Splunk FAQ’s

The common port numbers for Splunk are:

• Splunk Web Port: 8000
• Splunk Management Port: 8089
• Splunk Network port: 514
• Splunk Index Replication Port: 8080
• Splunk Indexing Port: 9997
• KV store: 8191

Splunk supports three types of dashboards, namely:

• Fast mode
• Smart mode
• Verbose mode

There are three different kinds of Splunk dashboards:

• Real-time dashboards
• Dynamic form-based dashboards
• Dashboards for scheduled reports

Splunk is available in three different versions.

• Splunk Enterprise
• Splunk Light
• Splunk Cloud

It is a component of Splunk Enterprise which creates and manages indexes. The primary functions of an indexer are 1) Indexing raw data into an index and 2) Search and manage Indexed data.

Splunk DB Connect is a generic SQL database plugin designed for Splunk. It enables users to integrate database information with Splunk queries and reports seamlessly.

Some of the important search commands in Splunk are:

• Abstract
• Erex
• Addtotals
• Accum
• Filldown
• Typer
• Rename
• Anomalies

The advantages of getting data into Splunk via forwarders are TCP connection, bandwidth throttling, and secure SSL connection for transferring crucial data from a forwarder to an indexer.

Lookup commands are used when you want to receive some fields from an external file (such as CSV file or any python based script) to get some value of an event. It is used to narrow the search results as it helps to reference fields in an external CSV file that match fields in your event data

Different types of Data Inputs in Splunk are

• Using files and directories as input.
• To get the data push automatically in splunk is by Configuring Network ports.

Commonly used Splunk configuration files are:

• Inputs file
• Transforms file
• Server file
• Indexes file
• Props file

Alerts can be used when you have to monitor for and respond to specific events. For example, sending an email notification to the user when there are more than three failed login attempts in a 24-hour period.

It can be extracted either from the below options

• Event Lists
• Sidebar
• From Settings menu via GUI
• Creating regular expressions in props.conf configuration file

Splunk allows you to keeps track of indexed events in a fish buckets directory. It contains CRCs and seeks pointers for the files you are indexing, so Splunk can’t if it has read them already.

$splunkhome/etc/system/default

The alert manager adds workflow to Splunk. The purpose of alert manager o provides a common app with dashboards to search for alerts or events.

A summary index is a special index that stores that result calculated by Splunk. It is a fast and cheap way to run a query over a longer period of time.

It is the directory used by Splunk enterprise to store data and indexed files into the data. These index files contain various buckets managed by the age of the data.

Splunk App is the collection of reports, dashboard, alerts, field extractions and lookups whereas Splunk Add-ons are same but they don’t have the visual components of a report or a dashboard.