Practice Questions-1

Question 1

Too many forwarders to manage-what splunk instance would you add to your architecture?

Answer 1

deployment server=can group forwarders together and make them clients

Question 2

In your deployment app you are Configuring inputs.conf to bring in new data-you then search with search head and cannot find the data. What happened?

Answer 2

-didn’t send deployment apps to correct serverclass
-mistake in monitoring stanza
-did not put right index
-severclass has not phoned home
-turn monitoring on(BEST ANSWER)

Question 3

What directory must you place your outputs.conf file in-while in deployment app?

Answer 3

-local(directory)

Question 4

Command to edit configuration files

Answer 4

-vi

Question 5

You are assigned to deploy a new app to update 10 deployment input.conf files-what splunk instance would you log into? And what would you do to update them?

Answer 5

-log onto deployment server and then add app to serverclass so input.conf files get update

Question 6

What is the absolute path to get to deployment apps?

Answer 6

/opt/splunk/etc/deployment apps/appname/local/config file

Question 7

Port number used for indexer to receive data from forwarder

Answer 7

9997

Question 8

If I wanted to ensure that data isn’t being duplicated when my server goes down can you tell me where in Splunk I should look?

Answer 8

_Fishbucket index

Question 9

You notice that your newly monitored data is not in the index that you configured to be in?

Answer 9

It is in main and you would go into the file and fix the index

Question 10

Hot bucket

Answer 10

Directory where all new data enters into INDEX and is written to disk.

Question 11

Explain bucket lifecycle

Answer 11

1-Bucket lifecycle starts at the hot bucket which is the directory where all the data enters into the index and is written to disk; the most recent data is here.

2-The next tier down is the warm bucket, data comes here when Splunk is restarted or the hot bucket is full. This data shares the same path as the hot bucket and stores recent, frequently searched data on a fast disk.

3-Next, is the cold bucket where rarely searched data that has aged and is tucked away into slower and cheaper storage. While read-only and still searchable, this is considered the archive tier.

4-Lastly, is the frozen bucket in which data is pushed to dead media like tape or deleted. Not searchable-must recover files through a thawing process before the data becomes searchable again.

Question 12

Process to unthaw buckets?? And regain access??

Answer 12

Move that file into thaw directory and rename it to a name that splunk recognizes

Question 13

How to Turn off monitoring?

Answer 13

in the monitoring stanza change disable to 1

Question 14

Just finished editing all configuration files and you want to see changes take effect what to do?

Answer 14

restart splunk

Question 15

What is maxhotbuckets attribute for

Answer 15

maximum hot buckets that can be indexed and default is 10

Question 16

Tcpout in output.conf

Answer 16

TCP protocol/sends data and confirmation

Question 17

Deployment server and client relationship??

Answer 17

Manages forwarders, indexers, and searchheads by making them deployment clients. Anything that the deployment server manages is called a client. Deployment servers contain serverclasses-clients grouped in serverclasses help distinguish what set of configurations a client should get.

Question 18

How does splunk determine how much to charge

Answer 18

volume of data being indexed

Question 19

Splunk component referred to as splunk agent

Answer 19

UF

Question 20

Two types of data within indexes

Answer 20

raw data and tsidx

Question 21

What is being added to tsidx

Answer 21

metadata(host, ip address, or FQDN AND source and sourcetype)

Question 22

Co worker made unauthorized changes to server what index would you use and why

Answer 22

audit index; stores events related to activities conducted in Splunk such as file system changes and user auditing

Question 23

What is purpose of license master

Answer 23

so you wont go over data and charge you based on volume of data being indexed

Question 24

Indexing stage of splunk?

Answer 24

1.events are put into storage segments called buckets(that can be searched) 2. writing raw data and index files to disk

Question 25

Explain round robin?

Answer 25

When you enable Round Robin for a data input, it instructs Splunk to cycle through the available indexers in a circular or round-robin fashion, sending data to each indexer one after the other.

-It helps with load balancing, fault tolerance, and scalability,

Question 26

What is a distributed search?

Answer 26

key feature that allows you to search and analyze data across multiple Splunk instances or indexers in a distributed Splunk deployment. This is especially useful in large-scale environments where the volume of data to be searched and analyzed exceeds the capacity of a single Splunk instance.

Question 27

Filepath to warm??

Answer 27

$splunk_home /var/lib/splunk/defaultdb/db/

Question 28

How does data enter server

Answer 28

ports and ip address and forwarder

Question 29

What does splunk home mean for file path?

Answer 29

specifies the path where Splunk Enterprise is installed

Question 30

When is metadata applied??

Answer 30

Parsing stage

Question 31

Why is it better to configure indexes to rollover by time instead of size

Answer 31

don’t want it to rollover before you need it too

Question 32

Which splunk components parses data ?

Answer 32

Indexers and heavy forwarders

Question 33

Json vs syslog

Answer 33

both structured data and easily parsed by splunk

Question 34

Used to access splunk GUI

Answer 34

search head and ip address and port in searchbar

Question 35

Server went down for a couple hours, which index saved the day

Answer 35

internal index

Question 36

Where do you find buckets in linux file system

Answer 36

splunk_home var/lib/splunk

Question 37

Change metadata in your data-what splunk instance would you log into? And what config file you edit?

Answer 37

Log into deployment server and Edit inputs.conf(contains host,source,sourcetype)

Question 38

Configure data to roll to frozen

Answer 38

frozentimeperiodinSecs(86400 x (hot days + cold days)=retention time)

Question 39

Mutiple indexers makes searches much easier

Answer 39

add more if you ingest more data

Question 40

Find Appropriate amount of storage

Answer 40

use splunk calculator(Splunk storage sizing)

Question 41

File path for splunk exectuable files

Answer 41

opt/splunk/bin

Question 42

What is a Heavy Forwarder? And what are its limitations?

Answer 42

-An instance that is equipped with the ability to collect data input, forward them to indexers, and parse the data.

-One limitation is the HF has a smaller throughput than a UF(it can’t forward data quickly). This can cause bottlenecks and queued data to build up.

-UF is still the best, and recommended way to forward data from the source. Lightweight and simple in its design and serves only one purpose, forwarding.

-HF can be useful for data requiring index-time extractions or for the DBconnect system.