Splunk Interview Questions and Answers – Part II
In our previous post, we had covered few questions and answers on Splunk. This is the second post from that series where we will be adding a few more important technical details. Without much of an intro, let’s get directly into the details..
- What are Buckets? Explain Splunk Bucket Lifecycle.
Buckets are directories that store the indexed data in Splunk. So, it is a physical directory that chronicles the events of a specific period. A bucket undergoes several stages of transformation over time. They are:
- Hot – A hot bucket comprises of the newly indexed data, and hence, it is open for writing and new additions. An index can have one or more hot buckets.
- Warm – A warm bucket contains the data that is rolled out from a hot bucket.
- Cold – A cold bucket has data that is rolled out from a warm bucket.
- Frozen – A frozen bucket contains the data rolled out from a cold bucket. The Splunk Indexer deletes the frozen data by default. However, there’s an option to archive it. An important thing to remember here is that frozen data is not searchable.
- Define Sourcetype in Splunk.
In Splunk, Sourcetype refers to the default field that is used to identify the data structure of an incoming event. Sourcetype should be set at the forwarder level for indexer extraction to help identify different data formats. It determines how Splunk Enterprise formats the data during the indexing process.
———————————————————
- Explain the difference between Stats and Eventstats commands.
In Splunk, the Stats command is used to generate the summary statistics of all the existing fields in the search results and save them as values in newly created fields. Although the Eventstats command is pretty similar to the Stats command, it adds the aggregation results inline to each event (if only the aggregation is pertinent to that particular event). So, while both the commands compute the requested statistics, the Eventstats command aggregates the statistics into the original raw data.
- Differentiate between Splunk App and Add-on.
Splunk Apps refer to the complete collection of reports, dashboards, alerts, field extractions, and lookups. However, Splunk Add-ons only contain built-in configurations – they do not have dashboards or reports.
- What is the command to stop and start Splunk service?
The command to start Splunk service is: ./splunk start
The command to stop Splunk service is: ./splunk stop
- How can you clear the Splunk search history?
To clear the Splunk search history, you need to delete the following file from Splunk server:
$splunk_home/var/log/splunk/searches.log
———————————————————
- What is a Fishbucket and what is the Index for it?
Fishbucket is an index directory resting at the default location, that is:
/opt/splunk/var/lib/splunk
Fishbucket includes seek pointers and CRCs for the indexed files. To access the Fishbucket, you can use the GUI for searching:
index=_thefishbucket
- What is the Dispatch Directory?
The Dispatch Directory includes a directory for individual searches that are either running or have completed. The configuration for the Dispatch Directory is as follows:
$SPLUNK_HOME/var/run/splunk/dispatch
- How does Splunk avoid duplicate indexing of logs?
The Splunk Indexer keeps track of all the indexed events in a directory – the Fishbuckets directory that contains seek pointers and CRCs for all the files being indexed presently. So, if there’s any seek pointer or CRC that has been already read, splunkd will point it out.
That’s it in this post. We will soon be adding more Q&A in the next post in this series. Stay tuned.
Please share your feedback/queries in the comments section below.
