Splunk Interview Questions and Answers – Part II

In our previous post, we had covered few questions and answers on Splunk. This is the second post from that series where we will be adding a few more important technical details. Without much of an intro, let’s get directly into the details..

  • What are Buckets? Explain Splunk Bucket Lifecycle.

Buckets are directories that store the indexed data in Splunk. So, it is a physical directory that chronicles the events of a specific period. A bucket undergoes several stages of transformation over time. They are:

  1. Hot – A hot bucket comprises of the newly indexed data, and hence, it is open for writing and new additions. An index can have one or more hot buckets.
  2. Warm – A warm bucket contains the data that is rolled out from a hot bucket.
  3. Cold – A cold bucket has data that is rolled out from a warm bucket.
  4. Frozen – A frozen bucket contains the data rolled out from a cold bucket. The Splunk Indexer deletes the frozen data by default. However, there’s an option to archive it. An important thing to remember here is that frozen data is not searchable.

Read more

  • Define Sourcetype in Splunk.

In Splunk, Sourcetype refers to the default field that is used to identify the data structure of an incoming event. Sourcetype should be set at the forwarder level for indexer extraction to help identify different data formats. It determines how Splunk Enterprise formats the data during the indexing process.

——————- advertisements ——————-


  • Explain the difference between Stats and Eventstats commands.

In Splunk, the Stats command is used to generate the summary statistics of all the existing fields in the search results and save them as values in newly created fields. Although the Eventstats command is pretty similar to the Stats command, it adds the aggregation results inline to each event (if only the aggregation is pertinent to that particular event). So, while both the commands compute the requested statistics, the Eventstats command aggregates the statistics into the original raw data.

  • Differentiate between Splunk App and Add-on.

Splunk Apps refer to the complete collection of reports, dashboards, alerts, field extractions, and lookups. However, Splunk Add-ons only contain built-in configurations – they do not have dashboards or reports.

  • What is the command to stop and start Splunk service?

The command to start Splunk service is: ./splunk start

The command to stop Splunk service is: ./splunk stop

  • How can you clear the Splunk search history?

To clear the Splunk search history, you need to delete the following file from Splunk server:


——————- advertisements ——————-


  • What is a Fishbucket and what is the Index for it?

Fishbucket is an index directory resting at the default location, that is:


Fishbucket includes seek pointers and CRCs for the indexed files. To access the Fishbucket, you can use the GUI for searching:


  • What is the Dispatch Directory?

The Dispatch Directory includes a directory for individual searches that are either running or have completed. The configuration for the Dispatch Directory is as follows:


  • How does Splunk avoid duplicate indexing of logs?

The Splunk Indexer keeps track of all the indexed events in a directory – the Fishbuckets directory that contains seek pointers and CRCs for all the files being indexed presently. So, if there’s any seek pointer or CRC that has been already read, splunkd will point it out.

That’s it in this post. We will soon be adding more Q&A in the next post in this series. Stay tuned.

Please share your feedback/queries in the comments section below.

Linux basics – interview questions and answers -Booting Part 2

Our second post from the blog series on Linux basics. Hope you have gone thru the part-1 of this series already, if not, we recommend reading it. In continuation with the booting Q&A, we are adding a few more to it in this post.

Let’s get into the questions and answers

  • How to set password for single user mode.

Change the definition of the single user login shell in /etc/sysconfig/init from sushellto sulogin

#sed -i “s,^SINGLE=.*,SINGLE=/sbin/sulogin,” /etc/sysconfig/init

  • How to reinstall boot loader.

# grub-install /dev/sda Read more

  • What is initial RAM disk image.

The initial RAM disk (initrd)is an initial root file system that is mounted prior to when the real root file system is available. The initrd is bound to the kernel and loaded as part of the kernel boot procedure

  • How to create initramfs in rescue mode, what are the two utilities
——————- advertisements ——————-


mkinitrd utility can be used to recreate the initrd image in RHEL4 and 5

dracut utility can be used in later versions of RHEL to rebuild the initrams image

  • How to list the content of initramfs


  • What will happen if grub.conf file deleted and how to recover

The system will fail to boot and fall in to the grub prompt

Need to restore the boot partition in hd0 and setup grub.

  • What is kernel module

Kernel modules are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system

  • Which package is require for kernel module utilities


——————- advertisements ——————-


  • How to list loaded kernel modules


  • How to get the information about module

Modinfo <module name>

  • How to load module into kernel


  • From which location the modprobe command will load modules

/lib/modules/’uname -r’

  • How modprobe command will resolve dependencies, Which file contains information about dependencies.

modprobe expects an up-to-date modules.dep.bin file (or fallback human readable modules.dep file), as generated by the depmod utility. This file lists what other modules each module needs (if any), and modprobe uses this to add or remove these dependencies automatically.

——————- advertisements ——————-


  • What is the difference between modprobe and insmod

modprobe is the intelligent version of insmod simply adds a module where modprobe looks for any dependency (if that particular module is dependent on any other module) and loads them

  • What is the two command for unload the module from kernel

Modeprobe -r <module name>

Rmmod <module name >

  • How to blacklist a module

You can modify the /etc/modprobe.d/blacklist.conf file that already exists on the system by default. However, the preferred method is to create a separate configuration file, /etc/modprobe.d/<module_name>.conf, that will contain settings specific only to the given kernel module.

  • What is udev
——————- advertisements ——————-


udev is a generic device manager running as a daemon on a Linux system and listening (via a netlink socket) to uevents the kernel sends out if a new device is initialized or a device is removed from the system

  • How to view the serial number of system

Dmidecode -t system

That’s it in this post. Hope you are enjoying the content. Please feel free to add your suggestions/comments/feedback in the comments section.

Linux basics – interview questions and answers -Booting Part 1

It’s been a while without a Linux/Unix post, now we are starting a series here. A series posts with some of the basics, in a Q&A format. We are attempting to help you improve your basics, which can be helpful in your revision for job interviews as well.

Here comes the first part, where we will be discussing some of the Q&As from the booting part. This will be helpful for those who are at an L1- L2 level in your Linux knowledge.

Let’s get in to the stuff…

  • Which file is responsible for Starts/kills services depending on RUNLEVEL

/etc/rc.d/  rc0 to rc6 files Read more

  • Which file is responsible for configure Ctrl+Alt+Del key combination to shutdown the system at console.

/etc/inittab è comment out the line “ca:12345:ctrlaltdel:/sbin/shutdown -t1 -a – r now”

  • What are the two display manager?
——————- advertisements ——————-


GDM (GNOME Display Manager) — The default display manager for Red Hat Enterprise Linux.

KDM — KDE’s display manager which allows the user to shutdown, restart or log in to the system

  • How to switch a run level from one to another?

Init <run level>

  • What is happening when we switch into another run level

When init is requested to change the runlevel, it sends the warning signal SIGTERM to all processes that are undefined in the new runlevel. It then waits 5 seconds before forcibly terminating these processes via the SIGKILL signal

  • How to find the current run level

Who -r

  • What is rescue mode?

Rescue mode provides the ability to boot a small Red Hat Enterprise Linux environment entirely from CD-ROM, or some other boot method, instead of the system’s hard drive.

There may be times when you are unable to get Red Hat Enterprise Linux running completely enough to access files on your system’s hard drive. Using rescue mode, you can access the files stored on your system’s hard drive, even if you cannot run Red Hat Enterprise Linux from that hard drive

——————- advertisements ——————-


  • How to enter in to rescue mode?

To boot into rescue mode, you must be able to boot the system using one of the following methods 1:

By booting the system from an installation boot CD-ROM.

By booting the system from other installation boot media, such as USB flash    devices.

By booting the system from the Red Hat Enterprise Linux CD-ROM #1.

Once you have booted using one of the described methods, add the keyword rescue as a kernel parameter. For example, for an x86 system, type the following command at the installation boot prompt: linux rescue

  • How to load a driver at the time of booting in to rescue mode

Type linux dd at the boot prompt at the start of the installation process and press Enter

  • If a driver that is part of the Red Hat Enterprise Linux 6 distribution prevents the system from booting, How to blacklist that driver

Boot the system into rescue mode with the command linux rescue rdblacklist=name_of_driver

——————- advertisements ——————-


Open the /mnt/sysimage/boot/grub/grub.conf file with the vi text editor

#vi /mnt/sysimage/boot/grub/grub.conf

kernel /vmlinuz-2.6.32-71.18-2.el6.i686 ro root=/dev/sda1 rhgb quiet rdblacklist=foobar ( edit the kernel line by adding entry  rdblacklist=drivername)

Create a new file under /etc/modprobe.d/ that contains the command blacklist name_of_driver

echo “blacklist foobar” >> /mnt/sysimage/etc/modprobe.d/blacklist-foobar.conf

Reboot the system

  • What is chroot, what are the uses.

A chroot is an operation that changes the apparent root directory for the current running process and their children

  • What is single user mode, how to enter into single user mode ?

Single-user mode provides a Linux environment for a single user that allows you to recover your system from problems that cannot be resolved in networked multi-user environment. You do not need an external boot device to be able to boot into single-user mode, and you can switch into it directly while the system is running

——————- advertisements ——————-


At the GRUB boot screen, press any key to enter the GRUB interactive menu.

Select Red Hat Enterprise Linux with the version of the kernel that you want to boot and press the a to append the line.

Type single as a separate word at the end of the line and press Enter to exit GRUB edit mode. Alternatively, you can type 1 instead of single

  • What is emergency mode, how to enter in to emergency mode, main difference between single user mode and emergency mode

Emergency mode, provides the minimal bootable environment and allows you to repair your system even in situations when rescue mode is unavailable. In emergency mode, the system mounts only the root file system, and it is mounted as read-only. Also, the system does not activate any network interfaces and only a minimum of the essential services are set up.

At the GRUB boot screen, press any key to enter the GRUB interactive menu.

Select Red Hat Enterprise Linux with the version of the kernel that you want to boot and press the a to append the line.

Type emergency as a separate word at the end of the line and press Enter to exit GRUB edit mode.

——————- advertisements ——————-


In emergency mode, you are booted into the most minimal environment possible. The root file system is mounted read-only and almost nothing is set up. The main advantage of emergency mode over single-user mode is that the init files are not loaded. If init is corrupted or not working, you can still mount file systems to recover data that could be lost during a re-installation.

In single-user mode, your computer boots to runlevel 1. Your local file systems are mounted, but your network is not activated. You have a usable system maintenance shell.

Hope you have enjoyed reading this post. Please feel free to add your feedback in the comments section.

Top 50 CISCO ACI interview questions & answers

Cisco ACI is a part of Software Defined Network (SDN) product portfolio from Cisco . Cisco ACI is an emerging technology on DC build up and disruptive technology for traditional networking .This Question and Answers guide will help you to understand Cisco ACI from basics to advanced level and give confidence to tackling the interviews with positive result . You can download PDF of 50 Q&A from here by contributing small amount of money for our effort.

Read more

1.What is Cisco ACI.?
Cisco ACI, the industry-leading software-defined networking solution, facilitates application agility and data center automation with two important concepts from SDN solution, overlays and centralized control. ACI is a is a well defined architecture with centralised automation and policy-driven application profiles. ACI uses a centralised controller called the Application Policy Infrastructure Controller (APIC),It is the controller that creates application policies for the data center infrastructure.

2. What are the three components of ACI architecture .?
Application Network Profile (ANP)– a collection of end-point groups (EPG), their connections, and the policies that define those connections
Application Policy Infrastructure Controller (APIC)– a centralized software controller that manages downstream switches and act as management plane.
ACI fabric : This is connection of Spine and Leaf switches. In the ACI world Spine and Leaf are the Cisco Nexus 9000 Series Switches (N9k) , and they are act as Control and the Data plane of the ACI. It is running re written version of NX-OS in ACI mode.

3. Describe about ACI Fabric connection terminology.?
• You should use One or more spine switches to be connected to each Leaf, Models supported are Cisco Nexus 9336PQ, 9504, 9508, or 9516 switches
• You should use One or more leaf switches to be connected to End Points and APIC cluster , Models supported are Cisco Nexus 93128TX, 9332PQ, 9372PX, 9372PX-E, 9372TX, 9396PX, or 9396TX etc switches
• Spin switches can be connected to leaf switches but not each other.
• Leaf switches can be connected only to spine switches and endpoint devices including APIC devices , so this means APIC will be connected only to Leaf switches
• ACI Switches are not running spanning tree.
• Minimum 3 APIC controller should require in ACI fabric
• Max APIC can be used are 5
• Max Spine switches can be used are 6
• Max Leaf switches can be used are 200

4. What is the use of Application Policy Infrastructure Controller (APIC) on ACI Fabric.?
This is the network controller is responsible for provisioning policies to physical and virtual devices that belong to an ACI fabric. Minimum a cluster of three controllers is used. Following are the main APIC features.

  • Application and topology monitoring and troubleshooting
  • APIC shows Physical and logical topology (who is connected to whome)
  • Third-party integration (Layer 4 through Layer 7 [L4-L7] services & VMware vCenter/ vShield)
  • Image management (spine and leaf)
  • Cisco ACI inventory and configuration
  • Implementation on a distributed framework across a cluster of appliances
  • Health scores for critical managed objects (tenants, application profiles, switches, etc.)
  • Fault, event, and performance management
  • Cisco Application Virtual Switch (AVS), which can be used as a virtual leaf switch

5. How Cisco ACI differs from other SDN controllers.?
Open SDN architecture separates control plane and data plane . Control plane resides on the central controller and data plane resides on switches. If the switches lost connection to controller, it won’t function for new connections and applying traffic policies. In CIsco ACI architecture , the APIC is not control plane, rather switches still hold control plane and data plane and can function properly if the controller down.

6. What are the different object model implementation in ACI.?
Within the ACI object model, there are essentially three stages of implementation of the model, the Logical Model, the Resolved Model, and the Concrete Model.
Logical Model: The logical model is the interface for the system. Administrators are interacting with the logical model through the API, CLI, or GUI. This is a Policy layer which include endpoint configuration on the controller .Changes to the logical model are then pushed down to the concrete model, which becomes the hardware and software configuration.
Resolved Model : The Resolved Model is the abstract model expression that the APIC resolves from the logical model. This is essentially the elemental configuration components that would be delivered to the physical infrastructure when the policy must be executed (such as when an endpoint connects to a leaf)
Concrete Model : The Concrete Model is the actual in-state configuration delivered to each individual fabric member based on the resolved model and the Endpoints attached to the fabric.This is include actual configuration of device and resides on fabric (spines and leafes )

7.What is Policy layer and Concrete Layer in ACI model.?
Concrete layer is the ACI fabric and policy layer is controllers

8.What you mean by Tenant .?
Basically a Tenant (fvTenant) is logical container for application policies to isolate switching and routing function. A tenant represents a unit of isolation from a policy perspective, but it does not represent a private network. Tenants can represent a customer in a service provider setting, an organisation or domain in an enterprise setting, or just a convenient grouping of policies.
Four types of Tenant available

  1. User
  2. Common
  3. Management
  4. Infra

9 . Difference between management tenant and infrastructure tenant.?
Management Tenant : Used for infrastructure discovery and also used for all communication/integration with virtual machine controllers. It has separate Out Of Band (OOB) address space for APIC to Fabric communication, it is using to connect all fabric management interfaces
Infrastructure Tenant : It governs operation of fabric resources like allocating VXLAN overlays and allows fabric administrator to deploy selective shared services to tenants

10.What you mean by Context/VRF on ACI .?
The top level network construct within an ACI tenant is the VRF or Context . It is called as tenant network and available as ‘private network’ in the ACI GUI .Following are the important point about VRF’s
• A VRF defines Layer 3 address domain
• One or more bridge domain can associated with VRF
• All of the endpoints within the Layer 3 domain (VRF) must have unique IP addresses because it is possible to forward packets directly between these devices if the policy allows it.
• A tenant can contain multiple VRFs How ARP handled by ACI.?

Below are some of the additional questions available on PDF

  • How ARP and broadcast handled by ACI.?
  • Why and when you require contract in ACI Fabric.?
  • How to perform unicast routing on ACI.?
  • In Fabric, which switch will act as default gateway for pertucler subnet.?
  • How Cisco ACI differentiate Layer 2 traffic and Layer 3 traffic.?
  • How VLAN working in Cisco ACI.?
  • How can you configure trunk and access port on ACI.?
  • What is micro segmentation and how to configure.?
  • How to configure inter-VRF and Inter-tenant communication.?
  • How can you integrate Cisco ACI with VmWare.?
  • Explain about ACI fabric discovery process .?
  • Explain about traffic flow lookup on ACI fabric.?

Interested to know about the detailed answers of above questions along with other exclusive commonly asked 30 interview questions.? You can download PDF copy of 50 interview Q&A from here by contributing small perks to support our efforts. Please send email to ‘beginnersforum@gmail.com‘ for PayPal payment option.

Hope you have enjoyed reading. Kindly share your feedback/suggestions in the comments section. For Q&A posts on other topics, please click here.