Transitioning to Splunk Cloud Flashcards

1
Q

What 5 things does Splunk Cloud Provide?

A

Hosted and supported by Splunk
Splunk Enterprise functionality on Splunk-hosted infrastructure
Reliability
Faster time to value
Cloud First Feature Releases

2
Q

Can Splunk Cloud Accommodate both virtual and real infrastructure?

A

Yes

3
Q

What two components can either be on prem or in the cloud with a cloud deployment?

A

-Universal Forwarder or Heavy Forwarder
-Intermediate UF/HF

4
Q

What are the customer responsibilities for the cloud deployment?

A

-Forward the data
-Manage configs for sourcetypes, indexes, and contextual details
-Administer and coordinate changes: users, retention, configurations, and needs handled with the Splunk account team or Professional Services (PS)

5
Q

What are the two usage based license types a cloud customer can use?

A

Ingestion or Infrastructure

6
Q

Describe ingest based license

A

-capabilities priced at a set daily ingest volume
-no additional cost to increase resources or for search activity

7
Q

Describe infrastructure/workload based license

A

Splunk Virtual Compute (SVC) units of data processing capacity, used for a mix of ingest and search
-capabilities at a set infrastructure size
-no ingest (license) violations
-prioritizing indexing or search may affect the performance of the other

8
Q

What are the 7 cloud benefits

A

Cloud Support and Ops Provides:
advice/troubleshooting support
Asset management and automated infra deploy
Automated processing and implementation
Regular maintenance and upgrade
Monitor/alert system health/security
IT Ops and security specialists
24/7 NOC

9
Q

Does Cloud have license pooling or access through the CLI to hosted components?

A

No to both: no license pooling and no CLI; there is search head (SH) GUI access only

10
Q

Can Apps be installed without a vetting process in the Cloud?

A

No, apps must comply with the app vetting policy

11
Q

What kind of secure forwarding does Cloud offer?

A

Secure SSL and TLS forwarding

12
Q

What are the two Cloud Experiences offered?

A

Classic and Victoria
Victoria - does not support hybrid search; does not need an Inputs Data Manager (IDM) because modular and scripted inputs run on the search head; manages HEC tokens through the Admin Config Service (ACS) API; has the option to install premium apps

13
Q

On Prem vs Cloud access differences

A

Cloud:
- no CLI
- only vetted and approved apps permitted
- can't send TCP/UDP inputs directly
- scripted alerts only supported in approved apps
- license pooling not supported
- HEC enabled on port 443
- API available through the API self-service app or Cloud support
- inbound TCP protocol only, with an SSL/TLS connection

14
Q

Do Splunk Cloud Users have access to the CLI?

A

No

15
Q

Can Direct TCP and syslog inputs be sent directly to Cloud?

A

Not in Cloud

16
Q

How is the HEC enabled in the Cloud?

A

Via the stack's elastic load balancer (ELB) on port 443

17
Q

What kind of network connection is supported in the cloud?

A

Inbound TCP protocol only with SSL secure connection

18
Q

What are the authentication options for managed splunk cloud?

A

Splunk Native and SAML and LDAP

19
Q

What are cloud apps installed via and deployed via?

A

Installed via search head and deployed via management app

20
Q

When can Cloud apps be installed through self service?

A

When they are vetted, on splunkbase, or if the customer accepts the liability

21
Q

With what release of cloud are most apps self service installations

A

Victoria

22
Q

What are the parameters of TCP connections needed for splunk cloud

A

TCP connections need an authorized role, secure token, credentials or certificate validation

23
Q

What is a hybrid search Head?

A

On prem SH initiated search to Cloud, can run searches to combine data from multiple locations, blended search on prem and/or cloud indexers
-not used for premium app SH

24
Q

How does Splunk Version Compatibility work for hybrid searches?

A

On prem SH must have same major.minor version as cloud

25
What are the limitations to a hybrid search topology?
Can't search multiple Cloud environments, and a Cloud SH cannot search on-prem indexers or another Cloud stack
26
Can Hybrid SH perform scheduled searches?
No
27
With which method of searching can the search span multiple Cloud and enterprise environments?
Federated Search
28
Which method of searching requires special syntax of generating commands?
Federated Search
29
Which type of search, hybrid or federated, supports workload management
Federated
30
Describe Federated Search version control and Architecture
Splunk 8.2.x and greater; supports all search tier management architectures (such as search head clustering)
31
What three admin tasks occur at the source on-prem components?
Forwarding of events, input definition/parsing (on prem parsing/masking), problem isolation
32
Through what cloud component does the cloud admin manage knowledge objects
Via splunk cloud search head
33
With what issues would a customer work with Cloud Support?
Performance and availability issues; Cloud deployment issues; config changes and maintenance; installing and managing apps
34
What three things does the Cloud Monitoring Console (CMC) Provide?
Monitoring and details of the topology; ingestion and search activity; orientation on overall health and performance
35
How does the CMC (cloud Monitoring Console) differ from the on prem monitoring console?
CMC is pre-configured, except that forwarder monitoring and workload management must be enabled by the customer
36
What is the purpose of the Cloud Migration Assessment App for Splunk?
Deploy on Monitoring Console server or SH to perform pre-checks and guidance on migration
37
What does the Phased Cloud Migration consist of?
Planning, Config and Artifact Migration, data Migration, Data collector Migration, post implementation checks
38
What is the average time for a cloud migration?
4-8 weeks
39
What does the planning phase of cloud migration consist of?
Assessing on prem splunk with health checks, gathering configs, recording priorities
40
What does the configuration phase of cloud migration consist of?
Preparing Cloud with indexes and authentications, configure cloud and IP Based access controls
41
What does the Artefact Migration phase of the cloud migration consist of?
Migrating search artefacts, apps, and workflows (dashboards, apps, alerts, field extractions etc)
42
What does the data migration phase of cloud migration consist of?
-replicate on-prem data inputs and sourcetypes, check CIM compliance, initiate historical data migration -deploy the credentials app to forwarders, point data sources to Splunk Cloud, check inputs along the ingest path (timestamps, line breaking, extractions)
43
How is access to the cloud enabled?
With authentication credentials via the user interface; the user account must be authenticated by Splunk or an external identity provider, and authorized by assignment to one or more Splunk roles
44
What are the three ways of establishing a user account?
Native Splunk, LDAP/Active Directory, or SAML
45
What two files maintain the splunk access controls?
authentication.conf: is the user who they say they are; authorize.conf: what resources they can access, what tasks they can perform, and what limits are placed on them
46
How should customers audit or remove users?
Raise a support ticket
47
What capability is needed for user manager roles, and is default for sc admins?
The change_authentication capability
48
What authentication method is not supported by Cloud?
DUO two factor authentication
49
What is a good way to troubleshoot authentication issues?
Create a unique Splunk Native admin account
50
When can authentication replicate?
When set up on clustered search heads
51
When using a mix of native Splunk, LDAP, & SAML users, which will take precedence?
Splunk Native
52
What user role is reserved for Cloud Ops?
Admin Role
53
What are two additional user roles that Cloud offers?
Sc_admin and apps
54
What actions are Splunk Cloud Admin allowed to do and why?
Edit/delete Splunk Native users; change the time zone and default app for LDAP/SAML users. Why: limited access in the Cloud
55
How are customer Identity providers connected and managed
Connected to splunk via internet and managed through splunk web
56
Does Splunk Cloud use existing customer configured accounts?
Yes; it enforces user account and password policies, can use local usernames and passwords in Splunk, and has the option to map IdP groups to Splunk roles
57
What must customers do to authenticate users in Cloud using LDAP?
-maintain read-only, internet-accessible LDAP servers -authenticate and authorize in Splunk
58
When does Splunk cache user data from LDAP?
The first time a user logs in AND its reloaded for subsequent logins if an update has been made
59
How many Identity Providers (IdP) can a customer using SAML have?
Limitation is currently 1 IdP
60
What type of authentication uses digitally signed XML Certificates from an IdP?
SAML
61
T/F when mapping SAML Groups to roles, only one group can be mapped to one role
False, multiple groups can be mapped to one role
62
What are the roles that users can have in splunk Cloud?
sc_admin, power, user, apps, can_delete, tokens_auth
63
What Cloud user role has the highest number of capabilities?
sc_admin
64
Which user role can add custom user roles
sc_admin
65
Which user role can manage apps and has some admin capabilities
Apps user role
66
Define the can_delete user role
Not assigned to any user role or group by default Can use |delete command to hide data
67
Define the tokens_auth user role capabilities
Enables users to configure token-based authentication
68
Custom user role authorization is a combination of what 5 things?
Role inheritance, capabilities, index access, restrictions and resource usage limits
69
T/F You can adjust the capabilities of inherited roles
False, inherited capabilities or access cannot be disabled
70
When creating a new user role and assigning indexes, what does selecting the ‘default’ checkbox for an index imply?
The index will be searched automatically without the user specifying "index=" in the search
71
What are role based restrictions used for when setting up a new user role?
Used to restrict the searches a role can run: a default time range, the indexes and fields/field values to filter on (with a concatenation option), and a search filter string applied to results
72
What do ‘Resources’ adjust when setting up a new user role?
Resources manages: role and user search job limits; role search time window limit; disk space limit
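The five parts of a custom role written out as the authorize.conf stanza that Settings > Roles produces, as an added example (not from the original deck or from Splunk's documentation). In Splunk Cloud you set this through the UI rather than editing the file, but the on-disk form shows inheritance, capabilities, index access, restrictions and resource limits side by side. The role, index and sourcetype names are made up.

```ini
# authorize.conf (hypothetical role, index and sourcetype names)
[role_soc_analyst]

# 1. Inheritance: everything 'user' can do comes along and cannot be switched
#    off in this stanza (inherited capabilities and index access stay enabled).
importRoles = user

# 2. Capabilities: only additions are possible here.
schedule_search = enabled

# 3. Index access: semicolon separated. srchIndexesDefault is searched when the
#    user does not type "index=" at all.
srchIndexesAllowed = security;firewall
srchIndexesDefault = security

# 4. Restrictions: srchFilter is ANDed onto every search this role runs;
#    srchTimeWin caps the time range in seconds (30 days here).
srchFilter = sourcetype=pan:traffic OR sourcetype=cisco:asa
srchTimeWin = 2592000

# 5. Resources: concurrent search jobs per user in this role, and the disk
#    quota (MB) for their search artifacts.
srchJobsQuota = 5
srchDiskQuota = 500
```

To confirm what the stack actually applied (card 73), run from the search head: `| rest /services/authorization/roles splunk_server=local | search title=soc_analyst | fields title imported_roles capabilities srchIndexesAllowed srchIndexesDefault srchFilter srchTimeWin srchJobsQuota srchDiskQuota`.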
73
Can you validate or check on user capabilities in the Cloud?
Yes, using REST API, there are searches you can run to get capability info
74
What is Workload Management?
A rule-based management to allocate compute resources (CPU and Memory) to search, index, and other user workloads
75
What is the benefit of workload management?
Improve performance, resource availability and productivity: Separate data ingest from search workload, Prioritize critical search workloads Isolate resource heavy searches
76
What are workload pools?
Logical containers which resources (CPU/ mem) are assigned to as part of WLM
77
What are workload Rules?
A user-defined set of conditions that allocates a search to a workload pool automatically or reduces the impact of expensive searches. Example of assigning a pool by criteria: role=security AND search_type=adhoc
78
What are workload management Admission Rules?
Filter searches automatically before execution based on user defined conditions like running searches in a certain time range and searches that use excessive resources
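Pools, a placement rule, an abort rule and an admission rule in on-disk form, as an added example (not from the original deck). Splunk Cloud manages workload management from Settings > Workload management; the stanzas below are the workload_pools.conf / workload_rules.conf equivalent of what that UI writes. Pool names and weights are made up, and the `search_time_range` predicate is quoted from memory of Splunk's admission-rule documentation, so check it against the current docs before copying it.

```ini
# workload_pools.conf (hypothetical pools)
[workload_category:search]
cpu_weight = 70
mem_weight = 70

# Catch-all pool for searches no rule matches.
[workload_pool:standard_perf]
category = search
cpu_weight = 30
mem_weight = 30
default_category_pool = true

# Isolated pool so SOC ad-hoc searches are not starved by scheduled load.
[workload_pool:security_adhoc]
category = search
cpu_weight = 70
mem_weight = 70

# workload_rules.conf
# Placement rule: the example predicate from the card, moved into its own pool.
[workload_rule:soc_adhoc_to_pool]
predicate = role=security AND search_type=adhoc
action = move
dest_pool = security_adhoc

# Runaway rule: kill ad-hoc searches that have been running for half an hour.
[workload_rule:abort_runaway_adhoc]
predicate = search_type=adhoc AND runtime > 30m
action = abort

# Admission rule (action = filter): rejected before execution, so an
# all-time ad-hoc search never consumes a pool slot at all.
[workload_rule:block_alltime_adhoc]
predicate = search_type=adhoc AND search_time_range=alltime
action = filter
```

Rules are evaluated in the order the UI lists them, so put the narrow placement rules ahead of broad ones.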
79
Why is “users unable to search” a commonly reported issue?
Unrestricted user access may tie up resources impacting access/functionality
80
Where might resource availability cause performance issues?
Data replication and search performance Disk space/storage availability
81
What measures are taken for disaster recovery in the Cloud?
Site awareness across 3 availability zones; automatic index replication, with all copies searchable
82
Splunk Cloud Users should be aware of what two indexes?
“main” - the default index, accepts events not assigned an index; “lastchanceindex” - pre-defined in Cloud, accepts events sent to a non-existent index
83
What two key file types are within an index?
rawdata files: the raw event data, stored compressed (journal.gz); tsidx files: time-series index files pointing into the raw data
84
Is it best practice to use index=main when searching?
No it is best practice to segregate data into separate indexes and specify your specific index when searching
85
What type of indexes are available?
Event indexes - unstructured data stored as separate events; metric indexes - metric data, uses less storage and fewer system resources with faster searches
86
Describe the process of new and updated indexes are deployed in Cloud.
Done through the SH UI: changes are transferred to the Manager Node (MN), which creates a bundle and pushes it to the indexers
87
How do buckets roll from hot to warm to cold in the indexes?
Roll by exceeding: -number of buckets -index size -event age
88
Which index bucket is open for write?
Hot bucket
89
What 3 options are available as data moves to the frozen state?
-purge/delete: default unless archive selected -archive: events unsearchable, either in a Splunk-managed or customer-managed archive -thawed: archived data restored
90
Describe Splunk Managed Archive data option
Known as Dynamic Data Active Archive: disabled by default and must be purchased in 500GB increments with set retention
91
Describe Customer Managed Archive data option
Known as Dynamic Data Self Storage where data is moved to customer managed AWS S3
92
What happens to data accessibility when it is archived?
With Active Archive it is easily restored to Splunk Cloud. With Self Storage data is no longer accessible via Splunk Cloud. Must be re-ingested
93
What happens when DDAA Dynamic Data Active Archive is full?
Buckets are deleted
94
Which storage option is best for auditing and tracking historical data/compliance?
Dynamic Data Self Storage DDSS as it is a long term option needed for those activities
95
Can data be thawed back into splunk searchable indexes from dynamic data self storage DDSS?
No, it has to be thawed in customer environment and data needs to be re-ingested to be restored and searchable in splunk cloud
96
How long is restored dynamic data active archive (DDAA) searchable for?
Searchable within 24 hours of being reinstated and searchable for up to 30 days
97
In what increments can DDAA be purchased?
500GB
98
How can you delete an archive?
Logging a support ticket
99
T/F You create the splunk index prior to setting up the AWS S3 bucket name
False, bucket must be created prior to creating the self storage location in splunk
100
When using the CMC, what would you check indexing performance for?
-missing events -queue fill issues -delayed data
101
When using the CMC,what would you check Indexes and Storage dashboard for?
-Retention and Sizing -indexes without events
102
What are several ways missing data can occur (an issue uncovered using the CMC Monitoring Indexes and Storage dashboard)
Missing data can occur if: -ingest volume exceeds index size -events have aged out or exceeded searchable age limit -data is masked using the delete command
103
For what purpose do you check the Index Detail Dashboard of the CMC?
-ingestion issues -isolation troubleshooting (through the host source and sourcetype views available)
104
How are TCP connections permitted in Splunk Cloud?
With an authorized role, secure token, credentials or certificate validation
105
When would you use a Test server?
-standalone dev environment for test and POC -replicate Cloud indexes/configs to test data collection, parsing and indexed event quality
106
What SPlunk functions would be part of the standalone test server?
All functions in a single instance: input, parse, index, and search
107
What is the test server deployment strategy?
Test inputs/parsing/events in the dev environment, then match prod to the dev environment including versions, apps/configs and index names
108
What type of data collection method monitors local hosts to gather data?
Universal forwarder
109
What are the key differences between a universal and heavy forwarder?
HF is a full splunk enterprise instance with license and UI, with ability to parse data prior to forwarding it, and can aggregate data from other forwarders to route elsewhere
110
When would you use a HF over a UF?
Limit HF to: -mask/filter data before going to cloud -manage modular inputs or HEC on prem -host apps not allowed on cloud
111
How does a user get forwarder credential apps?
Customer stacks are commissioned with one; the app comes preconfigured with forwarding and secure connection settings and is installed on each forwarder that outputs data to Cloud
112
What does a customer welcome pack include?
Stack URL and Forwarder Credential App
113
What does the forwarder credentials app contain?
limits.conf: data transmission limit; outputs.conf: forwarder output configs and SSL secure connection settings
114
Why would you check the forwarder credentials app limits.conf file?
A high throughput limit in limits.conf can overwhelm the indexing tier, block network traffic, or cause events to be dropped, so check for: missing events, queue fill issues, delayed data
115
How does SSL Compression work in the forwarder credentials app?
In the outputs.conf file, it must be enabled on both sides. The compression is good for network bandwidth. It has a cpu penalty
116
Why wouldnt you want unlimited throughput for your forwarders into cloud?
May cause higher forwarder resource usage so maintain a limit to control file monitoring and network usage
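The shape of the two files in the forwarder credentials app (cards 113 to 116), as an added example that is not the contents of any real credentials app: hostnames, the app name, the certificate path and the port are placeholders, and the real app ships with its own values and an encrypted sslPassword. The limits.conf part shows the unlimited setting beside a capped one.

```ini
# outputs.conf (placeholder stack and app names)
[tcpout]
defaultGroup = splunkcloud

[tcpout:splunkcloud]
server = inputs1.example.splunkcloud.com:9997, inputs2.example.splunkcloud.com:9997
useSSL = true
# Verify the indexer tier's certificate and present the client cert the app ships;
# without sslVerifyServerCert a man-in-the-middle with any cert would be accepted.
sslVerifyServerCert = true
clientCert = $SPLUNK_HOME/etc/apps/100_example_splunkcloud/default/example_server.pem
sslPassword = <encrypted value written by the app>
# Indexer acknowledgment so the forwarder resends if the indexer never confirms.
useACK = true
# Saves bandwidth at a CPU cost; only takes effect if the receiver also enables it.
compressed = true

# limits.conf
# Weak: 0 means unlimited, so a backlog replay can saturate the uplink or fill
# the indexing queues (missing/delayed events in the CMC).
# [thruput]
# maxKBps = 0

# Corrected: cap per-forwarder throughput; raise it only after the CMC shows
# no queue fill at the current limit.
[thruput]
maxKBps = 512
```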
117
T/F UFs can access the internet without going through a firewall
False
118
What is an intermediate UF?
A UF or collection of UFs, that relay data to splunk; centralized forwarding of data to cloud
119
Why use an intermediate UF over a UF or HF?
-Limits servers with direct access to internet -reduces overhead of updating firewall rules for each server added or removed
120
Why use multiple forwarder ingestion vs HF or intermediate forwarder?
-checkpoints for lossless data collection -efficient to minimize bandwidth -built in load balancing, optional encryption, and data compression -supports multiple inputs and local management
121
What is an intermediate HF?
Full enterprise instances as a tier to parse and forward data and manage data ingestion PRIOR to indexing in cloud
122
Why use a Intermediate HF over a UF or intermediate UF?
HF can parse and perform indexer tasks in the customer controlled area -parse and anonymize with or without writing and indexing events -data can be removed prior to forwarding to Cloud
123
What must be considered when using an intermediate HF in terms of troubleshooting, parsing and ingesting?
-troubleshooting could be challenging because hidden intermediate modifies/parses -parsed data not parsed again in cloud index -ingested data may differ from original data
124
T/F For both structured and unstructured data, data parsing can occur on UF and HF
False, only structured data parsing can occur on both. Unstructured data cannot be parsed on a UF
125
How can splunk Cloud get data from TCP or UDP input?
Receive these inputs on a forwarder, because Splunk Cloud can't accept direct network (TCP/UDP) inputs
126
T/F Best practice is to put network inputs on an intermediate forwarder
False, Do not put on intermediate. Collect on separate dedicated forwarders
127
Splunk merges what kind of data until it finds a timestamp by default?
UDP data
128
How do you get syslog data into splunk cloud?
Send to a syslog collector that writes to a directory structure and monitor the directory using host_segment
129
How does splunk cloud handle SNMP traps
Write traps to file and monitor input. Collect on prem to parse and filter before forwarding
130
When using the CMC Monitoring Forwarder Instance, what do you want to check for?
Connection issues: review version and compatibility; missing/delayed events: the forwarder must be connected and sending _internal data
131
What is the CMC Forwarders: Instance dashboard used for?
-Drill downs into performance of active/inactive forwarders over time -Investigate perf and connectivity
132
What is the CMC Forwarders: Deployment dashboard used for?
-shows active/inactive forwarder connecting to splunk directly -shows connectivity
133
When using the CMC Monitoring Forwarder Deployment, what do you want to check for?
-Connection and forwarding issues: check when last connected to indexers -Missing forwarders: check forwarder status -Checking IDM input rate
134
What is REST API?
An application programming interface conforming to the REST architectural style, used by vendors to expose data and internal management endpoints
135
What is a software messenger delivering requests to providers and returning responses to requesting Client?
API
136
What is REST?
Representational State Transfer - defined constraints for HTTP(s) web services and provides direct interaction with web-based clients
137
What are APIs used for?
Expose data and management endpoints providing ability to manipulate outputs or filter results to manage ingestion
138
What are some benefits of using a REST API for ingestion?
Manipulate outputs or filter results to manage ingest inflight = reduce data volume and increase ingest speed. -use less system resources -minimal impact on performance
139
What API tasks are restricted in Splunk Cloud?
Modifying client server configs/components Restarting deployment or executing debug
140
What are PUSH/PULL requests when using an API?
It is how a REST client reaches endpoints. PUSH: the source attempts to deliver data from a streaming source to an endpoint. PULL: a streaming or file input source continually publishes to an endpoint; a channel opens, Splunk connects to the input and ingests the content
141
What API requests does splunk support?
GET, POST, DELETE
142
Where can Cloud REST API ingestion Apps and Add-ons be installed?
On an IDM in classic Cloud, indexers and/or SH
143
Can non-Splunk Cloud compliant REST API ingestion TAs be used?
Yes, if installed on an on-prem HF
144
What type of ingestion reduces the overhead of maintaining machines and network infrastructure?
Using REST API
145
What happens to on-prem API inputs.conf files when deployed in cloud?
They are encrypted and use a key for security
146
Describe how the API Input TA can be installed
Installed as either: an invisible app with a list of data inputs on the Configure Data Collection page, or a visible app with a UI for managing and configuring inputs
147
What method is used to collect diagnostic data from OS commands?
Scripted Inputs
148
What do Scripted inputs do?
Schedule a script execution and index the output
149
Why use a scripted input instead of another ingest method
It can gather transient data that cannot be collected with monitor or network inputs Ex: API, message queue, web service, custom transaction
150
What kind of scripts are supported with scripted inputs
Shell .sh, Batch .bat, PowerShell .ps1, Python .py
151
Where can scripts be executed from?
$SPLUNK_HOME/etc/apps/<app>/bin, $SPLUNK_HOME/etc/system/bin, $SPLUNK_HOME/bin/scripts
152
In the inputs.conf of a scripted input, what does interval = <seconds> mean?
Interval is the time period between script executions - the default is 60 seconds
153
What is HEC?
HTTP Event Collector is a secure and scalable token based HTTP input. Sends events to splunk without using forwarders
154
What method can you use to ingest info from web browsers, automation scripts or mobile apps?
HTTP Event Collector HEC
155
What method of ingestion can facilitate logging from distributed, multimodal and/or legacy environments?
HEC
156
What are some considerations when using HEC in the cloud?
-HEC enabled by default -Can't change config files because there is no direct access to indexers -Doesn't support forwarding to output groups
157
T/F Using HEC will increase infrastructure Overhead
False, it will reduce infra overhead
158
How is encryption handled when using HEC?
All data is encrypted in transit using TLS 1.2+
159
What port must be used when using HEC?
Port 443 and customer cannot change
160
What is the default max content length for HEC in the cloud?
1MB
161
How do you enable HEC for Kinesis Firehose or make changes to HEC ?
Through filing a support ticket`
162
Can raw payloads be sent to HEC?
Yes, the raw endpoint accepts arbitrary payloads, not just JSON, but requests must carry a channel identifier (as with indexer acknowledgment) and each request's events must be bounded within that request
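A small HEC client that applies the constraints from cards 153 to 162 (token auth, port 443, TLS 1.2 minimum, the 1 MB request limit, and the channel header), as an added example that is not code from the original deck or from Splunk. The stack name, token and channel value are placeholders; the batching function exists because HEC accepts several JSON objects in one POST but rejects bodies above max_content_length, so the split has to happen on the client.

```python
"""HEC client sketch for Splunk Cloud (added example; placeholder stack/token)."""
import json
import ssl
import urllib.parse
import urllib.request

STACK = "example.splunkcloud.com"                 # placeholder stack name
EVENT_URL = f"https://{STACK}:443/services/collector/event"
RAW_URL = f"https://{STACK}:443/services/collector/raw"
MAX_CONTENT_BYTES = 1024 * 1024                   # Splunk Cloud default (1 MB)


def encode_event(event, sourcetype, index=None, host=None, epoch=None):
    """Wrap one event in the HEC event-endpoint JSON envelope (metadata per event)."""
    body = {"event": event, "sourcetype": sourcetype}
    if index is not None:
        body["index"] = index
    if host is not None:
        body["host"] = host
    if epoch is not None:
        body["time"] = epoch
    return json.dumps(body, separators=(",", ":"))


def batch_payloads(encoded_events, max_bytes=MAX_CONTENT_BYTES):
    """Group envelopes into newline-separated POST bodies no larger than max_bytes.
    A single event larger than the limit can never be sent, so fail loudly."""
    batches, current, size = [], [], 0
    for env in encoded_events:
        n = len(env.encode("utf-8")) + 1          # +1 for the separating newline
        if n > max_bytes:
            raise ValueError("single event exceeds HEC max content length")
        if current and size + n > max_bytes:
            batches.append("\n".join(current))
            current, size = [], 0
        current.append(env)
        size += n
    if current:
        batches.append("\n".join(current))
    return batches


def raw_url(sourcetype, index=None, host=None):
    """The raw endpoint takes metadata as query parameters, not per event."""
    params = {"sourcetype": sourcetype}
    if index:
        params["index"] = index
    if host:
        params["host"] = host
    return RAW_URL + "?" + urllib.parse.urlencode(params)


def build_request(url, token, payload, channel=None):
    """POST with the HEC token. The channel header is what indexer acknowledgment
    and the raw endpoint key on; the value is any client-chosen GUID."""
    req = urllib.request.Request(url, data=payload.encode("utf-8"), method="POST")
    req.add_header("Authorization", f"Splunk {token}")
    req.add_header("Content-Type", "application/json")
    if channel:
        req.add_header("X-Splunk-Request-Channel", channel)
    return req


def tls_context():
    """Refuse anything below TLS 1.2 and keep certificate verification on."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def send(req, ctx=None):
    """Send one request; HEC answers {"text": "Success", "code": 0} on success."""
    with urllib.request.urlopen(req, context=ctx or tls_context(), timeout=10) as resp:
        return json.loads(resp.read().decode("utf-8"))


if __name__ == "__main__":
    # Constructed sample events; the send() call is omitted so this runs offline.
    events = [encode_event({"msg": f"login ok user{i}"}, "app:auth", index="security")
              for i in range(5000)]
    bodies = batch_payloads(events)
    print(f"{len(events)} events -> {len(bodies)} HEC request(s)")
    req = build_request(EVENT_URL, "00000000-0000-0000-0000-000000000000", bodies[0])
    print(req.full_url, dict(req.header_items()))
```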
163
How are private apps installed on Cloud?
Uploaded through the App Manager and vetted through the AppInspect app certification process
164
When do you contact support for Cloud app installs?
When the app on Splunkbase indicates “request install” or multiple apps need installing
165
When should you get assisted installation on apps from splunkbase?
Apps for hidden components Bulk installation or planned migration Scheduling in specific maintenance windows
166
What is considered ‘unsafe practices’ when determining if an app is prohibited
Using elevated permissions Running processes that manipulate OS, file, or security settings
167
What is categorized as prohibited behavior in a Cloud app?
Privilege escalation, precedence elevation, using local folders, reverse shells, Splunk restarts, OS manipulation; cross-site scripting in dashboards; config changes to core Splunk or underlying OS files; manipulation of the OS, remote shells, insecure communications and credential storage; data exfiltration or export
168
What is App Inspect for a Dev Environment?
An automated vetting process that can still require manual review. Offered two ways outside the UI: -CLI: run with the “cloud” tag to validate for Splunk Cloud -API: run with the “self-service” tag; uses the packaging toolkit and can run antivirus checks
169
When do you use Splunk AppInspect API?
To validate an app for Cloud prior to install, or in preparation for updated settings/configs
170
What do you use the cURL GET command for when using the AppInspect API?
Send a cURL GET request with your Splunk.com username and password to the Splunk AppInspect API login endpoint to obtain an HTTP auth token
171
How do you submit an app to AppInspect using the API?
First use GET request to obtain HTTP token. Then use POST request to submit app to validation endpoint. Produces a request_id for tracking purposes
172
How do you perform a status check of the AppInspect API?
Send a cURL GET request for either a status check or to retrieve a validation report. Both leverage the request_id produced when app was originally submitted
173
Do you need an updated version and build number to vet an upgraded/updated app?
Yes otherwise app could fail if build numbers are identical to previous checks
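The login, submit, status-check and report steps of cards 170 to 172 as one Python client, added here as an example and not code from the original deck or from Splunk. The endpoint URLs and response field names (data.token, request_id, status, reports/groups/checks) follow Splunk's public AppInspect API documentation as I know it; confirm them against the current docs before relying on them. The `http` argument is injectable, and `demo_transport()` is a constructed offline stand-in with made-up check names, so the whole flow runs without network access.

```python
"""AppInspect API round-trip: login -> submit -> poll -> report -> list failures."""
import base64
import json
import time
import urllib.request
import uuid

LOGIN_URL = "https://api.splunk.com/2.0/rest/login/splunk"
VALIDATE_URL = "https://appinspect.splunk.com/v1/app/validate"
STATUS_URL = "https://appinspect.splunk.com/v1/app/validate/status/{}"
REPORT_URL = "https://appinspect.splunk.com/v1/app/report/{}"


def urllib_http(method, url, headers=None, body=None):
    """Default transport: returns (status_code, response_bytes)."""
    req = urllib.request.Request(url, data=body, method=method, headers=headers or {})
    with urllib.request.urlopen(req, timeout=60) as resp:
        return resp.status, resp.read()


def login(username, password, http=urllib_http):
    """GET with HTTP basic auth (Splunk.com credentials) returns a bearer token."""
    cred = base64.b64encode(f"{username}:{password}".encode()).decode()
    status, body = http("GET", LOGIN_URL, {"Authorization": f"Basic {cred}"})
    if status != 200:
        raise RuntimeError(f"login failed: HTTP {status}")
    return json.loads(body)["data"]["token"]


def multipart(fields, filename, filebytes):
    """Build a multipart/form-data body by hand (stdlib has no helper)."""
    boundary = uuid.uuid4().hex
    parts = []
    for name, value in fields.items():
        parts.append(f'--{boundary}\r\nContent-Disposition: form-data; name="{name}"'
                     f'\r\n\r\n{value}\r\n'.encode())
    parts.append(f'--{boundary}\r\nContent-Disposition: form-data; name="app_package"; '
                 f'filename="{filename}"\r\nContent-Type: application/octet-stream\r\n\r\n'
                 .encode() + filebytes + b"\r\n")
    parts.append(f"--{boundary}--\r\n".encode())
    return f"multipart/form-data; boundary={boundary}", b"".join(parts)


def submit(token, filename, filebytes, tags=("cloud",), http=urllib_http):
    """POST the packaged app; included_tags selects the cloud/self-service checks."""
    ctype, body = multipart({"included_tags": ",".join(tags)}, filename, filebytes)
    status, resp = http("POST", VALIDATE_URL,
                        {"Authorization": f"bearer {token}", "Content-Type": ctype}, body)
    if status != 200:
        raise RuntimeError(f"submit failed: HTTP {status}")
    return json.loads(resp)["request_id"]


def wait_for_report(token, request_id, http=urllib_http, poll_seconds=10, sleep=time.sleep):
    """Poll the status endpoint with the request_id, then fetch the JSON report."""
    hdr = {"Authorization": f"bearer {token}", "Content-Type": "application/json"}
    while True:
        _, body = http("GET", STATUS_URL.format(request_id), hdr)
        state = json.loads(body)["status"]
        if state == "SUCCESS":
            break
        if state not in ("PREPARING", "PROCESSING"):
            raise RuntimeError(f"validation ended in state {state}")
        sleep(poll_seconds)
    _, report = http("GET", REPORT_URL.format(request_id), hdr)
    return json.loads(report)


def failures(report):
    """Flatten the report to (check name, message) for every failed/errored check."""
    out = []
    for rep in report.get("reports", []):
        for group in rep.get("groups", []):
            for check in group.get("checks", []):
                if check.get("result") in ("failure", "error"):
                    msgs = [m.get("message", "") for m in check.get("messages", [])]
                    out.append((check["name"], "; ".join(msgs)))
    return out


def demo_transport():
    """Offline stand-in for urllib_http with constructed responses (the check names
    are invented). Returns (transport, call_log); status reports PROCESSING once."""
    calls = []
    report = {"reports": [{"groups": [{"checks": [
        {"name": "check_for_hardcoded_creds", "result": "failure",
         "messages": [{"message": "password found in default/inputs.conf"}]},
        {"name": "check_app_conf_exists", "result": "success", "messages": []}]}]}]}

    def transport(method, url, headers=None, body=None):
        calls.append((method, url, headers, body))
        if url == LOGIN_URL:
            return 200, b'{"data": {"token": "tok"}}'
        if url == VALIDATE_URL:
            return 200, b'{"request_id": "req-1"}'
        if url == STATUS_URL.format("req-1"):
            polls = sum(1 for c in calls if c[1] == url)
            return 200, b'{"status": "PROCESSING"}' if polls == 1 else b'{"status": "SUCCESS"}'
        if url == REPORT_URL.format("req-1"):
            return 200, json.dumps(report).encode()
        raise ValueError(f"unexpected URL {url}")
    return transport, calls


if __name__ == "__main__":
    http, _ = demo_transport()            # swap for urllib_http to hit the real API
    tok = login("user@example.com", "secret", http=http)
    rid = submit(tok, "my_app.tgz", b"constructed-app-bytes", http=http)
    for name, msg in failures(wait_for_report(tok, rid, http=http, sleep=lambda s: None)):
        print(f"FAIL {name}: {msg}")
```

Bump the version and build in app.conf before resubmitting (card 173): a package identical to an earlier submission is judged against the earlier result.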
174
When will Splunk Cloud Classic need a restart when uploading apps
When app contains static assets, props and transforms
175
Where is a rolling restart required when installing cloud apps?
Apps or configs deployed to indexers require rolling restart
176
How is syslog data ingested in the cloud?
Logs are collected locally, then forwarded to Splunk Cloud
177
What are the 2 options to collect Syslog data into the CLoud?
Sent through an intermediate tier: reliable delivery via forwarder; requires an on-prem syslog server for parsing and filtering. Splunk Connect for Syslog (SC4S): containerized syslog-ng server with a data source library; filters to identify, parse and format; reduces config and management of syslog servers; a repeatable, concise and prescriptive solution
178
How can you get visibility where collection agents are prohibited?
Access streaming data, data off the wire
179
What OS is supported for collecting streaming data?
Windows, Mac, Linux
180
What ingest method uses rapid agentless deployment to collect real time data?
Streaming data / data off the wire
181
What are the 3 phases of stream data collection?
Data Collection points Streaming data processing Forwarding data
182
What is Splunk DSP, Data Stream Processor
DSP provides real-time stream processing: collect through input connectors, process in DSP, and deliver data to Splunk through output connectors
183
What is Splunk SPS, Stream Processor Service?
Cloud feature using real time stream processing to collect, process and deliver data to splunk Flexible/scalable, using SVCs
184
What is IDM, Inputs Data Manager?
Single hosted data input component in Cloud Classic available for scripted and modular inputs -IDM is not an app, it hosts input apps
185
How are IDM apps installed?
Via support ticket request or uploaded and added by engaging support or PS engineers
186
When is it best practice to use the IDM?
Use for Cloud Vendor Services data collection and install cloud based ingestion addons to the IDM
187
Can an IDM accept TCP/UDP inputs like syslog and inputs from HEC
No
188
What are some limitations of the IDM
Limited in scaling and ingest volume, as well as concurrent searches (limit 10)
189
How do you get custom inputs on the IDM?
Create modular/scripted inputs and package configs as private app that will need to get vetted then uploaded by support/PS. Manage through IDM login
190
How do you get vendor inputs on the IDM?
find prebuilt apps/addons and have PS/support upload to IDM. Configure access controls and manage through IDM login
191
How do you parse and modify data before forwarding?
By using a Heavy Forwarder, where you can perform indexer like tasks in the customer controlled environment: parse/mask/remove data before indexing
192
What service is able to parse, modify, and filter data prior to writing events to disk?
Streaming processor Service: manage data ingestion prior to indexing in cloud
193
What main issues can impact user experience and information quality
Line breaking: lines in an event exceed the TRUNCATE setting; timestamp parsing: extraction unsuccessful; aggregation: exceeding the number of lines per event set in MAX_EVENTS
194
What info is gathered at the input phase
Host, sourcetype, source, index
195
What actions occur at the parsing phase?
Line breaking, date/time extraction, event level processing, adjust meta fields
196
If you are changing extraction settings in sourcetype, what conf file do you need to update these changes to?
props.conf
197
What is an efficient way to break single line events when parsing?
Automatic line breaking is used but it is more efficient to set explicitly SHOULD_LINEMERGE = false
198
What is an efficient way to break multi line events when parsing ?
While Splunk will attempt to find boundaries, it is more efficient to set explicitly: BREAK_ONLY_BEFORE_DATE = true (default), BREAK_ONLY_BEFORE = <regex>, MAX_EVENTS = 256 (default)
199
What can be used to more efficiently extract date/timestamp in an event?
For the timestamp set: TIME_PREFIX = <regex>, MAX_TIMESTAMP_LOOKAHEAD = <characters>; specify the time format (TIME_FORMAT) and time zone (TZ)
200
How can poor time extraction lead to missing events?
Ingested but unavailable in the specified time range Events rolled off as they are outside retention period Events not ingested because ‘dates’ beyond allowed range
201
How could you end up with duplicate events if there is a timestamp extraction issue?
Splunk assigns a timestamp from a previous event if it cant find one
202
What kind of data prep should be done before mass ingestion?
Eval event breaking and date/timestamp settings, then use a test instance onprem and cloud, then redirect to prod
203
What is splunk data preview used for?
Creating new sourcetypes and adjusting config settings
204
How can you hide or delete sensitive or identifying data prior to forwarding to Cloud?
Use an on prem Heavy Forwarder to modify _raw data
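A props.conf stanza pair that puts the settings from cards 197 to 200 (explicit line breaking, bounded timestamp extraction) and card 204 (masking before the data leaves the customer network) in one place, as an added example that is not from the original deck. It assumes a heavy forwarder, since SEDCMD runs in the parsing pipeline and a universal forwarder would ship the unmasked _raw; the sourcetype names, log layouts and regexes are made up to match a constructed access log and a constructed Java stack trace.

```ini
# props.conf on the on-prem heavy forwarder (hypothetical sourcetypes)

# Single-line access log, e.g.
#   [26/Oct/2024:13:45:01 +0000] 10.0.0.5 GET /pay card=4111111111111111 ssn=123-45-6789
[myapp:access]
# Card 197: one event per line; skipping the line-merge pass is cheaper than letting it run.
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)
# Anything past this many characters on a line is cut off rather than indexed.
TRUNCATE = 10000
# Card 199: anchor the timestamp so Splunk does not scan the whole line (and never
# picks the card number as a date). 26 = length of "26/Oct/2024:13:45:01 +0000".
TIME_PREFIX = ^\[
MAX_TIMESTAMP_LOOKAHEAD = 26
TIME_FORMAT = %d/%b/%Y:%H:%M:%S %z
TZ = UTC
# Card 204: mask before forwarding. Keeps the last four PAN digits; blanks the SSN.
SEDCMD-mask_pan = s/\b\d{12}(\d{4})\b/XXXXXXXXXXXX\1/g
SEDCMD-mask_ssn = s/\b\d{3}-\d{2}-\d{4}\b/XXX-XX-XXXX/g

# Multi-line stack trace, e.g.
#   2024-10-26 13:45:01,123 ERROR PaymentService - boom
#       at com.example.Pay.charge(Pay.java:42)
[myapp:stacktrace]
# Card 198: merge continuation lines, but only start a new event on a dated line.
SHOULD_LINEMERGE = true
BREAK_ONLY_BEFORE_DATE = true
BREAK_ONLY_BEFORE = ^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}
MAX_EVENTS = 256
TIME_PREFIX = ^
MAX_TIMESTAMP_LOOKAHEAD = 23
TIME_FORMAT = %Y-%m-%d %H:%M:%S,%3N
TZ = UTC
```

Test the stanzas on a standalone test server first (cards 105 to 107): feed it the sample lines, confirm one event per request and one per stack trace, check `_time` matches the log, and search the masked values before pointing the forwarder at the stack.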
205
Why should you avoid indexing ‘dirty’ data?
Indexing dirty data causes delays, reduces search accuracy and data quality, slows ingestion, and causes issues rendering dashboards
206
What can users with the can_delete capability do?
Use the |delete command to hide data from searches, but it still consumes disk space
207
For what problem do you NOT contact cloud support?
Resizing, License changes, purchases
208
For what problems should you contact cloud support?
Unable to resolve issue or perform problem isolation Capacity or config changes Unable to log into cloud
209
What is the difference between a Splunk Support engineer and a Customer Support Engineer?
Customer support engineer: may troubleshoot, submits support tickets, manages expectations/best practices. Splunk support engineer: provides solutions to product issues and complex issues, and troubleshoots technical problems
210
When troubleshooting what are the 3 likely areas that search can fail?
Search request, data retrieval, and manipulation
211
What should you consider when you have issues with a search due to User failures?
Check user capabilities, roles, group mappings, access/resource limits
212
At what stages can data ingestion be disrupted?
Collection, forwarding, intermediate stage or at the indexing tier
213
What steps do you take if data ingestion is disrupted at the collection and forwarding stages?
Check if splunk has access to the data and find if data forwarding is configured via inputs/outputs settings
214
What steps do you take if data ingestion is disrupted at the forwarding stage?
Check the output, limits.conf, restricted bandwidth
215
What steps do you take if data ingestion is disrupted at the intermediate forwarding stages?
Is it receiving any data, confirm receive and send ports, is it parsing or indexing and parsing data?
216
The cloud monitoring console or CMC is preconfigured so long as customers do what?
Enable forwarders and workload management
217
What is Splunk Diag?
A diagnostic snapshot (tar archive) of an on-prem Splunk instance, capturing current component configs and customizations
218
When should you run a splunk diag?
Before and after upgrades, creates a backup of configs/settings, faster restore and easier change audit, for splunk cloud support to aid in troubleshooting
219
How do you collect a diag?
Run SPLUNK_HOME/bin/splunk diag
220
What is Btool?
CLI troubleshooting tool used to audit configs to see what values are being used by splunk
221
What are the limitations of Btool?
Only shows merged on-disk configs (what would take effect at the next restart), not the settings the running Splunk process is currently using