Data Collection

Question 1

Describe different ways data can be ingested by an indexer

Answer 1

• Universal Forwarder, Heavy Forwarder
• Monitor Files
• Scripted Inputs
• Network Inputs (TCP, UDP)
• HEC
• WindowsEventLog,admon,perfmon,regmon
• FirstInFirstOut (FIFO)

Question 2

What firewall rules needs to be defined for Splunks applicationserver (default port 8065)

Answer 2

None. It is a loopback port only for internal communication.

Question 3

List the types of Forwarder

Answer 3

• Universal Forwarder (smallest footprint)
• Heavy Forwarder (medium footprint)
• Light Forwarder [deprecated since v6] (smaller footprint)

Question 4

What is the chunk size of data send from an Universal Forwarder to an Indexer?

Answer 4

A forwarder sends data in 64kb blocks (unparsed)

Question 5

How do you make sure that data from a Universal Forwarder does not arrive truncated or trashed on the indexer tier?

Answer 5

Always configure EVENT_BREAKER and EVENT_BREAKER_ENABLE. The regex can be copied from LINE_BREAKER. This makes sure that the the Universal Forwarder does send properly broken data chunks to the indexer tier.

Question 6

List the most common pre-trained sourcetypes

Answer 6

• Application Server (log4j, Websphere)
• Mailserver (sendmail, postfix)
• OS (Linux, Windows, OSX)
• Network (Cisco)
• Datebases (DB2, mysql)
• Webserver (access_combined, apache)

Question 7

What is the fishbucket?

Answer 7

Splunk remembers in here what it has read

Question 8

Is the _fishbucket index an real index?

Answer 8

It used to be a real index until version 3.x. It still lives in the $SPLUNK_DB directory but it has its own structure, based on a btree database.

Question 9

How can you reset a file to be re-indexed again?

Answer 9

Stop splunk
-------------------
./splunk cmd btprobe -d $SPLUNK_HOME/var/lib/splunk/fishbucket/splunk_private_db 
--file  --reset 
-------------------
Start splunk

Question 10

Describe steps to troubleshoot data inputs?

Answer 10

• Checking splunkd log
• Using btool (splunk btool –debug input list)
• Activating debugging
• Check permissions on the source file
• Check input format (e.g. binaries, non-utf8 conform)
• Check if file exists
• Check network connection
• Check CRC of the file
• Tailing processor can be checked with ./splunk _internal call /services/admin/inputstatus/TailingProcessor:FileStatus

Question 11

How do you clean the eventtdata from an index?

Answer 11

Stop splunk
-------------------
./splunk clean eventdata -index  
( to clean all indexes, just drop off -index  )
-------------------
Start splunk

Question 12

What happens if you remove the fishbucket index on a Universal Forwarder?

Answer 12

It kicks of a process to re-index all eventdata. Be very careful to proceed with this step. Only recommended in a well planned scenario.

Question 13

What is a oneshot?

Answer 13

Copy the file directly into Splunk. This uploads the file once, but Splunk Enterprise does not continue to monitor it.

You cannot use the oneshot command against a remote Splunk Enterprise instance. You also cannot use the command with either recursive folders or wildcards as a source. Specify the exact source path of the file you want to monitor.

This is a common method for PS consultants to test and validate props/transforms configurations.

Question 14

What are the great eight?

Answer 14

EVENT_BREAKER_ENABLE = true
EVENT_BREAKER = \r\n
MAX_TIMESTAMP_LOOKAHEAD = 30
TIME_PREFIX = ^
TIME_FORMAT = %Y-%m-%d %H-%M-%S
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)
TRUNCATE = 100000

Question 15

Why the great eight are recommended to use?

Answer 15

Because it improves the data process significant. Splunk gets everything what it needs to know to parse data. There is no need to detect the settings by itself, which redues the load. It is best practise to always use the great eight.

Question 16

How does a monitor input configuration looks like if you want to index two files from /var/log/, based on best practises?

Answer 16

inputs.conf:

[monitor:///var/log]
whitelist = (openvpnas.log.|secure.)$
index=syslog

props.conf

[source::…openvpnas.log*]
sourcetype = openvpn:log

[source::…secure*]
sourcetype = linux:secure

This configuration makes sure that there is no overlapping in reading the inputs.

Question 17

How do you configure a heavy forwarder properly?

Answer 17

By activating the default app /apps/SplunkForwarder on a full instance

Question 18

How do you configure a light forwarder properly?

Answer 18

By activating the default app /apps/SplunkLightForwarder on a full instance

Question 19

When should a batch input not be used?

Answer 19

This should not be used for files that continue to be written to

Question 20

Is WMI the way to go to index Windows data?

Answer 20

No, it is not recommended to use WMI. There are security concerns related to WMI. There are also effiency reasons. There are informations that WMI did not get any improvments since Windows Server 2008.

Question 21

Does the HEC inputs.conf can live under its own app context?

Answer 21

No, that is not possible. HEC inputs.conf always needs to live in the app context of of $SPLUNK_HOME/splunk_httpinput/local/inputs.conf to work properly.

Question 22

How does Splunk know where to put the incoming data from a HEC input?

Answer 22

It is defined by the HEC token. The token gets associated with sourcetype/index while it gets generated.

Question 23

What else (next to defining the destination index and sourcetype) can the HEC token do?

Answer 23

It is also the authentication method

Question 24

What is the definition of cooked data?

Answer 24

Cooked data covers a parsed and unparsed data stream (but not raw data).

Question 25

What is crcSalt?

Answer 25

If set to ‘source’ , the full directory path to the source file is added to the CRC. This ensures that each file being monitored has a unique CRC.

Not recommended for rotating files.

Question 26

When Splunk checks a file for changes, how many characters does Splunk look into the file to check for changes?

Answer 26

The first 256 bytes (default)