Splunk Interview Questions and Answers
Splunk is software that processes machine data and other forms of big data to extract valuable insights. It ingests structured, semi-structured and unstructured data and offers searching, tagging and report handling on an interactive platform. Below is a list of the most commonly asked Splunk interview questions for candidates applying for a Splunk Administrator position.
Features of Splunk:
- Efficient Data Ingestion
- Smooth Data Indexing
- Simplified Data Searching
- Data Model & Pivots
- User-friendly dashboards with real-time alerts/notifications
Most Frequently Asked Splunk Interview Questions
Components of a Splunk deployment:
- Forwarders
- Indexers
- Search Heads
- Deployment Server (used in complex environments)
Splunk is a platform that gives people greater visibility into machine data generated by sources such as hardware, servers, IoT-enabled devices and others.
Splunk has three main functional roles: Forwarder, Indexer and Search Head. The Forwarder acts as a data collection agent and forwards the data to the Indexer, which stores it locally on a host machine or in the cloud. Finally, the Search Head is used for searching, visualizing, analyzing and performing other operations on the stored data.
A License Master in Splunk ensures that the right amount of data is indexed. Licensing is based on the volume of data arriving at the platform within a 24-hour window, so the License Master ensures that the environment stays within the purchased volume over that period.
A license violation in Splunk occurs when you exceed the data limit. The license warning persists for 14 business days. With a commercial license, you can have a maximum of 5 warnings in a 30-day window before your Indexer's search results and reports stop working; with the free version, you get only 3 warnings.
Alerts are used in Splunk when you want to be notified of any discrepancies in your system, for example by sending an automated email to the Splunk Administrator when more than three failed login attempts are encountered in a twenty-four hour period.
Different options available while setting up alerts in Splunk:
- You can create a webhook that posts to HipChat or GitHub, or send an email to a group of machines with a subject, priority and message body.
- Add results as .csv, PDF or inline attachments in the body of the message so that the recipient fully understands the nature of the alert and follows best practices to address it.
- Create tickets and push alerts based on certain conditions, such as a specific MAC or IP address. For example, during a virus outbreak you do not want to alert on all systems, because that would generate too many tickets and cause an overload.
Data models in Splunk are used to create structured, hierarchical models of your data. They are widely used with large amounts of unstructured data, and when you want to work with the data without writing search queries.
Pivots give you the flexibility to build front-end views of your search results and then pick and choose the most specific filters for a better view of those results.
There are 4 types of data inputs in Splunk:
- Registry Inputs Monitor
- Printer Monitor
- Network Monitor
- Active Directory Monitor
There are 5 default fields that are automatically attached to every event in Splunk. They are:
- Host
- Source
- Source type
- Index
- Timestamp
In Splunk, you can extract fields through the user interface using the event list, the field sidebar or the settings menu. You can also write your own regular expressions in the props.conf configuration file.
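As an added illustration (not Splunk's own code or configuration), the Python below applies a props.conf-style named-group regex to constructed sample authentication events and then runs the failed-login alert condition described earlier on this page, where more than three failures for one user inside a rolling 24-hour window triggers an alert. The sshd-style event format, the field names and the sample values are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real logs); the sshd-style format is an assumption.
SAMPLE_EVENTS = [
    "2024-05-01T08:00:01Z sshd[101]: Failed password for alice from 203.0.113.5 port 2222 ssh2",
    "2024-05-01T09:15:42Z sshd[101]: Failed password for alice from 203.0.113.5 port 2223 ssh2",
    "2024-05-01T11:03:10Z sshd[101]: Accepted password for bob from 203.0.113.9 port 4001 ssh2",
    "2024-05-01T13:30:00Z sshd[101]: Failed password for alice from 203.0.113.5 port 2224 ssh2",
    "2024-05-01T20:45:12Z sshd[101]: Failed password for alice from 203.0.113.5 port 2225 ssh2",
    "2024-05-02T07:59:59Z sshd[101]: Failed password for bob from 203.0.113.9 port 4002 ssh2",
    "2024-05-02T09:00:00Z sshd[101]: Failed password for alice from 203.0.113.5 port 2226 ssh2",
]

# Same shape as an EXTRACT-<name> regex in props.conf: each named group becomes a field.
EXTRACT_AUTH = re.compile(
    r"^(?P<_time>\S+) sshd\[\d+\]: (?P<action>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<src_ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

def extract_fields(event):
    """Return the fields extracted from one raw event, or None if the regex does not match."""
    match = EXTRACT_AUTH.search(event)
    if not match:
        return None
    fields = match.groupdict()
    fields["_time"] = datetime.strptime(fields["_time"], "%Y-%m-%dT%H:%M:%SZ")
    return fields

def failed_login_alerts(events, threshold=3, window=timedelta(hours=24)):
    """Map each user with more than `threshold` failures in any rolling `window` to the peak count."""
    failures = defaultdict(list)
    for raw in events:
        fields = extract_fields(raw)
        if fields and fields["action"] == "Failed":
            failures[fields["user"]].append(fields["_time"])
    triggered = {}
    for user, times in failures.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] >= window:  # drop failures that fell out of the window
                start += 1
            count = end - start + 1
            if count > threshold:
                triggered[user] = max(triggered.get(user, 0), count)
    return triggered
```

The fifth failure for alice on 2024-05-02 falls outside the window that opened with her first failure, so the peak count within any 24-hour span is 4, not 5.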
In Splunk, roles can be shared on the same machine. In small deployments, most roles such as Indexer, Search Head and License Master can be shared on one host. In larger deployments, however, the best practice is to host each role on a stand-alone host.