Interview Questions

1. What is Splunk?

Splunk is a big data tool or software platform that gathers machine-generated data from different sources such as application servers, web sites, routers, etc., and provides a Google-like search engine over that data. It can be used for searching, visualizing, monitoring, reporting, etc. of machine-generated data. Splunk turns machine data into operational intelligence by providing real-time insights through charts, alerts, reports, etc.

2. List the categories of SPL commands.

There are 6 major categories of search commands:

  • Distributed Streaming Command
  • Centralized Streaming Command
  • Transforming Command
  • Generating Command
  • Orchestrating Command
  • Dataset Processing Command


3. What is eval command used for?

  • The eval command is used to calculate an expression: mathematical expressions, Boolean expressions, string operations, etc.
  • You can write multiple eval expressions in a single eval command by separating them with commas.

4. What is replace command?

The replace command replaces specified field values with the required values.

5. What is the usage of stats command?

It calculates statistical aggregations over a dataset, such as count, sum, and average, with the help of its functions (e.g. count, sum, avg, etc.).

6. What is table command?

The table command returns a tabular view of the result set containing only the fields you name.

7. What does xyseries command do?

The xyseries command converts search results into a format suitable for graphical visualizations (e.g. line chart, area chart, column chart, etc.).

8. What is the use of spath command?

The spath command is used to extract fields from structured data formats such as JSON and XML.

9. How can we use the sort command to get ascending and descending order in a search?

sort +field (or simply sort field) displays results in ascending order.

sort -field displays results in descending order.

10. What is a join command?

It is used to combine the results of a subsearch with the results of the main search. The fields used for joining must be common to both result sets. You can also join a result set to itself using the selfjoin command in Splunk.

11. What is the difference between stats and timechart command?

i) The stats command is used to aggregate statistical calculations using functions like count, sum, avg, etc.

The timechart command is used to give search results in a graphical view according to the _time field.

ii) The stats command can group by more than one field.

The timechart command can group by only one field.
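As an added example (not from the original page), the two searches below produce the same hourly table of HTTP status counts: the first uses timechart, which can group by only one field; the second builds the same layout from bin, stats and xyseries, where the stats step could group by further fields. The index name web and the field status are assumptions.

```spl
index=web sourcetype=access_combined
| timechart span=1h count BY status

index=web sourcetype=access_combined
| bin _time span=1h
| stats count BY _time, status
| xyseries _time status count
```

One difference to keep in mind: timechart emits a row for every hour in the time range, filling empty buckets with zeros, while the bin/stats form emits rows only for hours that contained events.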

12. What is a regex command?

The regex command returns only the results that match the desired regular expression.

13. What is input lookup command?

The inputlookup command is used to return the contents of a lookup table in the search results.

14. What is the output lookup command?

The outputlookup command is used to write the result set to a lookup table.

15. Explain the use of the top command in Splunk.

The top command displays the count and percentage of occurrence of the values of a field in the result set [by default 10 values; this can be changed with the limit attribute].

16. What is the primary difference between stats and eventstats commands?

The stats command provides summary statistics of existing fields in the search output and stores them as values in new fields, returning one row per group instead of the original events. The eventstats command, on the other hand, adds the aggregation results as new fields to every event to which the aggregation applies, so the original events are retained.
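An added example, not from the page, of that difference on failed-login events: the first search uses eventstats to attach the per-source total to every event, so the individual events can still be filtered and inspected; the second uses stats, which collapses them into one summary row per source. The index auth and the fields action, user and src are assumptions.

```spl
index=auth action=failure
| eventstats count AS failures_from_src BY src
| where failures_from_src > 5
| table _time, src, user, failures_from_src

index=auth action=failure
| stats count AS failures_from_src, dc(user) AS distinct_users, values(user) AS users BY src
| where failures_from_src > 5
```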

17. What is the use of lookup command?

The lookup command is generally used to match your event data against an external file. It helps you narrow the search results by referencing fields in an external file that match fields in your event data.

18. Explain Stats vs Transaction commands.

The transaction command is used when a unique ID (from one or more fields) alone is not sufficient to discriminate between two transactions.

As an example, a mail server's logs contain the sender ID and the recipient ID in different events for the same MID. In this case we can use the transaction command to gather all the events for the same MID together.

In other cases, it is usually better to use stats.

Because the performance of the stats command is higher, it should be preferred especially in a distributed search environment.

If there is a unique ID, the stats command can be used.
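The mail-server case above as an added example (not from the page): the first search stitches the sender and recipient events for each MID into one transaction; the second recovers the same grouping with stats, which is usually faster and distributes better across indexers. The index mail and the fields mid, sender and recipient are assumptions.

```spl
index=mail mid=*
| transaction mid maxspan=10m
| table _time, mid, sender, recipient, duration, eventcount

index=mail mid=*
| stats min(_time) AS first_seen, max(_time) AS last_seen, values(sender) AS sender, values(recipient) AS recipient, count AS eventcount BY mid
| eval duration=last_seen-first_seen
```

The duration and eventcount fields are created automatically by transaction; the stats form computes the same values explicitly.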

19. What is the use of Splunk alert?

Alerts are used when you want to monitor for and respond to specific events, for example sending an email notification to the user when there are more than five failed login attempts in a 24-hour period.
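An added example (not the page's own) of the search behind such an alert, run over the last 24 hours and saved with the trigger condition "number of results is greater than 0". The index auth and the fields action, user and src are assumptions; the eval line also shows several expressions in one eval command separated by commas, and sort -field gives descending order.

```spl
index=auth action=failure earliest=-24h
| stats count AS failed_logins, dc(src) AS distinct_sources, earliest(_time) AS first_failure, latest(_time) AS last_failure BY user
| where failed_logins > 5
| eval first_failure=strftime(first_failure, "%Y-%m-%d %H:%M:%S"), last_failure=strftime(last_failure, "%Y-%m-%d %H:%M:%S"), severity=if(distinct_sources > 1, "high", "medium")
| sort -failed_logins
| table user, failed_logins, distinct_sources, severity, first_failure, last_failure
```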

20. How can you extract fields?

There are mainly two ways to extract fields in Splunk from the GUI:

  1. Interactive Field Extractor (IFX)
  2. Regular expressions (using the rex command)
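An added example (not from the page) of the rex approach on a constructed sshd-style log line: makeresults creates a single event, eval sets its _raw text, and rex pulls out three named fields. The log line and the field names user, src_ip and src_port are constructed for the example.

```spl
| makeresults
| eval _raw="Failed password for invalid user admin from 203.0.113.5 port 4242 ssh2"
| rex field=_raw "Failed password for (invalid user )?(?<user>\S+) from (?<src_ip>\d{1,3}(?:\.\d{1,3}){3}) port (?<src_port>\d+)"
| table user, src_ip, src_port
```

The same rex line can be applied to real events by replacing the makeresults/eval stage with an index search; the optional group (invalid user ) makes the pattern cover both valid and invalid usernames.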

21. Explain pivot and data models.

Pivots are used to create front-end views of your output and then choose the proper filters for a better view of that output. Both options are beneficial for people from a semi-technical or non-technical background.

Data models are most commonly used for creating a hierarchical model of data. However, they can also be used when you have a large amount of unstructured data; they help you make use of that information without writing complicated search queries.

22. What are the default fields for an event in Splunk?

There are 5 default fields which are hard coded with every event in Splunk. They are: 1) host, 2) source, 3) sourcetype, 4) index, and 5) timestamp.

23. What do you mean by summary index?

A summary index is a special index that stores the results calculated by scheduled searches in Splunk. It returns the result set of a query faster than a normal search.

24. Name features which are not available in the Splunk free version.

The Splunk free version lacks the following features:

  1. Distributed searching
  2. Forwarding over HTTP or TCP
  3. Agile statistics and reporting with a real-time architecture
  4. Analysis, search, and visualization capabilities that empower users of all types
  5. Faster ROI generation

25. Explain the types of search modes in Splunk.

There are three types of search modes. They are:

Fast mode: It increases search speed by limiting the data returned.

Verbose mode: This mode returns all possible fields and event data.

Smart mode: It is the default setting in the Splunk search app. Smart mode toggles the search behavior based on whether the search contains transforming commands.

26. What is the main difference between source & sourcetype ?

The source identifies where a particular event originates, while the sourcetype determines the logical segregation of the incoming data stream into events according to its nature.

27. What are the alternatives and competitors of Splunk?

  1. Sumo Logic
  2. LogLogic
  3. Loggly
  4. Logstash

28. What are the versions of Splunk?

Splunk is available in three different versions. These versions are:

  • Splunk Enterprise
  • Splunk Light
  • Splunk Cloud

29. Are search terms in Splunk case sensitive?

No, search terms in Splunk are not case sensitive.

30. Can search results be used to change the existing search?

Yes, the search result can be used to make changes in an existing search.

31. List out layout options for search results.

The following are a few layout options for search results:

  1. List
  2. Table
  3. Raw

32. List various types of Splunk dashboards.

  1. Dynamic form-based dashboards
  2. Dashboards as scheduled reports
  3. Real time dashboards

33. Explain types of Boolean operators in Splunk.

Splunk supports three Boolean operators; they are:

  1. AND: It is implied between two terms, so you do not need to write it.
  2. OR: It specifies that either one of the two arguments should be true.
  3. NOT: It is used to filter out events containing a specific word.

34. What are the formats in which search result be exported?

Splunk search results can be exported in JSON, CSV, XML, and PDF formats.

35. What is the usage of tags in Splunk?

Tags are simply names given to specific field-value pairs. The field can be event type, source, sourcetype, host, or any other field.

36. Define calculated fields?

Calculated fields are fields that perform a calculation using the values of two fields available in a specific event.

37. How to add summary statistics to all results in a streaming manner?

The streamstats command can be used to add summary statistics to results cumulatively, in the order in which the events are processed.

38. How to remove duplicate events having common values?

The dedup command is used to remove duplicate events having common values.
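An added example serving questions 37 and 38 (not the page's own): streamstats keeps a running count of failures per user as the events flow through in time order, the where clause keeps only events from the fifth failure onwards, and dedup then keeps the latest event per user, which carries that user's final running count. The index auth and the fields action, user and src are assumptions.

```spl
index=auth action=failure
| sort 0 _time
| streamstats count AS running_failures BY user
| where running_failures >= 5
| dedup user sortby -_time
| table _time, user, src, running_failures
```

sort 0 removes the default result limit so that every event is counted; dedup with sortby -_time orders newest first before keeping the first event for each user.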

39. Define reports in Splunk.

Reports are saved search results that show the visualization and statistics of a particular event.

40. Define dashboard in Splunk.

A dashboard can be defined as a collection of views made up of various panels.