Splunk is a powerful software that gives enterprises access to a range of feature-rich applications to make the most out of the enterprise data and turn them into observable elements in the form of charts, tables, and easy-to-understand dashboard displays. Splunk lets organizations leverage public clouds, on-premises data centers, apps and services, and third-party tools to derive useful insights from data.
Top 20+ Splunk Interview Questions for Freshers
1. What is Splunk used for?
Splunk is used for tackling issues pertaining to visualization and analysis of data. Splunk eases the task of analyzing machine data to provide business insights. Organizations also use Splunk to create a comprehensive view of all the operations on the basis of machine data. This information is then aggregated across the whole infrastructure. It is also useful in real-time machine data analysis for error detection.
2. Can you explain how Splunk works?
Splunk works in three stages, namely the data input, data storage, and data searching stage, which are elaborated below-
- Data Input Stage- Splunk consumes raw data from various sources and breaks them into 64K blocks. These blocks are then annotated with metadata keys.
- Data Storage Stage- The data is then analyzed to extract relevant data from it in the parsing phase, followed by an indexing phase, which involves writing the parsed events into the index queue.
- Data Searching Stage- This stage involves various operations, such as accessing, viewing, and using the index data by the user.
3. What are the main components of Splunk Architecture?
Following are the three key components of Splunk Architecture-
- Splunk Forwarder- The Splunk Forwarder gathers and forwards real-time data and cleanses data based on the forwarder that is used.
- Splunk Indexer- This component allows users to transform the raw data into events. It also allows storing of the data produced using the forwarder. Indexer is also responsible for real-time processing of the incoming data.
- Search Head- Search head interacts with Splunk to allow a variety of operations, such as analyzing the stored data and performing queries on them with the help of a GUI (graphical user interface).
4. Write different types of Splunk forwarder.
A Splunk forwarder is responsible for collecting logs and sending them to the indexer when deployed on IT systems. There are two types of forwarders, which are as follows-
- Universal Forwarder- With a universal forwarder, you can forward an incoming stream of data to an indexer with minimal processing. While this proves to be a faster operation, a universal forwarder may result in high performance overhead for the indexer as it might send irrelevant information to the indexer as well.
- Heavy Forwarder- A heavy forwarder sends only parsed data to the indexer by processing the data at the source, which is followed by sending this processed data to the indexer.
5. What are the advantages of getting data into a Splunk instance through Forwarders?
There are several advantages of entering data into a Splunk instance using forwarders, such as a TCP connection, an SSL connection between the indexer and forwarder that is encrypted, and bandwidth throttling. Since the forwarded data is load-balanced, using forwarders makes it possible to route the data to a different indexer instance promptly when an indexer goes down. Forwarders also create a backup of the data on a temporary basis, storing them locally before the data is forwarded.
6. What do you mean by Splunk Dashboards? Write its types.
A Splunk Dashboard helps create a visual representation of data through panels. They provide visually pleasing and easy-to-understand versions of data in the form of tables, charts, and summaries. These dashboards allow users to create multiple panels and a range of customization for several charts and reports. Here are the different types of Splunk dashboards-
- Dynamic form-based dashboards- In dynamic form-based dashboards, you can make changes to the data on the dashboard without leaving the page. And based on the selection made and input fields added, such as text boxes, time, dropdowns, etc., you can easily customize the dashboard as well. This type of dashboard is ideal for data analysis and troubleshooting.
- Static real-time dashboards- You can use a static real-time dashboard when you need a large-screen display of the data with indicators and alerts that you can respond to promptly.
- Scheduled dashboards- Scheduled dashboards allow you to share them with other team members as they can be downloaded as PDF files. This is a useful feature as active live dashboards may not be allowed to be viewed by certain users.
7. Explain Splunk Query.
Splunk queries use SPL (Search Processing Language) to communicate with a database, and they allow users to run specific operations on machine-generated data. With Splunk queries, users can extract the information they need from machine-generated data as SPL have various functions, commands, and arguments. Therefore, queries allow users to analyze, update, and change data in the databases using various functions.
8. What are the different types of Splunk License?
Splunk license specifies the features that can be used and the amount of data that can be indexed by users. Each Splunk instance requires a license for this purpose. There are various types of Splunk licenses, which are as follows-
- The Splunk Enterprise License- With a Splunk Enterprise license, users receive access to all the Splunk features. However, these features can be used for a limited amount of indexed data per day. There are also various types of Splunk Enterprise licenses, such as Splunk Enterprise Trial license, and Splunk for Industrial IoT, among others.
- The Free License- Users can use Splunk for free under the free license. However, this gives access to limited functionalities compared to the Splunk Enterprise license. This license allows indexing of limited amounts of data, and certain features like authentication are not available.
- The Forwarder License- You can forward data unlimited number of times and get access to various other Splunk Enterprise features, such as sending data, configuration management, authentication with a forwarder license.
- The Beta License- Beta license is required for each Splunk beta release, and one beta license is not valid for other beta releases of Splunk. This means, every time there’s a Splunk beta release, you will need a new Beta license for that specific beta release.
9. What is the importance of a License Master in Splunk? If the License Master is not reachable, what will happen?
License master ensures indexing of limited amounts of data as per the Splunk license that is purchased. When the license master is not reachable, searching the data becomes impossible. However, the data is still indexed while the searching of data halts. This means the Splunk deployment receives data and it is also indexed. When Splunk reaches its indexing limit, the user will receive a warning message so that the data intake can be reduced or a larger capacity license can be purchased by the user.
10. Explain License violation. How will you handle or troubleshoot a license violation warning?
When your daily volume of indexing exceeds the limit permitted by your license, you receive lice warnings. And when a series of license warnings are received and not tackled by either limiting data intake or purchasing a license with larger capacity, it results in license violation. Users with a Splunk commercial license receive 5 warnings, and those with a Free license receive 3 warnings within 30 days, followed by which, the indexer will stop triggering reports and results. There are two things that can be done to handle license violation warning, which are as follows-
- Avoiding License Warning- This can be done by closely monitoring the amount of data indexed on a daily basis so that you don’t receive a license warning. You can also keep a check on your license usage report and set an alert in the monitoring console to keep track of your daily license usage.
- Troubleshooting License Violation Warning- To troubleshoot license violation warning, you must determine the pool that witnessed the violation, the source type, the machine that sends excessive logs and why this has been happening. Once you have this information, you can troubleshoot the issue.
11. Write down some common Splunk ports.
Here are some common Splunk ports-
- Management Port- 8089
- Web port- 8000
- Network port- 514
- Index Replication port- 8080
- Indexing port- 9997
- KV store- 8191
12. Explain Splunk Database (DB) Connect.
Splunk Database (DB) Connect is a general-purpose SQL database plugin or extension used in Splunk. It is a useful extension that allows users to combine unstructured machine data and structured data from the database. You can easily integrate the Splunk report or queries with the database information, and this combined data can be used to derive useful insights using Splunk Enterprise.
13. What are different versions of the Splunk product?
There are three different versions of Splunk products, which are as given below-
- Splunk Enterprise- Splunk Enterprise allows you to search, visualize, and analyze your IT infrastructure’s data, and it is one of the most commonly used Splunk products, especially by IT companies.
- Splunk Cloud- A software as a service program, Splunk Cloud offers features similar to that of Splunk Enterprise. With Splunk Cloud, you can track and tackle issues related to lost passwords, login attempts that fail, manage user logins and server restarts.
- Splunk Light- Splunk Light version is a free product that offers certain features; however, the features available on this product are limited compared to other versions of Splunk.
14. Name some of the features that are not available in the Splunk free version.
The Splunk Free version is a great choice if you want to practice searches and other tasks. However, this version comes with limitations in terms of features. Some of the Splunk features that are not available to users when using the free version are as follows-
- The free version limits the ability to forward data through TCP or HTTP.
- Running distributed and scheduled searches and authentication are not allowed.
- Users cannot manage deployments or have access to powerful statistics and reports from real-time architecture.
15. Explain Splunk alerts and write about different options available while setting up alerts.
Splunk Alerts are useful as they notify users when there is an issue with the system. To utilize Splunk Alerts, users must specify certain criteria. When these criteria are met, Splunk alerts get activated and users get notified.
One good example of setting up a Splunk Alert is receiving email notification upon specifying a criterion, such as three unsuccessful login attempts within 24 hours. Users get a variety of options when setting up Splunk Alerts, which are as follows-
- Users can create a webhook, which sends messages to Github or Hipchat. This enables users to include various components, such as a subject, message body, and priority when sending an email to various machines.
- In order to ensure the details related to an alert that is fired and the actions taken based on the alerts, you can attach results in the form of PDF and .csf files to the email.
- You can customize the alert window to control the alerts that are sent and tickets created when an alert is triggered.
16. What do you mean by Summary Index in Splunk?
Summary indexes are useful for storing different computations by Splunk, such as reports, analyses, and summaries. With Summary Index, you can run a query for a long duration in a cost-effective manner. Summary index allows you to keep the reports and analytics even when the data gets old. When a user opts for no index, Splunk Enterprise automatically uses Summary Index.
17. What is the way to exclude certain events from being indexed by Splunk?
The best way to exclude certain events from being indexed by Splunk, for instance in case of debug messages, is to put them in the null queue. To achieve this, users need to specify a regex, which operates to match events that are necessary. As a result, rest of the events that do not match are sent to the NULL queue. You can define a null queue in transforms.conf at the forwarder level.
18. Write the commands used to start/stop the Splunk service.
Here are the commands used for starting or stopping the Splunk services-
- To start Splunk services ./splunk start
- To stop Splunk services ./splunk stop
- To restart Splunk services ./splunk restart
19. What is the importance of time zone property in Splunk?
When any data is entered in Splunk, it picks up the time zone when the entry is made. To add time zones, Splunk picks the time zone that is defined in your browser. Likewise, your browser picks up the time zone based on your computer system. It is only when you search for a particular event in the right time zone that you will be able to find it.
20. State difference between Splunk app and add-on.
While both Splunk applications and Splunk add-ons have the same extension; that is, SPL files, they are treated as two separate entities. With that said, here’s how Splunk applications are different from Splunk add-ons-
- Splunk Apps- Splunk applications use their inbuilt user interface to extend Splunk functionalities. Every Splunk application has a specific purpose, and they are all different and independent from each other. The Splunk apps are available on the Splunk Enterprise homepage, the application menu, or the apps section from settings. Splunk allows running of various Splunk applications at the same time. These Splunk applications make use of a collection of Splunk knowledge objects, such as even types, searches that are saved, lookups, tags, etc., and the apps can utilize other add-ons or apps as well.
- Splunk Add-on- If you intend to add a specific feature or functionality to an app, you can utilize Splunk add-ons which are designed on top of the Splunk platform. And since they are built to add to the features of Splunk applications, they do not function as a standalone app and would rather support other apps. For the same reason, Splunk add-ons cannot be accessed unlike Splunk applications, meaning you won’t find them on the Splunk Enterprise home page or the apps menu.
21. Mention some important configuration files in Splunk.
Following are some of the configuration files in Splunk that are quite important-
- Props.conf- It is used for configuring the indexing properties like custom source type rules, time zone offset, pattern collision property, etc.
- Indexes.conf- This configuration can be utilized for managing and configuring the index settings.
- Inputs.conf- You can set up data inputs with the help of inputs.conf.
- Transforms.conf- When you need to specify certain conditions to match the events with, you require to use transforms.conf to configure regex transformations.
- Server.conf- A server configuration is used for specifying a particular database in order to prevent corruption.
With over 20+ real-life projects and masterclasses from Caltech CTME faculty, this Post Graduate Program in DevOps can help you accelerate your DevOps career in just 9 months. Enroll today for a life-changing experience!
Software like Splunk Enterprise are extremely useful in increasing the ability of an organization to provide services and products at high velocity. As opposed to various other tools and traditional software, Splunk helps in efficient searching, monitoring, analysis, and visualization of machine data and search results. And courses, such as Simplilearn’s Post Graduate Program in DevOps in collaboration with Caltech CTME can help you develop skills to adopt the best practices and leverage powerful tools like Splunk to enhance the operational efficiency of organizations.
If you have any questions or doubts, feel free to write them down in the comments below, and our team of experts will get back to you at the earliest.