{"id":8867,"date":"2020-01-17T05:52:26","date_gmt":"2020-01-17T05:52:26","guid":{"rendered":"https:\/\/www.devopsschool.com\/blog\/?p=8867"},"modified":"2021-11-13T10:57:26","modified_gmt":"2021-11-13T10:57:26","slug":"splunk-interview-questions-and-answer-part-4","status":"publish","type":"post","link":"https:\/\/www.devopsschool.com\/blog\/splunk-interview-questions-and-answer-part-4\/","title":{"rendered":"Splunk Interview Questions and Answer Part \u2013 4"},"content":{"rendered":"\n<p><strong>Which file is used for role and mapping?<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\"><li><strong>authorize.conf (Ans)<\/strong><\/li><li>authorizes.conf<\/li><li>authentication.conf<\/li><li>limits.conf<\/li><\/ul>\n\n\n\n<p><strong>You cannot search data in the frozen stage of a bucket<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\"><li><strong>True (Ans)<\/strong><\/li><li>False<\/li><\/ul>\n\n\n\n<p><strong>Attribute in indexes.conf that freezes data when it grows too old<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\"><li><strong>frozenTimePeriodInSecs (Ans)<\/strong><\/li><li>frozenTimePeriodInMinutes<\/li><li>frozenTimePeriodInHour<\/li><li>MaxDataSizeInMb<\/li><\/ul>\n\n\n\n<p><strong>Which Splunk license does not exist?<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\"><li><strong>search head (Ans)<\/strong><\/li><li>forwarder<\/li><li>free<\/li><li>Splunk Enterprise<\/li><\/ul>\n\n\n\n<p><strong>You cannot back up hot buckets<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>Yes, you cannot<\/li><li>No, you can back up hot buckets<\/li><li>You can back up hot buckets as well; you need to take a snapshot of the files using a tool like VSS.<\/li><li><strong>It's not possible to take a backup of hot buckets (Ans)<\/strong><\/li><\/ul>\n\n\n\n<p><strong>Why should you create multiple indexes?<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>To control user access.<\/li><li>To accommodate varying retention policies.<\/li><li>To speed searches in 
certain situations.<\/li><li><strong>All of the above. (Ans)<\/strong><\/li><\/ul>\n\n\n\n<p><strong>Which command deletes only the data in the web index?<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\"><li><strong>splunk clean eventdata -index web (Ans)<\/strong><\/li><li>splunk clean eventdata<\/li><li>splunk remove -index web<\/li><li>splunk disable -index web<\/li><\/ul>\n\n\n\n<p><strong>What is the use of an add-on in Splunk?<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>To create dashboards<\/li><li>To run only scripts<\/li><li><strong>To extract fields, parsing, etc., but not to provide dashboards (Ans)<\/strong><\/li><li>To replace App<\/li><\/ul>\n\n\n\n<p><strong>In which index are events from the file system change monitor, auditing, and all user search history stored?<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>audit<\/li><li><strong>_audit (Ans)<\/strong><\/li><li>index<\/li><li>_index<\/li><li>main<\/li><\/ul>\n\n\n\n<p><strong>Can you create a new index starting with _ in the Splunk web GUI?<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>Yes<\/li><li><strong>No (Ans)<\/strong><\/li><li>You can create but it is not recommended by Splunk<\/li><\/ul>\n\n\n\n<p><strong>The deployment server pushes configuration files to the deployment client<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>True<\/li><li><strong>False (Ans)<\/strong><\/li><\/ul>\n\n\n\n<p><strong>Which configuration file does the deployment client use to connect to the deployment server?<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>serverclass.conf<\/li><li><strong>deploymentclient.conf (Ans)<\/strong><\/li><li>inputs.conf<\/li><li>outputs.conf<\/li><\/ul>\n\n\n\n<p><strong>A universal forwarder can index data<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>True<\/li><li><strong>False (Ans)<\/strong><\/li><\/ul>\n\n\n\n<p><strong>Which component should not have a web GUI?<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>Search Head<\/li><li>Deployment 
Server<\/li><li><strong>Universal Forwarder (Ans)<\/strong><\/li><li>Heavy Forwarder<\/li><\/ul>\n\n\n\n<p><strong>A search head cannot index data.<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>True<\/li><li><strong>False (Ans)<\/strong><\/li><\/ul>\n\n\n\n<p><strong>Which index includes Splunk Enterprise internal logs and metrics?<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\"><li><strong>_internal (Ans)<\/strong><\/li><li>audit<\/li><li>main<\/li><li>_audit<\/li><\/ul>\n\n\n\n<p><strong>The deployment server does not automatically deploy apps when you edit through forwarder management.<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>True<\/li><li><strong>False (Ans)<\/strong><\/li><\/ul>\n\n\n\n<p><strong>The deployment server does not automatically deploy apps in response to direct edits of serverclass.conf<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\"><li><strong>True (Ans)<\/strong><\/li><li>False<\/li><\/ul>\n\n\n\n<p><strong>How many clients can a dedicated deployment server handle?<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>50<\/li><li>100<\/li><li>400<\/li><li><strong>500 &#8211; 1000 clients, or even more; it depends on the periodicity and the size of the bundles to deploy. 
(Ans)<\/strong><\/li><\/ul>\n\n\n\n<p><strong>Which is used in a script stanza?<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>monitor<\/li><li><strong>script (Ans)<\/strong><\/li><li>fschange<\/li><\/ul>\n\n\n\n<p><strong>Which attribute can be used to run a script every 5 minutes?<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>interval = 5<\/li><li><strong>interval = 300 (Ans)<\/strong><\/li><li>interval = 1800<\/li><li>cron = 300<\/li><\/ul>\n\n\n\n<p><strong>Which can be used in a stanza to destroy a file after reading it?<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>fschange<\/li><li>monitor<\/li><li><strong>batch (Ans)<\/strong><\/li><li>destroy<\/li><\/ul>\n\n\n\n<p><strong>To receive data from a forwarder on an indexer, which is used in the stanza in inputs.conf?<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>tcp<\/li><li><strong>splunktcp (Ans)<\/strong><\/li><li>udp<\/li><li>forwardertcp<\/li><\/ul>\n","protected":false},"excerpt":{"rendered":"<p>Which file is used for role and mapping authorize.conf (Ans) 
authorizes.conf authentication.conf limits.conf You can not search the data in frozen stage of bucket True (Ans) False Attributes in indexes.conf&#8230; <\/p>\n","protected":false},"author":1,"featured_media":9639,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_joinchat":[],"footnotes":""},"categories":[5207],"tags":[5693,5692,991],"class_list":["post-8867","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-splunk","tag-freeze-data","tag-role-and-mapping","tag-splunk"],"_links":{"self":[{"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/posts\/8867","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/comments?post=8867"}],"version-history":[{"count":2,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/posts\/8867\/revisions"}],"predecessor-version":[{"id":25103,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/posts\/8867\/revisions\/25103"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/media\/9639"}],"wp:attachment":[{"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/media?parent=8867"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/categories?post=8867"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/tags?post=8867"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}