Splunk Interview Questions

What is the use of License Master in Splunk?

License Master is the used for control how much data you can index in a day. License master has a clock which tracks the data indexed by any Splunk Enterprise Infrastructure. License master is also used to block the users from accessing the search data in 24 hours once the license slave is disconnected from the license master.

 

What is the use of DB Connect in Splunk?

DB Connect in Splunk is plugin to access generic SQL databases and integrate various information and data available in those databases with Splunk queries and reports.

 

What are important components in Splunk Architecture?

Following are the core components in Splunk Architecture.

Search Head Interface – it is a graphical user interface (GUI) which enables to search using various search queries.

Indexer – it is used by the Splunk tool to index the data available in the machine.

Forwarder – this component in Splunk architecture forwards the logs to the indexer.

Server (Deployment) – with the help of this component, all the Splunk components is managed in a distributed environment.

 

How Splunk helps the enterprise?

In the midst of various tools available for managing general data, there is a need for an effective tool to manage the machine data. Splunk is more like a Google for your machine data. With the help of this engine the machine data in the system can be searched, visualized, monitored and reported easily. The tool also provides real-time insights on the machine data using representations such as charts, reports and alerts.

 

How to locate the place where default Splunk configuration is stored.

The below command can be used to access the default Splunk configuration.

$splunkhome/etc/system/default

 

How to enable and disable Splunk to boot-start using commands?

Command to enable Splunk to boot-start is:

$SPLUNK_HOME/bin/Splunk

Command to disable Splunk to boot-start is:

$SPLUNK_HOME/bin/Splunk

 

What is the use of summary index?

Summary indexes are used in Splunk Enterprise to boost the reporting efficiency. It enables the users to generate reports after processing huge volumes of machine data.

 

What are the different types of Summary Index?

Default Summary Index – used by Splunk Enterprise by default where no other summary index are specified.

Additional Summary Index – These are summary indexes defined to replace the default summary index to enable running varieties of reports.

 

What are the different working phases of Splunk Enterprise?

There are three main phases of works for Splunk. They are,

Data Gathering – This is the first phase and during this phase the tool collects the data required to solve the query from the sources specified with the query.

Process the Results – It then converts the received data into results expected for the respective query.

Displays the Information – In this last phase, the result obtained by the previous phase is displayed to the user. The display can be represented with the help of chart, report or a graph.

 

What are types of alerts in Splunk?

There are three types of alerts in Splunk. They are,

Pre-result Alerts – This alert runs in real-time and one of the commonly used alerts. They are triggered whenever the Splunk enterprise returns the results for a specified query.

Scheduled Alerts – This also a commonly used alert type that runs at a regular schedule specified by the user.

Rolling-Window Alerts – This type of alert is the combination of ‘Pre-result Alerts’ and ‘Scheduled Alerts’. It analyzes the real-time events inside the rolling window using mapping techniques and depending on the conditions; the alert is triggered in real-time or scheduled time.