If you're looking for Splunk interview questions and answers for experienced candidates or freshers, you are at the right place. There are a lot of opportunities from many reputed companies in the world. According to research, Splunk has a market share of about 36.2%, so you still have the opportunity to move ahead in your career in Splunk. Mindmajix offers advanced Splunk interview questions (2021) that help you crack your interview and land your dream career as a Splunk developer.
Compare Splunk and Elastic Stack

| Feature | Splunk | Elastic Stack (ELK) |
|---|---|---|
| Log management | Highly supported | Highly supported |
| Robust search | Capable of robust search | Capable of robust search |
| Deployment steps | Easy to deploy | Easy to deploy |
| Dashboard features | Offers more features than ELK | Relatively less when compared to Splunk |
| Community support | Highly professional community to support | Open source has more benefits due to a huge user base |
| Latest version | Splunk 6.5 | Elastic Stack 5.0 |
| Pricing | Offers enterprise editions | Open source |
| APIs supported/built on | RESTful API and 200 plus endpoints | RESTful API and JSON |
| Third-party integrations | App portal provides 1000s of add-ons | Plethora of integrations and plugins |
Splunk is Google for your machine data. It is a software engine that can be used for searching, visualizing, monitoring, and reporting on your enterprise data. Splunk takes valuable machine data and turns it into powerful operational intelligence by providing real-time insight into your data through charts, alerts, reports, etc.
| Splunk Cloud | Hadoop HDFS |
|---|---|
| Cloud-based service | Distributed file system designed to run on commodity hardware |
| Splunk is a tool | Hadoop is a framework |
| Collect and index data | File system namespace |
| Splunk is a log analysis platform | Hadoop is a big data file system |
| Devices supported: Windows, Android, iPhone/iPad, Mac | Devices supported: Windows, Mac |
| Splunk DB Connect | Browser interface |
| Splunk App for Stream | DFSAdmin |
| Splunk mainly monitors, logs, and analyzes machine-generated big data | Hadoop is ideal for ETL and storage of data in HDFS and streamlining analysis |
| Splunk is an integrated solution for data analysis | Hadoop is an implementation of the MapReduce paradigm |
Below are the common port numbers used by Splunk; you can change them if required.

| Service | Port number used |
|---|---|
| Splunk Web port | 8000 |
| Splunk management port | 8089 |
| Splunk indexing port | 9997 |
| Splunk index replication port | 8080 |
| Splunk network port | 514 (used to get data in from a network port, i.e. UDP data) |
Below are components of Splunk architecture
Latest Version Release - Splunk 6.3
| Aspect | Splunk | Sumo Logic | Logstash |
|---|---|---|---|
| Overview | A big player in the log management tool space | SaaS version of Splunk | An open-source log management tool |
| Model | On-premises model | SaaS | Used as part of the ELK stack along with Elasticsearch and Kibana |
| Installation | Setting it up locally | Setting up a communication out to the Sumo Logic cloud | Setting it all up on your own system |
| Setup | Need to plan for the hardware and space capacities that you will need | Need to configure the sources that will gather and send the logs to Sumo Logic | Need to configure the inputs, filters, and outputs that you'll want |
| Features | An extensive amount of features are available | Has a good chunk of similar features to Splunk | Logstash gives you the most control over the tools, between development and community |
| Dashboards | Can create and manage your own dashboards | Uses a panel-based dashboard system | On its own, Logstash doesn't give you dashboards at all |
| Visualization | Dashboards can be built in either XML code or through the Splunk dashboard editor | Most of the information is presented in a chart-based manner | As part of the ELK stack, Kibana is used as the frontend for reporting and visualization, alongside metrics tools such as Graphite, Librato, and Datadog |
| Integrations | 600+ integration plugins available | Includes development automation tools, cloud platforms, OS platforms, and compliance and security tools | Logstash has a continuously growing plugin environment, with over 160 plugins available |
| Pricing | $1,800 to $60,000 per year | Free lite version; entry-level pricing is friendlier | Free; paid subscriptions also available |
The indexer is the Splunk Enterprise component that creates and manages indexes. The primary functions of an indexer are:
There are two types of Splunk forwarder, as below:
A Splunk app is a container/directory of configurations, searches, dashboards, etc. in Splunk.
Splunk free lacks these features:
The license slave will start a 24-hour timer, after which search will be blocked on the license slave (though indexing continues). Users will not be able to search data on that slave until it can reach the license master again.
The summary index is the default summary index (the index that Splunk Enterprise uses if you do not indicate another one). If you plan to run a variety of summary index reports, you may need to create additional summary indexes.
Splunk DB Connect is a generic SQL database plugin for Splunk that allows you to easily integrate database information with Splunk queries and reports.
There are multiple ways we can extract IP addresses from logs. Below are a few examples.
Regular expression for extracting IP addresses:
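As an added example (not code from the original page), the following Python shows the regex-based approach applied to constructed log lines. The pattern is bounded so it does not match a dotted quad embedded in a longer string such as a version number, and each candidate is validated with the standard library so that octets above 255 are rejected, which a bare `\d{1,3}` pattern would accept. The same bounded pattern can be used verbatim in an SPL `rex` command; the sample lines are constructed, not real captures.

```python
from __future__ import annotations
import re
from ipaddress import ip_address

# Candidate IPv4 pattern: four dotted 1-3 digit groups, with lookarounds so that
# "1.2.3.4.5" (a version string) or "10.0.0.1234" are not partially matched.
# The inner group is usable unchanged in SPL: rex field=_raw "(?<ip>\d{1,3}(?:\.\d{1,3}){3})"
IPV4_CANDIDATE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")


def extract_ips(line: str) -> list[str]:
    """Return the valid IPv4 addresses found in one log line, in order, without duplicates."""
    found: list[str] = []
    for cand in IPV4_CANDIDATE.findall(line):
        try:
            ip_address(cand)  # raises ValueError for octets > 255, e.g. 999.1.1.1
        except ValueError:
            continue
        if cand not in found:
            found.append(cand)
    return found


def extract_ips_from_logs(lines) -> dict[str, int]:
    """Map each distinct IP to the number of lines it appears in (a stats-style rollup)."""
    counts: dict[str, int] = {}
    for line in lines:
        for ip in extract_ips(line):
            counts[ip] = counts.get(ip, 0) + 1
    return counts


# Constructed sample log lines (not from any real system).
SAMPLE_LOGS = [
    '10.1.2.3 - - [10/Oct/2021:13:55:36] "GET /login HTTP/1.1" 200 2326',
    'sshd[1234]: Failed password for root from 192.168.1.50 port 22 ssh2',
    'version 1.2.3.4.5 installed; peer 999.1.1.1 rejected; client 10.1.2.3 ok',
]

if __name__ == "__main__":
    for ip, n in extract_ips_from_logs(SAMPLE_LOGS).items():
        print(f"{ip}\t{n}")
```

The third sample line is the interesting one: the version string and the out-of-range address are both skipped, and only the genuine client address is counted.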
The transaction command is most useful in two specific cases:
A unique id (from one or more fields) alone is not sufficient to discriminate between two transactions. This is the case when the identifier is reused, for example, web sessions identified by cookie/client IP. In this case, time span or pauses are also used to segment the data into transactions. In other cases when an identifier is reused, say in DHCP logs, a particular message may identify the beginning or end of a transaction.
When it is desirable to see the raw text of the events combined rather than analysis on the constituent fields of the events.
In other cases, it is usually better to use stats, as the performance is higher, especially in a distributed search environment. Often there is a unique id and stats can be used.
The answer to this question would be very wide, but basically, the interviewer would be looking for the following keywords in an interview:
Splunk places indexed data in directories called "buckets". A bucket is physically a directory containing events of a certain period. A bucket moves through several stages as it ages:
By default, your buckets are located in $SPLUNK_HOME/var/lib/splunk/defaultdb/db. You should see the hot db there, and any warm buckets you have. By default, Splunk sets the bucket size to 10 GB for 64-bit systems and 750 MB on 32-bit systems.
The stats command generates summary statistics of all existing fields in your search results and saves them as values in new fields. Eventstats is similar to the stats command, except that the aggregation results are added inline to each event, and only if the aggregation is pertinent to that event.
Eventstats computes the requested statistics like stats, but adds them to the original raw events.
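The two distinctions made above (when `transaction` is needed instead of `stats`, and how `eventstats` differs from `stats`) can be seen on a small constructed event set. The Python below is an added example, not code from the page: it models `transaction sid maxpause=...` by closing a transaction whenever the same identifier reappears after a pause longer than `maxpause`, and models `stats count by sid` and `eventstats count by sid` side by side. The `Event` type, the field names and the timestamps are all constructed for the illustration.

```python
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    time: int   # epoch seconds (constructed values)
    sid: str    # session identifier, e.g. a cookie value, which can be reused later
    raw: str    # raw event text


def transactions(events, maxpause):
    """Group events sharing an identifier into transactions, starting a new one
    whenever the pause since that identifier's previous event exceeds maxpause
    seconds. Simplified model (assumption) of `transaction sid maxpause=<span>`."""
    events = sorted(events, key=lambda e: e.time)
    open_txn = {}      # sid -> events of the transaction currently open for it
    closed = []
    for ev in events:
        cur = open_txn.get(ev.sid)
        if cur is not None and ev.time - cur[-1].time > maxpause:
            closed.append(cur)   # pause too long: the identifier was reused
            cur = None
        if cur is None:
            cur = open_txn[ev.sid] = []
        cur.append(ev)
    closed.extend(open_txn.values())
    return sorted(closed, key=lambda txn: txn[0].time)


def stats_count_by_sid(events):
    """Like `stats count by sid`: one result row per distinct identifier, events dropped."""
    counts = {}
    for ev in events:
        counts[ev.sid] = counts.get(ev.sid, 0) + 1
    return counts


def eventstats_count_by_sid(events):
    """Like `eventstats count by sid`: every original event is kept and carries the
    count for its identifier, so later commands can compare an event to its group."""
    counts = stats_count_by_sid(events)
    return [(ev, counts[ev.sid]) for ev in events]


# Constructed sample: cookie "c0ffee" is used for two separate visits an hour apart.
SAMPLE = [
    Event(1000, "c0ffee", "GET /login"),
    Event(1060, "c0ffee", "POST /login ok"),
    Event(1100, "beef01", "GET /"),
    Event(1120, "c0ffee", "GET /account"),
    Event(4800, "c0ffee", "GET /login"),
    Event(4830, "c0ffee", "GET /logout"),
]

if __name__ == "__main__":
    for txn in transactions(SAMPLE, maxpause=600):
        print(txn[0].sid, [e.raw for e in txn])
    print(stats_count_by_sid(SAMPLE))
    for ev, n in eventstats_count_by_sid(SAMPLE):
        print(ev.raw, "count=", n)
```

With `maxpause=600`, `c0ffee` yields two transactions and `beef01` one, while `stats` collapses all five `c0ffee` events into a single row with count 5; `eventstats` keeps all six events and attaches that count to each.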
Logstash, Loggly, LogLogic, Sumo Logic, etc.
How much data you can index per calendar day.
Midnight to midnight on the clock of the license master.
They are included with Splunk; there is no need to purchase them separately.
```shell
splunk start splunkweb                      # start Splunk Web
splunk start                                # start Splunk (all processes)
ps aux | grep splunk                        # check whether Splunk processes are running
$SPLUNK_HOME/bin/splunk enable boot-start   # start Splunk automatically at boot
$SPLUNK_HOME/bin/splunk disable boot-start  # stop starting Splunk at boot
```
The source type is Splunk's way of identifying data.
To reset your password, log in to the server on which Splunk is installed, rename the passwd file at the below location, and then restart Splunk. After the restart, you can log in using the default username admin and password changeme.
Set the value OFFENSIVE=Less in splunk-launch.conf.
Delete the following file on the Splunk server:
Splunk btool is a command-line tool that helps us troubleshoot configuration file issues, or just see which values are being used by your Splunk Enterprise installation in the existing environment.
Basically, both contain preconfigured configurations, reports, etc., but a Splunk add-on does not have a visual app, whereas Splunk apps have a preconfigured visual app.
File precedence is as follows:
It is a directory or index at the default location /opt/splunk/var/lib/splunk. It contains seek pointers and CRCs for the files you are indexing, so splunkd can tell if it has read them already. We can access it through the GUI by searching for "index=_thefishbucket".
This can be done by defining a regex to match the necessary event(s) and sending everything else to the null queue. Here is a basic example that will drop everything except events that contain the string `login`. In props.conf:
```
[source::/var/log/foo]
# Transforms must be applied in this order
# to make sure events are dropped on the
# floor prior to making their way to the
# index processor
TRANSFORMS-set = setnull,setparsing
```

In transforms.conf:

```
[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[setparsing]
REGEX = login
DEST_KEY = queue
FORMAT = indexQueue
```
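The comment in props.conf about ordering is the part that trips people up, so here is an added example (not code from the page or from Splunk) that models the routing: each stanza in the TRANSFORMS list is applied in order over the raw event, and every matching stanza overwrites the `queue` key, so the last match decides where the event goes. The model is a simplification of Splunk's index-time pipeline, and the sample events are constructed.

```python
import re

# Stanzas as (name, REGEX, FORMAT); DEST_KEY is "queue" for all of them,
# mirroring the two transforms.conf stanzas above.
SETNULL = ("setnull", r".", "nullQueue")
SETPARSING = ("setparsing", r"login", "indexQueue")


def route_event(raw, transforms):
    """Apply the TRANSFORMS list in order to one raw event and return the final queue.
    Simplified model (assumption): a stanza whose REGEX matches sets the queue key,
    so the last matching stanza wins; an event matching no stanza keeps the default."""
    queue = "indexQueue"
    for _name, regex, fmt in transforms:
        if re.search(regex, raw):
            queue = fmt
    return queue


def route_all(events, transforms):
    """Split a batch of raw events into the events that reach the index and those dropped."""
    result = {"indexQueue": [], "nullQueue": []}
    for raw in events:
        result[route_event(raw, transforms)].append(raw)
    return result


# Constructed sample events (not real log captures).
SAMPLE_EVENTS = [
    "Oct 12 13:55:36 host sshd[1234]: Accepted password for alice (login ok)",
    "Oct 12 13:55:40 host cron[77]: heartbeat",
    "Oct 12 13:55:41 host app: user login failed for bob",
]

CORRECT_ORDER = [SETNULL, SETPARSING]   # TRANSFORMS-set = setnull,setparsing
WRONG_ORDER = [SETPARSING, SETNULL]     # TRANSFORMS-set = setparsing,setnull

if __name__ == "__main__":
    print("correct order:", route_all(SAMPLE_EVENTS, CORRECT_ORDER))
    print("reversed order:", route_all(SAMPLE_EVENTS, WRONG_ORDER))
```

With the order the page gives, only the two `login` events are indexed and the heartbeat is dropped. With the stanzas reversed, `setnull` runs last and matches every event, so nothing at all reaches the index; that silent total loss of data is why the ordering comment sits in props.conf.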
By watching data from Splunk's metrics log in real time:

```
index="_internal" source="*metrics.log" group="per_sourcetype_thruput" series="" | eval MB=kb/1024 | chart sum(MB)
```

or, to watch everything happening split by source type:

```
index="_internal" source="*metrics.log" group="per_sourcetype_thruput" | eval MB=kb/1024 | chart sum(MB) avg(eps) over series
```
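To show what the second search is actually computing, here is an added Python example (not code from the page or from Splunk) that parses a few constructed lines in the shape of `metrics.log`, keeps only the `per_sourcetype_thruput` group, and produces the same `sum(MB)` and `avg(eps)` per series that the `chart` command would. The log lines are constructed for the example and the field layout follows the key=value form Splunk writes.

```python
import re

# Constructed sample lines in the shape of Splunk's metrics.log (not real captures).
METRICS_LOG = """\
10-12-2021 13:55:36.000 +0000 INFO  Metrics - group=per_sourcetype_thruput, series="access_combined", kbps=34.1, eps=40.0, kb=1024.0, ev=1200, avg_age=0.1, max_age=1
10-12-2021 13:55:36.000 +0000 INFO  Metrics - group=per_sourcetype_thruput, series="splunkd", kbps=17.0, eps=3.0, kb=512.0, ev=90, avg_age=0.1, max_age=1
10-12-2021 13:56:07.000 +0000 INFO  Metrics - group=per_index_thruput, series="main", kbps=51.2, eps=43.0, kb=1536.0, ev=1290, avg_age=0.1, max_age=1
10-12-2021 13:56:07.000 +0000 INFO  Metrics - group=per_sourcetype_thruput, series="access_combined", kbps=68.2, eps=60.0, kb=2048.0, ev=1800, avg_age=0.1, max_age=1
"""

# key=value or key="value" pairs; the backreference makes the closing quote optional
# only when there was an opening one.
FIELD = re.compile(r'(\w+)=("?)([^,"]*)\2')


def parse_metrics_line(line):
    """Return the key=value pairs after 'Metrics - ' as a dict, numbers converted to float."""
    _, _, body = line.partition("Metrics - ")
    fields = {}
    for key, _quote, value in FIELD.findall(body):
        try:
            fields[key] = float(value)
        except ValueError:
            fields[key] = value
    return fields


def thruput_by_series(text, group="per_sourcetype_thruput"):
    """Equivalent of `group=<group> | eval MB=kb/1024 | chart sum(MB) avg(eps) over series`."""
    mb_total, eps_samples = {}, {}
    for line in text.splitlines():
        f = parse_metrics_line(line)
        if f.get("group") != group:
            continue   # other groups (per_index_thruput, per_host_thruput, ...) are skipped
        s = f["series"]
        mb_total[s] = mb_total.get(s, 0.0) + f["kb"] / 1024
        eps_samples.setdefault(s, []).append(f["eps"])
    return {
        s: {"sum_MB": round(mb_total[s], 3),
            "avg_eps": round(sum(eps_samples[s]) / len(eps_samples[s]), 3)}
        for s in mb_total
    }


if __name__ == "__main__":
    for series, row in thruput_by_series(METRICS_LOG).items():
        print(f"{series:20s} sum_MB={row['sum_MB']:<8} avg_eps={row['avg_eps']}")
```

The `main` line belongs to the `per_index_thruput` group and is ignored, exactly as the `group="per_sourcetype_thruput"` filter in the search does; changing the `group` argument gives the per-index view instead.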
And if you are having trouble with data input and want a way to troubleshoot it, particularly if your whitelist/blacklist rules aren't working the way you expect, go to this URL: https://YOURSPLUNKHOST:8089/services/admin/inputstatus
To do this in Splunk Enterprise 6.0, use ui-prefs.conf. If you set the value in $SPLUNK_HOME/etc/system/local, all your users should see it as the default setting. For example, if your $SPLUNK_HOME/etc/system/local/ui-prefs.conf file includes:

```
[search]
dispatch.earliest_time = @d
dispatch.latest_time = now
```

the default time range that all users will see in the search app will be today.
The configuration file reference for ui-prefs.conf is here: http://docs.splunk.com/Documentation/Splunk/latest/Admin/Ui-prefsconf
$SPLUNK_HOME/var/run/splunk/dispatch contains a directory for each search that is running or has completed. For example, a directory named 1434308943.358 will contain a CSV file of its search results, a search.log with details about the search execution, and other artifacts. Using the defaults (which you can override in limits.conf), these directories will be deleted 10 minutes after the search completes, unless the user saves the search results, in which case the results will be deleted after 7 days.
Both are features provided by Splunk for high availability of the Splunk search head in case any search head goes down. Search head clustering is newly introduced, and search head pooling will be removed in upcoming versions. A search head cluster is managed by a captain, and the captain controls its members. Search head clustering is more reliable and efficient than search head pooling.
Below are the steps to add folder access logs to Splunk:
A license violation warning means Splunk has indexed more data than our purchased license quota. We have to identify which index/source type has recently received more data than its usual daily volume. On the Splunk license master we can check the available quota pool-wise and identify the pool for which the violation is occurring. Once we know the pool receiving more data, we identify the top source type receiving more data than usual. Once the source type is identified, we find the source machine that is sending the huge number of logs, determine the root cause, and troubleshoot accordingly.
The MapReduce algorithm is the secret behind Splunk's fast data searching speed. It is an algorithm typically used for batch-based large-scale parallelization, inspired by functional programming's map() and reduce() functions.
At the indexer, Splunk keeps track of indexed events in a directory called the fishbucket (default location /opt/splunk/var/lib/splunk). It contains seek pointers and CRCs for the files you are indexing, so splunkd can tell if it has read them already.
Splunk SDKs are designed to allow you to develop applications from the ground up and not require Splunk Web or any components from the Splunk App Framework. These are separately licensed to you from the Splunk Software and do not alter the Splunk Software.
Splunk App Framework resides within Splunk’s web server and permits you to customize the Splunk Web UI that comes with the product and develop Splunk apps using the Splunk web server. It is an important part of the features and functionalities of Splunk Software, which does not license users to modify anything in the Splunk Software.
Madhuri is a Senior Content Creator at MindMajix. She has written about a range of topics on various technologies, including Splunk, TensorFlow, Selenium, and CEH. She spends most of her time researching technology and startups. Connect with her via LinkedIn and Twitter.