Splunk Interview Questions and Answers – Part I

In one of our recent posts we gave an overview of Splunk. We recommend reading that overview before going through this post.

Because this skill is in high demand in the market, one of our readers asked us for a Q&A on it. In this first part we cover some of the important Splunk questions; more will be added in the next post.

Let’s get started…

  1. What is Splunk?

Splunk is a software platform for collecting, indexing, searching, analysing and visualising machine-generated data (logs and events from servers, network devices, applications, IoT devices, etc.). It is widely used for searching, monitoring, alerting on and reporting over enterprise data, turning raw machine data into operational intelligence through real-time searches, dashboards and reports.


  2. Name the components of Splunk architecture.

The Splunk architecture is made of the following components:


  • Search Head – provides the web interface (Splunk Web) and the search layer; it sends searches to the indexers and merges the results
  • Indexer – parses the incoming data, writes it to indexes on disk and serves the search requests from the search head
  • Forwarder – collects data on the source host and forwards it to the indexer
  • Deployment server – manages the Splunk components (mainly forwarders) in a distributed environment and distributes configuration apps to them


  3. Name the common port numbers used by Splunk.

The common (default) port numbers for Splunk are:

  • Web port: 8000 (Splunk Web UI)
  • Management port: 8089 (the splunkd REST API; also used between Splunk instances, e.g. by search heads, the deployment server and the license master)
  • Network input port: 514 (the default syslog port a TCP/UDP network input listens on)
  • Index replication port: 8080
  • Indexing (receiving) port: 9997 (where indexers receive data from forwarders)
  • KV store: 8191

All of these can be changed in the configuration. From a security point of view, 8000 and 8089 should only be reachable from administrators and other Splunk components, 9997 only from the forwarders, and 514 only from the hosts expected to send syslog; none of them belongs on an untrusted network.


  4. What are the different types of Splunk dashboards?

There are three different kinds of Splunk dashboards:

  • Real-time dashboards
  • Dynamic form-based dashboards
  • Dashboards for scheduled reports

  5. Name the types of search modes supported in Splunk.

Splunk supports three search modes, which trade field discovery against speed:

  • Fast mode – fastest; only the fields required by the search are extracted
  • Smart mode (the default) – behaves like Fast mode for transforming searches and like Verbose mode for event searches
  • Verbose mode – slowest; all fields are extracted and all events are returned


  6. Name the different kinds of Splunk forwarders.

There are two types of Splunk forwarders:

  • Universal Forwarder (UF) – a lightweight Splunk agent installed on the source host to collect data locally and forward it. The UF does not parse or index data, so parse-time settings (masking, filtering and routing in props.conf/transforms.conf) have no effect on it.
  • Heavy Forwarder (HF, also written HWF) – a full Splunk Enterprise instance configured to forward. It parses the data before sending it, so it can filter, mask and route events (for example drop noise, or send different sourcetypes to different indexers); it can also index locally, although that is rarely wanted. It needs far more CPU and memory than a UF.


  7. What is the use of the License Master in Splunk?

The license master (called the license manager in recent versions) enforces the licence: a Splunk Enterprise licence is based on the volume of data indexed per day (a 24-hour window). The indexers report their daily indexing volume to the license master, which tracks it against the licensed volume and raises warnings when the limit is exceeded.


  8. What happens if the License Master is unreachable?

Indexing is not affected: data keeps flowing into the deployment and the indexers keep indexing it as usual, and a warning message is shown at the top of Splunk Web on the search head. Searching is only blocked if an indexer cannot reach the license master for 72 hours; until then searches keep working.


  9. What is the purpose of Splunk DB Connect?

Splunk DB Connect is a Splunk app (add-on) that connects Splunk to relational SQL databases through JDBC. It lets users pull database tables into Splunk as inputs, enrich searches and reports with database lookups, and write search results back to a database.


 10. What are some of the most important configuration files in Splunk?

The most important configuration files in Splunk are:

  • inputs.conf – defines the data inputs (files, directories, network ports, scripts) an instance collects
  • outputs.conf – defines where a forwarder sends its data (the receiving indexers)
  • props.conf – per-sourcetype/source/host settings applied at parse and search time (line breaking, timestamp extraction, SEDCMD masking, references to transforms, field extractions)
  • transforms.conf – the transformations referenced from props.conf (regex-based routing, filtering, field extraction, lookups)
  • indexes.conf – defines the indexes, their storage paths, size limits and retention

On the security side server.conf (SSL, clustering), authentication.conf and authorize.conf (roles and capabilities) matter as well. Note that the file names are plural (inputs.conf, outputs.conf); a file named input.conf is silently ignored. Local changes belong in the local/ directory of an app, never in default/, which is overwritten on upgrade.
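As an added example (not from the original post), the following shell script writes a small Splunk app made of exactly these two files, props.conf and transforms.conf, that masks password values in a web access sourcetype and drops DEBUG events before they reach the index, and then checks the same regexes offline with sed and grep. The stanza keys (SEDCMD-*, TRANSFORMS-*, REGEX, DEST_KEY, FORMAT) are Splunk's own; the app name mask_secrets, the sourcetype web:access, the regexes and the sample events are assumptions made for this example. Because these settings act in the parsing pipeline, the app must be deployed to the indexers or a heavy forwarder, not to a universal forwarder.

```shell
#!/bin/sh
# Added example, not from the original post: a minimal Splunk app (props.conf +
# transforms.conf) that masks password values and drops DEBUG events at parse
# time, plus offline checks of the same regexes with sed and grep.
# Assumptions: the app name mask_secrets, the sourcetype web:access, the regexes
# and the sample events below are all made up for illustration.

# Write the app under $1/etc/apps/mask_secrets/local ($1 = $SPLUNK_HOME;
# defaults to a temporary directory so the script runs anywhere). Prints the
# directory it wrote to.
write_app() {
  local root app
  root=${1:-$(mktemp -d)}
  app="$root/etc/apps/mask_secrets/local"
  mkdir -p "$app"
  cat > "$app/props.conf" <<'EOF'
[web:access]
# Rewrite _raw before indexing: the value after password= becomes ********
SEDCMD-mask_password = s/(password=)[^& ]+/\1********/g
# Route events through the transform below (defined in transforms.conf)
TRANSFORMS-drop_debug = drop_debug_events
EOF
  cat > "$app/transforms.conf" <<'EOF'
[drop_debug_events]
# Events whose _raw matches REGEX are sent to nullQueue, i.e. discarded
REGEX = [[:space:]]level=DEBUG[[:space:]]
DEST_KEY = queue
FORMAT = nullQueue
EOF
  echo "$app"
}

# Apply the same sed script as SEDCMD-mask_password to one event ($1).
mask_line() {
  printf '%s\n' "$1" | sed -E 's/(password=)[^& ]+/\1********/g'
}

# Apply the same REGEX as drop_debug_events: prints "dropped" or "kept".
route_line() {
  if printf '%s\n' "$1" | grep -Eq '[[:space:]]level=DEBUG[[:space:]]'; then
    echo dropped
  else
    echo kept
  fi
}

# Constructed sample events (not real traffic)
EV_LOGIN='10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "POST /login?user=bob&password=Hunter2! HTTP/1.1" 200 512'
EV_DEBUG='2023-10-10T13:55:37Z level=DEBUG msg="cache miss" key=session:42'
EV_WARN='2023-10-10T13:55:38Z level=WARN msg="failed login" user=bob src=10.0.0.5'

app_dir=$(write_app "${1:-}")
echo "wrote $app_dir/props.conf and $app_dir/transforms.conf"
mask_line "$EV_LOGIN"      # password value replaced by ********
route_line "$EV_DEBUG"     # dropped
route_line "$EV_WARN"      # kept: failed logins must reach the index
```

Run it with a $SPLUNK_HOME path as the first argument to write the app into a real installation; without one it writes into a temporary directory. Sending events to nullQueue is irreversible, so filter only what you are certain is noise, and check that security-relevant events such as the failed-login sample never match the drop rule.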

That’s it in this part. Please see the second part of the series for more questions. Our comments section is open for any questions/comments/feedback.

Linux basics – interview questions and answers -Booting Part 2

Our second post in the blog series on Linux basics. We hope you have already gone through part 1 of this series; if not, we recommend reading it first. Continuing the booting Q&A, we add a few more questions in this post.

Let’s get into the questions and answers

  • How to set a password for single user mode?

Change the single-user login shell defined in /etc/sysconfig/init from sushell (which gives a root shell without asking for a password) to sulogin, which asks for the root password:

# sed -i "s,^SINGLE=.*,SINGLE=/sbin/sulogin," /etc/sysconfig/init

This only protects single-user mode itself. Anyone who can edit the kernel line at the GRUB menu can still boot with init=/bin/bash and get an unauthenticated root shell, so a GRUB password (the password --md5 line in grub.conf) is needed as well.

  • How to reinstall the boot loader?

# grub-install /dev/sda

When the system no longer boots, run this from rescue mode after chrooting into /mnt/sysimage, so that the installed system's /boot and grub.conf are used rather than those of the rescue media.

  • What is the initial RAM disk image?

The initial RAM disk (initrd, or initramfs in later kernels) is a temporary root file system that is loaded into memory and mounted before the real root file system is available. It carries the kernel modules (storage controller, file system, LVM, RAID) needed to find and mount the real root. The image is matched to a specific kernel version and is loaded by the boot loader together with the kernel.

  • How to create initramfs in rescue mode, what are the two utilities

The mkinitrd utility recreates the initrd image in RHEL 4 and 5.

The dracut utility rebuilds the initramfs image in later RHEL versions (use its -f option to overwrite the existing image for the given kernel version). In rescue mode, run it after chrooting into /mnt/sysimage so that the installed system's kernel modules are used.

  • How to list the content of initramfs

lsinitrd (give it the image path as an argument; without one it lists the initramfs of the running kernel)

  • What will happen if the grub.conf file is deleted, and how to recover?

The system will fail to boot and drop to the grub> prompt, because GRUB finds no menu to show.

To recover, either boot the kernel manually from the grub> prompt (select the /boot partition with root, give the kernel and initrd lines as they would appear in grub.conf, then boot) or boot from rescue media, chroot into /mnt/sysimage and recreate /boot/grub/grub.conf. Finish with grub-install on the boot disk so that the GRUB stages are in place.

  • What is kernel module

Kernel modules are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system

  • Which package is required for the kernel module utilities?

module-init-tools (in RHEL 5 and 6; RHEL 7 and later ship the same tools in the kmod package)


  • How to list loaded kernel modules

lsmod

  • How to get information about a module?

modinfo <module name>

  • How to load a module into the kernel?

modprobe <module name>

  • From which location does the modprobe command load modules?

/lib/modules/$(uname -r)/ (the module directory for the running kernel, where modprobe also reads modules.dep)

  • How does the modprobe command resolve dependencies, and which file contains the dependency information?

modprobe expects an up-to-date modules.dep.bin file (or, as a fallback, the human-readable modules.dep file), as generated by the depmod utility. This file lists what other modules each module needs (if any), and modprobe uses it to add or remove these dependencies automatically, loading them before the module that needs them.


  • What is the difference between modprobe and insmod?

insmod loads a single module file given its full path and does nothing about dependencies; if a required module is missing, the load fails. modprobe is the intelligent version: it looks the module up by name under /lib/modules/$(uname -r), resolves its dependencies from modules.dep, loads them in the right order, and applies the options, aliases, blacklist and install directives from /etc/modprobe.d.

  • What are the two commands for unloading a module from the kernel?

modprobe -r <module name>

rmmod <module name>

modprobe -r also removes dependencies that are no longer used; rmmod removes only the named module and refuses if it is still in use.

  • How to blacklist a module?

You can add a blacklist <module_name> line to /etc/modprobe.d/blacklist.conf, which already exists on the system by default. However, the preferred method is to create a separate configuration file, /etc/modprobe.d/<module_name>.conf, that contains only the settings specific to the given kernel module.

Note that blacklist only stops the module from being loaded automatically through its aliases (hardware detection by udev); an explicit modprobe <module_name>, or loading it as a dependency of another module, still works. To block a module completely (the usual hardening approach for modules such as usb-storage, dccp or sctp), add install <module_name> /bin/false to the same file, so that modprobe runs /bin/false instead of loading it. Neither line unloads a module that is already loaded, and if the module is loaded from the initramfs the image has to be rebuilt for the change to take effect at boot.
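As an added example (not from the original post), the following shell script models the two behaviours described above: the load order modprobe derives from modules.dep, and the difference between blacklist and install lines in /etc/modprobe.d. It runs against a constructed fixture so that it can be executed anywhere; the module names and paths in the fixture are assumptions. Point the functions at /lib/modules/$(uname -r)/modules.dep and /etc/modprobe.d to inspect a real host.

```shell
#!/bin/sh
# Added example (not from the original post): a small model of what modprobe
# does with modules.dep and /etc/modprobe.d, run against a constructed fixture.
# The module names and paths below are assumptions for illustration.

# Create a throw-away fixture: a modules.dep in the format depmod writes
# ("<module path>: <dependency paths>") and a modprobe.d directory.
make_fixture() {
  local dir
  dir=$(mktemp -d)
  mkdir -p "$dir/modprobe.d"
  cat > "$dir/modules.dep" <<'EOF'
kernel/drivers/usb/storage/usb-storage.ko: kernel/drivers/scsi/scsi_mod.ko kernel/drivers/usb/core/usbcore.ko
kernel/drivers/scsi/scsi_mod.ko:
kernel/drivers/usb/core/usbcore.ko:
kernel/net/dccp/dccp.ko:
kernel/drivers/net/e1000.ko:
EOF
  # "blacklist" only stops alias-based autoloading; the "install ... /bin/false"
  # line also stops an explicit "modprobe usb-storage" and dependency loads.
  printf 'blacklist dccp\n' > "$dir/modprobe.d/blacklist-dccp.conf"
  printf 'blacklist usb-storage\ninstall usb-storage /bin/false\n' \
    > "$dir/modprobe.d/usb-storage.conf"
  echo "$dir"
}

# Module name from a .ko path; modprobe treats '-' and '_' as the same character.
modname() {
  basename "$1" .ko | tr '-' '_'
}

# Walk modules.dep recursively and print dependencies before the module that
# needs them, which is the order modprobe loads them. $1 = modules.dep, $2 = name
load_order() {
  local depfile want line mod deps d
  depfile=$1
  want=$(printf '%s' "$2" | tr '-' '_')
  while IFS= read -r line; do
    mod=${line%%:*}
    [ "$(modname "$mod")" = "$want" ] || continue
    deps=${line#*:}
    for d in $deps; do
      load_order "$depfile" "$(modname "$d")" || return 1
    done
    echo "$want"
    return 0
  done < "$depfile"
  echo "no such module: $want" >&2
  return 1
}

# Same as load_order but with each module listed once (shared dependencies).
resolve() {
  load_order "$1" "$2" | awk '!seen[$0]++'
}

# What the modprobe.d directory ($1) says about module $2: "blocked" (install
# directive pointing at /bin/false or /bin/true, so nothing can load it),
# "no-autoload" (blacklisted, but an explicit modprobe still loads it) or "allowed".
policy() {
  local m
  m=$(printf '%s' "$2" | tr '-' '_')
  cat "$1"/*.conf 2>/dev/null | tr '-' '_' | awk -v m="$m" '
    $1 == "install"   && $2 == m && $3 ~ /\/bin\/(false|true)$/ { inst = 1 }
    $1 == "blacklist" && $2 == m                                { bl = 1 }
    END { if (inst) print "blocked"; else if (bl) print "no-autoload"; else print "allowed" }'
}

# Demo on the fixture
fixture=$(make_fixture)
echo "load order for usb-storage: $(resolve "$fixture/modules.dep" usb-storage | tr '\n' ' ')"
for m in usb-storage dccp e1000; do
  echo "$m: $(policy "$fixture/modprobe.d" "$m")"
done
```

The demo prints scsi_mod and usbcore before usb_storage, and reports usb-storage as blocked, dccp as no-autoload (still loadable by hand) and e1000 as allowed. The policy check is the one worth running on a real host after hardening: a module that is only blacklisted is not actually prevented from loading.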

  • What is udev

udev is a generic device manager running as a daemon on a Linux system and listening (via a netlink socket) to uevents the kernel sends out if a new device is initialized or a device is removed from the system

  • How to view the serial number of the system?

dmidecode -t system (reads the DMI/SMBIOS tables, so it needs root)

That’s it in this post. Hope you are enjoying the content. Please feel free to add your suggestions/comments/feedback in the comments section.

Linux basics – interview questions and answers -Booting Part 1

It has been a while since our last Linux/Unix post, so we are starting a series here: a series of posts covering some of the basics in a Q&A format. We are attempting to help you improve your basics, which can also be helpful when revising for job interviews.

Here comes the first part, where we will be discussing some of the Q&As from the booting part. This will be helpful for those who are at an L1- L2 level in your Linux knowledge.

Let’s get in to the stuff…

  • Which file is responsible for starting/killing services depending on the runlevel?

/etc/rc.d/rc, which init runs with the new runlevel as its argument. It runs the K* (kill) scripts and then the S* (start) scripts linked under /etc/rc.d/rc0.d through /etc/rc.d/rc6.d for that runlevel.

  • Which file is responsible for configuring the Ctrl+Alt+Del key combination to shut down the system at the console?

/etc/inittab: comment out the line "ca:12345:ctrlaltdel:/sbin/shutdown -t1 -a -r now" to stop the key combination from rebooting the machine. On a server this prevents anyone with physical access to the keyboard from rebooting it without logging in.

  • What are the two display managers?

GDM (GNOME Display Manager) — The default display manager for Red Hat Enterprise Linux.

KDM — KDE’s display manager which allows the user to shutdown, restart or log in to the system

  • How to switch from one runlevel to another?

init <run level> (or telinit <run level>)

  • What is happening when we switch into another run level

When init is asked to change the runlevel, it sends SIGTERM to all processes that are not defined in the new runlevel. It then waits 5 seconds before forcibly terminating any that are still running with SIGKILL.

  • How to find the current runlevel?

who -r (or runlevel, which prints the previous and the current runlevel)

  • What is rescue mode?

Rescue mode provides the ability to boot a small Red Hat Enterprise Linux environment entirely from CD-ROM, or some other boot method, instead of the system’s hard drive.

There may be times when you are unable to get Red Hat Enterprise Linux running completely enough to access files on your system’s hard drive. Using rescue mode, you can access the files stored on your system’s hard drive, even if you cannot run Red Hat Enterprise Linux from that hard drive


  • How to enter in to rescue mode?

To boot into rescue mode, you must be able to boot the system using one of the following methods:

By booting the system from an installation boot CD-ROM.

By booting the system from other installation boot media, such as USB flash    devices.

By booting the system from the Red Hat Enterprise Linux CD-ROM #1.

Once you have booted using one of the described methods, add the keyword rescue as a kernel parameter. For example, for an x86 system, type the following command at the installation boot prompt: linux rescue

  • How to load a driver at the time of booting in to rescue mode

Type linux dd at the boot prompt at the start of the installation process and press Enter

  • If a driver that is part of the Red Hat Enterprise Linux 6 distribution prevents the system from booting, How to blacklist that driver

Boot the system into rescue mode with the command linux rescue rdblacklist=name_of_driver


Open the /mnt/sysimage/boot/grub/grub.conf file with the vi text editor

#vi /mnt/sysimage/boot/grub/grub.conf

kernel /vmlinuz-2.6.32-71.18-2.el6.i686 ro root=/dev/sda1 rhgb quiet rdblacklist=foobar (edit the kernel line by adding the entry rdblacklist=name_of_driver)

Create a new file under /etc/modprobe.d/ that contains the command blacklist name_of_driver

echo "blacklist foobar" >> /mnt/sysimage/etc/modprobe.d/blacklist-foobar.conf

Reboot the system

  • What is chroot, and what is it used for?

A chroot is an operation that changes the apparent root directory for the currently running process and its children, so that they cannot name files outside the new root. In rescue mode it is used to make the installed system (mounted under /mnt/sysimage) the root, so that its own tools, kernel modules and configuration are used when repairing it (reinstalling GRUB, rebuilding the initramfs, resetting passwords).

  • What is single user mode, how to enter into single user mode ?

Single-user mode provides a Linux environment for a single user that allows you to recover your system from problems that cannot be resolved in networked multi-user environment. You do not need an external boot device to be able to boot into single-user mode, and you can switch into it directly while the system is running


At the GRUB boot screen, press any key to enter the GRUB interactive menu.

Select the Red Hat Enterprise Linux entry with the version of the kernel that you want to boot and press a to append to the kernel line.

Type single as a separate word at the end of the line and press Enter to exit GRUB edit mode. Alternatively, you can type 1 instead of single.

No password is required for any of this unless GRUB is password-protected and single-user mode uses sulogin, so both should be configured on any system whose console is not fully trusted.

  • What is emergency mode, how to enter in to emergency mode, main difference between single user mode and emergency mode

Emergency mode provides the most minimal bootable environment and allows you to repair your system even in situations when rescue mode is unavailable. In emergency mode, the system mounts only the root file system, and it is mounted read-only. The system does not activate any network interfaces and only a minimum of the essential services are set up.

At the GRUB boot screen, press any key to enter the GRUB interactive menu.

Select the Red Hat Enterprise Linux entry with the version of the kernel that you want to boot and press a to append to the kernel line.

Type emergency as a separate word at the end of the line and press Enter to exit GRUB edit mode.


In emergency mode, you are booted into the most minimal environment possible. The root file system is mounted read-only and almost nothing is set up. The main advantage of emergency mode over single-user mode is that the init files are not loaded. If init is corrupted or not working, you can still mount file systems to recover data that could be lost during a re-installation.

In single-user mode, your computer boots to runlevel 1. Your local file systems are mounted, but your network is not activated. You have a usable system maintenance shell.

Hope you have enjoyed reading this post. Please feel free to add your feedback in the comments section.