Devops Splunk Interview Questions and Answers Pdf

If you are searching for Splunk interview questions and answers, whether you are a fresher or experienced, you are in the right place. In DevOps there are plenty of opportunities with reputed organizations in the IT industry. According to the analysis, Splunk has a demand share of approximately 36.2%. Hence you still have a chance to move forward in your profession with Splunk. SVR Technologies presents Advanced Splunk Interview Questions 2018 to help you answer your interview and get a dream career as a Splunk Developer.

With Splunk, reporting, searching, visualizing and monitoring your business data becomes instant and easy. Splunk takes your machine data as input and transforms it into powerful operational intelligence, giving real-time insight into your data in the form of charts, alerts, reports, etc. To aim higher in your career, you can pursue the various certifications available and learn to manage large volumes of data.

Splunk Interview Questions:
Implementing Splunk can drive your business to the next level, but the question is: do you have the skills to be a Spelunker? If yes, then be well prepared for the tough competition and difficult interview questions in DevOps training. In this blog, let's have a glance at some of the most common Splunk interview questions.

The questions included in this post have been shortlisted after gathering inputs from several industry specialists in Splunk Admin Training to help you ace your interview.

Advanced Splunk Developer Interview Questions & Answers 2018

1. What is Splunk tool?
Answer: Splunk is a powerful platform for searching, analyzing, monitoring, visualizing and reporting of your enterprise data. It acquires important machine data and then converts it into powerful operational intelligence by giving real-time insight to your data using alerts, dashboards, and charts, etc.

2. Explain the working of Splunk?
Answer: Splunk works in three phases:

The first phase – it gathers the data needed to answer your query from as many sources as required.
The second phase – it converts that data into results that can answer your query.
The third phase – it displays the information/answers via a chart, report or graph, which can be understood by a large audience.

3. What are the components of Splunk?
Answer: Splunk has four important components:

Indexer – It indexes the machine data
Forwarder – Refers to Splunk instances that forward data to the remote indexers
Search Head – Provides GUI for searching
Deployment Server – Manages the Splunk components like indexer, forwarder, and search head in a computing environment.

4. What are the types of Splunk forwarder?
Answer: Splunk has two types of forwarder, which are as follows:

Universal Forwarders – They perform processing on the incoming data before forwarding it to the indexer.
Heavy Forwarders – They parse the data before forwarding it to the indexer, and also work as an intermediate forwarder or remote collector.

5. What are alerts in Splunk?
Answer: An alert is an action that a saved search triggers at regular intervals over a time range, based on the results of the search. When an alert is triggered, various actions occur as a consequence, for instance sending an email to a predefined list of people when the search triggers.

Three types of alerts:

Per-result alerts: The most commonly used alert type; it runs in real time over an all-time span. These alerts are designed so that they trigger whenever the search returns a result.
Scheduled alerts: The second most common type; scheduled alerts evaluate the results of a historical search running over a set time range on a regular schedule. You can define the time range, the schedule and the trigger condition for the alert.
Rolling-window alerts: These are a hybrid of per-result and scheduled alerts. Like the former, they are based on a real-time search, but they do not trigger each time the search returns a matching result. The alert examines all events in real time within the rolling window and triggers when the specified condition is met by the events in that window, much as a scheduled alert triggers on a scheduled search.

6. What are Splunk buckets? Explain the bucket lifecycle?
Answer: A directory that contains indexed data is known as a Splunk bucket. It also contains events of a certain period. Bucket lifecycle includes the following stages

Hot – It contains newly indexed data and is open for writing. For each index, there are one or more hot buckets available
Warm – Data rolled from hot
Cold – Data rolled from warm
Frozen – Data rolled from cold. The indexer deletes frozen data by default but users can also archive it.
Thawed – Data restored from an archive. If you archive frozen data, you can later return it to the index by thawing (defrosting) it.

7. What command is used to enable and disable Splunk to boot start?
Answer: To enable Splunk to start at boot, use the following command:

$SPLUNK_HOME/bin/splunk enable boot-start

To disable Splunk from starting at boot, use the following command:

$SPLUNK_HOME/bin/splunk disable boot-start

8. What is the eval command?
Answer: It evaluates an expression and assigns the resulting value to a destination field. If the destination field matches an already existing field name, the existing field is overwritten with the result of the eval expression. This command evaluates Boolean, mathematical and string expressions.

Using eval command:

Convert Values
Round Values
Perform Calculations
Use conditional statements
Format Values

9. What is the lookup command and what is its use case?
Answer: The lookup command adds fields by looking at a value in an event, referencing a lookup table, and adding the fields from the matching rows of the lookup table to your event.
… | lookup user group user as local_user OUTPUT group as user_group

10. What is the inputlookup command?
Answer: The inputlookup command returns the whole lookup table as search results.
For example
…| inputlookup intellipaatlookup returns a search result for every row in the table intellipaatlookup, which has two field values.

11. Explain the outputlookup command?
Answer: This command writes the current search results to a lookup table on disk.
For example
…| outputlookup intellipaattable.csv saves all the results into intellipaattable.csv.

12. What commands are included in the filtering results category?

where – Evaluates an expression for filtering results. If the evaluation is successful and the result is TRUE, the result is retained; otherwise, the result is discarded.
dedup – Removes subsequent results that match specified criteria.
head – Returns the first count results. Using head permits a search to stop retrieving events from disk once it finds the desired number of results.
tail – Unlike the head command, this returns the last count results.

13. What commands are included in reporting results category?

top – Finds the most frequent tuple of values of all fields in the field list, along with the count and percentage.
rare – Finds the least frequent tuple of values of all fields in the field list.
stats – Calculates aggregate statistics over a dataset.
chart – Creates tabular data output suitable for charting.
timechart – Creates a time series chart with the corresponding table of statistics.

14. What commands are included in the grouping results category?
Answer: transaction – Groups events that meet different constraints into transactions, where transactions are the collections of events possibly from multiple sources.

15. What is the use of the sort command?
Answer: It sorts search results by the specified fields.
sort [] … [desc]
… | sort num(ip), -str(URL)
This sorts results by ip value in ascending order and by URL value in descending order.

16. Explain the difference between search head pooling and search head clustering?
Answer: Search head pooling is a group of connected servers used to share load, configuration and user data, whereas search head clustering is a group of Splunk Enterprise search heads that serves as a central resource for searching. Since the search head cluster supports member interchangeability, the same searches and dashboards can be run and viewed from any member of the cluster.

17. Explain the function of Alert Manager?
Answer: Alert manager displays the list of most recently fired alerts, i.e. alert instances. It provides a link to view the search results from that triggered alert. It also displays the alert’s name, app, type (scheduled, real-time, or rolling window), severity and mode.

18. What is SOS?
Answer: SOS stands for Splunk on Splunk. It is a Splunk app that provides a graphical view of your Splunk environment performance and issues. It has the following purposes:

Diagnostic tool to analyze and troubleshoot problems
Examine Splunk environment performance
Solve indexing performance issues
Observe scheduler activities and issues
See the details of the scheduler and user-driven search activity
Search, view and compare configuration files of Splunk

19. What is Splunk DB connect?
Answer: It is a general SQL database plugin that permits you to easily combine database information with Splunk queries and reports. It provides reliable, scalable and real-time integration between Splunk Enterprise and relational databases.

20. What is the difference between the Splunk App Framework and Splunk SDKs?
Answer: Splunk App Framework resides within Splunk’s web server and permits you to customize the Splunk Web UI that comes with the product and develop Splunk apps using the Splunk web server. It is an important part of the features and functionalities of Splunk Software, which does not license users to modify anything in the Splunk Software.

Splunk SDKs are designed to allow you to develop applications from the ground up and not require Splunk Web or any components from the Splunk App Framework. These are separately licensed to you from the Splunk Software and do not alter the Splunk Software.

21. What is Splunk indexer and explain its stages?
Answer: The indexer is a Splunk Enterprise component that creates and manages indexes. The main functions of an indexer are:

Indexing incoming data
Searching indexed data

The Splunk indexer has the following stages:

Input: Splunk Enterprise acquires the raw data from various input sources, breaks it into 64K blocks and assigns each block some metadata keys. These keys include the host, source and sourcetype of the data.
Parsing: Also known as event processing. During this stage Splunk Enterprise analyzes and transforms the data: it breaks the data into streams, identifies, parses and sets timestamps, and performs metadata annotation and transformation of the data.
Indexing: In this phase, the parsed events are written to the index on disk, including both the compressed raw data and the associated index files.
Searching: The search function plays the major role during this phase, as it handles all searching aspects (interactive and scheduled searches, reports, dashboards, alerts) on the indexed data and stores saved searches, events, field extractions and views.

22. What is the use of the replace command?
Answer: The replace command performs a search-and-replace of specified field values with replacement values. The values in a search and replace are case sensitive. Syntax:
replace ( WITH )… [IN ]
… | replace *localhost WITH localhost IN host changes any host value that ends with "localhost" to "localhost".

23. List .conf files by priority?
Answer: File precedence in Splunk is as follows:

System local directory: top priority
App local directories
App default directories
System default directory: lowest priority

24. Where is Splunk default configuration stored?
Answer: The Splunk default configuration is stored at $SPLUNK_HOME/etc/system/default

25. How to reset Splunk admin password?
Answer: To reset the password, follow these steps:

Log in to the server on which Splunk is installed
Rename the password file at $SPLUNK_HOME/etc/passwd
Restart Splunk
After the restart, you can log in using the default username admin and password changeme.

26. How to list all the saved searches in Splunk?
Answer: Using the rest command, which must be the first command of the search:
| rest /servicesNS/-/-/saved/searches splunk_server=loca

27. State the difference between the stats and eventstats commands?
stats – This command produces summary statistics of all existing fields in your search results and stores them as values in new fields.
eventstats – It is the same as the stats command, except that the aggregation results are added inline to every event, and only if the aggregation is applicable to that event. It computes the requested statistics just like stats but attaches them to the original raw events.

28. What Are the Components Of Splunk/Splunk Architecture?
Answer: Below are the components of Splunk:

Search head – provides the GUI for searching
Indexer – indexes machine data
Forwarder – forwards logs to the indexer
Deployment server – manages Splunk components in a distributed environment

29. Which Is Latest Splunk Version In Use?
Answer: Splunk 6.3.

30. What Is A Splunk Forwarder And What Are Types Of Splunk Forwarder?
Answer: There are two types of Splunk forwarder as below:

Universal forwarder (UF) – a Splunk agent installed on a non-Splunk system to gather data locally; it cannot parse or index data.
Heavyweight forwarder (HWF) – a full instance of Splunk with advanced functionality. It generally works as a remote collector, intermediate forwarder and possible data filter; because they parse data, they are not recommended for production systems.

31. What Are Most Important Configuration Files Of Splunk Or Can You Tell Name Of Few Important Configuration Files In Splunk?

32. What Are Types Of Splunk Licenses?

Enterprise license
Free license
Forwarder license
Beta license
Licenses for search heads (for distributed search)
Licenses for cluster members (for index replication)

33. What Is Splunk App?
Answer: A Splunk app is a container/directory of configurations, searches, dashboards, etc. in Splunk.

34. Where Is Splunk Default Configuration Stored?
Answer: $SPLUNK_HOME/etc/system/default

35. What Features Are Not Available In Splunk Free?
Answer: Splunk free lacks these features:

Authentication and scheduled searches/alerting
Distributed search
Forwarding in TCP/HTTP (to non-Splunk)
Deployment management

36. What Happens If The License Master Is Unreachable?
Answer: The license slave starts a 24-hour timer, after which search is blocked on that license slave (though indexing continues). Users will not be able to search data on that slave until it can reach the license master again.

37. What Is Summary Index In Splunk?
Answer: The summary index is the default summary index (the index that Splunk Enterprise uses if you do not indicate another one).
If you plan to run a variety of summary index reports you may need to create additional summary indexes.

38. Can You Write Down A General Regular Expression For Extracting Ip Address From Logs?
Answer: There are multiple ways to extract an IP address from logs. Below are a few examples; both capture the address into a field named ip.
Regular expressions for extracting an IP address:
rex field=_raw "(?<ip>\d+\.\d+\.\d+\.\d+)"
rex field=_raw "(?<ip>([0-9]{1,3}[.]){3}[0-9]{1,3})"
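As an added illustration (not from the original post), here are the two rex patterns above translated to Python's re module and run over constructed sample events. It also adds the octet-range check that neither pattern performs, because a truncated or out-of-range value landing in the ip field would silently corrupt any lookup, report or alert built on it. The field name ip and the sample events are assumptions.

```python
import re

# The two rex patterns from question 38 as Python named groups. SPL's rex
# needs a named capture group; (?P<ip>...) is the Python spelling of (?<ip>...).
LOOSE = re.compile(r"(?P<ip>\d+\.\d+\.\d+\.\d+)")
STRICT = re.compile(r"(?P<ip>(?:[0-9]{1,3}[.]){3}[0-9]{1,3})")

# Constructed sample events, not real log data.
EVENTS = [
    "Accepted password for alice from 10.1.2.3 port 52214 ssh2",
    "agent version 10.20.300.4000 checked in",
    "GET /index.html from 999.1.1.1 denied",
    "no address here",
]


def extract(pattern, event):
    """Return the captured ip field, or None when the pattern does not match."""
    m = pattern.search(event)
    return m.group("ip") if m else None


def is_valid_ipv4(value):
    """Check neither regex performs: exactly four octets, each in 0..255."""
    if value is None:
        return False
    parts = value.split(".")
    return len(parts) == 4 and all(p.isdigit() and 0 <= int(p) <= 255 for p in parts)


def run(events=EVENTS):
    """Apply both patterns to every event.

    Returns a list of (loose_match, strict_match, strict_match_is_valid).
    The version string shows the failure modes: the loose pattern swallows it
    whole, and the strict pattern matches a truncated prefix of it.
    """
    out = []
    for e in events:
        loose, strict = extract(LOOSE, e), extract(STRICT, e)
        out.append((loose, strict, is_valid_ipv4(strict)))
    return out


if __name__ == "__main__":
    for e, (loose, strict, ok) in zip(EVENTS, run()):
        print(f"{e!r}\n  loose={loose} strict={strict} valid={ok}")
```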

39. What Is the Difference Between the Stats and Transaction Commands?

The transaction command is most useful in two specific cases:

A unique id (from one or more fields) alone is not sufficient to discriminate between two transactions. This is the case when the identifier is reused, for example web sessions identified by cookie/client IP. Here, time spans or pauses are also used to segment the data into transactions. In other cases when an identifier is reused, say in DHCP logs, a particular message may identify the beginning or end of a transaction.
When it is desirable to see the raw text of the events combined rather than an analysis of the constituent fields of the events.

In other cases it is usually better to use stats, as its performance is higher, especially in a distributed search environment. Often there is a unique id and stats can be used.

40. How To Troubleshoot Splunk Performance Issues?

Check splunkd.log for any errors
Check for server performance issues, i.e. CPU/memory usage, disk I/O, etc.
Install the SOS (Splunk on Splunk) app and check for warnings and errors in its dashboards
Check the number of saved searches currently running and their system resource consumption
Install Firebug, which is a Firefox extension. After it is installed and enabled, log into Splunk (using Firefox), open Firebug's panels and switch to the 'Net' panel (you will have to enable it).

41. Who Are The Biggest Direct Competitors To Splunk?
Answer: Sumo Logic, etc.

42. How Does Splunk Determine 1 Day, From A Licensing Perspective?
Answer: Midnight to midnight on the clock of the license master.

43. How Are Forwarder Licenses Purchased?
Answer: They are included with Splunk, no need to purchase separately.

44. How To Disable Splunk Launch Message?
Answer: Set the value OFFENSIVE=Less in splunk-launch.conf

45. What Is Btool, Or How Will You Troubleshoot Splunk Configuration Files?
Answer: btool is a command-line tool that helps troubleshoot configuration file issues, or simply shows which values are actually in use by your Splunk Enterprise installation in an existing environment.

46. What Is the Difference Between Splunk App And Splunk Add On?
Answer: Basically both contain preconfigured configurations, reports, etc., but a Splunk add-on does not have a visual app component, whereas a Splunk app has a preconfigured visual app.

47. What Is .conf Files Precedence In Splunk?

File precedence is as follows:

System local directory: highest priority
App local directories
App default directories
System default directory: lowest priority
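Added illustration, not Splunk's own code and not btool: a small Python model of the four-layer precedence listed in questions 23 and 47, merging constructed server.conf fragments so you can see which layer wins for each setting, which is the question btool (question 45) answers on a real installation. The stanza, keys and values are constructed for the example and are not Splunk's shipped defaults; only one app is modelled, so ordering between several apps is not covered.

```python
import configparser

# Precedence from highest to lowest, exactly as listed in questions 23 and 47.
PRECEDENCE = ["system/local", "app/local", "app/default", "system/default"]

# Constructed server.conf fragments for each layer. The values are made up for
# the illustration and are not Splunk's real defaults.
LAYERS = {
    "system/default": (
        "[sslConfig]\n"
        "sslVersions = tls1.0, tls1.1, tls1.2\n"
        "cipherSuite = DEFAULT\n"
        "allowSslRenegotiation = true\n"
    ),
    "app/default": "[sslConfig]\nsslVersions = tls1.1, tls1.2\n",
    "app/local": "[sslConfig]\ncipherSuite = ECDHE-RSA-AES256-GCM-SHA384\n",
    "system/local": "[sslConfig]\nsslVersions = tls1.2\n",
}


def parse(text):
    """Parse one .conf fragment into {stanza: {key: value}}, keeping key case."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # Splunk keys are case sensitive; do not lowercase them
    cp.read_string(text)
    return {s: dict(cp[s]) for s in cp.sections()}


def effective(layers=LAYERS):
    """Merge the layers lowest priority first so higher layers overwrite.

    Returns {stanza: {key: (value, winning_layer)}}, i.e. the value Splunk
    would use plus the directory it came from.
    """
    merged = {}
    for layer in reversed(PRECEDENCE):
        for stanza, keys in parse(layers.get(layer, "")).items():
            for k, v in keys.items():
                merged.setdefault(stanza, {})[k] = (v, layer)
    return merged


def winner(stanza, key, layers=LAYERS):
    """(value, layer) for one setting, the way btool --debug would show it."""
    return effective(layers)[stanza][key]


if __name__ == "__main__":
    for k, (v, src) in effective()["sslConfig"].items():
        print(f"{k} = {v}    (from {src})")
```

Note that an app/local override of sslVersions alone would not take effect here, because system/local sets the same key and sits above every app directory.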

48. What Is Fishbucket Or What Is Fishbucket Index?
Answer: It is a directory or index at the default location /opt/splunk/var/lib/splunk. It contains seek pointers and CRCs for the files you are indexing, so splunkd can tell whether it has already read them. It can be accessed through the GUI by searching for "index=_thefishbucket".

49. What Is Dispatch Directory?
Answer: $SPLUNK_HOME/var/run/splunk/dispatch contains a directory for each search that is running or has completed. For example, a directory named 1434308943.358 will contain a CSV file of its search results, a search.log with details about the search execution, and other files. Using the defaults (which you can override in limits.conf), these directories are deleted 10 minutes after the search completes, unless the user saves the search results, in which case the results are deleted after 7 days.

50. What Is the Difference Between Search Head Pooling And Search Head Clustering?
Answer: Both are features provided by Splunk for high availability of the search head in case any one search head goes down. Search head clustering was introduced more recently, and search head pooling will be removed in upcoming versions. A search head cluster is managed by a captain, and the captain controls its slaves. Search head clustering is more reliable and efficient than search head pooling.

Note: Browse latest Devops Interview Questions and Devops training videos. Here you can check Devops Online Training details and Devops Training Videos for self learning. Contact +91 988 502 2027 for more information.
