Explore topic-wise InterviewSolutions in Current Affairs.

Configuration files that are of the UTMOST importance in Splunk are: 

• Props.conf: It configures indexing properties, such as timezone offset, pattern COLLISION priority, custom source TYPE rules, etc.
• Indexes.conf: It configures and manages index settings.
• Inputs.conf: It is used to set up data inputs.
• Transforms.conf: It can be used to configure regex transformations to be PERFORMED on data inputs.
• Server.conf: There are a variety of settings available for configuring the overall state of the Splunk Enterprise instance.

Generally, Splunk applications and add-ons are separate entities, but both have the same extension, i.e., SPL files. 

• Splunk Apps: A Splunk app extends Splunk functionality with its own inbuilt user interface. Each of these apps are separate and serves a specific purpose. Each Splunk app consists of a collection of Splunk knowledge objects (LOOKUPS, tags, saved searches, event types, etc). They can also make use of other Splunk apps or add-ons. Multiple apps can be run simultaneously in Splunk. Several apps offer the option of RESTRICTING or limiting the amount of information a user can access. By controlling access levels, the user has access to only the information that is NECESSARY for him and not the rest. You can open apps from the Splunk Enterprise homepage or through the App menu or in the Apps section of the Settings page. 
  Example: Splunk Enterprise Security App, etc.
• Splunk Add-on: These are types of applications that are built on top of the Splunk platform that add features and functionality to other apps, such as allowing users to import data, map data, SAVE searches, macros. Add-ons typically do not run as standalone apps, rather they are reusable components that support other apps in different SCENARIOS. Most of the time, it is used as a framework, where a team leverages its functionality to some extent and creates something new on top of it. As a rule, they do not have navigable user interfaces. You cannot open an Add-on from the Splunk Enterprise homepage or app menu. 
  Examples: Splunk Add-on for Checkpoint OPSEC LEA, Splunk Add-on for EMC VNX or the Splunk Common Information Model Add-on.

A time zone is a CRUCIAL factor to consider when searching for events from a fraud or security perspective. This is because Splunk uses the time zone defined by your browser. Your browser then picks up the time zone associated with the machine/computer system you're working on. So, you will not be able to find your desired event if you search for it in the wrong time zone. The timezone is PICKED up by Splunk when DATA is entered, and it is particularly important when you are searching and comparing data from different sources. You can, for instance, look for events COMING in at 4:00 PM IST, for your London data centre, or for your Singapore data centre, ETC. The timezone property is therefore vital when correlating such events. 

The following COMMANDS can be USED to start and stop SPLUNK SERVICES: 

• Start Splunk service ./splunk start
• Stop Splunk service ./splunk stop
• Restart Splunk service ./splunk restart

In the case where you do not wish to index all of your events in Splunk, what can you do to prevent the entry of those events into Splunk? Debug messages are a good example of this in your application development cycle.  

Such debug messages can be excluded by putting them in the null queue. This is achieved by specifying a REGEX that matches the necessary events and sending the rest to the NULL queue. Null QUEUES are defined at the forwarder level in transforms.conf. Below is an example that drops all events EXCEPT those containing the debug message. 

In props.conf  

In transforms.conf  

Summary indexes store analyses, reports, and summaries computed by Splunk. This is an INEXPENSIVE and fast WAY to run a query for a long PERIOD of time. Essentially, it is the default index that Splunk Enterprise uses if there isn't another one specified by the user. Among the KEY features of the Summary Index is that you can retain the analytics and reports even after the data has gotten OLDER.

Splunk alerts are ACTIONS that get TRIGGERED when a specific criterion is met; these CONDITIONS are defined by the user. You can use Splunk Alerts to be notified whenever anything goes awry with your system. For instance, the user can set up Alerts so that an email notification will be sent to the admin when three unsuccessful login attempts are made within 24 hours. 

The following options are available when setting up alerts:  

• A webhook can be created to send messages to Hipchat or Github. With this email, you can send a message to a group of machines along with a subject, priority, and message body.
• Results can be attached as .csv files, pdf files, or inline with the message body to ensure the recipient understands what alerts have been fired, at what conditions, and what actions have been taken.
• You can also create tickets and CONTROL alerts based on conditions such as an IP address or machine name. As an example, if a virus outbreak occurs, you do not want every alert to be triggered as it will create a lot of tickets in your system, which will be overwhelming. Such alerts can be CONTROLLED from the alert window.

The FREE version of SPLUNK lacks the FOLLOWING features:  

• Distributed searching
• Forwarding of DATA through HTTP or TCP (to non-Splunk)
• Agile reporting and statistics based on a real-time architecture
• Scheduled searches/alerts and authentication
• Managing deployments.

Splunk products come in three different versions as follows:  

• Splunk Enterprise: A number of IT companies USE Splunk Enterprise. This software analyzes data from DIVERSE websites, applications, devices, sensors, etc. Data from your IT or business infrastructure can be searched, analyzed, and visualized using this program.
• Splunk Cloud: It is basically a SaaS (Software as a Service) offering many of the same features as enterprise versions, including APIS, SDKs, etc. User logins, lost passwords, failed login attempts, and server restarts can all be tracked and sorted.
• Splunk Light: This is a FREE VERSION of Splunk which allows you to view, search, and edit your log data. This version has fewer capabilities and features than other versions.

Splunk Database (DB) Connect is a general-purpose SQL (Structured Query Language) database extension/plugin for Splunk that permits easy integration between database information and Splunk queries/reports. Splunk DB Connect is EFFECTIVELY used to combine structured data from databases with unstructured machine data, and Splunk Enterprise can then be used to uncover insights from the combined data. 

Some of the benefits of using Splunk Database Connect connect are as follows:   

• By using Splunk DB Connect, you are adding new data inputs for Splunk Enterprise, i.e., adding additional sources of data to Splunk Enterprise. Splunk DB Connect lets you import your database tables, ROWS, and columns directly into Splunk Enterprise, which then indexes them. Once that relational data is within Splunk Enterprise, you can analyze and visualize it the same way you would any other Splunk Enterprise data.
• In addition, Splunk DB Connect enables you to write your Splunk Enterprise data back to your relational databases.
• With DB Connect, you can reference fields from an external database that MATCH fields in your event data, using the Database Lookup feature. This way, you can enrich your event data with more MEANINGFUL information.

The FOLLOWING are COMMON ports used by Splunk: 

• Web Port: 8000 
• Management Port: 8089 
• Network port: 514 
• INDEX REPLICATION Port: 8080 
• Indexing Port: 9997 
• KV store: 8191

License violations occur after a series of license warnings, and license warnings occur when your daily INDEXING volume exceeds the license's limit. Getting multiple license warnings and exceeding the maximum warning limit for your license will result in a license violation. With a Splunk commercial license, users can receive five warnings within a 30-day period before INDEXER stops triggering search RESULTS and reports. Users of the FREE version, however, will only receive three warnings. 

Avoid License Warning:

• Monitor your license usage over time and ensure that you have enough license volume to meet your daily needs.
• Viewing the license usage report in the license master can help troubleshoot index volume.
• In the monitoring console, set up an alert to track daily license usage.

Troubleshoot License Violation Warning:

• Determine which index/source type recently received more data than usual.
• Splunk Master license pool-wise quotas can be checked to identify the pool for which the violation occurred.
• Once we KNOW which pool is receiving more data, then we need to determine which source type is likely to be receiving more than normal data.
• Having identified the source type, the next step is to find out which machine is sending so many logs and the reason behind it.
• We can then troubleshoot the problem accordingly.

It is the responsibility of the license MASTER in Splunk to ensure that the limited amount of data is indexed. Since each Splunk license is based on the amount of data that is COMING into the platform in 24 hours, it is essential to keep the environment within the limits of its purchased volume.  

Whenever the license master becomes unavailable, it is simply impossible to search the data. Therefore, only searching remains halted while the indexing of data continues. Data entering the Indexer won't be impacted. Your Splunk deployment will continue to receive data, and the Indexers will continue to index the data as usual. However, upon exceeding the indexing volume, you will receive a warning message on top of your Search HEAD or web interface so that you can either reduce your data intake or PURCHASE a larger capacity license. 

A license is required for each Splunk instance. With Splunk, you receive a license that specifies which features you can use and how much data can be indexed. Various Splunk License types include:

• The Splunk Enterprise license: Among all Splunk license types, Enterprise licenses are the most popular. These licenses give users access to all the features of Splunk Enterprise within a specified limit of indexed data or vCPU usage per day. These licenses include enterprise features such as authentication and distributed search. SEVERAL types of Splunk Enterprise licenses are available, including the Splunk for Industrial IoT license and Splunk Enterprise Trial license.
• The Free license: Under the Free license, Splunk Enterprise is COMPLETELY free to use with limited functionality. Some features are not available under this license, such as authentication. Only a limited amount of data can be indexed.
• The FORWARDER license: A Forwarder license enables unlimited forwarding of data, as well as a subset of the Splunk Enterprise features that are required for authentication, configuration management, and SENDING data.
• The Beta license: Each Splunk beta release requires a separate beta license, which cannot be used with other Splunk releases. With a beta license, Splunk Enterprise features are enabled for a specific beta release PERIOD.

Splunk queries allow specific operations to be run on machine-generated data. Splunk queries communicate with a database or source of data by using SPL (Search Processing Language). This language contains many FUNCTIONS, arguments, commands, etc., that can be used to extract desired information from machine-generated data. This makes it possible for users to analyze their data by running queries. Similar to SQL, it allows users to update, query, and change data in databases.

It is primarily used to analyze log files and extract REFERENCE information from machine-generated data. In particular, it is beneficial to companies that have a variety of data sources and need to PROCESS and analyze them SIMULTANEOUSLY in order to produce real-time results. 

In a dashboard, tables, charts, event lists, etc., are used to represent data VISUALIZATIONS, and they do so by using panels. Dashboard panels present or display chart data, table data, or summarized data visually in a pleasing manner. On the same dashboard, we can add multiple panels, and therefore multiple reports and charts. Splunk is a popular data platform with lots of customization options and dashboard options. 

There are three kinds of the dashboard you can create with Splunk: 

• Dynamic form-based dashboards: They allow Splunk users to CHANGE the dashboard data based on values entered in input fields without leaving the page. A dashboard can be customized by adding input fields (such as time, radio buttons, text boxes, checkboxes, dropdowns, and so on) that change the data, depending on the selection made. Dashboards of this type are useful for troubleshooting issues and analyzing data.
• Static Real-time Dashboards: They are often displayed on a large screen for constant viewing. It also provides alerts and indicators to prompt QUICK responses from relevant personnel.
• Scheduled Dashboards: These dashboards can be downloaded as PDF files and shared with team members at PREDETERMINED intervals. There are times when active LIVE dashboards can only be viewed by certain viewers/users only.

Some of the Splunk dashboard examples include security analytics dashboard, patient treatment flow dashboard, eCommerce website monitoring dashboard, exercise tracking dashboard, runner data dashboard, etc. 

Data entering into Splunk instances VIA forwarders has MANY advantages including bandwidth throttling, a TCP connection, and an encrypted SSL connection between the forwarder and indexer. By default, data forwarded to the indexers are also load-balanced, and if one indexer goes down for any reason, that data can always be routed to another indexer instance in a very short amount of TIME. FURTHERMORE, the forwarder stores the data events locally before forwarding them, CREATING a temporary backup of the data.

A forwarder is a Splunk instance or agent you deploy on IT systems, which collects machine logs and sends them to the indexer. You can choose between two types of forwarders:  

• Universal Forwarder: A universal forwarder is ideal for sending raw data collected at the source to an indexer without any prior processing. Basically, it's a component that performs minimal processing before forwarding incoming data streams to an indexer. ALTHOUGH it is faster, it also results in a LOT of unnecessary information being forwarded to the indexer, which will result in higher performance overhead for the indexer.
• Heavy Forwarder: You can eliminate half of your problems using a heavy forwarder since one LEVEL of data processing happens at the source before forwarding the data to the indexer. Parsing and indexing take place on the source machine and only data EVENTS that are parsed are sent to the indexer.

As shown below, Splunk ARCHITECTURE is composed of three main components:

• Splunk Forwarder: These are components that you use to COLLECT MACHINE data/logs. This is responsible for gathering and forwarding real-time data with less processing power to Indexer.  Splunk forwarder performs cleansing of data depending on the type of forwarder used (Universal or Heavy forwarder).
• Splunk Indexer: The indexer allows you to index i.e., transform raw data into events and then store the results data coming from the forwarder. Incoming data is processed by the indexer in real-time. Forwarder transforms data into events and stores them in indexes to enable search operations to be performed efficiently.
• Search Head: This component is used to interact with Splunk. It lets users perform various operations like PERFORMING queries, analysis, ETC., on stored data through a graphical user interface. Users can perform searches, analyze data, and report results.

In order to use Splunk in your infrastructure, you must understand how Splunk performs on the internal level. In general, Splunk processes DATA in three stages:

• Data Input Stage: This stage involves Splunk consuming raw data not from a single, but from many sources, breaking it up into 64K BLOCKS, and annotating each block with metadata KEYS. A metadata key INCLUDES the hostname, source, and source type of the data.
• Data Storage Stage: In this stage, two different phases are performed, Parsing and Indexing.
  • In the Parsing phase, Splunk analyzes the data, transforms it, and extracts only the relevant information. This is also called "event processing," SINCE it breaks down the data sets into different events.
  • During the indexing phase, Splunk software writes the parsed events into the index queue. One of the main benefits of using this is to make sure the data is easily accessible for anyone during the search.
• Data Searching Stage: This stage usually controls how the index data is accessed, viewed, and used by the user. Reports, event types, dashboards, visualization, alerts, and other knowledge objects can be created based on the user's reporting requirements.

In general, machine data is difficult to understand and has an unstructured format (not arranged as per pre-defined data model), making it unsuitable for analysis and visualization of data. Splunk is the perfect tool for TACKLING such problems. Splunk is used to analyze machine data for SEVERAL reasons:   

• Provides business insights: The Splunk platform analyzes machine data for patterns and trends, providing operational insights that ASSIST businesses in making smarter decisions for the profitability of the organization.
• Enhances operational visibility: Splunk obtains a comprehensive view of overall operations based on machine data and then aggregates it across the entire infrastructure.
• Ensures proactive monitoring: Splunk employs a real-time analysis of machine data to discover system errors and vulnerabilities (external/internal breaches and intrusions).
• Search and Investigation: Splunk uses machine data to pinpoint and fix problems by CORRELATING EVENTS across numerous data sources and detecting patterns in large datasets.