{"id":8831,"date":"2020-01-16T10:06:54","date_gmt":"2020-01-16T10:06:54","guid":{"rendered":"https:\/\/www.devopsschool.com\/blog\/?p=8831"},"modified":"2021-11-13T10:57:42","modified_gmt":"2021-11-13T10:57:42","slug":"splunk-interview-questions-and-answer-part-2-2","status":"publish","type":"post","link":"https:\/\/www.devopsschool.com\/blog\/splunk-interview-questions-and-answer-part-2-2\/","title":{"rendered":"Splunk Interview Questions and Answer Part \u2013 3"},"content":{"rendered":"\n<p><strong>Of the following, which is the best description of Splunk?<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>Splunk is a log collector.<\/li><li>Splunk is a business intelligence tool.<\/li><li><strong>Splunk is operational intelligence that consumes and makes machine data useable and valuable. (Ans)<\/strong><\/li><li>Splunk is an alerting tool.<\/li><\/ul>\n\n\n\n<p><strong>What are the building blocks of a Splunk App?<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\"><li><strong>Configuration files (Ans)<\/strong><\/li><li>Data sources<\/li><li>Reports<\/li><li>Pivots<\/li><\/ul>\n\n\n\n<p><strong>Where is the best place to get help for Splunk?<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>reddit.com<\/li><li><strong>answers.splunk.com (Ans)<\/strong><\/li><li>stackoverflow.com<\/li><li>blogs<\/li><\/ul>\n\n\n\n<p><strong>What is the primary way in which the timechart command differs from the chart  command?<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>There is no difference. timechart  is just a shortcut for chart  with a specified x-axis of _time .<\/li><li>timechart does not take a span  argument. chart  does.<\/li><li>chart forces the x-axis to be _time. timechart does not.<\/li><li><strong>timechart forces the x-axis to be _time. chart  does not. 
(Ans)<\/strong><\/li><\/ul>\n\n\n\n<p><strong>Another way to say | is<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>&#8220;take the output of the commands before it, then do this with the input.&#8221;<\/li><li>&#8220;take the input of the commands before it, then do this with the output.&#8221;<\/li><li><strong>&#8220;take the output of the commands before it, then do this with the output.&#8221; (Ans)<\/strong><\/li><li>&#8220;take the output of the commands after it, then do this with the output.&#8221;<\/li><\/ul>\n\n\n\n<p><strong>What is one of the differences between a heavy forwarder and a universal forwarder?<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>A universal forwarder is a complete installation of Splunk; a heavy forwarder is a light agent.<\/li><li><strong>A heavy forwarder is a complete installation of Splunk; a universal forwarder is a light agent. (Ans)<\/strong><\/li><li>Heavy forwarders are limited in their functionality, but universal forwarders can do advanced things like route data.<\/li><li>The only difference is the type of machine you install the forwarder on.<\/li><\/ul>\n\n\n\n<p><strong>Which search mode will Splunk default to if your search specifies fields?<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\"><li><strong>Fast (Ans)<\/strong><\/li><li>Smart<\/li><li>Verbose<\/li><li>Heavy<\/li><\/ul>\n\n\n\n<p><strong>What is &#8220;the language of Splunk&#8221; known as?<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>SSL: Splunk Search Language<\/li><li>SQL: Splunk Query Language<\/li><li><strong>SPL: Splunk Processing Language (Ans)<\/strong><\/li><li>SEL: Splunk Execution Language<\/li><\/ul>\n\n\n\n<p><strong>The default Splunk forwarding and management ports are, respectively<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>8088, 9998<\/li><li><strong>9997, 8089 (Ans)<\/strong><\/li><li>9997, 8087<\/li><li>443, 9797<\/li><\/ul>\n\n\n\n<p><strong>Splunk assigns which three fields as default 
metadata?<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\"><li><strong>host, source, source type (Ans)<\/strong><\/li><li>host, ip, port<\/li><li>host, hostname, source<\/li><li>host, sourcetype, ip<\/li><\/ul>\n\n\n\n<p><strong>What is the purpose of a lookup?<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\"><li><strong>Allows you to add custom fields to events from external sources, like csv files. (Ans)<\/strong><\/li><li>Allows Splunk to examine semantic knowledge objects.<\/li><li>Allows users to build custom reports based on data models.<\/li><li>Keeps a record of all previous searches, so that Splunk can look them up later.<\/li><\/ul>\n\n\n\n<p><strong>Searches in the search pipeline go from<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\"><li><strong>general to specific. (Ans)<\/strong><\/li><li>specific to general.<\/li><li>middle out.<\/li><li>bottom up.<\/li><\/ul>\n\n\n\n<p><strong>What&#8217;s wrong with this search?<br> host=homework user=* status=failed stats count(status) BY user | rename count(status) as &#8220;Number of Failed Logins&#8221; <\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>count is not a stats function.<\/li><li><strong>You need to have a |  before the stats  command. 
(Ans)<\/strong><\/li><li>The rename command is invalid because you cannot rename a field to a phrase.<\/li><li>This search is valid.<\/li><\/ul>\n\n\n\n<p><strong>Which type of authentication method does Splunk recommend for anything other than a small deployment?<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>Local<\/li><li>SAML<\/li><li><strong>LDAP\/AD (Ans)<\/strong><\/li><li>Scripted<\/li><\/ul>\n\n\n\n<p><strong>The rare function returns , while the top function returns .<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>a visualization with _time on the x axis; a visualization with a specified field on the x axis<\/li><li>limits; thresholds<\/li><li><strong>least common values; most common values (Ans)<\/strong><\/li><li>top ten common values; top ten uncommon values<\/li><\/ul>\n\n\n\n<p><strong>The Enterprise Trial license is valid for , after which point it will convert to a  license.<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\"><li><strong>60 days; free (Ans)<\/strong><\/li><li>30 days; limited functionality<\/li><li>30 days; free<\/li><li>60 days; limited functionality<\/li><\/ul>\n\n\n\n<p><strong>Heavy forwarders<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>require a universal license.<\/li><li>require an enterprise license.<\/li><li>do not require a license.<\/li><li><strong>require a forwarder license. (Ans)<\/strong><\/li><\/ul>\n\n\n\n<p><strong>Of the following, which best describes the difference between a tag and an event type?<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>There is no difference.<\/li><li>Tags are more complex knowledge objects than event types.<\/li><li>Tags are much more powerful than event types, because they can contain multiple fields.<\/li><li><strong>Event types can contain multiple fields, while tags can only contain one. 
(Ans)<\/strong><\/li><\/ul>\n\n\n\n<p><strong>Which of the following is not one of the four major functions of Splunk?<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>Parsing<\/li><li>Input<\/li><li><strong>Compressing (Ans)<\/strong><\/li><li>Indexing<\/li><li>Searching<\/li><\/ul>\n\n\n\n<p><strong>The structure of Splunk configuration files is:<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>key=value<br>[stanza]<\/li><li>[stanza]<br>[sub-stanza]<\/li><li><strong>[stanza]<br>attribute=value (Ans)<\/strong><\/li><li>savedsearch=value<br>[stanza]<\/li><\/ul>\n","protected":false},"excerpt":{"rendered":"<p>Of the following, which is the best description of Splunk? Splunk is a log collector. Splunk is a business intelligence tool. Splunk is operational intelligence that consumes and makes machine data useable and valuable. (Ans) Splunk is an alerting tool. What are the building blocks of a Splunk App? Configuration files (Ans) Data sources Reports&#8230;<\/p>\n","protected":false},"author":1,"featured_media":9534,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_kad_post_transparent":"","_kad_post_title":"","_kad_post_layout":"","_kad_post_sidebar_id":"","_kad_post_content_style":"","_kad_post_vertical_padding":"","_kad_post_feature":"","_kad_post_feature_position":"","_kad_post_header":false,"_kad_post_footer":false,"_kad_post_classname":"","_joinchat":[],"footnotes":""},"categories":[5207],"tags":[766,482,991,5686],"class_list":["post-8831","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-splunk","tag-interview","tag-questions","tag-splunk","tag-splunk-app"],"_links":{"self":[{"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/posts\/8831","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/comments?post=8831"}],"version-history":[{"count":3,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/posts\/883
1\/revisions"}],"predecessor-version":[{"id":25107,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/posts\/8831\/revisions\/25107"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/media\/9534"}],"wp:attachment":[{"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/media?parent=8831"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/categories?post=8831"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/tags?post=8831"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}