Splunk Interview Questions and Answers for freshers and Experienced
Categories: Interview questions and answers Experienced Freshers Splunk
Question:- List out common ports used by Splunk.
Answer:- Common ports used by Splunk are as follows:
- Web Port: 8000
- Management Port: 8089
- Network port: 514
- Index Replication Port: 8080
- Indexing Port: 9997
- KV store: 8191
Question:- What do you mean by Splunk indexer?
Answer:- It is a component of Splunk Enterprise which creates and manages indexes. The primary functions of an indexer are 1) Indexing raw data into an index and 2) Search and manage Indexed data.
Question:- What are the disadvantages of using Splunk?
Answer:- Some disadvantages of using Splunk tool are:
- Splunk can prove expensive for large data volumes.
- Dashboards are functional but not as effective as some other monitoring tools.
- Its learning curve is stiff, and you need Splunk training as it’s a multi-tier architecture. So, you need to spend lots of time to learn this tool.
- Searches are difficult to understand, especially regular expressions and search syntax.
Question:- What are the pros of getting data into a Splunk instance using forwarders?
Answer:- The advantages of getting data into Splunk via forwarders are TCP connection, bandwidth throttling, and secure SSL connection for transferring crucial data from a forwarder to an indexer.
Question:- What is the importance of license master in Splunk?
Answer:- It ensures that the environment remains within the limits of the purchased volume as Splunk license depends on the data volume, which comes to the platform within a 24-hour window.
Question:- Explain license violation in Splunk.
Answer:- It is a warning error that occurs when you exceed the data limit. This warning error will persist for 14 days. In a commercial license, you may have 5 warnings within a 1-month rolling window before which your Indexer search results and reports stop triggering.
Question:- What is the use of Splunk alert?
Answer:- Alerts can be used when you have to monitor for and respond to specific events. For example, sending an email notification to the user when there are more than three failed login attempts in a 24-hour period.
Question:- How Splunk avoids duplicate log indexing?
Answer: - Splunk allows you to keeps track of indexed events in a fish buckets directory. It contains CRCs and seeks pointers for the files you are indexing, so Splunk can’t if it has read them already.
Question: - What is the use of lookup command?
Answer:- Lookup command is generally used when you want to get some fields from an external file. It helps you to narrow the search results as it helps to reference fields in an external file that match fields in your event data.
Question:- Explain default fields for an event in Splunk
Answer:- There are 5 default fields which are barcoded with every event into Splunk. They are: 1) host, 2) source, 3) source type, 4) index, and 5) timestamp.
Question:- How can you extract fields?
Answer:- In order to extract fields from either sidebar, event lists or the settings menu using UI.
Question:- What do you mean by summary index?
Answer:- A summary index is a special index that stores that result calculated by Splunk. It is a fast and cheap way to run a query over a longer period of time.
Question:- How to prevent events from being indexed by Splunk?
Answer:- You can prevent the event from being indexed by Splunk by excluding debug messages by putting them in the null queue. You have to keep the null queue in transforms.conf file at the forwarder level itself.
Question:- What is the function of Alert Manager?
Answer:- The alert manager adds workflow to Splunk. The purpose of alert manager o provides a common app with dashboards to search for alerts or events.