Splunk Systems Administration Questions and Answers full semester

Splunk Systems Administration Questions and Answers full semester Name all types of "Splunk Deployment" Standalone - Functions as a single server no forwarders are sending data to it Basic - Forwards collect data and send it to the splunk server. Distributed - Includes indexers, forwarders, deployment servers and search heads. What is the purpose of a splunk search head? - Allow users to submit search requests using SPL - Distribute search requests to the indexers - Consolidate results and render visualizations of results - Search time knowledge objects are stored on the search heads - Examples include: field extractions, alerts, and dashboards Brainpower Read More Previous Play Next Rewind 10 seconds Move forward 10 seconds Unmute 0:00 / 0:15 Full screen What is the purpose of a splunk indexer? • Reside on dedicated machines • Receive, index, and store incoming data from forwarders • Search data in response to requests received from the search heads What is the purpose of a splunk forwarder? • Splunk instances that monitor configured inputs and forward the data to the index • Best practice data collection method • Requires minimal resources and typically installed on the machines that produce the data What is Included in the Splunk Enterprise software package? - indexer -search head -license master -deployment server - heavy forwarder - master node True or False Splunk on *NIX does not auto-start at boot time True Should you run splunk as super user? No, do not run Splunk as super-user! How should you set up Time Synchronization? Use a time synchronization service such as NTP What port does "splunkd" use in Splunk Enterprise? 8089 What port does "Splunk Web" use in Splunk Enterprise? 8000 What port does "Web app-server proxy" use in Splunk Enterprise? 8065 What port does "KV Store" use in Splunk Enterprise? 8191 What port does "splunkd" use in Universal Forwarder? 8089 When setting splunk up on linux what are some basic recommendations? Increase ulimit settings - The following OS parameters need to be increased to allow for a large number of buckets/forwarders/users - Turn Transparent Huge Pages (THP) off on Splunk Enterprise servers What is the recommended hardware to use when setting up an Indexer? Memory 12 GB RAM CPU 12 CPU cores Running at 2+ GHz Disk Disk subsystem capable of 800 IOPS RAID 10 Network 1Gb Ethernet NIC Optional second NIC for a management network What is the recommended hardware to use when setting up an Search Head? Memory 12 GB RAM CPU 4 CPUs, quad-core per CPU Running at 2+ GHz Disk 2 x 10K RPM 300GB SAS drives - RAID 1 Network 1Gb Ethernet NIC Optional second NIC for a management network What is splunkd used for? Spawns and controls Splunk child processes (helpers) - Splunk Web proxy, KV store, and Introspection services - Each search, scripted input, or scripted alert • Accesses, processes, and indexes incoming data • Handles all search requests and returns results What is Splunk Web used for? Splunk Web is browser-based user interface - Provides both a search and management front end for splunkd process When using the splunk CLI (executable command in the bin directory) what does "splunk help" do? Display a usage summary When using the splunk CLI (executable command in the bin directory) what does "splunk help object" do? Display the details of a specific object When using the splunk CLI (executable command in the bin directory) what does "splunk [start | stop | restart]" do? Manages the Splunk processes When using the splunk CLI (executable command in the bin directory) what does "splunk start --accept-liscense]" do? Automatically accept the license without prompt When using the splunk CLI (executable command in the bin directory) what does "splunk status" do? Display the Splunk process status When using the splunk CLI (executable command in the bin directory) what does "splunk show splunkd-port" do? Show the port that the splunkd listens on When using the splunk CLI (executable command in the bin directory) what does "splunk show web-port" do? Show the port that Splunk Web listens on When using the splunk CLI (executable command in the bin directory) what does "splunk show servername" do? Show the servername of this instance When using the splunk CLI (executable command in the bin directory) what does "splunk show default-hostname" do? Show the default host name used for all data inputs What is the Monitoring Console (MC)? MC is a Splunk admin-only app used to monitor and investigate Splunk performance, resource usage, and more Which installer will you use to install the Search Head? Splunk Enterprise True or False. When you install Splunk on a Windows OS, you also have to configure the boot-start? False. You only need to do that on a Linux installation True or False. The default Splunk Web port is set to 8000. True. What are the Splunk License Types • Enterprise trial license - Downloads with product - Features same as Enterprise except for 500 MB per day limit - Only valid for 60 days, after which one of the other 3 license types must be activated - Sales trial license is a trial Enterprise license of varying size and duration • Enterprise license - Purchased from Splunk - Full functionality for indexing, search head, deployment server, etc. - Sets the daily indexing volume - No-enforcement license, allows users to keep searching even if you are in a license violation period • Free license - Disables alerts, authentication, clustering, distributed search, summarization, and forwarding to non-Splunk servers - Allows 500 MB/day of indexing and forwarding to other Splunk instances Forwarder license - Sets the server up as a heavy forwarder - Applies to non-indexing forwarders - Allows authentication, but no indexing If the indexing exceeds the allocated daily quota in a pool what happens? an alert is raised in Messages (pool warning) on any page in Splunk Web What Counts As Daily License Quota? • All data from all sources that is indexed What does not count against your license daily quota? - Replicated data (Index Clusters) - Summary indexes - Splunk internal logs (_internal, _audit, etc. indexes) - Structural components of an index (metadata, tsidx, etc.) Does Metrics data count against a splunk license? yes, at a fixed 150 bytes per metric event - Draws from the same license quota as event data For the "Enterprise License" whats considered a role? Search Heads, Deployment Server and other Splunk Enterprise Instances may not index data but still need the license role For the "Enterprise License" whats uses data? Indexers (Search Peers) need the license for data as well as role How can you add a license in splunk? Can use CLI or Splunk Web (upload or copy/paste) • Licenses are stored under SPLUNK_HOME/etc/licenses • Multiple licenses of the same type are stacked (added together) Where can you Change to Slave? Change an instance to slave by entering the master license server URI What is "License Pooling"? Pools allow licenses to be subdivided and assigned to a group of indexers - Can be created for a given stack - Warnings and violations occur per pool True or False. Splunk provides separate licenses for metrics and events data. False. Metrics data draws from the same license quota as event data. True or False. Search Heads also need an Enterprise License (or set as a slave to a License Master with an Enterprise License) even though you have not configured any inputs. True True or False. If the indexing exceeds the daily license quota in a pool, your license will go into a violation. False. If the indexing exceeds the allocated daily quota in a pool, an alert is raised. If it is not fixed by midnight then the alert turns into a warning. 5 or more warnings on an enforced Enterprise license or 3 warnings on a Free license, in a rolling 30-day period, is a violation. What is an App? • An app is a collection of: - Configuration files - Scripts, web assets, etc. • Most apps are focused on: - A specific type of data from a vendor, operating system, or industry - A specific business need Can you install Apps on Forwarders? Universal forwarders don't have a web interface, but they can still benefit from an app When you delete an app, all of its related configuration files and scripts are deleted from a Splunk server? True How can you delete an app? - splunk remove app app_folder - Or, navigate to SPLUNK_HOME/etc/apps and delete the app's folder and all its contents - Restart the Splunk server True or False. Write permissions to an app means that the user's role is able to modify the app. False, User's role with write permission can add/delete/modify knowledge objects used in the app True or False. Universal forwarders don't have a web interface, but they can still benefit from an app. True Where are splunk configuration files saved? Configuration changes are saved in .conf files under SPLUNK_HOME/etc/