Splunk 101

Question 1

What is Machine Data?

Answer 1

Machine data is automatically generated by programmable things, like factory machinery, smart cars, smart city systems, IoT devices, IT infrastructure, and the smartphones we carry.

Question 2

What does Splunk software do?

Answer 2

Splunk gathers, analyzes, filters, refines, and allows to search into big piles of machine data, to aid (mostly buisness) decision making.

Question 3

What is Splunk?

Answer 3

Splunk is proprietary software that logs, stores, and analyzes enormous amounts of data quickly to derive insights from the patterns discovered.

Question 4

What are 3 basic components of Splunk?

Answer 4

Forwarder: collects data at the source and forwards it to the indexers.
Indexers: stores and organizes data, and makes it searchable
Search Head: transforms data into desired end products, such as reports and alerts

Question 5

What is a database?

Answer 5

A database is an organized collection of structured information, or data, typically stored electronically in a computer system.

Question 6

Give a few examples of databases

Answer 6

MySQL, SQL server, Oracle, Redis

Question 7

What is a forwarder and what does it do?

Answer 7

A forwarder collects data at the source and forwards it on to the indexers for processing.

Question 8

What is an indexer and what does it do?

Answer 8

An indexer parses, organizes and stores data, and maintains searchable copies of data.

Question 9

What is a search head and what does it do?

Answer 9

A search head allows a user to retrieve data and transform it into usable insights using reports and alerts.

Question 10

How does data flow through Splunk?

Answer 10

From the source, it gets collected with the forwarder, sent to the indexers for parsing, processing and storage. The users then access the search head, which will communicate with the indexers to retrieve the data that the user is looking for.

Question 11

What is a deployment server and what does it do?

Answer 11

A deployment server is a configuration manager that sends configurations (or settings that tell a server how to behave) to any cluster of servers. It can be used with all three main components: forwarders, indexers or search heads.

Question 12

What is a deployment client?

Answer 12

A deployment client is any server that receives configurations from the deployment server. That could be a forwarder, a search head or an indexer.

Question 13

What is a serverclass?

Answer 13

A serverclass is a logical grouping of a group of deployment clients that are meant to receive a set of (the same) configurations. A serverclass can be grouped by location, by machine type, by component or any of that combined.

Question 14

How does serverclass relate to the deployment server?

Answer 14

A serverclass relates to a deployment server because a deployment server must have a targeted group of servers set up to receive its configurations. We do this by putting servers into serverclasses that will all receive the same set of config files.

Question 15

What is a purpose of configuration files in Splunk?

Answer 15

Configuration files program the behavior of a server by setting attributes. This is similar to going into “Preferences” of a new cellphone to configure your preferred settings, or changing the “Settings” within a computer.

Question 16

Name the 4 basic indexer and forwarder level configuration files, and what do they do?

Answer 16

Inputs.conf - tells Splunk which files to monitor within a server
Outputs.conf - tells Splunk where to send the data that it has collected
Indexes.conf - configures the indexes and instructs the indexers on how to retain the incoming data
Props.conf - stands for “properties”, and this configures the properties of the incoming data and the way it is parsed

Question 17

How are serverclasses, deployment servers, deployment-apps and inputs.conf all connected?

Answer 17

You place an inputs.conf file within the deployment-apps directory WITHIN the deploymentserver, and this configuration file tells a server which directory to monitor.

On the deployment server, you then create a serverclass, where you place the inputs.conf. You then add the client(s) that need to receive this configuration. Once a client is added to a serverclass, it will receive whatever configurations are also placed within the serverclass.

Question 18

How would you install any Splunk component that is not a universal forwarder?

Answer 18

Via Splunk enterprise installer package, so technically I would not install a Splunk component, but configurate the package to be given Splunk component.

Question 19

What is the maximum number of concurrent users per search head?

Answer 19

12

Question 20

What is a data centre?

Answer 20

A data center is a facility used to house computer systems or servers and associated components, such as network communications and storage systems.

Question 21

What does “on-prem” mean?

Answer 21

On-premises software (also incorrectly referred to as on-premise, and alternatively abbreviated “on-prem”) is installed and runs on computers on the premises of the person or organization using the software, rather than at a remote facility such as a server farm or cloud.

Question 22

With what packages is Splunk installed?

Answer 22

Universal Forwarder Installer Package and Splunk Enterprise Installer Package

Question 23

Name a few popular network devices vendors

Answer 23

Huawei, Cisco, NVIDIA, Aruba, Dell

Question 24

What is a difference between front end users/clients and Splunk admins?

Answer 24

Front end users/clients are people who use Splunk who are not Splunk admins
Splunk admins are people with through and through knowledge about Splunk, and they manage it on front end, and back end level

Question 25

Name a few data types

Answer 25

JSON, XML, CSV, syslog

Question 26

Where do you place .conf files on deployment server?

Answer 26

[splunk home]/etc/deployment-apps/[app name]/local/[config file]

Question 27

At what level the data is being stored in Splunk?

Answer 27

Data is being stored at the indexer level.

Question 28

What do we call as an “agent” in Splunk environment?

Answer 28

The universal forwarder

Question 29

What does deployment server manages?

Answer 29

Deployment Server manages it’s clients, so other Splunk components/servers.

Question 30

How to make sure that a new changes to the configuration files are going to be saved?

Answer 30

We have to restart Splunk

Question 31

What is the maximum amount of data that can flow through Indexer daily?

Answer 31

250 gb

Question 32

How to know from monitorin stanza, if the data is being gathered on linux or windows server?

Answer 32

windows:
monitor://C:\app\log\data\catalina.out
linux:
monitor:///varl/log/secure

Question 33

Where are Splunk configuration files stored?

Answer 33

Splunk_home/etc/

Question 34

What does indexes.conf file do?

Answer 34

Specifies the name of the index, how to store the data that has been indexed and how long it needs to be stored

Question 35

What does props.conf do?

Answer 35

Tells Splunk how to parse and refine the data

Question 36

What does Inputs.conf do?

Answer 36

Tells Splunk what data to monitor and where
monitor://C:\app\log\data\catalina.out
disabled=0
sourcetype=syslog
index=security

Question 37

What does Outputs.conf do?

Answer 37

Tells Splunk where to send the data it has just collected
[tcpout:indexer_group]
disabled=false
server = [ipadress]:[port]

Question 38

What is a deployment-app?

Answer 38

It is a bundle of configuration files managed by deployment server

Question 39

Which Splunk component doesn’t have GUI?

Answer 39

The universal forwarder

Question 40

How to access search head of Splunk?

Answer 40

Through ip adress, a port, and credenstials

Question 41

What file would tell Splunk for how long to store the data for?

Answer 41

indexes.conf

Question 42

What do you see on the search head?

Answer 42

Graphs, charts, reports, dashboards, visualizations, etc…

Question 43

How does JSON data look like?

Answer 43

Check it out on google images

Question 44

How does CSV data look like?

Answer 44

Check it out on google images

Comma Seperated Values

Question 45

How does syslog data look like?

Answer 45

Check it out on google images

Question 46

How does XML data look like?

Answer 46

Check it out on google images