If you’re looking for Splunk Interview Questions & Answers for Experienced or Freshers, you are at the right place.In case you want to learn the basics of Splunk then, you can start off by reading the first blog in my Splunk tutorial series: What Is Splunk? All the best!

1) What is Splunk?

Ans: Splunk is a software technology that is used for searching, visualizing, and monitoring machine-generated big data. It monitors and different types of log files and stores data in Indexers.

2) What Are Components Of Splunk/splunk Architecture?

Ans: The fundamental components of Splunk are:

  • Search head  – provides GUI for searching
  • Indexer – indexes machine data
  • Forwarder -Forwards logs to Indexer
  • Deployment server -Manges splunk components in distributed environment

3) Why is Splunk used for analyzing machine data?

Ans: One of the most used analytics tools out there is Microsoft Excel and the drawback with it is that Excel can load only up to 1048576 rows and the machine data are generally huge. Splunk comes handy in dealing with machine-generated data (big data), the data from servers, devices or networks can be easily loaded into Splunk and can be analyzed to check for any threat visibility, compliance, security etc. it can also be used for application monitoring. 

4) Explain how Splunk works

Ans: Data is loaded into Splunk using the forwarder which acts as an interface between the Splunk environment and the outside world, then this data is forwarded to an indexer where the data is either stored locally or on a cloud. The indexer indexes the machine data and stores it in the server. Search Head is the GUI which is provided by Splunk for searching and analyzing (searches, visualizes, analyzes and performs various other functions) the data.

Deployment server manages all the components of Splunk like indexer, forwarder and search head in Splunk environment.


5) What are common port numbers used by Splunk?

Ans: Common ports used by Splunk are as follows:

  • Web Port: 8000
  • Management Port: 8089
  • Network port: 514
  • Index Replication Port: 8080
  • Indexing Port: 9997
  • KV store: 8191

6) Why use only Splunk?

Ans: There are many alternatives for Splunk which give a lot of competition to it some of them are as below:

ELK/Logstash (open source)

Elasticsearch is used for searching it’s like the search head in Splunk, Log stash is for data collection which is similar to the forwarder used in Splunk, and Kibana is used for data visualization(search head does the same in Splunk)

Graylog (open source with commercial version)

Graylog is yet another tool which was name last year with its release 1.0. Similar to ELK stack Graylog also has different components it uses Elasticsearch as its core component but the data is stored in Mongo DB and uses  Apache Kafka. It has two versions one core version which is available for free and the enterprise version which comes with functions like archiving.

Sumo Logic (cloud service)

So what makes Splunk best among all is that Splunk comes as a single package of the data collector, storage as well as the analytics tool inbuilt. Splunk is also scalable and provides support/professional help for its enterprise edition.

7) Briefly, explain the Splunk Architecture

Ans: The below picture gives a brief overview of the Splunk architecture and its components.

splunk training

8) What are the components of Splunk architecture?

Ans: There are four components in the Splunk architecture. They are:

  • Indexer: Indexes machine data
  • Forwarder: Forwards logs to index
  • Search head: Provides GUI for searching
  • Deployment server: Manages the Splunk components(indexer, forwarder and search head) in a distributed environment

9) Give a few use cases of Knowledge Objects.

Ans: Knowledge objects can be used in many domains. Few examples are:

  • Application Monitoring: Your applications can be monitored in real-time with configured alerts to notify when an application crashes.
  • Physical Security: You can have the fulll everage of the data containing information about the volcanos, floods etc. to gain insights, if your firm deals with them.
  • Network Security: With the usage of lockups from your knowledge objects, you can increase security in your systems by blacklisting certain IPs from getting into your network.
  • Employee Management: If you want to monitor the activity of people who are serving their notice period, then you can create a list of those people and create a rule preventing them from copying data and using them outside.

10) Explain Search Factor (SF) & Replication Factor (RF)

These are the terminologies which are used in Splunk clustering techniques. Indexer cluster is a specially configured group of Splunk Enterprise indexers which replicates external data and is used for disaster recovery.

In terms of the Splunk documentation search, the factor can be described as “The number of searchable copies of data that an indexer cluster maintains. The default value of search factor is 2” whereas replication factor is defined as the number of copies of data that the cluster maintains.

Indexer cluster has both a Search Factor and a Replication Factor whereas Search head cluster has only a Search Factor

11) What are Splunk buckets? Explain the bucket lifecycle.

Ans: The directories in which the indexed data is stored is known as Splunk buckets and these have events of the certain period. The lifecycle of Splunk bucket includes four stages hot, warm, cold, frozen and thawed.

  • Hot– This bucket contains the recently indexed data and is open for writing.
  • Warm– After the data falls in hot bucket depending on your data policies it moves to warm buckets
  • Cold– The next stage after warm is the cold stage wherein the data can’t be edited.
  • Frozen– By default the indexer deletes the data from frozen buckets but these can also be archived.
  • Thawed– The retrieval of information from archived files (frozen bucket) is known as thawing.

12) What is the function of Alert Manager?

Ans: The alert manager adds workflow to Splunk. The purpose of alert manager o provides a common app with dashboards to search for alerts or events.

13) How can you troubleshoot Splunk performance issues?

Ans: Three ways to troubleshoot Splunk performance issue.

See server performance issues.

See for errors in splunkd.log.

Install Splunk app and check for warnings and errors in the dashboard.

14) What is the difference between Index time and Search time?

Ans: Index time is a period when the data is consumed and the point when it is written to disk. Search time take place while the search is run as events are composed by the search.

15) How to reset the Splunk administrator password?

Ans: In order to reset the administrator password, perform the following steps:

  • Login into the server on which Splunk is installed
  • Rename the password file and then again start the Splunk.
  • After this, you can sign into the server by using username either administrator or admin with a password changeme.

16) List out different types of Splunk licenses

Ans: The types of Splunk licenses are as follows:

  • Free license
  • Beta license
  • Search heads license
  • Cluster members license
  • Forwarder license
  • Enterprise license

17) Why should we use Splunk Alert? What are the different options while setting up Alerts?

Ans: The state of being watchful for any possible error is known as alert and in Splunk, environment alerts can arise due to any connection failures or security violations or breaking of any user-created rules.

For example, sending notifications or a report of the users who have failed to login after utilizing their three attempts in a portal to the application administrator.

Different options that are available while setting up alerts are:

  • A webhook can be created to write the alerts to hipchat or GitHub.
  • Add results, .csv or pdf or in line with the body of the message so that the root cause of the alert can be identified.
  • Tickets can be created and alerts can be throttled from a machine or an IP.

18) What is the difference between stats and transaction commands?

Ans: The transaction command is useful in two areas. Two transactions are not identified by unique id anymore. In this case, the identifier is re-used to identify web sessions. Here, time span or pauses are used to divide data into transactions. In cases when an identifier is used again, a specific message may identify the beginning or end of a transaction. Usually, stats command is used in a distributed search environment as it performs better. If a unique id is an identifier, stats can be used.

19) Explain Data Models and Pivot

Ans: For creating a structured hierarchical model of your data Data Models are used. When you want to want to make use of that information without using complex search queries or you have a large amount of unstructured data, you can use Data Models.

On the other hand with pivots, you have the flexibility to create the front views of your results and then pick and choose the most appropriate filter for a better view of results.

20) What is a lookup command? Differentiate between input lookup & output lookup commands.

Ans: Lookup command is that topic into which most interview questions dive into, with questions like: Can you enrich the data? How do you enrich the raw data with external lookup?

If you want to receive some fields from an external file, you can use Lookup commands. It is usually used to narrow the search results. An inputlookup basically takes an input as the name suggests.

21) Name features which are not available in Splunk free version?

Ans: Splunk free version lacks the following features:

  • Distributed searching
  • Forwarding in HTTP or TCP
  • Agile statistics and reporting with Real-time architecture
  • Offers analysis, search, and visualization capabilities to empower users of all types.
  • Generate ROI faster

22) Explain types of search modes in Splunk?

Ans: There are three types of search modules. They are:

  • Fast mode: It increases the searching speed by limiting search data.
  • Verbose mode: This mode returns all possible fields and event data.
  • Smart mode: It is a default setting in a Splunk app. Smart mode toggles the search behavior based on transforming commands.

23) Where to download Splunk Cloud?

Ans: Visit website: https://www.splunk.com/ to download a free trial of Splunk Cloud.

24) What is the difference between Search time and Index time field extractions?

Ans: As the name suggests, Search time field extraction refers to the fields extracted while performing searches whereas, fields extracted when the data comes to the indexer are referred to as Index time field extraction.

Splunk training includes training in basic search, sharing and saving of results, creating tags and event types, generating reports, and charts creationI hope this set of Splunk interview questions and answers will help you in preparing for your interview.

25) What is Time Zone property in Splunk?

Ans: Time zone property provides the output for a specific time zone. Splunk takes the default time zone from browser settings. The browser takes the current time zone from the computer system, which is currently in use. Splunk takes that time zone when users are searching and correlating bulk data coming from other sources.

close slider

Your Name (required)

Your Email (required)

Contact Number




No Of Participant