Prev Next

Maven / Splunk Interview Questions

Could not find what you were looking for? send us the question and we would be happy to answer your question.

What is Machine Data? How Splunk can use it?

Machine data, sometimes called machine-generated data, is the digital information that is automatically created by the activities and operations of networked devices, including computers, mobile phones, embedded systems, and connected wearable products. In a wider context, machine data can also include information generated by websites, end-user applications, cloud-deployed programs, servers, etc.

Splunk Enterprise takes valuable machine data and turns it into powerful operational intelligence.

Main functions of Splunk.
  • Index data,
  • Search & Investigate,
  • Add knowledge to the data by categorization and enriching,
  • Monitor & Alert,
  • Report & Analyse.
What are the Splunk processing components?

There are 3 components.

  • Indexer,
  • Search Head, allows the users to use Splunk Search language.
  • and Forwarder, are Splunk enterprise instances that consume data and forward to indexers for processing.
Does Indexer process the search requests?

Yes.

Which component provides data for indexing?

Forwarders.

What are Splunk roles?

Splunk roles determine what a user is able to see, do and interact with.

There are 3 main splunk roles.

  • Admin role is the most powerful, allows to install apps and create knowledge objects for all the users.
  • Power role can create and share knowledge objects for users of an app and do realtime searches.
  • User role will only see their own knowledge objects and those shared with them.
What are the default Apps available with Splunk Enterprise?

Two apps will be available, Home App and Search & Reporting App.

What is Splunk Index?

Indices are organized hierarchical directories in which data is categoried and stored.

Does Splunk use source_type to categorize the data for indexing?

Yes.

What is a transforming command?

Commands that create statistics and visualizations are called transforming commands.

What is the order of evaluation of Boolean operations?

Not, OR and AND. To control the evaluation use parentheses.

What is the knowledge object in Splunk?

Knowledge object is a user-defined entity that enriches the existing data in Splunk Enterprise. You can use knowledge objects to get specific information about your data. When you create a knowledge object, you can keep it private or you can share it with other users.

Are the field names case-sensitive in Splunk?

Yes but field values are NOT.

Mention few efficient ways for faster Splunk search.

  • Using time (limit : earliest and latest) to narrow down the amount of data to search.
  • Use inclusion to search rather than exclusion, for example, using status = failed is better than status !=success.
Mention a few Splunk commands.
  • fields, specifies fields to be included/excluded in the result.
  • table, specifies result in tabular format.
  • rename, allows to rename fields.
  • dedup, remove duplicate values in a field.
  • and sort command, allows sorting by fields and we can also specify limit.
What are the top and rare commands in Splunk?

The top command is a transforming command that finds the most common values of a given field.

index=sales sourcetype=vendor_sales | top Vendor limit=10

The rare command has the same options as the top command except that it shows the least common values of a field set.

Which roles can Create reports?

Admin, Power and User roles.

What are Data models in Splunk?

Data models are knowledge objects that provide the data structure that drives Pivots. These are created by Admin and Power role who has knowledge of Search language and solid understanding of the data.

Different search modes in Splunk.
  • Fast mode for performance,
  • Verbose for completeness and more details,
  • Smart mode for combination of performance and additional details.
What is Search Job Inspector in Splunk?

Search Job Inspector determines which phase of a search takes the most time. It dissects the behavior of searches to help understand costs. Any search job that has not expired can be inspected.

What is an Iplocation command in Splunk?

Iplocation command lookup and add location information to events.

What is Geostats command?

Geostats command aggregates geographical data for use on a map visualization.

index=sales sourcetype=vendor_sales | geostats latfield=VendorLatitude longfield=VendorLongitude count by product_name

Name the types of search modes supported in Splunk.

Splunk supports 3 types of search modes.

  • Fast mode,
  • Smart mode,
  • and Verbose mode.
«
»
JUnit

Comments & Discussions