Splunk Interview Questions and Answers Part – 3

Of the following, which is the best description of Splunk?

  • Splunk is a log collector.
  • Splunk is a business intelligence tool.
  • Splunk is operational intelligence that consumes and makes machine data useable and valuable. (Ans)
  • Splunk is an alerting tool.

What are the building blocks of a Splunk App?

  • Configuration files (Ans)
  • Data sources
  • Reports
  • Pivots

Where is the best place to get help for Splunk?

  • reddit.com
  • answers.splunk.com (Ans)
  • stackoverflow.com
  • blogs

What is the primary way in which the timechart command differs from the chart command?

  • There is no difference. timechart is just a shortcut for chart with a specified x-axis of _time.
  • timechart does not take a span argument. chart does.
  • chart forces the x-axis to be _time. timechart does not.
  • timechart forces the x-axis to be _time. chart does not. (Ans)

Another way to say | is

  • “take the output of the commands before it, then do this with the input.”
  • “take the input of the commands before it, then do this with the output.”
  • “take the output of the commands before it, then do this with the output.” (Ans)
  • “take the output of the commands after it, then do this with the output.”

What is one of the differences between a heavy forwarder and a universal forwarder?

  • A universal forwarder is a complete installation of Splunk; a heavy forwarder is a light agent.
  • A heavy forwarder is a complete installation of Splunk; a universal forwarder is a light agent. (Ans)
  • Heavy forwarders are limited in their functionality, but universal forwarders can do advanced things like route data.
  • The only difference is the type of machine you install the forwarder on.

Which search mode will Splunk default to if your search specifies fields?

  • Fast (Ans)
  • Smart
  • Verbose
  • Heavy

What is “the language of Splunk” known as?

  • SSL: Splunk Search Language
  • SQL: Splunk Query Language
  • SPL: Splunk Processing Language (Ans)
  • SEL: Splunk Execution Language

The default Splunk forwarding and management ports are, respectively:

  • 8088, 9998
  • 9997, 8089 (Ans)
  • 9997, 8087
  • 443, 9797

Splunk assigns which three fields as default metadata?

  • host, source, sourcetype (Ans)
  • host, ip, port
  • host, hostname, source
  • host, sourcetype, ip

What is the purpose of a lookup?

  • Allows you to add custom fields to events from external sources, like csv files. (Ans)
  • Allows Splunk to examine semantic knowledge objects.
  • Allows users to build custom reports based on data models.
  • Keeps a record of all previous searches, so that Splunk can look them up later.

Searches in the search pipeline go from

  • general to specific. (Ans)
  • specific to general.
  • middle out.
  • bottom up.

What’s wrong with this search?

  host=homework user=* status=failed stats count(status) BY user | rename count(status) as "Number of Failed Logins"

  • count is not a stats function.
  • You need to have a | before the stats command. (Ans)
  • The rename command is invalid because you cannot rename a field to a phrase.
  • This search is valid.

Which type of authentication method does Splunk recommend for anything other than a small deployment?

  • Local
  • SAML
  • LDAP/AD (Ans)
  • Scripted

The rare function returns ______, while the top function returns ______.

  • a visualization with _time on the x axis; a visualization with a specified field on the x axis
  • limits; thresholds
  • least common values; most common values (Ans)
  • top ten common values; top ten uncommon values

The Enterprise Trial license is valid for ______, after which point it will convert to a ______ license.

  • 60 days; free (Ans)
  • 30 days; limited functionality
  • 30 days; free
  • 60 days; limited functionality

Heavy forwarders

  • require a universal license.
  • require an enterprise license.
  • do not require a license.
  • require a forwarder license. (Ans)

Of the following, which best describes the difference between a tag and an event type?

  • There is no difference.
  • Tags are more complex knowledge objects than event types.
  • Tags are much more powerful than event types, because they can contain multiple fields.
  • Event types can contain multiple fields, while tags can only contain one. (Ans)

Which of the following is not one of the four major functions of Splunk?

  • Parsing
  • Input
  • Compressing (Ans)
  • Indexing
  • Searching

The structure of Splunk configuration files is:

  • key=value [stanza]
  • [stanza] [sub-stanza]
  • [stanza] attribute=value (Ans)
  • savedsearch=value [stanza]

Rajesh Kumar