T-Forms(post E3 #1)

Question 1

what is transforms.conf

Answer 1

where we specify transformations and lookups that can then be applied to any event.

These transforms and lookups are referenced by name in props.

Question 2

main difference between props and transforms

Answer 2

-props is responsible for how data breaks and parses

-transforms is responsible for how data looks

Question 3

Props and Transfroms work together

Answer 3

Transforms will not work without props
-props says “do this, but go see transforms for instruction”
-transforms says, “this is how you do it”

Question 4

Name more functions of Transforms.conf

Answer 4

-Manipulates data before it gets indexed
-Transforms and alters raw data
-Has the ability to change metadata

Question 5

List the common uses of Transfroms

Answer 5

-Sending events to Null queue
-Separating a single sourcetype into multiple sourcetypes
-Host and source overrides based on Regex
-Delimiter-based field extractions
-Anonymizing data

Question 6

what is a splunk pipeline

Answer 6

In Splunk, a pipeline refers to the sequence of data processing stages that data goes through as it is ingested, indexed, and made available for searching and analysis.

Question 7

what is a splunk queue

Answer 7

queues are designed to help manage data flow, ensure data integrity, and handle system load efficiently.

Question 8

What is Splunkd considered and what are its subprocesses?

Answer 8

*Considered a main process
*the core Splunk process that runs on all Splunk components

1-Parsing queue/parsing pipeline
(linebreaking occurs)
2-Aggregation queue/merging pipeline
(Line merging & Time extraction)
3-Typing queue/typing pipeline
(More Regex occurs here than in parsing pipeline)
4-Indexing queue/indexing pipeline
(syslog out,tcp out, indexer)Final stop is disk after this

Question 9

What is the solution for when you do not want to index unwanted data?

Answer 9

Send events to null queue

Question 10

Why do we want to prevent unwanted data from indexing ?

Answer 10

Do not want extra work, takes more time processing, and is a waste of storage

Question 11

List all 4 Splunk pipelines in order

Answer 11

1. Parsing pipeline
2. Merging pipeline
3. Typing pipeline
4. Index pipeline

Question 12

Explain process of Splunk pipeline and queues

Answer 12

see class notes

Question 13

What should you do if backlog is caused because process is frozen?

Answer 13

Restart Instance

Question 14

Facts about Regex in Splunk pipeline

Answer 14

-More Regex happening in Typing pipeline than parsing pipeline
-More Regex in transfroms.conf(mostly in typing pipeline)

Question 15

What configurations do we control in Splunk pipeline?

Answer 15

props.conf and transforms.conf

Question 16

what is a debug event in splunk

Answer 16

a log entry or event that contains information about the internal workings, troubleshooting details, or debugging information related to the Splunk platform itself.

Question 17

how do you generate a debug event in splunk

Answer 17

command-line tool called logger -located in the bin directory

use it to log custom messages or debug information.

Question 18

Define transforms.conf stanza

Answer 18

-DEST_KEY= destination key telling splunk what you want to send to queue

• FORMAT = specify which queue

-REGEX=DEBUG is looking for any event associated with that match

Question 19

Filepath for transfroms.conf and props.conf

Answer 19

Forwarder Level- $SPLUNK_HOME/etc/deployment-apps/app-name/local/props.conf

Indexer Level
$SPLUNK_HOME/etc/master-apps/app-name/local/props.conf

Question 20

Why would we want to split a single sourcetype into multiples ?

Answer 20

-a log might contain events that are kind of different from each other

-sometimes logs are just written in a messed up and funny way

Question 21

Explain the process of splitting single sourcetype into multiples

Answer 21

1. First make a reference in props.conf
2. Then, define in transforms.conf
   (See class notes for pic)

**Same exact steps for Host and source override

Question 22

What is a delimiter? and What is a field extraction?

Answer 22

Delimiter=limit
Field Extraction=key value pair

Delimiter-based field extractions in Splunk are used to extract fields from data that is separated by delimiters. Delimiters are characters that are used to separate fields in data, such as commas, spaces, or tabs.

Question 23

Where does transforms.conf go on the searchhead level?

Answer 23

$SPLUNK_HOME/etc/apps/app-name/local/transforms.conf

OR

$SPLUNK_HOME/etc/shcluster/apps/<app>/local/transforms.conf</app>

Question 24

What must you use when setting delimiter-based field extractions ?

Answer 24

REPORT instead of Transforms.conf

Question 25

Types of data that should be anonymized

Answer 25

Title 13 Data = Class of protected data containing private business or personal information

PII = Personal Identifying Information

PHI = Protected Health Information

Title 26 Data = Class protected data containing Federal Tax Information

Question 26

Review how to set up anonymization

Answer 26

Look at class notes

Question 27

At what point or stage is anonymizing done?

Answer 27

It is done before the indexing pipeline where data is written to disk –i.e. private information is never stored in Splunk.

Anonymizing happens in the typing pipeline.

$SPLUNK_HOME/etc/master-apps/<same_app_name_>/local/props.conf</same_app_name_>

$SPLUNK_HOME/etc/master-apps/<same_app_name_>/local/transforms.conf</same_app_name_>

Question 28

Where else can anonymizing occur?

Answer 28

Heavy Forwarder

Clients of the DS:
$SPLUNK_HOME/etc/deployment-apps/<same_app_name_>/local/props.conf</same_app_name_>

$SPLUNK_HOME/etc/deployment-apps/<same_app_name_>/local/transforms.conf</same_app_name_>

Standalone HFs:
$SPLUNK_HOME/etc/apps/<same_app_name_>/local/props.conf</same_app_name_>

$SPLUNK_HOME/etc/apps/<same_app_name_>/local/transforms.conf</same_app_name_>

Question 29

What do you use to hash data?

Answer 29

props.conf only + SEDCMD

Question 30

Explain how to hash data with props.conf only + SEDCMD

Answer 30

See class notes

Question 31

What should you do when your Splunk pipeline has a fill ratio of 100%?

Answer 31

When you have a fill ratio of 100% and a backlog you can open up a second pipeline and direct overfill of events to it

Set number of events a queue can hold = Fill Ratio