Both are features provided by Splunk for the high availability of the Splunk search head in case anyone's search head goes down. Search head cluster is newly introduced and search head pooling will be removed in upcoming versions. A search head cluster is managed by the captain, and the captain controls its slaves. Search head cluster is more reliable and efficient than search head pooling.
Posted Date:- 2021-11-16 08:30:32
A Splunk App is a collection of reports, dashboards, alerts, field extractions and lookups, whereas Splunk Add-ons are the same but they don’t have the visual components of a report or a dashboard.
Posted Date:- 2021-11-16 08:29:43
An inputlookup basically takes an input as the name suggests. For example, it would take the product price, product name as input and then match it with an internal field like a product id or an item id. Whereas, an outputlookup is used to generate an output from an existing field list. Basically, inputlookup is used to enrich the data and outputlookup is used to build their information.
Posted Date:- 2021-11-16 08:28:50
There are many commands which are used during filtering of the result. Please find a few of the commands used below:
* Rex- In simpler words, it is a regular expression which helps the user to extract the data/exact field from the events which are generated. To get this info, the REX command is used.
* Where- An EVAL expression is used by the WHERE command to filter the searched result from the extracted events. The WHERE command is used to deep dive into the searched results.
* Sort- If the user wants the result to be sorted by specified fields, then the SORT command is used, which can sort the result in ascending or descending order. Moreover, even the capacity of the sorting can be defined with this command.
* Search- To retrieve the events from the indexes, the SEARCH command is used. Events from the indexes can be searched by using keywords, Key, Value, quoted phrases and wildcards.
Posted Date:- 2021-11-16 08:24:34
There are three types of search modes in Splunk:
* Fast mode: speeds up your search result by limiting the types of data.
* Verbose mode: Slower as compared to the fast mode, but returns the information for as many events as possible.
* Smart mode: It toggles between different modes and search behaviours to provide maximum results in the shortest period of time.
Posted Date:- 2021-11-16 08:23:26
Clustering technique has two terminologies known as Search Factor & Replication Factor.
Search factor determines the count of searchable copies for the data which is owned by the indexer.
Replication Factor, in the case of an Indexer cluster, is the number of copies of data the cluster maintains, and in the case of a search head cluster, it is the minimum number of copies of each search artifact the cluster maintains.
With respect to clusters, a Search head cluster has only a Search Factor, and an Indexer cluster has both a Search Factor and a Replication Factor.
Moreover, the replication factor should not be less than the search factor.
Posted Date:- 2021-11-16 08:22:02
It’s a directory or index at the default location /opt/Splunk/var/lib/Splunk. It contains seek pointers and CRCs for the files you are indexing, so splunkd can tell if it has read them already. We can access it through the GUI by searching for “index=_thefishbucket”.
Posted Date:- 2021-11-16 08:20:47
Basically, both contain preconfigured configuration and reports etc., but the Splunk add-on does not have a visual app. Splunk apps have a preconfigured visual app.
Posted Date:- 2021-11-16 08:19:53
Splunk btool is a command-line tool that helps us to troubleshoot configuration file issues or just see what values are being used by your Splunk Enterprise installation in the existing environment.
Posted Date:- 2021-11-16 08:19:00
They are included with Splunk, no need to purchase separately
Posted Date:- 2021-11-16 08:18:14
Midnight to midnight on the clock of the license master
Posted Date:- 2021-11-16 08:17:43
The answer to this question would be very wide but basically, interviewer would be looking for the following keywords in an interview:
* Check splunkd.log for any errors
* Check server performance issues i.e. CPU/memory usage, disk i/o, etc
* Install SOS (Splunk on Splunk) app and check for warning and errors in the dashboard
* Check the number of saved searches currently running and their system resources consumption
* Install Firebug, which is a Firefox extension. After it’s installed and enabled, log into Splunk (using Firefox), open Firebug’s panels, switch to the ‘Net’ panel (you will have to enable it). The Net panel will show you the HTTP requests and responses along with the time spent in each. This will give you a lot of information quickly over which requests are hanging Splunk for a few seconds, and which are blameless, etc.
Posted Date:- 2021-11-16 08:16:53
Please find the benefits of the data flowing from forwarders to Splunk below:
1. Throttling on bandwidth
2. To collect all syslog data from the system log server
3. If any issues are encountered on Splunk, the captured logs from the application server won’t be lost; they will be saved in flat files on the servers.
4. The SSL connection for transferring the data from a forwarder to an indexer is encrypted.
5. Data which is pushed to the Splunk indexer is load balanced by default to avoid any issue, and the reason for introducing a load balancer is that if any one indexer node is down then data can be routed to the other node.
6. The data is cached by the forwarder locally prior to sending to the indexer; this cache helps as a temporary backup of the data. Eventually, at any given point of time, data won’t be lost in any circumstance.
Posted Date:- 2021-11-16 08:15:48
If the license master is not available, the license slave will start a 24-hour timer, after which the search will be blocked on the license slave (though indexing continues). However, users will not be able to search for data in that slave until it can reach the license master again.
Posted Date:- 2021-11-16 08:12:53
Splunk Free does not include the below features:
* Authentication and scheduled searches/alerting
* Distributed search
* Forwarding in TCP/HTTP (to non-Splunk)
* Deployment management
Posted Date:- 2021-11-16 08:12:12
The transaction command is most useful in two specific cases:
Unique id (from one or more fields) alone is not sufficient to discriminate between two transactions. This is the case when the identifier is reused, for example, web sessions identified by cookie/client IP. In this case, time span or pauses are also used to segment the data into transactions. In other cases when an identifier is reused, say in DHCP logs, a particular message may identify the beginning or end of a transaction.
When it is desirable to see the raw text of the events combined rather than analysis on the constituent fields of the events.
In other cases, it’s usually better to use stats as the performance is higher, especially in a distributed search environment. Often there is a unique id and stats can be used.
Posted Date:- 2021-11-16 08:11:01
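The two cases above are easier to see side by side. The following is an added Python example, not code from the answer or from Splunk, that models `transaction` with a maximum pause on a reused identifier (client IP) next to a plain `stats ... by` aggregation over the same events. The events, field names and the 5-minute `maxpause` default are constructed for the illustration.

```python
from datetime import datetime, timedelta

# Constructed web events: client 10.0.0.5 comes back 90 minutes later reusing the
# same identifier, so the identifier alone cannot separate the two visits.
EVENTS = [
    {"_time": "2021-11-16 08:00:00", "client_ip": "10.0.0.5", "uri": "/login"},
    {"_time": "2021-11-16 08:00:20", "client_ip": "10.0.0.5", "uri": "/cart"},
    {"_time": "2021-11-16 08:00:45", "client_ip": "10.0.0.5", "uri": "/checkout"},
    {"_time": "2021-11-16 09:30:00", "client_ip": "10.0.0.5", "uri": "/login"},
    {"_time": "2021-11-16 09:30:10", "client_ip": "10.0.0.5", "uri": "/admin"},
    {"_time": "2021-11-16 08:00:05", "client_ip": "10.0.0.9", "uri": "/login"},
]


def _t(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def transaction(events, field, maxpause=timedelta(minutes=5)):
    """Group events per identifier in time order; a gap longer than `maxpause`
    between consecutive events starts a new transaction (the reused-id case)."""
    by_id = {}
    for e in sorted(events, key=lambda e: _t(e["_time"])):
        txns = by_id.setdefault(e[field], [])
        if txns and _t(e["_time"]) - _t(txns[-1][-1]["_time"]) <= maxpause:
            txns[-1].append(e)          # continues the open transaction
        else:
            txns.append([e])            # first event, or pause exceeded
    rows = []
    for key, txns in by_id.items():
        for t in txns:
            rows.append({
                field: key,
                "count": len(t),
                "duration": (_t(t[-1]["_time"]) - _t(t[0]["_time"])).total_seconds(),
                # transaction keeps the combined raw text, which stats does not
                "_raw": "\n".join(f'{e["_time"]} {e["uri"]}' for e in t),
            })
    return rows


def stats_by(events, field):
    """stats count, values(uri) by <field>: one row per identifier. No sorting
    and no gap logic, which is why it parallelises well across indexers."""
    out = {}
    for e in events:
        row = out.setdefault(e[field], {field: e[field], "count": 0, "uris": set()})
        row["count"] += 1
        row["uris"].add(e["uri"])
    return list(out.values())


if __name__ == "__main__":
    for row in transaction(EVENTS, "client_ip"):
        print(row["client_ip"], row["count"], row["duration"])
    print(stats_by(EVENTS, "client_ip"))
```

With the default pause, 10.0.0.5 yields two transactions (three events, then two) while `stats_by` collapses all five into one row; widening `maxpause` to two hours merges the visits again, which is the knob the answer refers to when it says time span or pauses segment the data.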
Deployer is a Splunk Enterprise instance which is used to deploy apps to the cluster head. It can also be used to configure information for apps and users.
Posted Date:- 2021-11-16 08:10:17
There are multiple ways we can extract IP addresses from logs. Below are few examples.
Regular Expression for extracting IP address:
Expression for extracting IP address
Posted Date:- 2021-11-16 08:09:47
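As an added example covering both the filtering commands described earlier (search, rex, where, sort) and IP-address extraction, the Python below is not from the original answer or from Splunk; it runs the same four stages as functions over constructed sshd lines. The `FIELD_RE` pattern and the sample events are assumptions for this illustration. It also contrasts the common loose IPv4 pattern with an octet-validated one, because `\d{1,3}` happily extracts 999.1.1.1.

```python
import re

# Constructed sample events (not real log data).
EVENTS = [
    "Nov 16 08:01:02 web01 sshd[1201]: Failed password for root from 203.0.113.7 port 4422 ssh2",
    "Nov 16 08:01:05 web01 sshd[1201]: Failed password for admin from 203.0.113.7 port 4423 ssh2",
    "Nov 16 08:01:09 web02 sshd[2210]: Accepted publickey for deploy from 198.51.100.23 port 5001 ssh2",
    "Nov 16 08:02:30 web01 sshd[1305]: Failed password for root from 999.1.1.1 port 4480 ssh2",
    "Nov 16 08:03:00 web03 cron[77]: (root) CMD (run-parts /etc/cron.hourly)",
]

# The pattern people usually write: matches any dotted quad of 1-3 digits.
IPV4_LOOSE = re.compile(r"\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}")
# Each octet limited to 0-255, and not glued to surrounding digits.
OCTET = r"(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)"
IPV4_STRICT = re.compile(rf"(?<!\d)(?:{OCTET}\.){{3}}{OCTET}(?!\d)")

# Assumed field-extraction pattern, in the named-group style rex uses.
FIELD_RE = re.compile(
    r"(?P<result>Failed|Accepted) \w+ for (?P<user>\S+) from (?P<src_ip>\S+) port (?P<port>\d+)"
)


def extract_ips(events, pattern):
    """Every IPv4 match across all events, in order of appearance."""
    return [m for e in events for m in pattern.findall(e)]


def search(events, keyword):
    """search stage: keep events containing the keyword (case-insensitive)."""
    return [e for e in events if keyword.lower() in e.lower()]


def rex(events, pattern=FIELD_RE):
    """rex stage: turn named groups into fields; events that do not match are dropped."""
    rows = []
    for e in events:
        m = pattern.search(e)
        if m:
            rows.append({**m.groupdict(), "_raw": e})
    return rows


def where(rows, predicate):
    """where stage: keep rows for which the expression is true."""
    return [r for r in rows if predicate(r)]


def sort(rows, key, reverse=False, limit=None):
    """sort stage: order rows by a key function, optionally capping the count."""
    ordered = sorted(rows, key=key, reverse=reverse)
    return ordered[:limit] if limit else ordered


def failed_logins(events):
    """Pipeline: search sshd | rex | where result=Failed AND valid src_ip | sort -port."""
    rows = rex(search(events, "sshd"))
    rows = where(rows, lambda r: r["result"] == "Failed" and IPV4_STRICT.fullmatch(r["src_ip"]))
    return sort(rows, key=lambda r: int(r["port"]), reverse=True)


if __name__ == "__main__":
    print(extract_ips(EVENTS, IPV4_LOOSE))
    print(extract_ips(EVENTS, IPV4_STRICT))
    for r in failed_logins(EVENTS):
        print(r["user"], r["src_ip"], r["port"])
```

The loose pattern returns four addresses including the impossible 999.1.1.1; the strict one returns three, and the `where` stage discards the bogus-source event before sorting, which is the kind of check worth adding whenever an extracted IP feeds a lookup or an alert.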
Key Value (KV) allows you to store and obtain data inside Splunk. KV also helps you to:
* Manage job queue
* Store metadata
* Examine the workflow
Posted Date:- 2021-11-16 08:09:06
Use the forwarder tab available on the DMC (Distributed Management Console) to monitor the status of forwarders and the deployment server to manage them.
Posted Date:- 2021-11-16 08:08:03
A Syslog server is used to collect data from various devices like routers and switches and application logs from the web server. You can use rsyslog or syslog-ng to configure a Syslog server.
Posted Date:- 2021-11-16 08:07:35
Splunk sound unit is a plugin which allows adding info data with Splunk reports. It helps in providing reliable and ascendible integration between relative databases and Splunk enterprises.
Posted Date:- 2021-11-16 08:06:36
Time zone property provides the output for a specific time zone. Splunk takes the default time zone from browser settings. The browser takes the current time zone from the computer system, which is currently in use. Splunk takes that time zone when users are searching and correlating bulk data coming from other sources.
Posted Date:- 2021-11-16 08:06:06
Deployment server is a Splunk instance that acts as a centralized configuration manager. It is used to deploy the configuration to other Splunk instances.
Posted Date:- 2021-11-16 08:05:37
It is used to combine the results of a sub search with the results of the actual search. Here the fields must be common to each result set. You can also combine a search set of results to itself using the selfjoin command in Splunk.
Posted Date:- 2021-11-16 08:05:15
The source identifies the source from which a particular event originates, while the sourcetype determines how Splunk processes the incoming data stream into events according to its nature.
Posted Date:- 2021-11-16 08:04:53
There are three types of search modes. They are:
* Fast mode: It increases the searching speed by limiting search data.
* Verbose mode: This mode returns all possible fields and event data.
* Smart mode: It is a default setting in a Splunk app. Smart mode toggles the search behavior based on transforming commands.
Posted Date:- 2021-11-16 08:04:31
A null queue is an approach to filter out unwanted incoming events sent by Splunk enterprise.
Posted Date:- 2021-11-16 08:03:53
Splunk on Splunk or SOS is a Splunk app that helps you to analyze and troubleshoot Splunk environment performance and issues.
Posted Date:- 2021-11-16 08:03:29
Following are the commands which are included in the reporting results category:
* Rare
* Chart
* Timechart
* Top
* Stats
Posted Date:- 2021-11-16 08:03:07
This command is used to calculate an expression. Eval command evaluates boolean expressions, string, and mathematical articulations. You can use multiple eval expressions in a single search using a comma.
Posted Date:- 2021-11-16 08:02:32
Time Zone is an important property that helps you search for the events in case any fraud or security issue occurs. The default time zone will be taken from the browser settings or the machine you are using. Apart from event searching, it is also used in data pouring from multiple sources and aligns them based on different time zones.
Posted Date:- 2021-11-16 08:01:27
>> Search factor: The search factor (SF) decides the number of searchable copies an indexer cluster can maintain of the data/bucket. For example, the search factor value of 3 shows that the cluster can maintain up to 3 copies of each bucket.
>> Replication factor: The replication factor (RF) determines the number of users that can receive copies of your data/buckets. However, the search factor should not be greater than the replication factor.
Posted Date:- 2021-11-16 08:00:56
Alerts are the actions generated by a saved search result after a certain period of time. Once an alert has occurred, subsequent actions like email or message will also be triggered. There are two types of alerts available in Splunk:
* Real-time alerts: we can divide the real-time alerts into two parts, pre-result, and rolling-window alerts. The pre-result alert gets triggered with every search, while rolling-window alerts are triggered when a specific criterion is met by the search.
* Scheduled Alerts: As the name suggests, scheduled alerts can be initialized to trigger multiple alerts based on the set criteria.
Posted Date:- 2021-11-16 08:00:23
There are three types of dashboards available in Splunk:
* Real-time dashboards
* Dynamic form-based dashboards
* Dashboards for scheduled reports
Posted Date:- 2021-11-16 07:59:03
This topic will be present in any set of Splunk interview questions and answers. Workflow actions in Splunk are referred to as highly configurable, knowledge objects that enable you to interact with web resources and other fields. Splunk workflow actions can be used to create HTML links and use them to search field values, put HTTP post requests for specific URLs, and run secondary searches for selected events.
Posted Date:- 2021-11-16 07:58:00
Data models in Splunk are used when you have to process huge amounts of unstructured data and create a hierarchical model without executing complex search queries on the data. Data models are widely used for creating sales reports, add access levels, and create a structure of authentication for various applications.
Pivots, on the other hand, give you the flexibility to create multiple views and see the results as per the requirements. With pivots, even the managers of stakeholders from non-technical backgrounds can create views and get more details about their departments.
Posted Date:- 2021-11-16 07:57:18
Data entering an indexer gets directories, also known as buckets. Over a period of time, these buckets roll over different stages from hot to warm, cold, frozen, and finally thawed. The indexer goes through a pipeline and this is where the event processing takes place. It occurs in two stages: parsing breaks the data into individual events, while indexing takes these events into the pipeline for processing.
Posted Date:- 2021-11-16 06:15:27
The SPL commands are classified into five categories:
1) Filtering Results, 2) Sorting Results, 3) Filtering Grouping Results, 4) Adding Fields, and 5) Reporting Results.
Posted Date:- 2021-11-16 06:14:31
Splunk UI has a number of features that allow the administrator to make the reports more presentable. One such feature that proves to be very useful for presenting distinguished results is the custom colors. For example, if the sales of a product drop below a threshold value, then as an administrator you can set the chart to display the values in red color.
The administrator can also change chart colors in the Splunk Web UI by editing the panels from the panel settings mentioned above the dashboard. Moreover, you can write the codes and use hexadecimal values to choose a color from the palette.
Posted Date:- 2021-11-16 06:13:33
We can divide the working of Splunk into three main parts:
* Forwarder: You can see it as a dumb agent whose main task is to collect the data from various sources like remote machines and transfer it to the indexer.
* Indexer: The indexer will then process the data in real-time and store & index it on the localhost or cloud server.
* Search Head: It allows the end-user to interact with the data and perform various operations like searching, analyzing, and visualizing the information.
Posted Date:- 2021-11-16 06:13:10
Splunk SDKs are designed to allow us to develop applications from scratch and they do not require Splunk Web or any components from the Splunk App Framework. These are separately licensed from Splunk and do not alter the Splunk Software.
Splunk App Framework resides within the Splunk web server and permits us to customize the Splunk Web UI that comes with the product and develop Splunk apps using the Splunk web server. It is an important part of the features and functionalities of Splunk, which does not license users to modify anything in Splunk.
Posted Date:- 2021-11-16 06:11:03
MapReduce algorithm is the secret behind Splunk’s faster data searching. It’s an algorithm typically used for batch-based large-scale parallelization. It’s inspired by functional programming’s map() and reduce() functions.
Posted Date:- 2021-11-16 06:10:25
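The map/reduce split is easy to show on a distributed `stats`. This added Python example (not Splunk's implementation, and not part of the answer) runs a map phase on each of two constructed indexer slices and a reduce phase that merges them. It also shows the classic pitfall the reduce step must avoid: averaging per-indexer averages instead of carrying sums and counts through to the final reduce.

```python
# Constructed event slices, one per indexer (field names and values are made up).
INDEXERS = {
    "idx1": [
        {"host": "web01", "bytes": 100},
        {"host": "web01", "bytes": 100},
        {"host": "web02", "bytes": 300},
    ],
    "idx2": [
        {"host": "web01", "bytes": 700},
        {"host": "web03", "bytes": 200},
    ],
}


def map_phase(events):
    """Runs on each indexer over its own data: partial count and sum per host.
    Only these small partials travel to the search head, not the raw events."""
    partial = {}
    for e in events:
        p = partial.setdefault(e["host"], {"count": 0, "sum": 0})
        p["count"] += 1
        p["sum"] += e["bytes"]
    return partial


def reduce_phase(partials):
    """Runs once on the search head: merge partials, then derive avg from sum/count."""
    merged = {}
    for partial in partials:
        for host, p in partial.items():
            m = merged.setdefault(host, {"count": 0, "sum": 0})
            m["count"] += p["count"]
            m["sum"] += p["sum"]
    return {h: {**m, "avg": m["sum"] / m["count"]} for h, m in merged.items()}


def distributed_stats(indexers):
    """stats count, sum(bytes), avg(bytes) by host, computed map-then-reduce."""
    return reduce_phase(map_phase(events) for events in indexers.values())


def avg_of_avgs(indexers, host):
    """The wrong reduce: average of per-indexer averages, which ignores weights."""
    per_indexer = [
        sum(e["bytes"] for e in ev if e["host"] == host) / len([e for e in ev if e["host"] == host])
        for ev in indexers.values()
        if any(e["host"] == host for e in ev)
    ]
    return sum(per_indexer) / len(per_indexer)


if __name__ == "__main__":
    print(distributed_stats(INDEXERS))
    print("avg_of_avgs web01:", avg_of_avgs(INDEXERS, "web01"))
```

For web01 the correct average is 900/3 = 300, while averaging the two indexer averages (100 and 700) gives 400; carrying sum and count, not a finished average, through the map output is what keeps the distributed result identical to a single-node one.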
The command to start Splunk service is: ./splunk start
The command to stop Splunk service is: ./splunk stop
Posted Date:- 2021-11-16 06:09:52
Splunk Apps refer to the complete collection of reports, dashboards, alerts, field extractions, and lookups. However, Splunk Add-ons only contain built-in configurations – they do not have dashboards or reports.
Posted Date:- 2021-11-16 06:09:38
Splunk free lacks these features:
* authentication and scheduled searches/alerting
* distributed search
* forwarding in TCP/HTTP (to non-Splunk)
* deployment management
Posted Date:- 2021-11-16 06:08:41
A license violation warning means that Splunk has indexed more data than our purchased license quota. We have to identify which index/source type has received more data recently than the usual daily data volume. We can check the Splunk license master pool-wise available quota and identify the pool for which the violation has occurred. Once we know the pool for which we are receiving more data, then we have to identify the top source type for which we are receiving more data than the usual data. Once the source type is identified, then we have to find out the source machine which is sending the huge number of logs and the root cause for the same and troubleshoot it, accordingly.
Posted Date:- 2021-11-16 06:06:52
Buckets are directories that store the indexed data in Splunk. So, it is a physical directory that chronicles the events of a specific period. A bucket undergoes several stages of transformation over time. They are:
* Hot – A hot bucket comprises the newly indexed data, and hence, it is open for writing and new additions. An index can have one or more hot buckets.
* Warm – A warm bucket contains the data that is rolled out from a hot bucket.
* Cold – A cold bucket has data that is rolled out from a warm bucket.
* Frozen – A frozen bucket contains the data rolled out from a cold bucket. The Splunk Indexer deletes the frozen data by default. However, there’s an option to archive it. An important thing to remember here is that frozen data is not searchable.
Posted Date:- 2021-11-16 06:06:35
Anytime you exceed the data limit, the ‘license violation’ error will show on the dashboard. This warning will remain for 14 days. For a commercial Splunk license, users can have five warnings in a 30-day window before which Indexer’s search results and reports will not trigger. However, for the free version, users get only three warning counts.
Posted Date:- 2021-11-16 06:05:51