Module 1: Splunk Cloud Overview

Question 1

What are the three core components of Splunk?

Answer 1

• Indexer
• Search head
• Universal forwarder

Question 2

What is an indexer?

Answer 2

receives, parses and stores machine data in files. Serves search requests

Question 3

What is a search head?

Answer 3

web interface for the users. Dispatch searches to indexe

Question 4

What is a universal forwarder?

Answer 4

collects data from the clients and forwards for indexing

Question 5

What are the features of a License Master?

Answer 5

o manages Splunk licenses.
o Other Splunk components are license slaves
o Can be a co-located with other components such as Monitoring console
o Licenses can be managed through Splunk Web

Question 6

What are the features of a Deployment Server?

Answer 6

o Managed configuration files on the deployment clients
o Maintains configuration is serverclass.conf
o Alternative such as ansible / puppet can be used
o Configuration files are packaged as apps
o Deployment clients periodically poll Deployment server

Question 7

What are the features of a Cluster master?

Answer 7

o Managed the indexer cluster
o There is only one cluster master
o Maintains data bucket status and handles replication
o Distributes configuration files and apps to Cluster members

Question 8

What are the features of a Search head deployer?

Answer 8

o Distributes apps and configuration files to search head cluster members
o Keeps the files in $SPLUNK_HOME/etc/shd-apps
o Cannot run on the same instance as a cluster member

Question 9

What are the features of a Monitoring console?

Answer 9

o A Web apps that helps to monitor the system health
o Rich set of charts and stats
o One-stop-shop to monitor everything
o Only admins have access

Question 10

What are the features of a Heavy Forwarder?

Answer 10

o Can parse data before forwarding to indexer
o Full Splunk enterprise binary with distributed search disabled
o Can also index data locally
o Smaller footprint compared to indexer