Splunk

What is Splunk and How it works? An Overview and Its Use Cases

March 23, 2022 Leave a Comment

History & Origin of Splunk

Rob Das and Eric Swan co-founded this technology in the year 2003 as a solution to all the questions raised while investigating the information caves that most companies face. The name ‘Splunk’ is derived from the word ‘spelunking’, which means exploring information caves. It was developed as a search engine for log files stored in a system’s infrastructure. The first version of Splunk was launched in 2004 which was well received by its end users. Slowly and gradually, it became viral among most of the companies, and they started buying its enterprise licenses. The founders’ main goal is to market this developing technology in bulk so that it can be deployed in almost all types of use cases.

What is Splunk?

Splunk is an advanced, scalable, and effective technology that indexes and searches the log files stored in the system. It analyzes the machine-generated data to provide operational intelligence. The main advantage of using Splunk is that it does not require a database to store its data, as it makes extensive use of its indexes to store the data. Splunk is a software primarily used to discover, monitor, and investigate machine-generated Big Data through a web-style interface. Splunk captures, indexes, and correlates real-time data into a searchable container from which it can generate graphs, reports, alerts, dashboards, and visualizations. Its purpose is to make machine-generated data available on an organization and capable of recognizing data patterns, producing metrics, diagnosing problems, and providing intelligence for business operations purposes. Splunk is a technology that is used for application management, security, and compliance, as well as business and web analytics.

Features of Splunk

  • Visibility: it allows us to collect non-security and security data across organizational silos and multi-cloud environments for better investigations and incident response.
  • Efficiency and context: it allows to de-duplicate, collect, aggregate, and prioritize the threat intelligence from different sources improving the security investigations and efficiency as security operations are streamlined.
  • Flexibility: it is a modern platform of big data that allows you to solve and scale security use cases for your security operations center, compliance, and security operations. It is quite flexible and can be deployed on the cloud, on-premises, or hybrid environment.
  • Behavioral analytics: by making use of machine learning detected issues you can optimize the security operations and speed up the investigation, reduce complexity, and respond to attacks and threats faster.

Benefits of Splunk

  • Get access to create dashboards, graphs, and alerts
  • Faster troubleshooting with instant results
  • Best suited for root cause analysis
  • Enhanced GUI with dashboards
  • Monitor business metrics for informed decision making
  • Investigate and search for specific results
  • Better log management from multiple sources
  • It is artificial intelligence coupled with traditional SIEM as a Service.
  • Accepts data in multiple formats
  • Can create one central repository for Splunk data collected from multiple sources

Why use Splunk?

Below is the list of top 10 uses of Splunk are as follows:

  1. Search Processing Language
  2. It provides a variety of Apps, Add-ons and Data sources
  3. Indexes and Events
  4. It is Scalable and has no Backend
  5. Reporting and Alerting
  6. Monitoring and Diagnosis made easy
  7. Troubleshooting made easier
  8. Analyze system performance
  9. Dashboards to visualize and analyze results
  10. Store and retrieve data

Advantages of Splunk

A few benefits of using Splunk are:

  • Increased efficiencies across the business
  • Good visibility
  • Huge time saving
  • Improved resource utilization

Disadvantages of an Splunk

It can get expensive for large data volumes.
Optimizing searches for speed is more art than science.
Dashboards are functional but not as nice as tableau
IT is constantly embarking on attempts to replace it with open source alternatives, which is a distraction

Best Splunk Alternative

  • SolarWinds Security Event Manager (SEM)
  • Elastic Stack (ELK Stack)
  • Sumo Logic
  • Fluentd
  • Sentry
  • LogFaces

Best Resources to Learn Splunk

https://www.youtube.com/

https://www.devopsschool.com/blog/

Free Video Tutorials Splunk

Splunk Interview Questions and Answers

Question 1. What Is Splunk?
Answer: Splunk is Google for your machine data. It’s a software/Engine which can be used for searching, visualizing, monitoring, reporting, etc of your enterprise data. Splunk takes valuable machine data and turns it into powerful operational intelligence by providing real-time insight to your data through charts, alerts, reports, etc.

Question 2. What Are Components Of Splunk/Splunk Architecture?
Answer: Below are components of Splunk:
Search head – provides GUI for searching
Indexer – indexes machine data
Forwarder -Forwards logs to Indexer
Deployment server -Manges Splunk components in a distributed environment
Python Interview Questions

Question 3. Which Is Latest Splunk Version In Use?
Answer: Splunk 6.3.

Question 4. What Is Splunk Indexer? what Are Stages Of Splunk Indexing?
Answer: The indexer is the Splunk Enterprise component that creates and manages indexes. The primary functions of an indexer are:
Indexing incoming data.
Searching the indexed data.
Python Tutorial

Question 5. What Is A Splunk Forwarder And What Are Types Of Splunk Forwarder?
Answer: There are two types of Splunk forwarder as below:
universal forwarder(UF) -Splunk agent installed on the non-Splunk system to gather data locally, can’t parse or index data
Heavyweight forwarder(HWF) – a full instance of Splunk with advanced functionality.
Generally works as a remote collector, intermediate forwarder, and possible data filter because they parse data, they are not recommended for production systems.

Question 6. What Are the Most Important Configuration Files Of Splunk Or Can You Tell Name Of Few Important Configuration Files In Splunk?
Answer :

props.conf
indexes.conf
inputs.conf
transforms.conf
server.conf

Question 7. What Are Types Of Splunk Licenses?
Answer :
Enterprise license
Free license
Forwarder license
Beta license
Licenses for search heads (for distributed search)
Licenses for cluster members (for index replication)
Informatica Tutorial Adv Java Interview Questions

Question 8. What Is Splunk App?
Answer: Splunk app is a container/directory of configurations, searches, dashboards, etc.

Question 9. Where Does Splunk Default Configuration Is Stored?
Answer : $splunkhome/etc/system/default

Question 10. What Features Are Not Available In Splunk Free?
Answer: Splunk free lacks these features:

Authentication and scheduled searches/alerting
Distributed search
Forwarding in TCP/HTTP (to non-Splunk)
Deployment management
Adv Java Tutorial

Question 11. What Happens If The License Master Is Unreachable?
Answer: License slave will start a 24-hour timer, after which search will be blocked on the license slave (though indexing continues). users Will is not able to search data in that slave until it can reach license master again.

Question 12. What Is Summary Index In Splunk?
Answer: The Summary index is the default summary index (the index that Splunk Enterprise uses if you do not indicate another one).
If you plan to run a variety of summary index reports you may need to create additional summary indexes.

Question 13. What Is Splunk Db Connect?
Answer: Splunk DB Connect is a generic SQL database plugin for Splunk that allows you to easily integrate database information with Splunk queries and reports.

Question 14. Can You Write Down A General Regular Expression For Extracting Ip Address From Logs?
Answer: There are multiple ways we can extract IP addresses from logs. Below are a few examples.

Regular Expression for extracting ip address:

rex field=_raw “(?d+.d+.d+.d+)”
OR
rex field=_raw “(?([0-9]{1,3}[.]){3}[0-9]{1,3})”

Question 15. What Is Difference Between Stats Vs Transaction Command?

Answer: The transaction command is most useful in two specific cases:

Unique id (from one or more fields) alone is not sufficient to discriminate between two transactions. This is the case when the identifier is reused, for example, web sessions identified by cookie/client IP. In this case, time spans or pauses are also used to segment the data into transactions. In other cases when an identifier is reused, say in DHCP logs, a particular message may identify the beginning or end of a transaction. When it is desirable to see the raw text of the events combined rather than analysis on the constituent fields of the events.

In other cases, it’s usually better to use stats as the performance is higher, especially in a distributed search environment. Often there is a unique id and stats can be used.

Question 16. How To Troubleshoot Splunk Performance Issues?

Answer :
Check splunkd.log for any errors
Check server performance issues i.e. cpu/memory usage, disk i/o, etc
Install SOS (Splunk on Splunk) app and check for warnings and errors in the dashboard

check a number of saved searches currently running and their system resources consumption install Firebug, which is a firefox extension. After it’s installed and enabled, log into Splunk (using firefox), open firebug’s panels, switch to the ‘Net’ panel (you will have to enable it). The Net panel will show you the HTTP requests and responses along with the time spent in each. This will give you a lot of information quickly over which requests are hanging Splunk for a few seconds, and which are blameless. etc…

Question 17. What Are Buckets? Explain Splunk Bucket Lifecycle?
Answer: Splunk places indexed data in directories, called “buckets”. It is physically a directory containing events of a certain period.
A bucket moves through several stages as it ages:

Hot: Contains newly indexed data. Open for writing. One or more hot buckets for each index.
Warm: Data rolled from hot. There are many warm buckets.
Colld: Data rolled from warm. There are many cold buckets.
Frozen: Data rolled from cold. The indexer deletes frozen data by default, but you can also archive it. Archived data can later be thawed (Data in frozen buckets is not searchable)
By default, your buckets are located in $SPLUNK_HOME/var/lib/Splunk/defaultdb/DB. You should see the hot-db there, and any warm buckets you have. By default, Splunk sets the bucket size to 10GB for 64bit systems and 750MB on 32bit systems.

Question 18. What Is The Difference Between Stats And Eventstats Commands?
Answer: Stats command generates summary statistics of all existing fields in your search results and saves them as values in new fields. Eventstats is similar to the stats command, except that aggregation results are added inline to each event and only if the aggregation is pertinent to that event. event stats computes the requested statistics like stats but aggregates them to the original raw data.

Question 19. Who Are The Biggest Direct Competitors To Splunk?
Answer :
logstash
Loggly
LogLogic
sumo logic etc.

Question 20. How Does Splunk Determine 1 Day, From A Licensing Perspective?
Answer: Midnight to midnight on the clock of the license master.

Rajesh Kumar
Follow me
Latest posts by Rajesh Kumar (see all)
Subscribe
Notify of
guest
0 Comments
Inline Feedbacks
View all comments
0
Would love your thoughts, please comment.x
()
x