Top 25 Splunk Interview Questions

Vikram kumar Yadav
8 min readApr 6, 2021

--

1.Basic difference between HF and UF

Ans: The HF differs from the UF is that it can parse and filter the content of the data and take actions on it. The HF can also host Splunk apps/addon, such as DB Connect or Checkpoint to pull data from cloud providers, databases, firewalls and many other sources.

2. How to setup SH, Indexer and HF separately

Ans:
SETUP HF:
Ø Login into Splunk Web as admin on the instance that will be forwarding data.
Ø Click Settings > Forwarding and receiving.
Ø At Configure forwarding, click Add new.
Ø Enter the hostname or IP address for the receiving Splunk instance(s), along with the receiving port specified when the receiver was configured. For example, you might enter receivingserver.com:9997.
Ø Click Save.
Ø Restart Splunk Web.

Configure heavy forwarders to index and forward data

Use a heavy forwarder to receive, parse and forward the data to another indexer.

Ø Log into Splunk Web as admin on the instance that will be forwarding data.
Ø Click Settings > Forwarding and receiving.
Ø Select Forwarding defaults.
Ø Select Yes to store and maintain a local copy of the indexed data on the forwarder.

SETUP SEARCH HEAD:

Ø Login to splunk Web
Ø Setting>distributed search>search peer>add new
Ø Input Peer URI <Index ip>:<nmanagement port>
Ø Remote username
Ø Password
Ø Click save
Ø Saved please check again same path to see index added to Searchead and replication status is successful.

SETUP INDEXER:

Login instance
Ø Go to settings>>forward and receiving

Configure receiving:
Ø Click Add new
Ø Input port and click Save

3. Is setup of UF different from HF.

Ans.Yes it is different.For UF we have different package which is light weight.Whereas for HF it is a same package of splunk enterprise.HF has a UI whereas a UF doesn’t have a UI.

4. Reports not accessible, where can I find it.

Ans.Step1:login to splunk

Step2:Go to setting

Step3:Knowledge>Configuartions

You can find the report.

5. Significance of default/local folder in apps

Ans. In a Splunk app the various pieces comprising the app are represented as files in the file system that are installed on the Splunk server. All of the packaged components for a given app must be located in a directory under $SPLUNK_HOME/etc/apps.

The default and local directories mirror the subdirectory structure of each other. App-specific customizations in local override corresponding items in the default directory. Packaged Splunk apps should not contain a local directory. Otherwise, a local directory could overwrite configurations that a customer made to their copy of the app. Also, during an app upgrade the default configuration will be overridden while the local directory is preserved.

6. Can I rename the report.

Ans: You cannot rename a report.

7. File precedence

Ans. File precedence is an important aspect of troubleshooting in Splunk for an administrator, developer, as well as an architect. All of Splunk’s configurations are written within plain text .conf files. There can be multiple copies present for each of these files, and thus it is important to know the role these files play when a Splunk instance is running or restarted.

To determine the priority among copies of a configuration file, Splunk software first determines the directory scheme. The directory schemes are either a) Global or b) App/user.

When the context is global (that is, where there’s no app/user context), directory priority descends in this order:

  1. System local directory — highest priority
  2. App local directories
  3. App default directories
  4. System default directory — lowest priority

When the context is app/user, directory priority descends from user to app to system:

  1. User directories for current user — highest priority
  2. App directories for currently running app (local, followed by default)
  3. App directories for all other apps (local, followed by default) — for exported settings only
  4. System directories (local, followed by default) — lowest priority

8. What if I cannot see a alert created by a colleague/user.

Ans.
Step1:
login to splunk
Step2:Go to setting
Step3:Knowledge>Configuartions
You can find the alert.

9. What if I delete a user who created a report.

Ans. Report will be Seen but the owner name will change to Nobody.

10. Best practice while writing a query.

Ans.
1.Index=<indexname> Source=<”abc.csv”> host=<hostname> sourcetype=<sourcetype>

2.Filter your data.

3.eval the search

11. Difference between report and alert.

Ans. The main difference between an alert and a report is the trigger condition. With the trigger condition an alert will only do an action under the specified circumstances. Where a scheduled report will always do it’s action if one is selected and an unscheduled report will only run when chosen.

12. What if I don’t have a specific event can I create an alert.

Ans.Yes you can create an alert.But it won’t get triggered.

13. Difference between apps vs addons.

Ans. Both are packaged and uploaded to Splunk Apps as SPL files and then to install them in your Splunk instance you simply untar the SPL file into etc/apps .But the content and purpose of Apps and Add-ons certainly differ from one another.

  • Apps package together Splunk features like saved searches, dashboards and inputs into their own GUI.
  • Splunk Apps are considered to be the entire collection of reports, dashboards, alerts, field extractions and lookups.
  • Add-ons are smaller components that don’t have their own GUI and may need some extra configuration.
  • Splunk Apps minus the visual components of a report or a dashboard are Splunk Add-ons. Lookups, field extractions, etc are examples of Splunk Add-on.

14. Different methods to install apps.

Ans.1.Log in the splunkweb and Navigate to apps>manage apps

2.click install app from file

3.Upload an file click under file and go search the app that you want to install.

4.click on upload after your restart splunk web

15. Can app be restricted upon user.

Ans.Yes it can be restricted upon user.

  • first, you create a role, and eventually put users with that role.
  • go to you app settings (manager > apps > permissions) and put the permissions to only the members of this group (and admin at least) this will also be the default permissions to any object of this app (but you can probably change individually later.

16. Difference between roles and capabilities.

Ans. When you create a user on the Splunk platform, you assign one or more roles to the user as part of the user creation process. Each role contains a set of capabilities. These capabilities define what users who hold a certain role can do.

For example, if a user ‘finn’ holds the edit_tokens_settings role, this means that ‘finn’ can make changes to the Token Authentication scheme on the instance. If they hold the admin_all_objects capability, they can make changes to any object on the instance.

You can add, edit, or remove capabilities for new, existing, and default roles. Doing this changes the kind of access that the role provides. For example, you might give a role the capability to add inputs or edit saved searches.

Capabilities are always additive in nature. There is no way to take away an ability to do something by adding a capability. If you don’t want users who hold a role to perform a certain function on your Splunk platform instance, then do not assign a capability that grants the ability to perform that function to that role.

Similarly, users who hold multiple roles receive all the benefits of any capabilities that are assigned to those roles. If you do not want a certain user to have access to all the capabilities that a role provides, do not assign that role to that user.

17. What is deployement server/Deployer/ Cluster Master.

· A deployer is used to deploy apps to a search head cluster.

· A cluster master is used to deploy apps and manage replication within an indexer cluster (single or multi-site)

· A deployment server is used to deploy apps to forwarders (and technically could be used to deploy apps to other Splunk servers)

18. Can I index a zip file.

Ans.Yes You can Index the zip file.

19. Can I Index same file twice? How to identify duplicacy.

Ans.yes you can index the same file twice

index=<indexname> | stats count values(host) values(source) values(sourcetype) values(index) by _raw | WHERE count>1

20. Where to find list of commands, does a command have args? where to find it.

Ans. The search commands that make up the Splunk Light search processing language are a subset of the Splunk Enterprise search commands. The table below lists all of the commands that make up the Splunk Light search processing language sorted alphabetically.

SPL commands consist of required and optional arguments.

· Required arguments are shown in angle brackets < >.

· Optional arguments are enclosed in square brackets [ ].

Consider this command syntax:

bin [<bins-options>…] <field> [AS <newfield>]

The required argument is <field>. To use this command, at a minimum you must specify bin <field>.

The optional arguments are [<bins-options>…] and [AS <newfield>].

21.What is splunk

Ans: Splunk is a software platform to search, analyze and visualize the machine-generated data gathered from the websites, applications, sensors, devices etc. which make up your IT infrastructure and business.

For eg:If you have machine which is generating data continuously and you want to analyze the machine state in real time you can do it using splunk.

22.Why use splunk ?why can’t you go for something which is open source

Ans:Splunk can you all the operations like analyzing machine logs,business intelligence ,performing IT operations and providing security.There is no single tool other than splunk that can do all of these operations.

23.Which splunk roles can share the same machine

Ans:In small deployment the most of the roles can be shared on same machine as as Search head,Indexer and License master.In larger deployment to host eavh host on standalone host

Ø Indexers and search head should have phsically dedicated machine using Virtual machines for running the instance separately is not the solution because there are some guidelines for it using computer resources and spinning multiple virtual machines on the same physical hardware can cause performance degradation.

Ø you can spin another VM on same instance for hosting the cluster master as long as Deployment server is not hosted parallel on a VM on that same instance because the number of connections coming to deployment srever will be very high.

Ø This is because deployment server not only caters to the request coming from deployment master but also request coming from forwarder.

24.What are the unique benefits of getting data into splunk instance via forwarder?

Ans:Benefits of getting data into splunk instance via forwarder :

Ø Bandwidth throttling

Ø TCP connection

Ø Encrypted SSL connection

For transferring data from forwarder to an indexer

The data forwarded to the indexer are load balanced by default even if one indexer is down due to network outage or maintenance purpose the data can be always routed to the another indexer instance in short time.

Also forwarder caches the event locally before forwarding it thus creates backup of data.

25.What is the use of License Master in splunk?

Ans:License master is responsible for making sure that right amount of data gets indexed.splunk license is based on the data volume that comes to the platform within 24hr window.

Eg:you get 300 gb data on day one, 500gb on second data and 1 terabyte data of on some day and suddenly it drops to 100gb on some day.Then ideally you should have 1 terabyte data licensing model.The license master thus makes sure that the indexers within the splunk deployment have sufficient capacity and licensing the right amount of data.

I hope you like this blog if you are still facing issue regarding this topic feel free to ask doubts in the comment section below and don’t forget to follow our more Splunk blogs on Avotrix,
happy Splunking >

--

--

Vikram kumar Yadav

📊Big Data Analyst - Splunk Admin & Architect 📽Youtuber 🧰Web & App Developer 🍜Foodie 🧗‍♀️Traveler 🎂23rd July 🤵Believe in yourself www.thevikramyadav.com