Splunk Interview Questions for Experienced/Splunk Interview Questions and Answers for Freshers & Experienced

What is the difference between search head pooling and search head clustering?

Both are Splunk features for making search heads highly available, so that searching keeps working when one search head goes down. Search head pooling is the older mechanism: several search heads shared configuration and search artifacts through a common NFS-mounted storage location. Search head clustering replaced it; pooling was deprecated and has since been removed from Splunk Enterprise. A search head cluster is coordinated by a captain, elected from among the members, which schedules searches and replicates configuration and search artifacts to the other members. Clustering is more reliable and efficient than pooling because it has no shared-storage dependency and no single point of failure.

What is the difference between a Splunk App and an Add-on?

A Splunk app is a packaged collection of knowledge objects (reports, dashboards, alerts, field extractions and lookups) with its own navigation and user interface. A Splunk add-on carries the same kinds of configuration (inputs, field extractions, lookups) but has no visual components such as reports or dashboards; add-ons are typically installed to feed and support apps.

What is the inputlookup command?

inputlookup loads the contents of a lookup table (a CSV file or a KV store collection) into the search pipeline, either as the results themselves or, inside a subsearch, as a filter. For example, a lookup that maps product_id to product_name and price can be pulled in with inputlookup and matched against the product_id field in the events. outputlookup does the reverse: it writes the results of a search into a lookup table, creating or overwriting it. In short, inputlookup reads reference data used to enrich events, and outputlookup builds or refreshes that reference data (the per-event enrichment itself is done by the lookup command).

What basic commands are included in the 'filtering results' category in Splunk?

Several commands are used to filter results. A few of them:

* rex: extracts fields from the raw event text using a regular expression with named capture groups; in sed mode it can also mask or replace text in the event.
* where: filters results using an eval expression, so it can compare fields with each other or apply functions; it is used to drill further into results that have already been retrieved.
* sort: orders the results by the specified fields in ascending or descending order; an optional count limits how many results are kept.
* search: retrieves events from the indexes using keywords, key=value pairs, quoted phrases and wildcards; later in the pipeline it can also filter the results of previous commands.


How many types of search modes are there in Splunk?

There are three search modes in Splunk:

* Fast mode: prioritises speed by turning off field discovery; only the fields the search needs (plus the default fields) are returned.
* Verbose mode: slower than fast mode, but discovers all fields and returns event data for as many events as possible.
* Smart mode: the default; it toggles between the two behaviours depending on the search, behaving like fast mode when the search contains transforming commands (stats, chart, timechart) and like verbose mode for plain event searches, to give the most useful result in the shortest time.

What are Search Factor (SF) and Replication Factor (RF)?

An indexer cluster is configured with two values, the search factor and the replication factor.

The replication factor (RF) is the number of copies of each bucket the indexer cluster maintains across its peer nodes; the cluster can lose RF-1 peers without losing data.

The search factor (SF) is how many of those copies are searchable, i.e. carry the index files as well as the raw data; the cluster can lose SF-1 peers and still search all of its data without first rebuilding index files on the surviving copies.

For a search head cluster, the replication factor is the minimum number of copies of each search artifact the cluster maintains; a search head cluster has only a replication factor, while an indexer cluster has both a replication factor and a search factor.

The search factor must not be greater than the replication factor (SF ≤ RF), and neither may exceed the number of peer nodes; the defaults are RF=3 and SF=2.

What is a fish bucket or what is a fish bucket index?

The fish bucket is a directory, by default $SPLUNK_HOME/var/lib/splunk/fishbucket (for example /opt/splunk/var/lib/splunk/fishbucket), in which splunkd records a seek pointer and a CRC for every file it monitors. From these it can tell whether it has already read a file, how far it got, and whether the file has been rotated or rewritten, so that nothing is indexed twice or missed. It can be inspected through the GUI by searching "index=_thefishbucket".
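The mechanism above, as an added Python example (not code from the page or from Splunk): it keeps a fishbucket keyed by the CRC of a file's first 256 bytes (Splunk's default initCrcLength), stores a seek pointer per file, and decides whether a file is new, appended, unchanged or rewritten. The sample log contents, the path used as salt, and the decision names are constructed for the example; the collision it shows, two logs that share a long identical header, is the real reason Splunk offers crcSalt = <SOURCE> in props.conf.

```python
from __future__ import annotations
import zlib
from dataclasses import dataclass
from typing import Dict, Tuple

INIT_CRC_LENGTH = 256  # bytes hashed to identify a file (Splunk's default initCrcLength)


@dataclass
class FishbucketEntry:
    crc: int        # CRC32 over the file's first INIT_CRC_LENGTH bytes (plus salt)
    seek_ptr: int   # byte offset up to which the file has already been read


def file_crc(data: bytes, salt: bytes = b"") -> int:
    """Identity of a file: CRC of its first bytes, optionally salted with the path
    (the equivalent of crcSalt = <SOURCE> in props.conf)."""
    return zlib.crc32(data[:INIT_CRC_LENGTH] + salt) & 0xFFFFFFFF


def check_file(fishbucket: Dict[int, FishbucketEntry], data: bytes,
               salt: bytes = b"") -> Tuple[str, bytes]:
    """Decide what to read from a file and update the fishbucket.

    Returns (decision, bytes_to_index) with decision one of:
      'new'       CRC never seen: index the whole file
      'appended'  CRC known and the file grew: index from the stored seek pointer
      'unchanged' CRC known, same length: nothing to do
      'truncated' CRC known but the file shrank (rotated or rewritten): start over
    """
    crc = file_crc(data, salt)
    entry = fishbucket.get(crc)
    if entry is None:
        decision, start = "new", 0
    elif len(data) > entry.seek_ptr:
        decision, start = "appended", entry.seek_ptr
    elif len(data) == entry.seek_ptr:
        decision, start = "unchanged", entry.seek_ptr
    else:
        decision, start = "truncated", 0
    fishbucket[crc] = FishbucketEntry(crc=crc, seek_ptr=len(data))
    return decision, data[start:]


def demo() -> list:
    """Constructed sample: two IIS-style logs that share a long identical header."""
    header = (b"#Software: Example Web Server 1.0\n"
              b"#Fields: date time c-ip cs-uri-stem sc-status\n"
              b"#" + b"=" * 250 + b"\n")          # > 256 bytes, so the CRC never sees an event
    a_v1 = header + b"2024-01-01 10:00:00 10.0.0.5 /login 200\n" * 3
    a_v2 = a_v1 + b"2024-01-01 10:05:00 10.0.0.9 /admin 403\n"
    b_v1 = header + b"2024-01-01 11:00:00 10.0.0.7 /index 200\n"
    fishbucket: Dict[int, FishbucketEntry] = {}
    decisions = [
        check_file(fishbucket, a_v1)[0],   # 'new'
        check_file(fishbucket, a_v1)[0],   # 'unchanged'
        check_file(fishbucket, a_v2)[0],   # 'appended'
        # b.log begins with the same 256 bytes as a.log, so its CRC collides and it is
        # mistaken for a rewritten a.log: its events would be mishandled.
        check_file(fishbucket, b_v1)[0],   # 'truncated' (wrong)
        # Salting the CRC with the source path, as crcSalt = <SOURCE> does, separates them.
        check_file(fishbucket, b_v1, salt=b"/var/log/b.log")[0],  # 'new'
    ]
    return decisions
```

The practical consequence for log collection: when many files start with the same banner or header longer than initCrcLength, set crcSalt = <SOURCE> (or raise initCrcLength) on that input, otherwise only the first such file is indexed.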

What is the difference between the Splunk app and Splunk add-on?

Both contain pre-built configuration (inputs, field extractions, lookups, reports and so on), but an add-on has no visual component of its own, whereas an app ships dashboards and a navigable user interface.

What is btool or how will you troubleshoot Splunk configuration files?

btool is a command-line utility (splunk btool <conf-name> list, for example splunk btool inputs list --debug) that shows the effective, merged value of every setting in a configuration file after Splunk Enterprise has layered all the default and local copies of that file across the system and app directories of the installation. With --debug it also prints which file each value came from, which is the quickest way to find out why a setting is not taking effect or which app is overriding it.
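To show what btool is doing, here is an added Python example (not from the page and not Splunk's own code) that layers four constructed copies of inputs.conf in the precedence Splunk uses for the global context (system/local over app/local over app/default over system/default) and reports the effective value of each setting together with the file it came from, which is what splunk btool inputs list --debug prints. The app name security_ta, the file contents and the monitor stanza are constructed for the example; the real tool also orders multiple apps and user directories, which is omitted here.

```python
import configparser
from typing import Dict, Tuple

# Layers in increasing precedence for the global (non-user) context, simplified to one app.
# Real btool additionally orders multiple apps and honours etc/users directories.
LAYERS = [
    "etc/system/default",
    "etc/apps/security_ta/default",
    "etc/apps/security_ta/local",
    "etc/system/local",
]


def parse_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse a Splunk-style .conf file into {stanza: {key: value}}."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep keys case-sensitive, as Splunk does
    cp.read_string(text)
    return {section: dict(cp.items(section)) for section in cp.sections()}


def btool_list(files: Dict[str, str]) -> Dict[str, Dict[str, Tuple[str, str]]]:
    """Merge every layer's stanzas; later (higher-precedence) layers win key by key.

    Returns {stanza: {key: (effective_value, file_it_came_from)}}.
    """
    merged: Dict[str, Dict[str, Tuple[str, str]]] = {}
    for layer in LAYERS:
        if layer not in files:
            continue
        for stanza, keys in parse_conf(files[layer]).items():
            for key, value in keys.items():
                merged.setdefault(stanza, {})[key] = (value, layer)
    return merged


def format_debug(merged: Dict[str, Dict[str, Tuple[str, str]]]) -> str:
    """Render like `btool ... list --debug`: origin file, then key = value."""
    lines = []
    for stanza in sorted(merged):
        lines.append(f"[{stanza}]")
        for key, (value, origin) in sorted(merged[stanza].items()):
            lines.append(f"{origin:32} {key} = {value}")
    return "\n".join(lines)


# Constructed inputs.conf layers (a real system/default would not carry a monitor stanza).
SAMPLE_FILES = {
    "etc/system/default": "[monitor:///var/log/auth.log]\ndisabled = 1\nindex = main\n",
    "etc/apps/security_ta/default": "[monitor:///var/log/auth.log]\nsourcetype = linux_secure\nindex = os\n",
    "etc/apps/security_ta/local": "[monitor:///var/log/auth.log]\nindex = security\n",
    "etc/system/local": "[monitor:///var/log/auth.log]\ndisabled = 0\n",
}


def effective(files: Dict[str, str], stanza: str, key: str) -> Tuple[str, str]:
    """Effective value and origin of one setting, e.g. which index auth.log lands in."""
    return btool_list(files)[stanza][key]
```

Running effective(SAMPLE_FILES, "monitor:///var/log/auth.log", "index") shows the input going to the security index because of the app's local file, even though two other files set it to main and os; that is the kind of surprise btool --debug resolves in seconds.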

How are forwarder licenses purchased?

They are included with Splunk Enterprise; there is nothing to purchase separately (each universal forwarder also ships with a built-in forwarder license).

How does Splunk determine one day, from a licensing perspective?

A license day runs from midnight to midnight on the clock of the license master (license manager), whatever the time zone of the indexers that send the data.

How to troubleshoot Splunk performance issues?

The answer to this question can be very wide, but an interviewer would be looking for the following points:

* Check splunkd.log (under $SPLUNK_HOME/var/log/splunk) for errors and warnings.
* Check server resource usage: CPU and memory, disk I/O and free disk space.
* Use the Monitoring Console (formerly the Distributed Management Console); on older versions install the SOS (Splunk on Splunk) app and check its dashboards for warnings and errors.
* Check how many saved and scheduled searches are running concurrently, how much CPU and memory they consume, and whether searches are being skipped.
* For a slow Splunk Web, use the browser's developer tools (or the Firebug extension on older Firefox versions): the Net/Network panel lists every HTTP request and response with the time spent in each, which quickly shows which requests hang Splunk for a few seconds and which are blameless.

What is the advantage of getting data into Splunk through forwarders?

Benefits of sending data from forwarders to the indexers:

1. Bandwidth throttling: the forwarder can limit the rate at which it sends data (maxKBps under [thruput] in limits.conf).
2. Central collection: a forwarder on a syslog server picks up all the syslog data that network devices write there.
3. Resilience: if the indexers are unavailable, the logs remain in flat files on the application servers (and optionally in the forwarder's persistent queue) and are picked up later, so they are not lost.
4. Encryption: the forwarder-to-indexer connection can be secured with SSL/TLS.
5. Load balancing: a forwarder configured with several indexers distributes its data across them automatically, so if one indexer is down the data is routed to the others.
6. Buffering and acknowledgement: the forwarder queues data locally before sending it and, with indexer acknowledgement (useACK) enabled, resends anything the indexer did not confirm, which greatly reduces the risk of losing data in transit.

What happens if the License Master is unreachable?

If the license master is unreachable, the license slave starts a 72-hour timer. While the timer runs, indexing and searching continue normally. If the slave still cannot contact the license master after 72 hours, search is blocked on that slave (indexing continues), and users cannot search its data until it can reach the license master again.

What are the features not available in Splunk Free?

Splunk Free does not include these features:

* authentication and scheduled searches/alerting
* distributed search
* forwarding in TCP/HTTP (to non-Splunk systems)
* deployment management

What is the difference between the stats and transaction commands?

The transaction command groups related events into transactions and is most useful in two specific cases:

* When a unique id (from one or more fields) alone is not sufficient to tell two transactions apart because the identifier is reused, for example web sessions identified by cookie or client IP. Here a time span or pause (maxspan, maxpause) is also used to segment the events into transactions, or, as in DHCP logs, a particular message (startswith, endswith) marks the beginning or end of a transaction.

* When it is desirable to see the raw text of the grouped events together rather than run analysis on their constituent fields.

In other cases it is usually better to use stats, because its performance is much higher, especially in a distributed search environment: stats is computed on the indexers in parallel, while transaction has to pull all matching events to the search head and hold them in memory. Often there is a unique id, and stats count, min(_time), max(_time), values(...) by id gives the same grouping.
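To make the difference concrete, here is an added Python example (not from the page or from Splunk) that re-implements the two behaviours over a handful of constructed web access events: transaction() groups by client_ip and cookie but starts a new group whenever the gap between consecutive events exceeds maxpause, the way | transaction client_ip cookie maxpause=10m would, while stats_count_by() simply counts by the key the way | stats count by client_ip cookie would. The event data, field names and timings are constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Event:
    time: int        # epoch seconds (_time)
    client_ip: str
    cookie: str
    uri: str

    def raw(self) -> str:
        return f"{self.time} {self.client_ip} cookie={self.cookie} {self.uri}"


def transaction(events: List[Event], keys: Tuple[str, ...], maxpause: int) -> List[dict]:
    """Group events sharing `keys` into transactions, like `| transaction <keys> maxpause=<n>`.

    A new transaction starts whenever the gap from the previous event with the same
    key exceeds maxpause, which is what separates two sessions that reuse a cookie.
    """
    open_txns: Dict[tuple, List[Event]] = {}
    closed: List[List[Event]] = []
    for ev in sorted(events, key=lambda e: e.time):
        key = tuple(getattr(ev, k) for k in keys)
        current = open_txns.get(key)
        if current is not None and ev.time - current[-1].time > maxpause:
            closed.append(current)           # pause exceeded: close the old session
            current = None
        if current is None:
            current = open_txns[key] = []
        current.append(ev)
    closed.extend(open_txns.values())
    txns = [{
        "key": tuple(getattr(evs[0], k) for k in keys),
        "start": evs[0].time,
        "duration": evs[-1].time - evs[0].time,
        "eventcount": len(evs),
        "_raw": "\n".join(e.raw() for e in evs),   # transaction keeps the raw text
    } for evs in closed]
    return sorted(txns, key=lambda t: t["start"])


def stats_count_by(events: List[Event], keys: Tuple[str, ...]) -> Dict[tuple, int]:
    """Equivalent of `| stats count by <keys>`: one row per key, no notion of time gaps."""
    counts: Dict[tuple, int] = defaultdict(int)
    for ev in events:
        counts[tuple(getattr(ev, k) for k in keys)] += 1
    return dict(counts)


# Constructed web access events: 10.0.0.5 reuses cookie ABC for a second session
# about 80 minutes after the first one ended, so the id alone cannot separate them.
EVENTS = [
    Event(100, "10.0.0.5", "ABC", "/login"),
    Event(130, "10.0.0.5", "ABC", "/account"),
    Event(160, "10.0.0.5", "ABC", "/logout"),
    Event(200, "10.0.0.9", "XYZ", "/index"),
    Event(5000, "10.0.0.5", "ABC", "/login"),
    Event(5030, "10.0.0.5", "ABC", "/transfer"),
]
```

With maxpause=600 the reused cookie yields three transactions (two for ABC, one for XYZ), whereas stats reports a single row for ABC with count 5; the stats version is cheap because each indexer can count its own events and send back one row per key, while the transaction version has to see every event of a key, in order, in one place.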

What is a Deployer?

The deployer is a Splunk Enterprise instance that distributes apps and configuration (the configuration bundle) to the members of a search head cluster; it can also push app and user configuration. It is not the same as the deployment server, which manages forwarders and other non-clustered instances.

Can you write down a general regular expression for extracting an IP address from logs?

There are multiple ways to extract IP addresses from logs, for example with the rex command and a regular expression that captures four dot-separated octets into a named field.
Regular expression for extracting an IP address:
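As an added example (not from the page), here is the kind of expression a practitioner would actually use, in Python: a strict IPv4 pattern whose octets are limited to 0-255 and that refuses to match inside longer digit runs, next to the commonly quoted loose pattern that accepts invalid addresses such as 999.1.1.1. Python's re is close enough to Splunk's PCRE for this; the only difference to remember in rex is that named groups are written (?<ip>...) rather than (?P<ip>...). The log lines below are constructed and use documentation address ranges.

```python
import re
from typing import List, Optional, Tuple

# One decimal octet, 0-255. Alternatives are ordered longest-first so the engine
# does not settle for a shorter match (e.g. "25" out of "255").
OCTET = r"(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)"
IPV4 = rf"{OCTET}(?:\.{OCTET}){{3}}"

# Strict: four valid octets, not preceded or followed by another digit or dot, so
# "192.168.1.300", "999.1.1.1" and "1.2.3.4.5" are rejected instead of partly matched.
# In Splunk rex this would read: rex "(?<![\d.])(?<ip>...)(?![\d.])"
IPV4_STRICT = re.compile(rf"(?<![\d.])(?P<ip>{IPV4})(?![\d.])")

# The frequently quoted quick pattern, kept for comparison: it accepts invalid octets.
IPV4_LOOSE = re.compile(r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})")

# Two named fields at once, as rex does for firewall lines: src_ip and dest_ip.
FW_LINE = re.compile(rf"\bSRC=(?P<src_ip>{IPV4})\s+DST=(?P<dest_ip>{IPV4})\b")


def extract_ips(line: str) -> List[str]:
    """All valid IPv4 addresses in a line, in order of appearance."""
    return [m.group("ip") for m in IPV4_STRICT.finditer(line)]


def extract_ips_loose(line: str) -> List[str]:
    """Same with the loose pattern, to show what it wrongly accepts."""
    return [m.group("ip") for m in IPV4_LOOSE.finditer(line)]


def extract_src_dest(line: str) -> Optional[Tuple[str, str]]:
    """(src_ip, dest_ip) from a netfilter-style line, or None if absent."""
    m = FW_LINE.search(line)
    return (m.group("src_ip"), m.group("dest_ip")) if m else None


# Constructed log lines (sshd, nginx, proxy and netfilter styles).
LOGS = [
    "Jan 10 10:00:01 bastion sshd[1234]: Failed password for root from 203.0.113.45 port 51234 ssh2",
    "Jan 10 10:00:02 bastion sshd[1234]: Accepted publickey for alice from 10.0.0.5 port 52000 ssh2",
    "Jan 10 10:00:03 web01 nginx: GET /api?x=999.1.1.1 client=192.168.1.300 ver=1.2.3.4.5",
    "Jan 10 10:00:04 proxy squid: X-Forwarded-For: 198.51.100.7, 10.1.2.3",
    "Jan 10 10:00:05 fw kernel: DROP IN=eth0 SRC=10.0.0.5 DST=203.0.113.45 PROTO=TCP DPT=445",
]
```

The loose pattern is what most answers give, and it is usually good enough for field extraction on clean data; the strict one matters when the field feeds a lookup or an allow/deny decision, where a value like 192.168.1.300 silently breaks the match.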

What is the KV store in Splunk?

The App Key Value (KV) store lets apps store and retrieve data as key/value collections inside Splunk Enterprise (it runs on the search head, backed by MongoDB), and collections can be used as lookups that are updated without rewriting a CSV. Typical uses:

* Managing a job queue
* Storing metadata and user state
* Tracking workflow or checkpoint state, and caching results

How to monitor forwarders?

Use the Forwarders dashboards in the Monitoring Console (formerly the Distributed Management Console, DMC) to monitor the status of forwarders, and the deployment server to manage their configuration.

What is the use of a syslog server?

A syslog server collects log data from devices such as routers, switches and firewalls, and application logs from servers such as web servers, over the syslog protocol. rsyslog or syslog-ng are commonly used to run one; a forwarder installed on the syslog server then reads the files it writes and sends them to Splunk.

What is Splunk DB Connect?

Splunk DB Connect is an add-on that brings data from relational databases into Splunk (and can write Splunk results back to them), so that database tables can be used alongside Splunk reports and as lookups. It provides a reliable and scalable integration between relational databases and Splunk Enterprise.

What is the Time Zone property in Splunk?

Splunk stores every event's timestamp in UTC (epoch time) and displays it in the time zone configured for the user, which defaults to the time zone of the search head's system clock. The time zone of the original data is determined at index time, from the event itself or from the TZ setting in props.conf for that host, source or sourcetype; getting this right is what allows bulk data coming from sources in different time zones to be searched and correlated on one timeline.

Define deployment server

The deployment server is a Splunk Enterprise instance that acts as a centralised configuration manager for other Splunk instances (its deployment clients, typically forwarders). Apps and configuration are grouped into server classes and pushed to the clients that belong to each class.

What is the join command?

The join command combines the results of a subsearch with the results of the main search on one or more fields that both result sets have in common, much like a SQL join (inner by default; type=outer keeps main-search results that have no match). A result set can be joined to itself with the selfjoin command. Because subsearches are limited in size and run time, a stats command grouped by the common field is often the faster alternative on large data.

What is the main difference between source and sourcetype?

The source identifies where an event came from (a file path, a network port or a script), while the sourcetype tells Splunk what kind of data it is and therefore how to process the incoming stream: how to break it into events, where the timestamp is, and which field extractions apply.

Explain the types of search modes in Splunk.

There are three search modes:

* Fast mode: speeds up the search by turning off field discovery, so only the fields the search needs are returned.
* Verbose mode: returns all discoverable fields and the event data.
* Smart mode: the default; it behaves like fast mode when the search contains transforming commands and like verbose mode otherwise.

What is a null queue?

A null queue is a way to discard unwanted incoming events at parse time so that they are never indexed (and never count against the license): props.conf and transforms.conf route events matching a regular expression to nullQueue instead of indexQueue.

What is SOS?

Splunk on Splunk (SOS) was a Splunk app for analysing and troubleshooting the performance and health of a Splunk environment; its functions have since been taken over by the Monitoring Console.

Name the commands included in the reporting results category

The following commands are included in the reporting results category:

* rare
* chart
* timechart
* top
* stats

What is the eval command?

eval evaluates an expression and writes the result into a new or existing field. It handles boolean, string and arithmetic expressions and offers many functions (if, case, coalesce, strftime and so on). Several assignments can be made in a single eval by separating them with commas.

What is the use of the Time Zone property in Splunk?

Time zone handling matters most when you search for events during a fraud or security investigation, because events from different systems must line up on a single timeline. Splunk stores timestamps in UTC and renders them in the time zone configured for the user, which defaults to the search head's system time zone. At index time the time zone of each data source can be set (the TZ setting in props.conf) so that data pouring in from systems in different time zones is aligned correctly.

Define the terms "Search factor" and "Replication factor"

>> Search factor: the search factor (SF) is the number of searchable copies of each bucket that the indexer cluster maintains, i.e. copies that carry the index files as well as the raw data. A search factor of 3 means the cluster keeps 3 searchable copies of every bucket.

>> Replication factor: the replication factor (RF) is the total number of copies of each bucket the cluster maintains across its peer nodes, searchable or not. The search factor cannot be greater than the replication factor.

What are the types of alerts available in Splunk?

Alerts are actions triggered by the results of a saved search, either as the search runs continuously or on a schedule. Once an alert triggers, actions such as sending an email or a message, running a script or calling a webhook can follow. There are two types of alerts in Splunk:

* Real-time alerts: these run continuously and come in two forms. A per-result alert triggers every time the search returns a result; a rolling-window alert triggers when the results within a sliding time window meet the condition (for example, more than ten failed logins for one user in the last five minutes).

* Scheduled alerts: these run the search on a schedule (a cron expression or an interval) and trigger when the results of that run meet the condition; throttling can suppress repeated triggers for the same field values.

How many types of dashboards are available in Splunk?

There are three types of dashboards available in Splunk:

* Real-time dashboards
* Dynamic form-based dashboards
* Dashboards for scheduled reports

Explain Workflow Actions

Workflow actions in Splunk are highly configurable knowledge objects that let users interact with external web resources or run further searches from a field value or an event. A workflow action can open a link whose URL is built from field values (an HTTP GET, for example looking up an IP in an external reputation service), send an HTTP POST request to a specific URL, or run a secondary search on the selected event or field.

What are pivots and data models in Splunk?

Data models in Splunk impose a hierarchical, structured view (datasets with their fields and constraints) on large amounts of unstructured event data, so that users can build reports without writing complex search queries. Data models can be accelerated for fast reporting, and they are what Pivot reports are built on.

Pivot is the interface on top of a data model: it gives users the flexibility to create tables, charts and other views of a dataset by choosing fields and filters, so that managers and stakeholders from non-technical backgrounds can build their own views and get more detail about their area without learning the search language.

How does data age in Splunk?

Data arriving at an indexer is written into directories called buckets. Over time a bucket rolls through the stages hot, warm, cold and finally frozen; frozen data is deleted or archived, and an archived bucket that is restored for searching is called thawed. Before it is stored, the data passes through the indexer's pipeline, which has two main stages: parsing breaks the stream into individual events and extracts timestamps, and indexing writes the events and their index files into the bucket.

List the categories of SPL commands.

The SPL commands are classified into five categories:

1) filtering results, 2) sorting results, 3) grouping results, 4) adding fields, and 5) reporting results.

How to add colors in the Splunk UI based on field names?

Splunk Web offers a number of features that let an administrator make reports more presentable, and custom colours are one of the most useful for highlighting particular results: for example, if the sales of a product drop below a threshold value, a chart can be configured to show those values in red.

Chart colours can be changed in Splunk Web by editing the panel through its settings menu on the dashboard, or by editing the dashboard's simple XML, where colours are given as hexadecimal values (for example through the charting.fieldColors or charting.seriesColors chart options, or the rangeColors of a single-value panel).

Explain how Splunk works

The working of Splunk can be divided into three main parts:

* Forwarder: a lightweight agent installed where the data lives; it collects data from files, ports and scripts on the remote machine and sends it to the indexer. The universal forwarder does no parsing; a heavy forwarder can parse, filter and route data before sending it.
* Indexer: processes the incoming data (event breaking, timestamp extraction, parsing) and stores it as indexed buckets on local or cloud storage; it also runs the indexer-side part of every search.
* Search Head: the user-facing tier; it lets end users search, analyse and visualise the data, and distributes each search to the indexers.

What is the difference between the Splunk SDK and the Splunk App Framework?

The Splunk SDKs (for Python, Java, JavaScript and C#) let you build applications from scratch that talk to Splunk through its REST API; they do not require Splunk Web or any component of the Splunk App Framework, are licensed separately from Splunk Enterprise (as open source), and do not alter the Splunk software.

The Splunk App Framework resides within the Splunk web server; it lets you customise the Splunk Web UI that ships with the product and build Splunk apps that run on the Splunk web server. It is an integral part of the product's features and functionality, and its license does not permit users to modify Splunk itself.

What is the MapReduce algorithm?

MapReduce-style processing is the secret behind Splunk's fast distributed search: the search head sends the "map" part of a search to every indexer, each indexer runs it in parallel over its own data, and the search head then "reduces" the partial results into the final answer. It is an approach typically used for batch-based, large-scale parallelisation, inspired by the map() and reduce() functions of functional programming.

What is the command to stop and start the Splunk service?

The command to start the Splunk service is: $SPLUNK_HOME/bin/splunk start (./splunk start from the bin directory)

The command to stop the Splunk service is: $SPLUNK_HOME/bin/splunk stop (and splunk restart does both)

Differentiate between Splunk App and Add-on.

Splunk apps are complete packages of reports, dashboards, alerts, field extractions and lookups with a user interface, whereas Splunk add-ons contain only built-in configuration (inputs, field extractions, lookups) and have no dashboards or reports.


How would you handle/troubleshoot a Splunk License Violation Warning?

A license violation warning means that Splunk has indexed more data in a day than the purchased license quota allows. To troubleshoot it: on the license master, check the usage of each license pool to find the pool in which the warning occurred; within that pool, identify which index and source type received more data than their usual daily volume (the license usage report on the license master breaks usage down by index, source type, host and source); then find the source machine that sent the unusual amount of logs, establish the root cause (a debug log level left on, a misconfigured input, a newly onboarded application) and fix it. Routing noisy, low-value events to the null queue before they are indexed also keeps them from counting against the license.

What are Buckets? Explain the Splunk Bucket Lifecycle.

Buckets are the directories in which an indexer stores indexed data; each bucket holds the events of a particular time range. A bucket passes through several stages over time:

* Hot: a hot bucket holds the most recently indexed data and is open for writing. An index has one or more hot buckets. A hot bucket rolls to warm when it reaches a size or time-span limit, or when splunkd restarts.
* Warm: a warm bucket is a rolled hot bucket; it is closed for writing, renamed to carry its time range, still searchable, and kept on the same storage as the hot buckets.
* Cold: a bucket rolls from warm to cold when the number of warm buckets exceeds a limit; cold buckets can live on cheaper storage and remain searchable.
* Frozen: a bucket is frozen when its newest event is older than the configured retention period or when the index exceeds its maximum size. By default the indexer deletes frozen data, but it can be archived instead; frozen data is not searchable. An archived bucket restored into the index's thawed directory becomes searchable again.
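The lifecycle above, as an added Python simulation (not code from the page or from Splunk) of an index whose retention settings are named after their indexes.conf counterparts: maxDataSize, maxWarmDBCount, frozenTimePeriodInSecs, maxTotalDataSizeMB and coldToFrozenDir. The sizes, the six-day scenario and the archive path are constructed assumptions, and roll() applies the rules in a simplified, deterministic order; it is enough to show the point that bites retention planning for forensics, namely that a bucket can be frozen long before its retention period expires once the index hits its size cap.

```python
from dataclasses import dataclass
from typing import List, Optional

DAY = 86400


@dataclass
class Bucket:
    id: int
    latest: int         # epoch seconds of the newest event in the bucket
    size_mb: int
    state: str = "hot"  # hot -> warm -> cold -> frozen (deleted or archived)


@dataclass
class Policy:
    # Names follow the corresponding indexes.conf settings (values are constructed).
    maxDataSize: int             # MB; a hot bucket rolls to warm at this size
    maxWarmDBCount: int          # oldest warm buckets roll to cold beyond this count
    frozenTimePeriodInSecs: int  # a bucket freezes once its newest event is older than this
    maxTotalDataSizeMB: int      # oldest buckets freeze while the index exceeds this size
    coldToFrozenDir: Optional[str] = None  # archive frozen buckets here instead of deleting


class Index:
    def __init__(self, policy: Policy):
        self.policy = policy
        self.buckets: List[Bucket] = []   # hot, warm and cold buckets: all searchable
        self.archived: List[int] = []     # frozen buckets copied to coldToFrozenDir
        self.deleted: List[int] = []      # frozen buckets deleted (the default)

    def write(self, size_mb: int, now: int) -> None:
        """Index size_mb of data at time `now` into the open hot bucket."""
        hot = next((b for b in self.buckets if b.state == "hot"), None)
        if hot is None:
            next_id = len(self.buckets) + len(self.archived) + len(self.deleted)
            hot = Bucket(id=next_id, latest=now, size_mb=0)
            self.buckets.append(hot)
        hot.size_mb += size_mb
        hot.latest = max(hot.latest, now)

    def _freeze(self, b: Bucket) -> None:
        self.buckets.remove(b)
        (self.archived if self.policy.coldToFrozenDir else self.deleted).append(b.id)

    def roll(self, now: int) -> None:
        """Apply the ageing rules once: size roll, warm count, retention, index size."""
        p = self.policy
        for b in self.buckets:
            if b.state == "hot" and b.size_mb >= p.maxDataSize:
                b.state = "warm"
        warm = sorted((b for b in self.buckets if b.state == "warm"), key=lambda b: b.latest)
        for b in warm[: max(0, len(warm) - p.maxWarmDBCount)]:
            b.state = "cold"                       # oldest warm buckets roll first
        for b in [b for b in self.buckets if b.state != "hot"]:
            if now - b.latest > p.frozenTimePeriodInSecs:
                self._freeze(b)                    # retention period exceeded
        while sum(b.size_mb for b in self.buckets) > p.maxTotalDataSizeMB:
            candidates = [b for b in self.buckets if b.state != "hot"]
            if not candidates:
                break
            self._freeze(min(candidates, key=lambda b: b.latest))  # size cap: oldest goes

    def states(self) -> dict:
        out = {s: sorted(b.id for b in self.buckets if b.state == s) for s in ("hot", "warm", "cold")}
        out["archived"], out["deleted"] = list(self.archived), list(self.deleted)
        return out


def demo():
    """Constructed scenario: 100 MB/day into an index with 90-day retention but a 500 MB cap."""
    idx = Index(Policy(maxDataSize=100, maxWarmDBCount=2, frozenTimePeriodInSecs=90 * DAY,
                       maxTotalDataSizeMB=500, coldToFrozenDir="/archive/security"))
    for day in range(1, 7):
        idx.write(100, now=day * DAY)
        idx.roll(now=day * DAY)
    after_six_days = idx.states()      # bucket 0 is already frozen by the size cap on day 6
    idx.roll(now=(6 + 87) * DAY)       # 87 days later only bucket 1 has passed 90 days
    return after_six_days, idx.states()
```

In the scenario, the oldest bucket is archived on day 6 because the 500 MB cap is hit, 84 days before its retention period would have expired; with coldToFrozenDir unset it would simply be deleted. When sizing an index that must hold evidence for a fixed period, maxTotalDataSizeMB has to be large enough for the whole retention window, or the data is gone before the window ends.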

Explain 'license violation' from the Splunk perspective.

Whenever the indexed volume exceeds the licensed daily limit, a license warning is generated and shown on the license master, where it stays for 14 days. Under a commercial (Enterprise) license, five or more warnings within a rolling 30-day window put the license in violation: search is disabled on the affected indexers (indexing continues) until the warnings age out or a new license is applied. Under the Free license the limit is three warnings. Newer Enterprise licenses may be of the no-enforcement type, in which case warnings are still recorded but search is not blocked.
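Added Python example (not from the page or from Splunk) that makes the two licensing rules computable: daily_volume() assigns each indexed chunk to a license day using midnight-to-midnight on the license master's clock rather than the indexer's, and in_violation() applies the rolling 30-day warning count for the Enterprise and Free limits. The quota, byte counts, timestamps and the UTC-5 license master are constructed for the example.

```python
from collections import defaultdict
from datetime import date, datetime, timedelta, timezone
from typing import Dict, Iterable, List, Tuple

ENTERPRISE_WARNING_LIMIT = 5  # warnings in a rolling 30-day window => violation
FREE_WARNING_LIMIT = 3


def daily_volume(chunks: Iterable[Tuple[datetime, int]], master_tz: timezone) -> Dict[date, int]:
    """Sum indexed bytes per license day.

    A chunk belongs to the calendar date it falls on according to the license
    master's clock (master_tz), not the clock of the indexer that received it.
    """
    per_day: Dict[date, int] = defaultdict(int)
    for when, nbytes in chunks:
        per_day[when.astimezone(master_tz).date()] += nbytes
    return dict(per_day)


def warning_days(per_day: Dict[date, int], quota_bytes: int) -> List[date]:
    """Days on which the indexed volume exceeded the license quota."""
    return sorted(d for d, v in per_day.items() if v > quota_bytes)


def in_violation(warnings: Iterable[date], limit: int, window_days: int = 30) -> bool:
    """True if any rolling window of window_days holds at least `limit` warnings."""
    days = sorted(set(warnings))
    for i, start in enumerate(days):
        end = start + timedelta(days=window_days)
        if sum(1 for d in days[i:] if d < end) >= limit:
            return True
    return False


# Constructed sample: indexers timestamp in UTC, the license master runs at UTC-5.
MASTER_TZ = timezone(timedelta(hours=-5))
QUOTA = 1000  # bytes per day, constructed
CHUNKS = [
    (datetime(2024, 3, 1, 3, 0, tzinfo=timezone.utc), 600),  # 22:00 on Feb 29 for the master
    (datetime(2024, 3, 1, 6, 0, tzinfo=timezone.utc), 600),  # 01:00 on Mar 1 for the master
]


def demo() -> dict:
    by_utc = daily_volume(CHUNKS, timezone.utc)        # what the indexer's clock would say
    by_master = daily_volume(CHUNKS, MASTER_TZ)        # what the license master actually counts
    seen = [date(2024, 1, 1), date(2024, 1, 5), date(2024, 1, 10), date(2024, 1, 20)]
    return {
        "utc_warnings": [d.isoformat() for d in warning_days(by_utc, QUOTA)],
        "master_warnings": [d.isoformat() for d in warning_days(by_master, QUOTA)],
        "enterprise_5th_on_jan29": in_violation(seen + [date(2024, 1, 29)], ENTERPRISE_WARNING_LIMIT),
        "enterprise_5th_on_feb1": in_violation(seen + [date(2024, 2, 1)], ENTERPRISE_WARNING_LIMIT),
        "free_same_days": in_violation(seen, FREE_WARNING_LIMIT),
    }
```

The same 1200 bytes produce a warning when counted on the indexer's UTC day but none on the license master's day, which is why a spike that straddles the master's midnight can look like an over-quota day in your own reports yet never show up on the license master, and vice versa.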
