Devops Splunk Interview Questions and Answers Pdf

1. What Is a Mapreduce Algorithm?
Answer: Mapreduce algorithm is secret behind Splunk fast data searching speed. It’s an algorithm typically used for batch-based large scale parallelization. It’s inspired by functional programming’s map() and reduce () functions.

2. If I Want Add/onboard Folder Access Logs From A Windows Machine To Splunk How Can I Add Same?
Answer: Below is steps to add folder access logs to Splunk:

Enable Object Access Audit through group policy on a windows machine on which folder is located
Enable auditing on a specific folder for which you want to monitor logs
Install Splunk universal forwarder on a Windows machine
Configure universal forwarder to send security logs to Splunk indexer

3. How Would You Handle/troubleshoot Splunk License Violation Warning Error?
Answer: License violation warning means Splunk has indexed more data than our purchased license quota. We have to identify which index/source type has received more data recently than usual daily data volume. We can check on Splunk license master pool wise available quota and identify the pool for which violation is occurring. Once we know the pool for which we are receiving more data then we have to identify top source type for which we are receiving more data than usual data. Once source type is identified then we have to find an outsource machine which is sending huge number of logs and root cause for the same and troubleshoot accordingly.

4. How Splunk Avoids Duplicate Indexing Of Logs?
Answer: At indexer splunk keeps track of indexed events in a directory called fish buckets (default location /opt/splunk/var/lib/splunk).

It contains seek pointers and CRCs for the files you are indexing, so splunk can tell if it has read them already.

5. What Is the Difference Between Splunk Sdk And Splunk Framework?
Answer: Splunk SDKs are designed to allow you to develop applications from the ground up and not require Splunk Web or any components from the Splunk App Framework. These are separately licensed to you from the Splunk Software and do not alter the Splunk Software. Splunk App Framework resides within Splunk’s web server and permits you to customize the Splunk Web UI that comes with the product and develop Splunk apps using the Splunk web server. It is an important part of the features and functionalities of Splunk Software, which does not license users to modify anything in the Splunk Software. (e learning portal)

6. If I want to add/onboard folder access logs from a windows machine to splunk how can I add same?
Answer: Below are steps to add folder access logs to splunk

Enable Object Access Audit through group policy on a windows machine on which folder is located
Enable auditing on a specific folder for which you want to monitor logs
Install splunk universal forwarder on a windows machine
Configure universal forwarder to send security logs to splunk indexer.

7. How would you handle/trou/able shoot splunk license violation warning error?
Answer: License violation warning means splunk has indexed more data than our purchased license quota. We have to identify which index/sourcetype has received more data recently than usual daily data volume. We can check on splunk license master pool wise available quota and identify the pool for which violation is occurring. Once we know the pool for which we are receiving more data then we have to identify top sourcetype for which we are receiving more data than usual data. Once sourcetype is identified then we have to find an outsource machine which is sending huge number of logs and root cause for the same and troubleshoot accordingly.

8. What is MapReduce algorithm?
Answer: MapReduce algorithm is secret behind splunk fast data searching speed. It’s an algorithm typically used for batch-based large scale parallelization. It’s inspired by functional programming’s map() and reduce () functions.

9. How splunk avoids duplicate indexing of logs?
Answer: At indexer splunk keeps track of indexed events in a directory called fish buckets (default location /opt/splunk/var/lib/splunk).

It contains seek pointers and CRCs for the files you are indexing, so splunkd can tell if it has read them already.

10. What is the difference between splunk SDK and splunk framework?
Answer: Splunk SDKs are designed to allow you to develop applications from the ground up and not require Splunk Web or any components from the Splunk App Framework. These are separately licensed to you from the Splunk Software and do not alter the Splunk Software. Splunk App Framework resides within Splunk’s web server and permits you to customize the Splunk Web UI that comes with the product and develop Splunk apps using the Splunk web server. It is an important part of the features and functionalities of Splunk Software, which does not license users to modify anything in the Splunk Software.