Register Login

Splunk Interview Questions and Answers

Updated Mar 19, 2019

What is splunk and what does splunk do?

Splunk is a software platform that is used for analyzing, visualizing, monitoring and searching machine data generated in real time. This data can be fetched from applications, websites, sensors on specific devices and web servers. These data operations can be performed in real time and Splunk supports many formats like JSON and BSON.

How does splunk work?

Splunk pulls data from different sources and stores it in a repository form where it is able to generate graphs, business statistics, develop alerts and visualizations. It stores the data very efficiently, to be used later for developing reports and analyzing the system performance. Any changes in the data can be notified to the users through alerts.

What are some important components of Splunk?

The main components of Splunk are:

  • Splunk Forwarder
  • Splunk Indexer
  • Search Head

How to restart Splunk?

Splunk can be restarted from the Splunk Web using the following steps:

1.Go to System, then navigate to Server Controls.
2.Click on Restart Splunk.

What is index in Splunk?

The indexer in Splunk adds the data it receives in an index. An index is a repository of Splunk data. The Splunk Enterprise converts the data received into events, which is then stored in indexes.

What is a splunk forwarder?

The Splunk forwarder consists of only the required components needed to forward the data. They can be used for collecting remote data from machines. If these forwarders are installed in remote machines, the data can be forwarded to the Splunk Indexer for further processing. The two different types of Splunk forwarders are Universal Forwarder and Heavy Forwarder.

How to search logs in splunk?

Data is searched in Splunk using the SPL (Search Processing Language) by utilizing the Search & Reporting app. This application consists of a web interface and a command line interface. The Search Assistant also comes in handy while searching a log. The following steps can be used:

  • Type the search item in the Search bar.
  • The data type has to be inserted in the category for searching the items quickly.
  • From the results shown by the Search Assistant, click on the required data.

How to write search query in splunk?

Search queries can be written in a number of ways. For filtering out data from a data set, the Where filter can be used. The following is its syntax:

source=job-list | where salary >20000
Other filters that can be used are dedup and head.

What is splunk db connect?  

Splunk DB connect is a functionality that is used for working with databases. Using this, the real-time data can be integrated with structured data sources. It has the following functions:

  • Import – Tables, columns and rows can be directly imported from an external database.
  • Export – Data can be exported to other relational databases.
  • Lookups – Data fields can be searched in an external database to match with the Splunk event data.
  • Database access – Machine data and structured data can be accessed using the SQL search queries directly.

What is parsing in splunk?

Data storage in Splunk comprises 2 phases, namely parsing and indexing. In parsing, the Splunk parser examines the incoming data to extract only the relevant information. The process is also called event processing as Splunk splits the data into different events. The following steps are taken:

  • Data is broken down into separate lines.
  • Data is then identified, parsed and timestamps are set.
  • Based on the configuration, the sensitive data can be hidden or Anonymized.
  • The metadata and event data are transformed according to the regex rules.

How to search multiple ips in splunk?

Multiple IP addresses can be searched in Splunk using lookup tables.

What is the most efficient way to filter events in splunk?

The most efficient way to filter events in Splunk is by time.

How to reset splunk password?

To reset the password, access to the file where Splunk is running is necessary. Then perform the following steps:

  • Move $SPLUNK_HOME/etc/passwd file to $SPLUNK_HOME/etc/passwd.bak
  • Restart Splunk and log in with default username and password i.e. admin/changeme.
  • Reset the password and combine the password file with the backup file.

What is sourcetype in splunk?

Sourcetype in Splunk is a default data field. It is used for processing and distributing the incoming data into multiple events by Splunk software. Sourcetype is the format of the data that shows its origin. For example, .evt files originate from the event viewer. The classification of the incoming data can be done based on service, system, format and character code. The common source types are apache_error, websphere_core, apache_error and cisco_syslog.

How to use two sourcetypes in splunk? 

Two sourcetypes can be used by writing the following example code:

sourcetype=A OR sourcetype=B | lookup country.csv

Using this code, two sourcetypes can be searched in a lookup file.

What is kv store in splunk?

The KV (key value) store allows the functionality to store and obtain data inside the Splunk app. The KV store has the following functions:

  • To manage a job queue.
  • For storing metadata by the user.
  • Analysing the workflow.
  • Storing the user application state required for handling a UI session.
  • To store the results of the search queries in Splunk.
  • Maintaining a list of environment assets and checkpoint data.

What is deployer in splunk? 

A deployer is used to deploy configuration information and apps to the cluster head. The set of configuration details such as updates that the deployer sends is called configuration bundle. The deployer shares this bundle when a new cluster member joins the cluster. It handles the basic app configurations and user configurations. 

However, the latest states cannot be restored to the members of the cluster.

Which roles can create data models in splunk?

Data models can be created through admin or power roles by the users. For other users, these models can only be created if they have the write access to the application. The permissions based on the roles determine whether a user can edit or view them.

When to use auto_high_volume in splunk?

auto_high_volume is used when the indexes are of very high volume. A high volume index can get over 10GB of data.