1. Compare Splunk & Spark
Ans:
| Criteria | Splunk | Spark |
|---|---|---|
| Deployment area | Collecting large amounts of machine-generated data | Iterative applications & in-memory processing |
| Nature of tool | Proprietary | Open source |
| Working mode | Streaming mode | Both streaming and batch mode |
What is the Splunk tool?
Ans: Splunk is a powerful platform for searching, analyzing, monitoring, visualizing and reporting on your enterprise data. It ingests machine data and converts it into operational intelligence by giving real-time insight into that data through alerts, dashboards, charts and similar views.
Or:
What is Splunk? Why is Splunk used for analyzing machine data?
This question will most likely be the first question you will be asked in any Splunk interview. You need to start by saying that:
- Splunk is a platform that gives people visibility into machine data generated by hardware devices, networks, servers, IoT devices and other sources
- Splunk is used for analyzing machine data because it can give insights into application management, IT operations, security, compliance, fraud detection, threat visibility and more
Explain the working of Splunk?
Ans:
Splunk works in three phases:
- First phase – it gathers the data needed to answer your query from as many sources as required.
- Second phase – it converts that data into results that answer your query.
- Third phase – it displays the information/answers as a chart, report or graph that a broad audience can understand.
What are the components of Splunk?
Ans:
Splunk has four important components:
- Indexer – indexes the machine data
- Forwarder – a Splunk instance that forwards data to the remote indexers
- Search Head – provides the GUI for searching
- Deployment Server – manages the Splunk components (indexer, forwarder and search head) in the computing environment
What are the types of Splunk forwarder?
Ans:
Splunk has two types of forwarder:
- Universal Forwarder – performs processing on the incoming data before forwarding it to the indexer.
- Heavy Forwarder – parses the data before forwarding it to the indexer; it can also work as an intermediate forwarder or remote collector.
What are alerts in Splunk?
Ans:
An alert is an action that a saved search triggers, at regular intervals or over a time range, based on the results of the search. When an alert is triggered, one or more actions follow; for instance, sending an email to a predefined list of people when the search returns a result.
Three types of alerts:
- Per-result alerts: the most commonly used alert type; they run in real time over an all-time span and are triggered every time the search returns a result.
- Scheduled alerts: the second most common type; a historical search runs over a set time range on a regular schedule and its results are evaluated. You define the time range, the schedule and the trigger condition of the alert.
- Rolling-window alerts: a hybrid of per-result and scheduled alerts. Like per-result alerts they are based on a real-time search, but they do not trigger each time the search returns a matching result. Instead they examine all events that fall within the rolling window and trigger when the specified condition is met by the events in that window, much as a scheduled alert is triggered by a scheduled search.
What are the categories of SPL commands?
Ans:
SPL commands are divided into five categories:
- Sorting Results – ordering results and (optionally) limiting the number of results.
- Filtering Results – taking a set of events or results and filtering them into a smaller set of results.
- Grouping Results – grouping events so you can see patterns.
- Filtering, Modifying and Adding Fields – filtering out some fields to focus on the ones you need, or modifying or adding fields to enrich your results or events.
- Reporting Results – taking search results and generating a summary for reporting.
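The three alert types and the five SPL command categories above, shown together as an added savedsearches.conf example (illustrative configuration written for this page, not taken from the original page or from Splunk's documentation). The index, sourcetype and field names (`auth`, `linux_secure`, `user`, `src_ip`), the stanza names, the recipient address and the thresholds are assumptions; the searches use `search`/`where` (filtering), `stats ... BY` (grouping and reporting), `eval`/`fields` (field handling) and `sort` (sorting).

```conf
# savedsearches.conf under $SPLUNK_HOME/etc/apps/<app>/local/ (assumed path).
# Index, sourcetype, fields, recipient and thresholds are assumed for illustration.

# 1) Per-result alert: real-time search, fires once for every matching event.
[Per-result - root SSH login from outside the management range]
search = index=auth sourcetype=linux_secure "Accepted" user=root NOT src_ip="10.0.0.0/8" \
         | eval hour=strftime(_time, "%H") \
         | fields _time host user src_ip hour
dispatch.earliest_time = rt
dispatch.latest_time = rt
enableSched = 1
alert_type = always
alert.digest_mode = 0
alert.track = 1
action.email = 1
action.email.to = soc@example.com

# 2) Scheduled alert: historical search over a fixed window, run hourly by cron;
#    triggers once when the result count exceeds the threshold.
[Scheduled - hosts with many failed logins, hourly]
search = index=auth sourcetype=linux_secure "Failed password" \
         | stats count AS failures BY host \
         | where failures > 50 \
         | sort - failures
cron_schedule = 0 * * * *
dispatch.earliest_time = -1h@h
dispatch.latest_time = @h
enableSched = 1
alert_type = number of events
alert_comparator = greater than
alert_threshold = 0
alert.digest_mode = 1
alert.track = 1
action.email = 1
action.email.to = soc@example.com

# 3) Rolling-window alert: real-time search over the last 5 minutes; triggers when the
#    condition holds for the events inside the window, not on every matching event.
[Rolling-window - one source failing against many accounts]
search = index=auth sourcetype=linux_secure "Failed password" \
         | stats dc(user) AS distinct_users BY src_ip \
         | where distinct_users >= 20
dispatch.earliest_time = rt-5m
dispatch.latest_time = rt
enableSched = 1
alert_type = number of events
alert_comparator = greater than
alert_threshold = 0
alert.digest_mode = 1
action.email = 1
action.email.to = soc@example.com
```

Restart Splunk or reload the app after editing the file; `alert.digest_mode = 0` is what makes the first stanza fire per result while the other two send a single digest per trigger.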
- Hadoop vs Splunk: Splunk collects, visualizes and analyzes the data and passes it to Hadoop for ETL and other batch processing.
What are common port numbers used by Splunk?
Ans:
Common port numbers on which services run (by default) are:
| Service | Port Number |
|---|---|
| Splunk Management Port | 8089 |
| Splunk Index Replication Port | 8080 |
| KV store | 8191 |
| Splunk Web Port | 8000 |
| Splunk Indexing Port | 9997 |
| Splunk network port | 514 |
What are Splunk buckets? Explain the bucket lifecycle?
Ans:
A directory that contains indexed data is known as a Splunk bucket. Each bucket holds the events of a certain time period. The bucket lifecycle includes the following stages:
- Hot – contains newly indexed data and is open for writing. Each index has one or more hot buckets.
- Warm – data rolled from hot
- Cold – data rolled from warm
- Frozen – data rolled from cold. The indexer deletes frozen data by default, but users can archive it instead.
- Thawed – data restored from an archive. If you archive frozen data, you can later return it to the index by thawing (defrosting) it.
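The bucket lifecycle above expressed as an added indexes.conf example (illustrative configuration written for this page, not from the original page or from Splunk's documentation). The index name `auth`, the size and age limits and the archive directory are assumptions; each setting is commented with the lifecycle stage it controls.

```conf
# indexes.conf under $SPLUNK_HOME/etc/system/local/ (assumed path).
# Index name, paths, limits and archive directory are assumed for illustration.
[auth]
# Hot and warm buckets live under homePath; cold buckets under coldPath;
# thawed (restored) buckets under thawedPath.
homePath   = $SPLUNK_DB/auth/db
coldPath   = $SPLUNK_DB/auth/colddb
thawedPath = $SPLUNK_DB/auth/thaweddb

# Hot: number of open-for-write buckets, and the size at which a hot bucket
# rolls to warm ("auto" is roughly 750 MB; assumed value for this example).
maxHotBuckets = 3
maxDataSize   = auto

# Warm -> Cold: once more than this many warm buckets exist, the oldest roll to cold.
maxWarmDBCount = 300

# Cold -> Frozen: buckets freeze when the whole index exceeds this size (MB)
# or when all events in a bucket are older than this many seconds (365 days).
maxTotalDataSizeMB     = 500000
frozenTimePeriodInSecs = 31536000

# Frozen: without coldToFrozenDir (or coldToFrozenScript) frozen buckets are
# deleted. With it, each bucket is copied to the archive instead.
coldToFrozenDir = /archive/splunk/auth

# Thawed: to restore, copy an archived bucket directory back into thawedPath
# and rebuild it with `splunk rebuild <bucket path>`; it is then searchable
# again and is no longer subject to the size and age limits above.
```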
What command is used to enable and disable Splunk boot-start?
Ans:
- To enable Splunk to start at boot, use the following command:
$SPLUNK_HOME/bin/splunk enable boot-start
- To disable Splunk starting at boot, use the following command:
$SPLUNK_HOME/bin/splunk disable boot-start