from being indexed by Splunk?

This is done by defining a regex to match the necessary events and send everything else to the null queue. Here is the basic example of the same.

login In props.conf:

1::  <code>[source::/var/log/foo]

2::  # Transforms must be applied in this order

3::  # to make sure events are dropped on the

4::  # floor prior to making their way to the

5::  # index processor

6::  TRANSFORMS-set= setnull,setparsing

7::  </code>

8::  In transforms.conf

9::  [setnull] REGEX = . DEST_KEY = queue FORMAT = nullQueue

10:: [setparsing]

11:: REGEX = login

12:: DEST_KEY = queue

13:: FORMAT = indexQueue

121. How to Finish Indexing A Log File in Splunk?

By viewing statistics after Splunk’s metrics log in real-time.

index=”_internal” source=”*metrics.log” group=”per_sourcetype_thruput” series=”&lt;your_sourcetype_here&gt;” |

eval MB=kb/1024 | chart sum(MB)

or to watch everything happening split by sourcetype….

index=”_internal” source=”*metrics.log” group=”per_sourcetype_thruput” | eval MB=kb/1024 | chart sum(MB) avg(eps) over series

if you’re having trouble with the data input and you want to troubleshoot it, mainly if your whitelist/blacklist rules aren’t working the way you expect.

122. How to reset the admin password in Splunk?

Resetting Splunk Admin password depends on the version of Splunk. If we are using Splunk 7.1 and above, then we have to follow the below steps:

First, we have to stop our Splunk Enterprise
Now, we need to find the ‘password file and rename it to ‘passwd.bk’
Then, we have to create a file named ‘user-seed.conf’ in the below directory:
$SPLUNK_HOME/etc/system/local/
In the file, we will have to use the following command (here, in the place of ‘NEW_PASSWORD’, we will add our new password):
[user info]
PASSWORD = NEW_PASSWORD
After this we can just restart and use the new password in the log
Now, if we are using the versions before 7.1, we will follow the below steps:
First, stop the Splunk Enterprise
Find the password file and rename it to ‘passw.bk’
Switch to Splunk Enterprise and log in using the default credentials of admin/change me
When it says to enter the new password for our admin account, we will follow the instructions
Note: In case we have created other users earlier and know their login details, copy and paste their credentials from the password.bk file into the password file and restart Splunk.

123. Can we disable Launch Message in Splunk?

Set value OFFENSIVE=Less in splunk_launch.conf

124. What is Stool? How can we troubleshoot configuration files in Splunk?