Splunk Interview Questions and Answers

Splunk Interview Questions And Answers from Codingcompiler prepared by real-time experienced professionals. These Splunk interview questions were asked in various interviews conducted by top multinational companies across the globe. We hope that these interview questions on Splunk will help you in cracking your next Splunk job interview. All the best and happy learning.

Splunk Interview Questions

  1. What is Splunk? 
  2. Why is Splunk used for analyzing machine data?
  3. What are the common port numbers used by Splunk?
  4. What are the components of Splunk? Explain Splunk architecture?
  5. What is Splunk Indexer? What are the stages of Splunk Indexing?
  6. what are most important configuration files of splunk OR can you tell name of few important configuration files in splunk?
  7. What Are Types Of Splunk Licenses?
  8. What Happens If The License Master Is Unreachable?
  9. What Is Splunk Db Connect?
  10. Why people prefer Splunk as compared to other open-source options?

Splunk Interview Questions and Answers

1. What is Splunk? 

Splunk is a platform which allows people to get visibility into machine data, that is generated from hardware devices, networks, servers, IoT devices and other sources.

Splunk (the product) captures, indexes, and correlates real-time data in a searchable repository from which it can generate graphs, reports, alerts, dashboards, and visualizations. Splunk intends to make machine data accessible across an organization by identifying data patterns, providing metrics, diagnosing problems, and providing intelligence for business operations. Splunk is a horizontal technology used for application management, security and compliance, as well as business and web analytics. As of early 2016, Splunk had over 10,000 customers.

2. Why is Splunk used for analyzing machine data?

Splunk is used for analyzing machine data because of following reasons:

  1. Business Insights: Splunk understands the trends, patterns and then gains the operational intelligence from the machine data which in turn help in taking better informed business decisions.
  2. Operational Visibility: Using the machine data Splunk obtains an end-to-end visibility across operations and then breaks it down across the infrastructure.
  3. Proactive Monitoring: Splunk uses the machine data to monitor systems in the real time which helps in identifying the issues, problems and even attacks.
  4. Search & Investigation: Machine data is also used to find and fix the problems, correlate events across multiple data sources and implicitly detect patterns across massive sets of data by Splunk.

3. What are the common port numbers used by Splunk?

Below are the common port numbers used by Splunk. However, we can change them if required.

ServicePort Number used
Splunk Web port8000
Splunk Management port8089
Splunk Indexing port9997
Splunk Index Replication port8080
Splunk Network port514 (Used to get data from the Network port, i.e., UDP data)
KV Store8191

4. What are the components of Splunk? Explain Splunk architecture?

Below are the components of Splunk:

  • Search Head: Provides the GUI for searching
  • Indexer: Indexes the machine data
  • Forwarder: Forwards logs to the Indexer
  • Deployment Server: Manges Splunk components in a distributed environment

5. What is Splunk Indexer? What are the stages of Splunk Indexing?

Splunk Indexer is the Splunk Enterprise component that creates and manages indexes. The primary functions of an indexer are:

  • Indexing incoming data
  • Searching the indexed data
  • Picture

6. what are most important configuration files of splunk OR can you tell name of few important configuration files in splunk?

  • props.conf
  • indexes.conf
  • inputs.conf
  • transforms.conf
  • server.conf

7. What Are Types Of Splunk Licenses?

  • Enterprise license
  • Free license
  • Forwarder license
  • Beta license
  • Licenses for search heads (for distributed search)
  • Licenses for cluster members (for index replication)

8.  What Happens If The License Master Is Unreachable?

License slave will start a 24-hour timer, after which search will be blocked on the license slave (though indexing continues). users Will not be able to search data in that slave until it can reach license master again.

9. What Is Splunk Db Connect?

Splunk DB Connect is a generic SQL database plugin for Splunk that allows you to easily integrate database information with Splunk queries and reports.

10. Why people prefer Splunk as compared to other open-source options?

Splunk is the only tool is capable of managing operations like data analysis, giving security & managing IT operation and doing business intelligence. This is how Splunk makes a difference and assists users to scale their business infrastructure.

Frequently Asked Splunk Interview Questions and Answers

11. Why do companies adopt Splunk?

i. It works as ‘Google” for log files

ii. The users can use simpler terms to search with the aim of Search processing Language(SPL)

iii. It does not require any data base or backend as the data is directly stored in the Spunk file system

iv. With Splunk there is no chance of encountering even a single point of failure

12. What are Splunk buckets? Explain the bucket lifecycle?

A directory that contains indexed data is known as a Splunk bucket. It also contains events of a certain period. Bucket lifecycle includes the following stages

Hot – It contains newly indexed data and is open for writing. For each index, there are one or more hot buckets available

Warm – Data rolled from hot

Cold – Data rolled from warm

Frozen – Data rolled from cold. The indexer deletes frozen data by default but users can also archive it.

Thawed – Data restored from an archive. If you archive frozen data, you can later return it to the index by thawing (defrosting) it.

13. What command is used to enable and disable Splunk to boot start?

To enable Splunk to boot start use the following command:

$SPLUNK_HOME/bin/Splunk enable boot-start

To disable Splunk to boot start use the following command:

$SPLUNK_HOME/bin/Splunk disable boot-start

14. What is the eval command?

A: It evaluates an expression and consigns the resulting value into a destination field. If the destination field matches with an already existing field name, the existing field is overwritten with the eval expression. This command evaluates Boolean, mathematical and string expressions.

Using eval command:

  • Convert Values
  • Round Values
  • Perform Calculations
  • User conditional statements
  • Format Values

15. What is the use of sort command?

A: It sorts search results by the specified fields.


sort [] … [desc]

Example: | sort num(ip), -str(URL)

It sort results by ip value in ascending order whereas URL value in descending order.

16. What is the use of License Master in Splunk?

License Master is the used for control how much data you can index in a day. License master has a clock which tracks the data indexed by any Splunk Enterprise Infrastructure. License master is also used to block the users from accessing the search data in 24 hours once the license slave is disconnected from the license master.

17. What is the use of DB Connect in Splunk?

DB Connect in Splunk is plugin to access generic SQL databases and integrate various information and data available in those databases with Splunk queries and reports.

18. How Splunk helps the enterprise?

In the midst of various tools available for managing general data, there is a need for an effective tool to manage the machine data. Splunk is more like a Google for your machine data. With the help of this engine the machine data in the system can be searched, visualized, monitored and reported easily. The tool also provides real-time insights on the machine data using representations such as charts, reports and alerts.

17. List some of the features that is lagging in Splunkfree?

Following are some of the features that is lagging in Splunkfree,

Authentication as well as scheduled searches or alerts.
Distributed search.
Forwarding in TCP as well as HTTP to non-Splunk.
Deployment management.

18. What is use of Time Zone property in Splunk and when it is required?

Time zone is very important when we search for the events from a security or fraud perspective. If we search with wrong time zone we will end up and unable to find the event. It will pick up the default time zone from the setting of the browser. It usually picks up the current time zone from the system we are using. It usually picks up time zone when data is input when we search as well as correlating data coming from different sources.

19. Explain Splunk app? How it differs from Add-on?

Splunk App is said to be entire collections of reports, dashboard, alerts, field extractions and lookups. Splunk Add-on means the visual component of a report or dashboard minus Splunk Apps.

20. Explain search head pool & search head clusters?

Search head pool as well as Search head clusters are features. It provides Splunk for the highly available of the search head in the case any search heads go down. The Search head clusters is introduced newly. Pooling will remove in the next upcoming version. Captain is being managed by search head cluster. captain controls the slave. Search head clusters is reliable & efficient compared to pooling.

Advanced Splunk Interview Questions and Answers for experienced

21. How to reset splunk password?

To reset the password, access to the file where Splunk is running is necessary. Then perform the following steps:

Move $SPLUNK_HOME/etc/passwd file to $SPLUNK_HOME/etc/passwd.bak

Restart Splunk and log in with default username and password i.e. admin/changeme.

Reset the password and combine the password file with the backup file.

22. When to use auto_high_volume in splunk?

auto_high_volume is used when the indexes are of very high volume. A high volume index can get over 10GB of data.

23. What is CIM and what is it used for?

CIM is the common information model. It’s used to normalize the field names in the data so you can search for the same field in different types of logs using the common field name.

24. What is a syslog server?

 A syslog server is used to collect data from devices you cannot install a forwarder on, such as network devices like routers and switches, and application logs from something like a Websense server. You’d use R syslog or syslog NG to configure a syslog server and then put a universal forwarder on the syslog server to forward the data to Splunk.

25. What is crontab?

The crontab list the commands and scripts to be run on each server and what day and time they are supposed to run. For example one command might be scheduled to run every hour, while another command is scheduled to run once a week on Monday at midnight.

26. What are the features that are not available in Splunk free?

Splunk free lacks these features:

  • Distributed Search
  • Authentication and scheduled searches
  • Deployment management
  • Forwarding in TCP/HTTP

27. Splunk licenses specify what?

It specifies how much data you can index per calendar day

28. What is the source type in Splunk?

The source type is Splunk way of identifying data

29. How can we extract fields?

You can extract fields from event lists, sidebar or the settings menu via the UI. The other way is to write your regular expressions in the pros — conf configuration file.

30. What is the null queue?

The null queue is an approach to trim out all the unwanted data.

31. Which role can create a data model?

The role that can create data model is Admin & power user

Above are the interview questions and answers for Splunk jobs. Candidates who find their job profile identical can easily apply for the Splunk jobs and get a secured future ahead.

 32. what is summary index in splunk?

The Summary index is the default summary index (the index that plunk Enterprise uses if you do not indicate another one). If you plan to run a variety of summary index reports you may need to create additional summary indexes.

33. What is bucket ? How data ages in Splunk ?

An index directory is called a bucket.  A bucket moves through several stages as it ages:  hot warm cold frozen thawed.

34. What are diffrence between splunk app and splunk add-on?

 splunk app is container/directory of configurations, searches,dashboards etc. in splunk where you can create dashboard, report etc. splunk add-on is used to define the data, field extractions and does  not have gui.

35. What is command for restarting just the splunk daemon?

Ans: splunk start splunkd

Related Interview Questions

  1. Apigee Interview Questions
  2. Cloud Foundry Interview Questions And Answers
  3. Actimize Interview Questions
  4. Kibana Interview Questions
  5. Nagios Interview Questions
  6. Jenkins Interview Questions
  7. Chef Interview Questions
  8. Puppet Interview Questions
  9. DB2 Interview Questions
  10. AnthillPro Interview Questions
  11. Angular 2 Interview Questions
  12. Hibernate Interview Questions
  13. ASP.NET Interview Questions
  14. PHP Interview Questions
  15. Kubernetes Interview Questions

Leave a Comment