Splunk Questions and Answers Already Passed

Machine Data? ✔✔ Makes up about 90% of the data accumulated by organizations. Structured and unstructured. Improves operational intelligence.
How does Splunk help with Machine Data? ✔✔ Index data, search and investigate, add knowledge, monitor and alert, and report and analyze.
Index ✔✔ Collects data from any source. As data enters, inspectors go to work and determine how to process the data. When it is matched, it is labeled with a source type. Data is then broken into single events. Timestamps are identified and normalized to a consistent format. Events are then stored in the Splunk index, where they can be searched.
Search ✔✔ Find values across multiple sources, allowing you to analyze and run statistics.
Knowledge ✔✔ Add knowledge objects to data. Affects how data is interpreted: classified, enriched, and normalized for future use.
Monitor & Alert ✔✔ Can monitor infrastructure in real time to identify issues, problems, and attacks before they impact customers and services. Create alerts and automatically respond with a variety of actions.
Reports ✔✔ Provides reports and the ability to build dashboards, empowering groups in the organization by giving them the information they need organized into a single pane.
3 Main Splunk Processing Components ✔✔ Indexers, search heads, and forwarders.
Indexer ✔✔ Processes incoming data, storing it in indexes as events. As the indexer indexes data, it creates a number of files in directories organized by age (time).
Search ✔✔ When you search the data, Splunk only needs to open the directories that match the time frame of the search, making searches more efficient.
Search head ✔✔ Allows users to use the Splunk search language to search the indexed data. Search heads handle search requests from users and distribute the requests to the indexers, which perform the actual searches on the data. Search heads then consolidate and enrich the results from the indexers before returning them to the user.
3 Things Search can produce ✔✔ Dashboards, reports, and visualizations to assist the search experience.
Forwarders ✔✔ Splunk Enterprise instances that consume data and forward it to the indexers for processing.
Forwarder Characteristics ✔✔ (1) Require minimal resources, (2) little impact on performance, (3) reside on the machine where the data originates.
Example of Forwarder ✔✔ If we have a web server we want to monitor, we would install the forwarder on the web server and have it send data to the indexer.
Splunk Deployment Scalability ✔✔ Single instance to a full distributed infrastructure.
Single Instance Deployment Splunk Instance ✔✔ Input, parsing, indexing, and searching.
When would you use a single-instance deployment? ✔✔ Perfect environment for proof of concept, personal use, and learning, and might serve the needs of small department-sized environments.
What would we have to do in a Full Scale Infrastructure Deployment? ✔✔ Split the functionality across multiple specialized instances of Splunk Enterprise. Add forwarders to send data to our indexers and eventually add multiple search heads and indexers to increase our indexing and search capacity. Search heads and indexers can also be clustered, making sure data is always available and searchable.
Search requests are processed by? ✔✔ Indexers
In most Splunk deployments, this serves as the primary way data is supplied for indexing. ✔✔ Forwarder
Main Components of Splunk ✔✔ Collect and index data, search and investigate, add knowledge.
Which function is not a part of a single instance deployment? ✔✔ Clustering
3 Roles in Splunk? ✔✔ Admin, Power User, and End User.
Admin Role ✔✔ Install apps, create knowledge objects for all users.
Power User Role ✔✔ Create and share knowledge objects for users of an app and do real-time searches.
End User Role ✔✔ Will only see their own knowledge objects and those shared with them.
Roles ✔✔ Define what users can do in Splunk.
Index ✔✔ Directories where the data is stored.
Reasons to Split Indexes ✔✔ Separate indexes can make searches faster: they limit the amount of data Splunk searches and return events only from that index. Multiple indexes allow limiting access by user role in order to control who sees what data. Also helps with retention policies.
Search ✔✔ Limiting a search to a time frame is a best practice.
Commands that Create Statistics and Visualizations ✔✔ Called transforming commands, which transform data into data tables.
Time for Search Job ✔✔ By default will remain active for 10 minutes.
Time for Shared Search Job ✔✔ Remains active for 7 days.
Search Booleans ✔✔ NOT, OR, AND. Add parentheses: Keyword 1 NOT (Keyword2 OR Keyword 2)
Wildcard Search ✔✔ KeyWord*
Exact Search ✔✔ "Keyword"
Escaping characters in Search ✔✔ Add a backslash: info="keyword1\"keyword2\"not in db"
Best Practices ✔✔ Search by time, inclusion is better than exclusion, filter as early as possible in the search.
Splunk Search Language Syntax ✔✔ 1. Search terms. 2. Commands. 3. Functions. 4. Arguments. 5. Clauses.
Commands ✔✔ Tell Splunk what we want to do with search results, such as creating charts, computing statistics, and formatting.
Functions ✔✔ Explain how we want to chart, compute, and evaluate the results.
Arguments ✔✔ Variables we want to apply to the functions.
Clauses ✔✔ Explain how we want the results grouped or defined.
Search Language Example ✔✔ Search term, commands, functions
Uploaded on: Jun 05, 2023
Number of pages: 7