Splunk Getting Data In 1|30 Questions with Answers 2023
Once splunk gets some data, it immediately... - CORRECT ANSWER indexes it, so that it's
... [Show More] available for indexing
With its universal indexing ability, Splunk transforms your data into a series of _______, consisting of _________. - CORRECT ANSWER individual events, searchable fields
what type of data can splunk index? - CORRECT ANSWER Any data. In particular, any and all IT streaming and historical data. Stuff like event logs, web logs, live application logs, network feeds, system metrics, change monitoring, message queues, archive files, or anything else of interest.
Point Splunk at a data source. Tell Splunk a bit about the source. That source then becomes a _________ to Splunk. - CORRECT ANSWER data input
You can easily get remote data into Splunk, either by using _________ or by installing _________ on the machines where the data originates. - CORRECT ANSWER network feeds, Splunk forwarders
Forwarders are ... - CORRECT ANSWER lightweight versions of Splunk that consume data and then forward it on to the main Splunk instance for indexing and searching.
There are 4 ways to define a data input for splunk: - CORRECT ANSWER apps, splunkweb, splunkcli, inputs.conf
generally, you can classify splunk inputs as (4): - CORRECT ANSWER Files and directories, Network events, Windows sources, Other sources
use this to get data from files and directories: - CORRECT ANSWER "files and directories monitor" input processor
use this to watch for changes to your file system - CORRECT ANSWER file system change monitor
You can index and search Windows data on a non-Windows instance of Splunk, but you must first use a Windows instance to gather the data. You can do this with a - CORRECT ANSWER Splunk forwarder running on Windows.
A local resource is a fixed resource that your Splunk server has ________. - CORRECT ANSWER direct access to
examples of local resources are: - CORRECT ANSWER hard disk or solid state drive installed in a desktop or laptop, or a RAM disk loaded at system start-up
a remote resource is a resource that is not - CORRECT ANSWER local
examples of remote resources are: - CORRECT ANSWER Network drives mapped from Windows systems, Active Directory schemas, and NFS or other network-based mounts on *nix systems
These are lightweight Splunk instances, whose main purpose is to consume data and forward it on to Splunk indexers for further processing. - CORRECT ANSWER Forwarders
What is the purpose of Splunk forwarders (2)? - CORRECT ANSWER to consume data and forward it on to Splunk indexers for further processing.
What is the performance impact of a Splunk forwarder? - CORRECT ANSWER They require minimal resources and have little impact on performance, so they can usually reside on the machines where the data originates.
Why use forwarders over raw network feeds? - CORRECT ANSWER 1 - Tagging of metadata (source, sourcetype, and host)
2 - Configurable buffering
3 - Data compression
4 - SSL security
5 - Use of any available network ports
6 - Running scripted inputs locally
How does a Splunk forwarder differ from a Splunk indexer in a) the data it consumes and 2) how the data is consumed? - CORRECT ANSWER a) forwarders handle the same types of data as indexers...there is no difference. b) forwarders typically don't index data, they merely forward it to indexers
In most Splunk deployments, forwarders serve as the - CORRECT ANSWER primary consumers of data.
Forwarders generally do not have splunkweb for configuration. How can inputs be configured on forwarders? (5) - CORRECT ANSWER 1- Specify inputs during initial deployment. For Windows forwarders, you can specify common inputs during the installation process itself. For *nix forwarders, you can specify inputs directly after installation.
2 - Use the CLI.
3 - Edit inputs.conf.
4 - Deploy an app containing the desired inputs.
5 - Use Splunk Web on a full Splunk test instance to configure the inputs and then distribute the resulting inputs.conf file to the forwarder itself.
splunk apps can be downloaded from - CORRECT ANSWER splunkbase
these can simplify the process of getting data into splunk - CORRECT ANSWER apps
If Splunk Web is located behind a proxy server, you might have trouble accessing Splunkbase directly within Splunk. To solve this problem, you need to set - CORRECT ANSWER the http_proxy environment variable
What are some useful questions to ask prior to diving into Splunk? - CORRECT ANSWER - What kind of data do I want Splunk to index? Look here for a quick guide to the types of data Splunk indexes.
- Is there an app for that? See "Use apps" to find out if there's a pre-configured app that will meet your needs.
- Where does the data reside? Is it local or remote? See "Where is my data?".
- Should I use forwarders to access remote data? See "Use forwarders".
- What do I want to do with the indexed data? Get a sense of the possibilities; start by reading "What is Splunk knowledge?".
What basic steps can a person take to get started with Splunk? - CORRECT ANSWER 1 - understand your needs
2 - start out small, creating a test index
3 - Use data preview feature to see/modify how Splunk indexes your data before committing the data to the test index.
4 - run some searches on the test data
5 - (If necessary) massage your input and event processing configurations further until events look the way you want them to.
6 - Delete the data from your test index and start over
7 - When you're ready for prime time, point your inputs to the default "main" index!!!
When you add an input through Splunk Web, Splunk adds that input to... - CORRECT ANSWER a copy of inputs.conf that BELONGS TO THE APP you're currently in (make sure you're in the right app!!!!)
add /var/log/ as data input, via CLI - CORRECT ANSWER ./splunk add monitor /var/log/
if you get stuck with splunk CLI, it has built-in help...to list the CLI commands, type: - CORRECT ANSWER ./splunk help commands [Show Less]