29 October 2020

#Splunk

Key Concepts

| Level | Topic | Sub-Topics |
|---|---|---|
| 1 | Splunk Overview | What is Splunk, Splunk Use Cases, Machine Data, Splunk Architecture, Real-time vs Historical Data |
| 2 | Splunk Installation | System Requirements, Splunk Enterprise Install, Forwarder Install, Windows Install, Linux Install |
| 3 | Splunk Components | Indexer, Search Head, Forwarder, Deployment Server, License Master |
| 4 | Splunk Data Inputs | Files & Directories, TCP/UDP Inputs, Scripted Inputs, Windows Event Logs, Syslog |
| 5 | Splunk Indexing Process | Parsing Phase, Indexing Phase, Buckets, Hot/Warm/Cold Buckets, Metadata |
| 6 | Splunk Web Interface | Search Bar, Apps Menu, Dashboards, Settings, Monitoring Console |
| 7 | SPL Basics | Search Command, Keywords, Time Range Picker, Pipes, Fields |
| 8 | SPL Searching & Filtering | AND/OR/NOT, Wildcards, Field Searches, Time Modifiers, Subsearch |
| 9 | Fields & Field Extraction | Default Fields, Field Discovery, Regex Extraction, Delimiters, Field Aliases |
| 10 | Transforming Commands | stats, chart, timechart, top, rare |
| 11 | Reporting in Splunk | Report Creation, Scheduling Reports, Export Formats, Sharing Reports, Report Acceleration |
| 12 | Splunk Dashboards | Dashboard Panels, Visualization Types, XML Dashboards, Tokens, Inputs |
| 13 | Lookups | Lookup Tables, CSV Lookups, Automatic Lookups, Lookup Commands, Geo Lookups |
| 14 | Knowledge Objects | Fields, Tags, Event Types, Macros, Workflow Actions |
| 15 | Splunk Apps & Add-ons | Splunkbase, App Installation, Add-on Configuration, CIM Compliance, App Permissions |
| 16 | Common Information Model (CIM) | CIM Overview, Data Models, Normalization, Tags & Fields, CIM Validation |
| 17 | Data Models | Data Model Structure, Pivot, Acceleration, Constraints, Datasets |
| 18 | Alerts in Splunk | Alert Types, Alert Conditions, Throttling, Actions, Email & Webhook Alerts |
| 19 | User Management | Users & Roles, Capabilities, Authentication, Authorization, Role Mapping |
| 20 | Splunk Security Basics | RBAC, Secure Ports, TLS/SSL, Audit Logs, Password Policies |
| 21 | Forwarder Management | Universal Forwarder, Heavy Forwarder, Deployment Server, Server Classes, outputs.conf |
| 22 | Configuration Files | inputs.conf, outputs.conf, props.conf, transforms.conf, limits.conf |
| 23 | Performance Tuning | Search Optimization, Index Sizing, Bucket Management, Resource Monitoring, Acceleration |
| 24 | Monitoring Console | Indexer Health, Search Head Health, Forwarder Status, Resource Usage, Alerts |
| 25 | Splunk REST API | REST Basics, Authentication, Search API, Admin API, Use Cases |
| 26 | Splunk Backup & Restore | Index Backup, Config Backup, Cold to Frozen, Restore Process, Best Practices |
| 27 | Splunk Scaling | Distributed Search, Indexer Clustering, Search Head Clustering, Load Balancing, High Availability |
| 28 | Troubleshooting Splunk | Search Issues, Indexing Issues, Forwarder Issues, Log Files, Common Errors |
| 29 | Splunk Use Cases | Log Monitoring, Security Analytics, IT Operations, Business Analytics, Compliance |
| 30 | Splunk Interview & Certification Prep | Common Interview Questions, SPL Scenarios, Admin Concepts, Architect Concepts, Certification Path |

Interview Questions

BASIC

  1. What is Splunk?
  2. What are the major components of Splunk?
  3. What is an Index in Splunk?
  4. What is a Splunk Forwarder?
  5. Difference between Universal Forwarder (UF) and Heavy Forwarder (HF)?
  6. What is a Search Head?
  7. What is sourcetype?
  8. What is props.conf used for?
  9. What is transforms.conf?
  10. Explain Splunk architecture.
  11. What is SPL in Splunk?
  12. What is the purpose of the stats command?
  13. Difference between stats and eventstats?
  14. What is the timechart command?
  15. What is the eval command?
  16. What is a lookup in Splunk?
  17. What are field extractions?
  18. What are knowledge objects?
  19. What is a Dashboard?
  20. What are workflow actions?
  21. What is Splunkbase?
  22. What is indexes.conf?
  23. Difference between Search Head and Indexer?
  24. What are eventtypes?
  25. What are tags in Splunk?

INTERMEDIATE

  1. What is parsing in Splunk?
  2. What is indexing phase?
  3. What is a License Master?
  4. What are buckets in Splunk?
  5. Explain hot, warm, cold, frozen buckets.
  6. What is summary indexing?
  7. What is a data model?
  8. What is CIM (Common Information Model)?
  9. Difference between tags and eventtypes?
  10. Difference between join and append?
  11. What is a subsearch?
  12. What is the transaction command used for?
  13. How does the rex command work?
  14. What is regex extraction?
  15. What is a deployment server?
  16. What is Search Head Clustering?
  17. What is Indexer Clustering?
  18. What is KV Store?
  19. What is Risk Analysis in Splunk ES?
  20. What are notable events?
  21. What are correlation searches?
  22. How do you use Splunk REST API?
  23. What are Alerts in Splunk?
  24. Explain data onboarding process.
  25. What is the collect command?

ADVANCED

  1. What is the tstats command?
  2. What are accelerated data models?
  3. Difference between lookup and inputlookup?
  4. Summary indexing vs report acceleration?
  5. How do you optimize Splunk searches?
  6. What is multisite indexer clustering?
  7. What is a cluster master?
  8. What is captain election in SHC?
  9. What is bucket replication?
  10. What is indexer discovery?
  11. What is HEC (HTTP Event Collector)?
  12. What is modular input?
  13. What is scripted input?
  14. Difference between Cribl and Splunk HF?
  15. What is Splunk Observability?
  16. How do APM traces work in Splunk?
  17. Difference between metrics and events?
  18. What is Splunk Stream processor?
  19. Explain parsing performance optimization.
  20. What are typical SIEM use cases?
  21. How is a risk score calculated?
  22. What is UEBA in Splunk ES?
  23. Explain threat intel integration.
  24. What is the collect command?
  25. How do you scale a large Splunk deployment?

EXPERT

  1. Design Splunk architecture for 100TB/day ingestion.
  2. Explain multi-region Splunk deployment.
  3. How do you implement CI/CD for Splunk apps?
  4. Scaling Search Head Clusters for enterprise workloads.
  5. What is DMC (Monitoring Console)?
  6. Explain storage tiering in Splunk.
  7. How do you approach a Splunk migration?
  8. Explain RBAC and governance in Splunk.
  9. How do you tune correlation searches in ES?
  10. Explain SOAR integration with Splunk ES.
  11. On-prem vs Cloud Splunk migration approach?
  12. What are the HEC load balancing mechanisms?
  13. Blueprint for optimized forwarder architecture.
  14. Explain advanced risk-based alerting (RBA).
  15. What is DDAA in ES?
  16. Using MLTK (Machine Learning Toolkit) in ES.
  17. How do you automate playbooks in SOAR?
  18. What is workload management in Splunk?
  19. How do you optimize saved searches?
  20. How do you design complex data models?
  21. What are Splunk trust boundaries?
  22. How is Splunk used in DevSecOps pipelines?
  23. What is guarded search mode?
  24. Explain advanced clustering topologies.
  25. How to secure Splunk for regulated environments?

Related Topics

  Splunk Architecture
  Splunk Components
  Splunk Data Inputs
  Splunk Indexing Process
  SPL Basics