Splunk Training

You will gain knowledge of below areas upon the completion of this course:

• Understand Splunk architecture. 
• Splunk Cloud, search and log management. 
• Configuration and management of Splunk tools. 
• User management and indexing in Splunk 
• Understand chart, reports and visualization in Splunk
• Splunk format, calculation and analysis
• Database lookup security and execution process in Splunk 
• Weblog analysis using Splunk log analyzer. 

• System administrators and software developers 
• Database Experts, search analysts and Administrators. 

• Splunk is one of the widely deployed tools to analyse the system-generated data and gain insights out of it. 
• Large dependency on machine-generated data has created huge demand for Splunk and Splunk professionals. 
• According to Payscale.com the average salary received by a Splunk professional ranges between $80,592 to $181,527 a year.

Yes, you will get the Splunk course completion certificate from SK Trainings. This certificate is valid across all the top global organizations and simplifies your job search process.

Yes, you will get all the assistance from the expert’s trainers required to qualify your certification exam. Moreover, our Splunk syllabus modules are in-line with the certification modules, this will simplify your preparation process.

• Managing Licenses
• Splunk License Types
• Adding a License
• License Warnings and violations
• What Counts As Daily License Quota
• Viewing Alerts
• License Staking
• Master License Server
• License Pooling

• Adding an Input With Splunk Web
• How can you tell what App you are in
• Adding your Monitor Input
• Preview Data
• Specify the Source
• Select Host, Source type and Index

• What is an App
• Apps configured by Default
• Viewing All Apps
• Managing Apps
• Installing an App Manually
• Enabling and Disabling Apps
• Deleting an App
• App Permissions

• Configuration Directories
• Default vs. Local Configuration
• Global Context vs. User or App Context
• Runtime Merging of Configurations
• Configuration Testing Commands

• Forwarders and Indexers
• Benefits of Using Forwarders
• Splunk Universal Forwarder
• Heavy Forwarder
• Configuration Steps
• Configuring the Receiving Port
• Downloading the Universal Forwarder Installer
• Installing Universal Forwarder Manually
• Forwarder Configuration Files

• What are the components
• Discussion on Forwarders- UF/HF
• Common ports for the set up
• License Master/Slave relationship
• Understanding of Deployment Server and Indexer

• Understand the uses of Splunk
• Define Splunk Apps
• Learn basic navigations in Splunk

• Run basic searches
• Set the time range of a search
• Identify the contents of search results
• Refine searches
• Use the timeline
• Work with events
• Control a search job
• Save search results

• Understand fields
• Use fields in searches
• Use the fields sidebar

• Save a search as a report
• Edit reports
• Create reports that include visualizations such as charts and tables
• Add reports to a dashboard

• Creating a dashboard
• Add a reports to a dashboard
• Add a pivot report to a dashboard
• Edit a dashboard

• Review basic search commands and general search practices
• Examine the anatomy of a search
• Use the following commands to perform searches:
  • Fields
  • Table
  • Rename
  • Rex
  • Multikv

• Use the following commands and their functions:
  • Top
  • Rare
  • Stats
  • Addcoltals

• Explore the available visualizations
• Create a basic chart
• Split values into multiple series
• Omit null and other values from chartss
• Create a timechart
• Chart multiple values on the same timeline
• Format charts
• Explain when to use each type of reporting command

• Using the eval command:
  • Perform calculations
  • Convert values
  • Round values
  • Format values
  • Use conditional statements
• Further filter calculated results

• Define naming conventions
• Create and use field aliases
• Create and use calculated fields

• Perform field extractions using Field Extractor

• Create and use tags
• Describe event types and their uses
• Create an event type

• Describe the function of a workflow action
• Crate a GET workflow action
• Crate a POST workflow action
• Crate a Search workflow action

• Describe alerts
• Create alerts
• View fired alerts

• Describe macros
• Manage macros
• Create and use a basic macro
• Define arguments and variables for a macro
• Add and use arguments with a macro

This kind of question is asked to understand the scope of your knowledge. You can answer that question by saying that Splunk has a lot of competition in the market for analyzing machine logs, doing business intelligence, for performing IT operations and providing security. But, there is no one single tool other than Splunk that can do all of these operations and that is where Splunk comes out of the box and makes a difference. With Splunk you can easily scale up your infrastructure and get professional support from a company backing the platform. Some of its competitors are Sumo Logic in the cloud space of log management and ELK in the open source category. You can refer to the below table to understand how Splunk fares against other popular tools feature-wise.

You can say that the benefits of getting data into Splunk via forwarders are bandwidth throttling, TCP connection and an encrypted SSL connection for transferring data from a forwarder to an indexer. The data forwarded to the indexer is also load balanced by default and even if one indexer is down due to network outage or maintenance purpose, that data can always be routed to another indexer instance in a very short time. Also, the forwarder caches the events locally before forwarding it, thus creating a temporary backup of that data.

License master in Splunk is responsible for making sure that the right amount of data gets indexed. Splunk license is based on the data volume that comes to the platform within a 24hr window and thus, it is important to make sure that the environment stays within the limits of the purchased volume.

Consider a scenario where you get 300 GB of data on day one, 500 GB of data the next day and 1 terabyte of data some other day and then it suddenly drops to 100 GB on some other day. Then, you should ideally have a 1 terabyte/day licensing model. The license master thus makes sure that the indexers within the Splunk deployment have sufficient capacity and are licensing the right amount of data.

If you exceed the data limit, then you will be shown a ‘license violation’ error. The license warning that is thrown up, will persist for 14 days. In a commercial license you can have 5 warnings within a 30 day rolling window before which your Indexer’s search results and reports stop triggering. In a free version however, it will show only 3 counts of warning.

This is a common question aimed at candidates appearing for the role of a Splunk Administrator. Alerts can be used when you want to be notified of an erroneous condition in your system. For example, send an email notification to the admin when there are more than three failed login attempts in a twenty-four hour period. Another example is when you want to run the same search query every day at a specific time to give a notification about the system status.

Different options that are available while setting up alerts are:

• You can create a web hook, so that you can write to hipchat or github. Here, you can write an email to a group of machines with all your subject, priorities, and body of the message
• You can add results, .csv or pdf or inline with the body of the message to make sure that the recipient understands where this alert has been fired, at what conditions and what is the action he has taken
• You can also create tickets and throttle alerts based on certain conditions like a machine name or an IP address. For example, if there is a virus outbreak, you do not want every alert to be triggered because it will lead to many tickets being created in your system which will be an overload. You can control such alerts from the alert window.

Data models are used for creating a structured hierarchical model of your data. It can be used when you have a large amount of unstructured data, and when you want to make use of that information without using complex search queries.

A few use cases of Data models are:

• Create Sales Reports: If you have a sales report, then you can easily create the total number of successful purchases, below that you can create a child object containing the list of failed purchases and other views
• Set Access Levels: If you want a structured view of users and their various access levels, you can use a data model
• Enable Authentication: If you want structure in the authentication, you can create a model around VPN, root access, admin access, non-root admin access, authentication on various different applications to create a structure around it in a way that normalizes the way you look at data.

There will be a great deal of events coming to Splunk in a short time. Thus it is a little complicated task to search and filter data. But, thankfully there are commands like ‘search’, ‘where’, ‘sort’ and ‘rex’ that come to the rescue. That is why, filtering commands are also among the most commonly asked Splunk interview questions.

Search: The ‘search’ command is used to retrieve events from indexes or filter the results of a previous search command in the pipeline. You can retrieve events from your indexes using keywords, quoted phrases, wildcards, and key/value expressions. The ‘search’ command is implied at the beginning of any and every search operation.

Where: The ‘where’ command however uses ‘eval’ expressions to filter search results. While the ‘search’ command keeps only the results for which the evaluation was successful, the ‘where’ command is used to drill down further into those search results. For example, a ‘search’ can be used to find the total number of nodes that are active but it is the ‘where’ command which will return a matching condition of an active node which is running a particular application.

Sort: The ‘sort’ command is used to sort the results by specified fields. It can sort the results in a reverse order, ascending or descending order. Apart from that, the sort command also has the capability to limit the results while sorting. For example, you can execute commands which will return only the top 5 revenue generating products in your business.

Rex: The ‘rex’ command basically allows you to extract data or particular fields from your events. For example if you want to identify certain fields in an email id: abc@edureka.co, the ‘rex’ command allows you to break down the results as abc being the user id, edureka.co being the domain name and edureka as the company name. You can use rex to breakdown, slice your events and parts of each of your event record the way you want.

There are about 5 fields that are default and they are barcoded with every event into Splunk. They are host, source, source type, index and timestamp.

You can extract fields from either event lists, sidebar or from the settings menu via the UI. The other way is to write your own regular expressions in props.conf configuration file.

You might not want to index all your events in Splunk instance. In that case, how will you exclude the entry of events to Splunk. An example of this is the debug messages in your application development cycle. You can exclude such debug messages by putting those events in the null queue. These null queues are put into transforms.conf at the forwarder level itself.

Splunk Apps are considered to be the entire collection of reports, dashboards, alerts, field extractions and lookups. Splunk Apps minus the visual components of a report or a dashboard are Splunk Add-ons. Lookups, field extractions, etc are examples of Splunk Add-on.

Sourcetype is a default field which is used to identify the data structure of an incoming event. Sourcetype determines how Splunk Enterprise formats the data during the indexing process. Source type can be set at the forwarder level for indexer extraction to identify different data formats. Because the source type controls how Splunk software formats incoming data, it is important that you assign the correct source type to your data. It is important that even the indexed version of the data (the event data) also looks the way you want, with appropriate timestamps and event breaks. This facilitates easier searching of data later.

This is a sure-shot question because your interviewer will judge this answer of yours to understand how well you know the concept. The Forwarder acts like a dumb agent which will collect the data from the source and forward it to the Indexer. The Indexer will store the data locally in a host machine or on cloud. The Search Head is then used for searching, analyzing, visualizing and performing various other functions on the data stored in the Indexer.

This is another frequently asked Splunk interview question which will test the candidate’s hands-on knowledge. In case of small deployments, most of the roles can be shared on the same machine which includes Indexer, Search Head and License Master. However, in case of larger deployments the preferred practice is to host each role on stand alone hosts. Details about roles that can be shared even in case of larger deployments are mentioned below:

• Strategically, Indexers and Search Heads should have physically dedicated machines. Using Virtual Machines for running the instances separately is not the solution because there are certain guidelines that need to be followed for using computer resources and spinning multiple virtual machines on the same physical hardware can cause performance degradation.
• However, a License master and Deployment server can be implemented on the same virtual box, in the same instance by spinning different Virtual machines.
• You can spin another virtual machine on the same instance for hosting the Cluster master as long as the Deployment master is not hosted on a parallel virtual machine on that same instance because the number of connections coming to the Deployment server will be very high.
• This is because the Deployment server not only caters to the requests coming from the Deployment master, but also to the requests coming from the Forwarders.

In case the license master is unreachable, then it is just not possible to search the data. However, the data coming in to the Indexer will not be affected. The data will continue to flow into your Splunk deployment, the Indexers will continue to index the data as usual however, you will get a warning message on top your Search head or web UI saying that you have exceeded the indexing volume and you either need to reduce the amount of data coming in or you need to buy a higher capacity of license.

Questions regarding Search Factor and Replication Factor are most likely asked when you are interviewing for the role of a Splunk Architect. SF & RF are terminologies related to Clustering techniques (Search head clustering & Indexer clustering).

The search factor determines the number of searchable copies of data maintained by the indexer cluster. The default value of search factor is 2. However, the Replication Factor in case of Indexer cluster, is the number of copies of data the cluster maintains and in case of a search head cluster, it is the minimum number of copies of each search artifact, the cluster maintains Search head cluster has only a Search Factor whereas an Indexer cluster has both a Search Factor and a Replication Factor Important point to note is that the search factor must be less than or equal to the replication factor

This is the kind of question which only somebody who has worked as a Splunk administrator can answer. The answer to the question is below.

• The obvious and the easiest way would be by using files and directories as input
• Configuring Network ports to receive inputs automatically and writing scripts such that the output of these scripts is pushed into Splunk is another common way
• But a seasoned Splunk administrator, would be expected to add another option called windows inputs. These windows inputs are of 4 types: registry inputs monitor, printer monitor, network monitor and active directory monitor.

As the name suggests, Search time field extraction refers to the fields extracted while performing searches whereas, fields extracted when the data comes to the indexer are referred to as Index time field extraction. You can set up the indexer time field extraction either at the forwarder level or at the indexer level.

Another difference is that Search time field extraction’s extracted fields are not part of the metadata, so they do not consume disk space. Whereas index time field extraction’s extracted fields are a part of metadata and hence consume disk space.