Login0

Special Offer - Enroll Now and Get 2 Course at ₹25000/- Only Explore Now!

All Courses
Splunk Interview Questions and Answers

Splunk Interview Questions and Answers

June 8th, 2019

In case you’re searching for Splunk Interview Questions and answers for Experienced or Freshers, you are at the correct place. There is a parcel of chances from many presumed organizations on the planet. The Splunk advertise is relied upon to develop to more than $5 billion by 2020, from just $180 million, as per Splunk industry gauges. In this way, despite everything you have the chance to push forward in your vocation in Splunk Development. GangBoard offers Advanced Splunk Interview Questions and answers that assist you in splitting your Splunk interview and procure dream vocation as Splunk Developer.

Best Splunk Interview Questions and Answers

Do you believe that you have the right stuff to be a section in the advancement of future Splunk, the GangBoard is here to control you to sustain your vocation. Various fortune 1000 organizations around the world are utilizing the innovation of Splunk to meet the necessities of their customers. Splunk is being utilized as a part of numerous businesses. To have a great development in Splunk work, our page furnishes you with nitty-gritty data as Splunk prospective employee meeting questions and answers. Splunk Interview Questions and answers are prepared by 10+ years experienced industry experts. Splunk Interview Questions and answers are very useful to the Fresher or Experienced person who is looking for the new challenging job from the reputed company. Our Splunk Questions and answers are very simple and have more examples for your better understanding.
By this Splunk Interview Questions and answers, many students are got placed in many reputed companies with high package salary. So utilize our Splunk Interview Questions and answers to grow in your career.

Q1) What would you use to edit contents of the file in Linux? Describe some of the important commands mode in vi editor?

Answer: Various editors in Linux file system- vi,jedit, ex line editor or nedit
Two important modes are as below – We can press ‘Esc’ to switch from one mode to another. However, we can press ‘i’ to enter insert mode-

  • Command mode
  • Insert mode

Q2) How do you log in to a remote Unix box using ssh?

Answer: ssh your_username@host_ip_address

Q3) What would you use to view contents of a large file? How to copy/remove file?  How to look for help on a Linux?

Answer:

  • tail -10 File1 it would show last 10 rows
  • copy file- cp file_name .
  • Remove file command- rm -rf directory_name
  • Manual/help command – man command_name

Q4) How you will uncompressed the file? How to install Splunk/app using the Splunk Enterprise .tgz file

Answer:

  • tar -zxvf file_name.tar.gz
  • tar xvzf splunk_package_name.tgz -C /opt
  • default directory /opt/splunk

Q5)  what does grep() stand for? how to find difference in two configuration files?

Answer:

  • General Regular Expression Parser.
  • egrep -w ‘word1|word2’ /path/to/file
  • diff -u File_name1.conf File_name2.conf

Q6) Talk about Splunk architecture and various stages

Answer:
Data Input Stage: [accessed from the source and turns it into 64k blocks- metadata includes keys like hostname, source, source type, _time] Data Storage Stage: [Parsing & Indexing] Data Searching Stage: [data analysis using search head] Universal forward > Heavy Forward (Optional) > Indexers > Search head
Deployment Server- [Use to distribute configuration file/Apps] License master- [Use to keep track of our indexing utilizations]

Q7) Types Of Splunk Forwarder?

Answer:
⦁ Universal forwarder(UF) -Light weight Splunk instance- can’t parse or index data
⦁ Heavy forwarder(HF) – full instance of Splunk with advance functionality of parsing & indexing

Q8) Precedence in Splunk and discuss some of the important conf files

Answer:

  • When 2 or more stanzas specify a behaviour that effects same item, then precedence is calculated based on stanza ASCI
  • We can use priority key to specify highest/lowest priority etc

Important conf files

  • props.conf
  • indexes.conf
  • inputs.conf
  • transforms.conf
  • server.conf

Q9)  What is summary index in Splunk?

Answer:
The Summary index is default summary which is used to store data as a result of scheduled searches over period of time. It helps to efficiently process large volume of data.

Q10) What are types of field extraction. How to mask a data in either of case

Answer:

  • Search time field extraction
  • Index time field extraction
Become a Splunk Certified Expert in 25Hours

Q11)  What do you mean by roles based access control?

Answer:  It is very crucial to provide only appropriate roles to appropriate team. This will prevent unauthorized access to any app or data for that matter.
It is very important that we provide access very meticulously and limit their search capability by providing access to only those indexes which needs to be.

Q12) What is null queue

Answer: Null queue is an approach to trim out all the unwanted data.

Q13) Trouble shooting Splunk errors in splunk

Answer:

  • See if the process is running – ./splunk status
  • IF running go and check log for any latest errors using below command- tail 20 $SPLUNK_HOME/var/log/log/splunk/splunkd.log
  • Splunk crash also happens because of low disk memory- sheck if tere is any crash*log files
  • Check log,splunkd.log,metrics.log or web*log
  • In order to check any conf file related concerns use btool – ./splunk btool props list –debug >/tmp/props.conf
  • Search for errors and warning by typing- Index=_internal | log_level=error OR log_level=warn*
  • Check for the search directory for recent search at – $SPLUNK_HOME/var/ran/splunk/dispatch
  • Enable debug mode.Splunk software has a debug parameter (–debug) that can be used when starting splunk
  • Check for log file OR use below search query – index=_introspection

Q14) What are the types of search modes supported in splunk?

Answer:

  • Fast mode
  • Verbose mode
  • Smart mode

Q15) What is difference between source & source type

Answer:
Source – Identifies as source of data
Source type- in general it refers to data structure of events or format of data
Different sources may have same source type
Command to restart splunk web server
/opt/splunk/bin/splunk start splunkweb

Q16) How to use btool for splunk conf file approach

Answer: /opt/splunk/bin/splunk cmd btool input list

Q17)  Create new app from templet

Answer: /opt/splunk/bin/splunk create app New_App -templet sample_App

Q18) Rollback your aplunk web configuration bundle to previous version

Answer: /opt/splunk/bin/splunk rollback cluster-bundle

Q19) To specify minimum disk usage in splunk

Answer:
./splunk set minfreemb = 20000
./splunk restart

Q20) Command to change splunkweb port to 9000 via CLI

Answer: ./splunk set web-port 9000

Q21) How to turn down a peer without affecting any other peer of cluster?

Answer: ./splunk offline

Q22) How to show which deployment server in configured to pull data from?

Answer: ./splunk show deploy-poll

Q23) CLI to validate bundles

Answer: ./splunk validate cluster-bundle

Q24) How to see all the license pool active in our Splunk environment?

./splunk list license

Q25) Which command is used to the “filtering results” category- explain?

Answer:  “search”, “where”. “Sort” and “rex”

Get Splunk Online Training

Q26) What is join command and what are various flavours of join command.

Answer:

  • Join command is used to combine result of a subsearch with result of a search- One or more fields must be common to each results set
  • Inner join- result of inner joint do not include event with NO MATCH
  • Left/Outer join- It include events in the main search and matching having correct field values

..|join type=inner P_id [search source=table2] {}

Q27) Tell me the syntax of Case command

Answer:
It’s a comparison & conditional function
Case (X,”Y”,…)
X- Boolean expression that are evaluated from first to last. The function defaults to NULL if non is true
..| eval description=case(statsu==20,”OK”,status==404,”NOT FOUND”

Q28)  Which role can create data model

Answer: Admin & power user

Q29) Splunk latest version

Answer: Welcome to Splunk Enterprise 7.2 – Splunk Documentation

Q30) Which app ships with splunk enterprise

Answer:

  • Search & reporting
  • Home App

Q31) How do we convert unix time into string and string back to unix time format

Answer:
strftime(X,Y) :  Unix to string as per format
strptime(X,Y) : String to UNIX

Q32) How do we find total number of host or source type reporting splunk instance. Report should consider host across the cluster

Answer:
|metadata type=hosts index=*  | convert ctime(firstTime) | convert ctime(lastTime) |convert ctime(recentTime)

Q33) What is Splunk? Why Splunk is used for analysing machine data?

Answer:
Splunk is a platform for analysing machine data generated from various data sources such as network, server, IOT and so on. Splunk is used for analysing machine data for following reasons

  • Business Intelligence
  • Operational visibility
  • Proactive monitoring
  • Search and Investigation

Q34)  Who are the competitors of Splunk in the market? Why is Splunk efficient?

Answer:
Biggest competitors of Splunk are as follows

  • Sumo logic
  • ELK
  • Loglogic

Splunk is efficient as it comes with many inbuilt features like visualization, analysis, apps, Splunk can also be deployed in cloud through Splunk cloud version. Other platforms requires plug in to get additional features.

Q35) What are the benefits of getting data using forwarders?

Answer:

  • Data is load balanced by default
  • Bandwidth throttling
  • Encrypted SSL connection
  • TCP connection

Q36) What happens if License master is unreachable?

Answer:
License Slave sets 72 hour timer and try to reach License Master, after which search is blocked in specific license slave until Master is reachable.

Q37)  What is the command to get list of configuration files in Splunk?

Answer: Splunk cmd btool inputs list –debug

Q38)   What is the command to stop and start Splunk service?

Answer:

  • ./splunk stop
  • ./splunk start

Q39)  What is index bucket? What are all stages of buckets?

Answer: Indexed data in Splunk is stored in directory called bucket. Each bucket has certain retention period after which data is rolled to next bucket. Various stages of buckets are

  • Hot
  • Warm
  • Cold
  • Frozen
  • Thawed
Get Splunk 100% Practical Training

Q40) What are important configuration files in Splunk?

Answer:

  • Props.conf
  • inputs.conf
  • outputs.conf
  • transforms.conf
  • indexes.conf
  • deploymentclient.conf
  • serverclass.conf

Q41) What is global file precedence in Splunk?

Answer:

  • System local directory – highest priority
  • App local directory
  • App default directory
  • System default directory – lowest priority

Q42) What is difference between stats and timechart command?

Answer:

Stats Timechart
Used to represent statistics data in tabular format Used to represent search result in graph
Can use multiple fields Uses _time as default field in x-axis

Q43) What is lookup command?

Answer: Lookup command is used to reference fields from an external csv file that matches fields in your event data.

Q44) What is the role of Deployment server?

Answer: Deployment server is a Splunk instance to deploy the configuration to other Splunk instances from a centralized location.

Q45) What are the default fields in Splunk?

Answer:

  • Host
  • Source
  • Source type
  • _time
  • _raw

Q46) What is Search Factor (SF) and Replication Factor (RF) in Splunk?

Answer: The search factor determines the number of searchable copies of data maintained by an index cluster. The default search factor is 2.Replication factor is the number of copies of the data cluster maintains. The search factor should be always less than or equal to the Replication factor.

Q47) What is the difference between Splunk apps and add-ons?

Answer: Splunk apps contain built-in configurations, reports, and dashboards, Splunk add-ons contain only built-in configurations and not visualization (reports or dashboards)

Q48) How can you exclude some events from being indexed in Splunk?

Answer: This can be done by using nullQueue in transforms.conf file.
For Example:
transforms.conf
[setnull] REGEX = <regular expression>
DEST_KEY = queue
FOMAT = nullqueue

Q49) Where does Splunk default configuration file located?

Answer: It is located under $Splunkhome/etc/system/default

Q50) Discuss about the sequence in which splunk upgrade can be done in a clustered environment?

Answer:

  • Upgrade Cluster Master
  • Upgrade Search Head Cluster
  • Upgrade Indexer Cluster
  • Upgrade Standalone Indexers
  • Upgrade Deployment  Server

Q51) How do we sync and deploy configurational files and updates across multiple deployment servers in a large multi-layered clustered?

Answer: On one of the deployment server, use below commands-

  • $cd ~
  • $./DS_sync.sh
  • $/opt/splunk/bin/splunk reload deploy-server -class ServerClassName

Q52) Who is responsible for the right quantity of data?

Answer- License master in Splunk for correct facts to enter. Splunk license is constructed on the facts capacity which is on the platform in 24 hours in the window. It is necessary to confirm the atmosphere should be in the control of the obtained volume.

Q52) What restrict to find data?

Answer- When the license master is unavailable the data goes in the indicator is not concerned. The facts continue to go into the installation of Splunk. The indicator will carry on to move into the Splunk deployment. A warning message is seen on the upside of ahead of the search or the UI of the web to increase the capacity and to decreases the capacity of data.

Q54) What happens when to increase the data limitation?

Answer – A message of License violation error is shown on the screen. The warning od the license continues for 14 days. We will receive 5 warnings in 30 days on the window in the trading license. The indicators search results and reports discontinue the activation.

Q55) What is used for building a ranking?

Answer – Data models are for generating a ranking model of the data. When we contain a huge and numerous unformed data. At the time when you wish to use details without the use of difficult search questions.

  • For generating the reports of sale
  • For setting the entry
  • For certification

Q56) How to map the keys and values?

Answer – With the help of Lookups command. To enhance the occasion facts by attaching field-value mixture form the lookup tables. Lookup test the field-value mixture of the occasion facts with the help of field-value mixture in the outer tables of lookups. Splunk software attaches the field-value mixture of the tables to the occasion.

Q57) What is used to process huge data sets?

Answer – The Mapreduce algorithm is a programming model. A map is a function to collect the data side by side for fashion implementation. A map function is very necessary to collect the data fro your search. Now the reduce function gets the results from the function of the map for proceeding.

Q58) Define Splunk Success Framework?

Answer – It is an adaptable group of applications for increasing and getting faster speed for you has in the data with the help of Splunk software. The organization’s application contains all necessary things to apply and support a Splunk environment to target your data.

Q59) Name the items for migration?

Answer –
Configuration of Custom application – The installer keeps in the default inventories on the collection of the audience. The runtime adjustment is done at the time of running the apps on the head pool of search.
Configuration for the personal user – The installer prints the user arrangements of the head. The head copies the settings to each collection by the simple way of reproducing arrangements.

Q60) What is used to track internally?

Answer – A sub-directory named fish bucket in Splunk. to guide the content distance of your file from the place to start guiding. By using these features such as seek pointers and CRCs. CRC is to notice the specific entry. And seek pointer are the characteristics of the data of the place.

Q61) How the company manages the data?

Answer – Data and hints are absorbed by the Splunk company. And changes in the search information as the events. The main procedure is viewed in the data pipeline to perform on the data at the time of recording. The procedure represents the occasions processing. You can connect the occasion with information items to improve the benefits after the data is managed into an occasion.

Q62) Explain Occasion management?

Answer – Printing and recording are the two platforms of occasion management. With the help of a parsing pipeline like the block. At the time of examining the software of Splunk disconnects the blocks into the occasion. The occasion goes to the recording pipeline. The software of Splunk changes the data at the time when we use both.

Q63) what is the use of DB connect?

Answer – To construct the columns, rows, and tables from details straightly in the Splunk company to guide the data. It helps to join the details of relative data to Splunk company. And to make the facts adaptable bt the Splunk company. It can revert the facts to the details of the relative. You can detect and view the relative’s data.

 Q64) Why DB connect is important?

Answer –

  • To obtain instantly details into Splunk
  • To conduct on the fly lookups for the details of warehouses
  • To guide the layout of saved data details in amount
  • To write the companies data into details in amount
  • To see the data again the position of proving.
  • To measure, allot and check details of jobs to restrict the excess load.

Q65) How to ignore the incoming data?

Answer – There are two steps for ignoring data.
First step

  • First, explain to Splunk the data you want.
  • And then you decide what Splunk has to do.
  • Now update props.conf file and join a rule to notice the root of the details
  • After this tell what to do.
  • Now use the transform keyword in the same rule.

Second step

  • Confirm to the Splunk that in which way you want to change the details
  • The details are guided by the Splunk by default.
  • You can transfer the details to nullQueue.
Get Splunk Online Training with Real-Time Projects

Q66) Explain Transaction

Answer – It is situated on the occasion to connect different limitations. It is built by the raw text of every member, the details of premature members and the group of every area of every person. It contains two areas such as duration and event count.
Event count is for viewing the counts of occasion in the transaction
Duration is for the contrast of the first and last occasion.

Q67) How to remove all the events?

Answer – With the help of the Dedup command to assume the identity mixture of values for every area which the user described. It deletes the false principles from the outcome. To show the new record for a special event. It gives back the first key principles for a special field.

Q68) Mention the use of the Dedup command of Splunk?

Answer – At the time of finding a huge capacity of data we can keep away the Dedup command. The memory is maintained when the command uses the data for each occasion. It maintains every area with the supreme number and size. When the user immediately finds the record or principles then use the command and it showed occasionally a single record or principles for a single ID.

Q69) What is single-instance storage?

Answer – Data deduplication is the way to remove unnecessary prints of facts and remove the saved overhead. It confirms a special example od data kept on saved media like tape, flash or light. The pieces of unnecessary data are placed again with the point of special facts of details.
Q70) Who analyzes data in a backup system?
Answer – With the help of online deduplication. Unnecessary prints are removed as the details have corresponded to the backup storehouse. Inline needs a little backup storehouse it occurs traffic jams.

Q71) Describe pivot?

Answer – it is used for pulling and dripping attachments to use the preset data models and items. Pivot tool helps data models to describe and separation and to fix the characters for the occasion data which you want.

Q72) What is used for collecting the logs?

Answer – The element named Splunk’s Forwarder. To gather the facts from the machine you have to manage it by the use of the scheduling Splunk’s forwarders are the separation of the principle of Splunk’s example.

Q73) Where to keep the listed data in directories?

Answer – In Splunk’s buckets. It is a directory includes the occasion.

  • Hot = includes fresh listed data that can be written.
  • Warm – includes facts moved out from hot buckets.
  • Frozen- moved out from a cold bucket
  • Cold moved out from the warm bucket.

Q74) Name the disadvantages of Splunk?

Answer –

  • It verifies the cost of huge data capacity.
  • The dashboard is not impressive but it is practical
  • You have to take Splunk coaching because it is difficult like a multi-leveled constructer.
  • To recognize the searches is very complicated especially daily appearance and pattern of search.

Q75)  How to connect two BLE devices?

Answer – With the help of Btool, it performs by interacting with the CC2640R2F organized to behave as a web processor with the HCI agent special command. It helps to run the Host trail representative application.

Q76) What is known as a central resource for searching?

Answer – Search head clustering, The persons can be changeable and can run a similar exploration, can view similar control panel and entry a similar outcome from the collection of any person. To gain compatibility the search head in gathering is to contribute the arrangements and applications and to fix the job.

Q77) How to recover a non-functioning group?

Answer – Without the installation of a static master at that time the group loss the majority. Unless the representative will not join again the group the cluster will not take action. The representative select a master at the time of the majority is achieved. And then the cluster begins to functions.

  • Runtime arrangements
  • The reports planning

Q78) Effect of a non-functioning cluster?

Answer – if you lose the majority then you cannot select the master the representative carry on the function as individual search heads. They can serve only Adhoc searchers. Planned exploration and alerts may not run if the planned function is downgraded.

Q79) Name the features of a knowledge object?

Answer –

  • It is to contribute and by the correct list of people in the company.
  • Formalized occasion data by applying the knowledge object naming agreement and different the matching objects.
  • The strategies to increase the enhancement of search and pivot.
  • Construct data models for pivot customers.

Q80) Name the uses of Knowledge object?

Answer – By using the software of Splunk this object is to generate and stored. It includes similar details or it not used for every customer. To manage all the problems we need to handle objects.

  • For fields and field removal is the primary layer. To removes automatically the fields from the IT facts
  • Occasion types and Transactions for listing together with the favorite group of the same occasion.
  • Lookups and workflow action to classify the knowledge object that is expanded in the facts in different methods.

Q81) What is used to conduct the group of field details?

Answer – By the use of Tags and aliases is for managing and establishing the details. For combining the principle and for providing the given field tags to reverse various features of identity. When you have various origins to use various field names to mention similar data then formalize the facts with the use of aliases.

Enroll Now !

Popular Categories

Looking for Online Training?

For India: +91 9707 240 250

For US: +1 201 949 7520

( Available 24x7 for Your Queries )

GangBoard WhatsApp
Request A Call Back
Drop A Querry
+91-9707240250
Schedule a Demo