#Splunk

Question count -     Last updated    - V4 (03-Sep-2025)

Level Topic Subtopics Basic Introduction to Splunk What is Splunk, Features, Architecture, Editions, Use Cases Splunk Components Forwarders, Indexers, Search Heads Data Ingestion Basics Input types, Data sources, Formats Splunk Search Language (SPL) Basics Search commands, Syntax, Keywords Indexing Index creation, Data retention, Index types Fields & Field Extraction Default fields, Extracting fields, Regex Event Types What are events, Event metadata, Event examples Knowledge Objects Saved searches, Event types, Tags Dashboards Basics Simple dashboards, Panels, Charts Splunk Documentation & Tools Splunk Docs, Apps, Add-ons Intermediate Advanced Search Commands stats, timechart, chart, top, rare, eval Data Parsing & Transforming Transforms.conf, Props.conf, Data normalization Lookup Tables Static lookups, Automatic lookups, KV Store lookups Field Aliases Field renaming, Best practices Tags & Event Types Custom tags, Event categorization Alerts & Scheduled Searches Creating alerts, Trigger actions, Scheduled searches Splunk Apps & Add-ons Installing apps, Using add-ons, Marketplace Data Models & Pivots CIM, Pivot interface, Accelerated data models Search Macros Macro creation, Usage, Parameters Regular Expressions Extracting data, Named captures, Best practices Advanced Indexing Internals Index structure, Buckets, Indexing pipelines Data Retention Policies Frozen data, Retention settings, Archiving Performance Tuning Search optimization, Index optimization, Best practices Splunk Clustering Indexer clustering, Search head clustering, Deployment scenarios Distributed Search Search head pooling, Search affinity, Load balancing Advanced Dashboards & Visualizations Dynamic panels, Drilldowns, Advanced charts Splunk REST API API endpoints, Authentication, Examples Security & Access Control Roles, Users, Authentication methods Event Correlation Correlation searches, Use cases Splunk Enterprise Security ES app, Notable events, Incident review Expert Splunk Architecture Deep Dive Indexer internals, Forwarder types, Queue handling Custom Apps & Add-ons App development, Splunk SDKs, Deployment Advanced Field Extraction Regex optimization, Field aliases, Multi-line events Splunk Deployment Strategies Single vs Multi-site, Best practices Troubleshooting Splunk Log analysis, Common errors, Debugging techniques Data Model Acceleration CIM compliance, Acceleration techniques Machine Learning Toolkit (MLTK) Installing MLTK, Using algorithms, Predictive analytics Splunk IT Service Intelligence (ITSI) KPIs, Glass tables, Service monitoring Splunk Observability Cloud APM, Metrics, Infrastructure monitoring Future Trends & Best Practices Cloud-native Splunk, AI integration, Performance tuning

1. Fundamentals

1. What is Splunk and what are its main features?
2. Explain the Splunk architecture.
3. What are the different Splunk editions?
4. What is the difference between indexers, forwarders, and search heads?
5. What is a forwarder in Splunk?
6. What are the types of forwarders?
7. How does Splunk ingest data?
8. What are events in Splunk?
9. Explain Splunk buckets and their types.
10. How do you search data in Splunk?
11. What is SPL (Search Processing Language)?
12. How do you create a basic search query?
13. What are fields in Splunk?
14. How do you extract fields?
15. What are tags and event types?
16. What is a knowledge object?
17. How do you create saved searches?
18. What is a dashboard in Splunk?
19. What is the role of Splunk apps and add-ons?
20. How do you monitor Splunk logs?
21. What is Splunk Data Models?
22. What are lookup tables in Splunk?
23. What is the difference between Splunk Free vs Enterprise?
24. What are common use cases of Splunk?
25. How does Splunk handle large data volumes?

---

2. Searching & Reporting

1. How do you use the stats command in Splunk?
2. How do you use the timechart command?
3. What is the eval command used for?
4. How do you filter results using where?
5. How do you count unique events?
6. How do you sort data in Splunk search?
7. How do you use top and rare commands?
8. What is the difference between table and fields commands?
9. How do you create macros in Splunk?
10. How do you use the rex command?
11. How do you perform regular expression searches?
12. How do you create alerts from search results?
13. What is the difference between scheduled and real-time searches?
14. How do you perform subsearches?
15. How do you join data from multiple indexes?
16. How do you create summary indexes?
17. What are lookup tables and how are they used in searches?
18. How do you use workflow actions in Splunk?
19. How do you create drilldowns in dashboards?
20. How do you visualize search results using charts?
21. How do you implement conditional evaluation in searches?
22. How do you handle large search results?
23. How do you extract multi-line events?
24. How do you track failed searches?
25. How do you optimize search performance?

---

3. Indexing & Data Management

1. How is data indexed in Splunk?
2. What are hot, warm, cold, and frozen buckets?
3. How do you configure retention policies?
4. What is the role of props.conf and transforms.conf?
5. How do you handle timestamp extraction?
6. How do you manage sourcetypes?
7. How do you manage host, source, and index fields?
8. What is data normalization?
9. How do you perform data transformations?
10. How do you handle duplicate events?
11. What are common indexing errors and how do you troubleshoot them?
12. How do you monitor indexing performance?
13. How do you scale indexing for high-volume data?
14. What is the difference between event-based and metric-based indexes?
15. How do you archive frozen data?
16. How do you import external CSV or JSON files?
17. How do you handle structured vs unstructured data?
18. How do you configure inputs for forwarders?
19. How do you monitor ingestion queues?
20. How do you manage multiple indexes?
21. How do you enforce data retention compliance?
22. How do you detect data anomalies during indexing?
23. How do you troubleshoot slow indexing issues?
24. How do you set up indexer clustering?
25. How do you perform index recovery?

---

4. Security & Administration

1. How do you manage users and roles in Splunk?
2. What are Splunk capabilities?
3. How do you configure role-based access control (RBAC)?
4. How do you secure Splunk deployment?
5. How do you implement SSL/TLS in Splunk?
6. How do you configure single sign-on (SSO)?
7. What are authentication methods in Splunk?
8. How do you audit user activity?
9. How do you monitor Splunk logs for security?
10. How do you manage tokens and API keys?
11. How do you implement alert actions securely?
12. How do you limit access to indexes?
13. How do you monitor license usage?
14. What are best practices for Splunk administration?
15. How do you perform backup and restore?
16. How do you troubleshoot user login issues?
17. How do you configure data encryption at rest?
18. How do you monitor deployment health?
19. How do you maintain high availability?
20. How do you upgrade Splunk safely?
21. How do you configure clustering for security?
22. How do you monitor and alert on system metrics?
23. How do you implement compliance audits?
24. How do you manage large-scale deployments?
25. How do you ensure disaster recovery readiness?

---

5. Dashboards & Visualization

1. How do you create a dashboard in Splunk?
2. What are panels and how do you use them?
3. How do you use charts and graphs?
4. How do you implement drilldowns in dashboards?
5. How do you use dynamic dropdowns?
6. How do you add real-time search panels?
7. How do you use CSS and Simple XML in dashboards?
8. How do you create advanced visualizations?
9. How do you use custom tokens?
10. How do you schedule dashboard refresh?
11. How do you embed dashboards in web pages?
12. How do you use single-value visualizations?
13. How do you create geospatial visualizations?
14. How do you apply conditional formatting?
15. How do you link dashboards together?
16. How do you optimize dashboard performance?
17. How do you create multi-panel dashboards?
18. How do you filter dashboards by tokens?
19. How do you implement drill-through dashboards?
20. How do you create scatter plots and heatmaps?
21. How do you use advanced charting libraries?
22. How do you create dynamic tables?
23. How do you visualize log trends over time?
24. How do you manage dashboard permissions?
25. How do you troubleshoot slow dashboards?

---

6. Splunk Enterprise Security (ES) & ITSI

1. What is Splunk Enterprise Security (ES)?
2. What are notable events in ES?
3. How do you create correlation searches?
4. How do you configure risk scores?
5. What are key performance indicators (KPIs) in ITSI?
6. How do you use service monitoring in ITSI?
7. What is a glass table?
8. How do you configure thresholds in ES?
9. How do you integrate threat intelligence?
10. How do you configure adaptive response actions?
11. How do you manage ES data models?
12. How do you perform incident review?
13. How do you configure ITSI episodes?
14. How do you customize notable event aggregation?
15. How do you implement risk-based alerting?
16. How do you use machine learning in ES?
17. How do you integrate ES with SOAR tools?
18. How do you monitor service health in ITSI?
19. How do you configure key metrics for services?
20. How do you manage ES add-ons?
21. How do you create custom ES dashboards?
22. How do you tune ES correlation searches?
23. How do you handle ES data from multiple sources?
24. How do you configure incident prioritization?
25. How do you optimize ES performance?

---

7. Advanced Topics & Troubleshooting

1. How do you troubleshoot slow searches?
2. How do you optimize SPL queries?
3. How do you monitor forwarder performance?
4. How do you handle high-volume ingestion issues?
5. How do you troubleshoot indexer failures?
6. How do you resolve licensing issues?
7. How do you monitor CPU and memory usage in Splunk?
8. How do you identify bottlenecks in distributed search?
9. How do you troubleshoot dashboard performance issues?
10. How do you monitor Splunk deployment health?
11. How do you handle data duplication issues?
12. How do you manage multi-site Splunk deployment?
13. How do you debug custom apps and add-ons?
14. How do you monitor and alert on search latency?
15. How do you use REST API for troubleshooting?
16. How do you manage indexer clustering issues?
17. How do you perform proactive capacity planning?
18. How do you handle hot and cold bucket issues?
19. How do you optimize KV store performance?
20. How do you configure distributed caching?
21. How do you implement Splunk Observability Cloud features?
22. How do you debug field extraction issues?
23. How do you monitor and optimize alert execution?
24. How do you integrate Splunk with external monitoring tools?
25. How do you stay updated with Splunk best practices?