Splunk Interview Questions and Answers

If you are looking for Splunk interview questions and answers, whether as an experienced candidate or a fresher, you are in the right place. There are plenty of opportunities at many reputed organizations around the world. According to Splunk industry estimates, the Splunk market is expected to grow to more than $5 billion by 2020, from just $180 million. So you still have the chance to move ahead in your career in Splunk development. GangBoard offers advanced Splunk interview questions and answers that help you crack your Splunk interview and land your dream career as a Splunk developer.

Best Splunk Interview Questions and Answers

Do you believe that you have what it takes to be part of the future development of Splunk? GangBoard is here to guide you in building your career. Many Fortune 1000 organizations around the world use Splunk technology to meet the needs of their customers, and Splunk is used across numerous industries. To help you grow in a Splunk role, this page provides detailed information in the form of Splunk interview questions and answers. They were prepared by industry experts with more than 10 years of experience and are useful to any fresher or experienced person looking for a new, challenging job at a reputed company. Our Splunk questions and answers are kept simple and include examples for better understanding.

With these Splunk interview questions and answers, many students have been placed in reputed companies with a high salary package. So use our Splunk interview questions and answers to grow in your career.

Q1) What would you use to edit the contents of a file in Linux? Describe some of the important modes of the vi editor.

Answer: Common editors on a Linux system are vi, jedit, the ex line editor and nedit.

vi has two important modes. Press Esc to return to command mode and i to enter insert mode:

  • Command mode
  • Insert mode

Q2) How do you log in to a remote Unix box using ssh?

Answer: ssh your_username@host_ip_address

Q3) What would you use to view the contents of a large file? How do you copy or remove a file? How do you look for help on Linux?

  • View the end of a file: tail -10 File1 shows the last 10 lines
  • Copy a file into the current directory: cp file_name .
  • Remove a file: rm file_name (rm -rf directory_name removes a whole directory tree)
  • Manual/help: man command_name

Q4) How do you uncompress a file? How do you install Splunk or an app from the Splunk Enterprise .tgz file?

  • Uncompress a gzipped tarball: tar -zxvf file_name.tar.gz
  • Install Splunk into /opt: tar xvzf splunk_package_name.tgz -C /opt
  • The default installation directory is /opt/splunk

Q5) What does grep stand for? How do you find the difference between two configuration files?

  • General Regular Expression Parser.
  • Search a file for either of two words: egrep -w 'word1|word2' /path/to/file
  • Compare two configuration files: diff -u File_name1.conf File_name2.conf

Q6) Talk about the Splunk architecture and its various stages.

Data Input Stage: data is read from the source and turned into 64 KB blocks; metadata keys such as host, source, source type and _time are attached.

Data Storage Stage: parsing and indexing.

Data Searching Stage: data analysis using the search head.

Data flow: Universal Forwarder > Heavy Forwarder (optional) > Indexers > Search Head

Deployment Server: used to distribute configuration files and apps.

License Master: used to keep track of indexing volume against the license.

Q7) What are the types of Splunk forwarder?

  • Universal Forwarder (UF): a lightweight Splunk instance that cannot parse or index data
  • Heavy Forwarder (HF): a full Splunk instance with the advanced functionality of parsing and indexing

Q8) Explain precedence in Splunk and discuss some of the important conf files.

  • When two or more stanzas specify a behaviour that affects the same item, precedence is calculated based on the ASCII order of the stanza names
  • The priority key can be used to specify the highest or lowest priority explicitly

Important conf files:

  • props.conf
  • indexes.conf
  • inputs.conf
  • transforms.conf
  • server.conf

Q9) What is a summary index in Splunk?

The summary index is the default index used to store the results of scheduled searches run over a period of time. It allows large volumes of data to be processed efficiently, because reports run against the pre-computed summary rather than the raw events.

Q10) What are the types of field extraction? How can data be masked in either case?

  • Search-time field extraction
  • Index-time field extraction

Q11) What do you mean by role-based access control?

Answer: It is crucial to grant only the appropriate roles to each team. This prevents unauthorized access to any app or data.

Access must be granted meticulously, and each role's search capability must be limited by allowing access only to the indexes it actually needs.

Q12) What is the null queue?

Answer: The null queue is the mechanism for discarding unwanted data so that it is never indexed.

Q13) Troubleshooting Splunk errors

  • Check whether the process is running: ./splunk status
  • If it is running, check the log for recent errors: tail -20 $SPLUNK_HOME/var/log/splunk/splunkd.log
  • Splunk crashes can also be caused by low disk space; check whether any crash*.log files exist
  • Check splunkd.log, metrics.log or web*.log
  • To check conf-file related concerns use btool: ./splunk btool props list --debug > /tmp/props.conf
  • Search for errors and warnings: index=_internal log_level=error OR log_level=warn*
  • Check the dispatch directory for recent searches: $SPLUNK_HOME/var/run/splunk/dispatch
  • Enable debug mode: Splunk software has a debug parameter (--debug) that can be used when starting Splunk
  • Check the introspection log files, or use the search: index=_introspection

Q14) What are the types of search modes supported in Splunk?

  • Fast mode
  • Verbose mode
  • Smart mode

Q15) What is the difference between source and source type?

Source: identifies where the data came from (for example a file path or network port).

Source type: in general, refers to the data structure of the events, i.e. the format of the data.

Different sources may share the same source type.

Command to restart the Splunk web server:

/opt/splunk/bin/splunk start splunkweb

Q16) How do you use btool to inspect Splunk conf files?

Answer: /opt/splunk/bin/splunk cmd btool inputs list

Q17) Create a new app from a template

Answer: /opt/splunk/bin/splunk create app New_App -template sample_App

Q18) Roll back your Splunk configuration bundle to the previous version

Answer: /opt/splunk/bin/splunk rollback cluster-bundle

Q19) How do you specify the minimum free disk space in Splunk?

./splunk set minfreemb 20000

./splunk restart

Q20) Command to change splunkweb port to 9000 via CLI

Answer: ./splunk set web-port 9000

Q21) How to turn down a peer without affecting any other peer of cluster?

Answer: ./splunk offline

Q22) How do you show which deployment server this instance is configured to poll?

Answer: ./splunk show deploy-poll

Q23) CLI to validate bundles

Answer: ./splunk validate cluster-bundle

Q24) How do you see all the license pools active in your Splunk environment?

Answer: ./splunk list license

Q25) Which commands belong to the "filtering results" category? Explain.

Answer: "search", "where", "sort" and "rex"

Q26) What is the join command and what are the various flavours of join?

  • The join command combines the results of a subsearch with the results of the main search; one or more fields must be common to both result sets
  • Inner join: the result does not include events that have no match
  • Left/outer join: the result includes all events from the main search, plus the matching subsearch events with the same field values

... | join type=inner P_id [search source=table2]

Q27) What is the syntax of the case function?

It is a comparison and conditional function:

case(X,"Y",...)

X is a Boolean expression; the pairs are evaluated from first to last and the function returns NULL if none of them is true.

... | eval description=case(status==200,"OK",status==404,"NOT FOUND")

Q28)  Which role can create data model

Answer: Admin & power user

Q29) What is the latest Splunk version?

Answer: Splunk Enterprise 7.2 (see "Welcome to Splunk Enterprise 7.2" in the Splunk Documentation)

Q30) Which apps ship with Splunk Enterprise?

  • Search & Reporting
  • Home app

Q31) How do we convert Unix time into a string, and a string back into Unix time?

strftime(X,Y): converts the Unix time X into a string using the format Y

strptime(X,Y): parses the string X using the format Y and returns Unix time

Q32) How do we find the total number of hosts or source types reporting to a Splunk instance? The report should consider hosts across the whole cluster.

| metadata type=hosts index=* | convert ctime(firstTime) | convert ctime(lastTime) | convert ctime(recentTime)

Q33) What is Splunk? Why is Splunk used for analysing machine data?

Splunk is a platform for analysing machine data generated by various sources such as networks, servers, IoT devices and so on. Splunk is used for analysing machine data for the following reasons:

  • Business Intelligence
  • Operational visibility
  • Proactive monitoring
  • Search and Investigation

Q34) Who are the competitors of Splunk in the market? Why is Splunk efficient?

The biggest competitors of Splunk are:

  • Sumo Logic
  • ELK
  • LogLogic

Splunk is efficient because it ships with many built-in features such as visualization, analysis and apps, and it can also be deployed in the cloud through Splunk Cloud. Other platforms require plug-ins to get the same additional features.

Q35) What are the benefits of getting data using forwarders?


  • Data is load balanced by default
  • Bandwidth throttling
  • Encrypted SSL connection
  • TCP connection

Q36) What happens if the License Master is unreachable?

The license slave starts a 72-hour timer and keeps trying to reach the License Master; after the timer expires, search is blocked on that license slave until the master is reachable again.

Q37) What is the command to list the effective configuration, including which file each setting comes from?

Answer: splunk cmd btool inputs list --debug

Q38) What is the command to stop and start the Splunk service?

  • ./splunk stop
  • ./splunk start

Q39) What is an index bucket? What are the stages of a bucket?

Answer: Indexed data in Splunk is stored in directories called buckets. Each bucket stage has a retention policy, after which the bucket is rolled to the next stage. The stages of a bucket are:

  • Hot
  • Warm
  • Cold
  • Frozen
  • Thawed

Q40) What are the important configuration files in Splunk?

  • props.conf
  • inputs.conf
  • outputs.conf
  • transforms.conf
  • indexes.conf
  • deploymentclient.conf
  • serverclass.conf

Q41) What is global file precedence in Splunk?

  • System local directory – highest priority
  • App local directory
  • App default directory
  • System default directory – lowest priority
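As an added illustration (not from the page and not Splunk's own code), this Python script models how those four layers are merged for one stanza: attributes are combined one by one, the highest-precedence file that sets an attribute wins, and within an app tier Splunk ranks apps by ASCII order of the directory name. All paths, app names and values below are constructed.

```python
from typing import Dict, Tuple

# Constructed sample (not from the page): one props.conf stanza, [access_combined],
# as it appears in five layers under $SPLUNK_HOME/etc. App names and values are made up.
CONF_LAYERS = {
    "etc/system/default/props.conf": {
        "SHOULD_LINEMERGE": "true", "MAX_TIMESTAMP_LOOKAHEAD": "128", "TRUNCATE": "10000"},
    "etc/apps/search/default/props.conf": {"SHOULD_LINEMERGE": "false"},
    "etc/apps/search/local/props.conf": {"TRUNCATE": "20000", "MAX_TIMESTAMP_LOOKAHEAD": "32"},
    "etc/apps/Audit/local/props.conf": {"TRUNCATE": "5000"},
    "etc/system/local/props.conf": {"SHOULD_LINEMERGE": "true"},
}

def _tier(path: str) -> int:
    """Global-context tier: 0 system/default < 1 app default < 2 app local < 3 system/local."""
    parts = path.split("/")  # ["etc", "system"|"apps", ...]
    if parts[1] == "system":
        return 0 if parts[2] == "default" else 3
    return 1 if parts[3] == "default" else 2

def _app(path: str) -> str:
    parts = path.split("/")
    return parts[2] if parts[1] == "apps" else ""

def resolve_stanza(layers: Dict[str, Dict[str, str]]) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Merge attribute by attribute in ascending precedence; the last write wins.

    Within an app tier Splunk ranks apps by ASCII order of the directory name
    ("Audit" beats "search" because uppercase sorts first), so apps are applied
    in reverse ASCII order and the lowest-sorting app writes last.
    Returns (merged attributes, file that supplied each attribute).
    """
    ordered = sorted(layers, key=_app, reverse=True)  # reverse ASCII within a tier
    ordered = sorted(ordered, key=_tier)               # stable sort keeps that order per tier
    merged, source = {}, {}
    for path in ordered:
        for attr, value in layers[path].items():
            merged[attr] = value
            source[attr] = path
    return merged, source

if __name__ == "__main__":
    merged, source = resolve_stanza(CONF_LAYERS)
    for attr in sorted(merged):  # the same information btool --debug prints
        print(f"{source[attr]:40} {attr} = {merged[attr]}")
```

Note that merging is per attribute, not per file: an app local file that sets only TRUNCATE does not hide the SHOULD_LINEMERGE value coming from a lower layer.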

Q42) What is the difference between the stats and timechart commands?

Stats:
  • Used to represent statistical results in tabular format
  • Can group by multiple fields

Timechart:
  • Used to represent search results as a time-series chart
  • Uses _time as the default field on the x-axis

Q43) What is lookup command?

Answer: Lookup command is used to reference fields from an external csv file that matches fields in your event data.

Q44) What is the role of Deployment server?

Answer: Deployment server is a Splunk instance to deploy configuration to other Splunk instances from centralized location.

Q45) What are the default fields in Splunk?


  • Host
  • Source
  • Sourcetype
  • _time
  • _raw

Q46) What are the Search Factor (SF) and Replication Factor (RF) in Splunk?

Answer: The search factor determines the number of searchable copies of data maintained by the indexer cluster; the default search factor is 2. The replication factor is the total number of copies of the data the cluster maintains. The search factor must always be less than or equal to the replication factor.

Q47) What is the difference between Splunk apps and add-ons?

Answer: Splunk apps contain built-in configurations, reports and dashboards, whereas Splunk add-ons contain only built-in configurations and no visualizations (reports or dashboards).

Q48) How can you exclude some events from being indexed in Splunk?

Answer: This can be done by routing them to the nullQueue in transforms.conf.

For example, a transforms.conf stanza (referenced from the sourcetype's TRANSFORMS- setting in props.conf):

REGEX = <regular expression>

DEST_KEY = queue

FORMAT = nullQueue
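As an added example (not from the page and not Splunk code), the Python script below embeds a constructed props.conf and transforms.conf pair and replays the routing rules over sample events, so you can see which lines would reach the index. It also goes one step beyond the page: the firewall_log sourcetype shows the "discard everything, then keep only what matches" pattern, which works because the last matching DEST_KEY=queue transform wins. Sourcetype names, regexes and log lines are all made up.

```python
import configparser
import re
# Constructed example (not from the page): props.conf binds a sourcetype to an
# ordered list of transforms; transforms.conf routes matching events to a queue.
PROPS_CONF = r"""[my_app_log]
TRANSFORMS-routing = drop_debug
[firewall_log]
TRANSFORMS-routing = setnull, keep_errors
"""
TRANSFORMS_CONF = r"""[drop_debug]
REGEX = \bDEBUG\b
DEST_KEY = queue
FORMAT = nullQueue
[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue
[keep_errors]
REGEX = \bERROR\b
DEST_KEY = queue
FORMAT = indexQueue
"""
SAMPLE_EVENTS = [  # constructed log lines
    "2024-01-01T10:00:00 INFO user login ok",
    "2024-01-01T10:00:01 DEBUG cache miss key=abc",
    "2024-01-01T10:00:02 ERROR db timeout",
]
def _load(text):
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep REGEX/DEST_KEY/FORMAT case-sensitive
    cp.read_string(text)
    return cp
def route_events(sourcetype, events):
    """Return (indexed, dropped); the last matching DEST_KEY=queue transform wins."""
    props, transforms = _load(PROPS_CONF), _load(TRANSFORMS_CONF)
    rules = []
    for key, names in (props.items(sourcetype) if props.has_section(sourcetype) else []):
        if key.startswith("TRANSFORMS-"):
            for name in names.split(","):
                t = transforms[name.strip()]
                rules.append((re.compile(t["REGEX"]), t.get("DEST_KEY"), t.get("FORMAT")))
    indexed, dropped = [], []
    for ev in events:
        queue = "indexQueue"  # default destination when nothing re-routes the event
        for rx, dest, fmt in rules:
            if dest == "queue" and rx.search(ev):
                queue = fmt
        (dropped if queue == "nullQueue" else indexed).append(ev)
    return indexed, dropped
```

Because the filtering happens at parse time, it must live on the indexer or heavy forwarder (a universal forwarder does not parse), and dropped events still count toward the license if they are dropped after the license meter.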

Q49) Where does Splunk default configuration file located?

Answer: It is located under $Splunkhome/etc/system/default

Q50) Discuss the sequence in which a Splunk upgrade should be done in a clustered environment.

  • Upgrade the Cluster Master
  • Upgrade the Search Head Cluster
  • Upgrade the Indexer Cluster
  • Upgrade standalone indexers
  • Upgrade the Deployment Server

Q51) How do we sync and deploy configuration files and updates across multiple deployment servers in a large, multi-layered cluster?

Answer: On one of the deployment servers, run the following commands:

  • $ cd ~
  • $ ./DS_sync.sh
  • $ /opt/splunk/bin/splunk reload deploy-server -class ServerClassName
