Online Splunk Certification

1. Explain ‘license violation’ from the Splunk perspective.

Ans: If you exceed the data limit, you will be shown a ‘license violation’ error. The license warning that is raised persists for 14 days. With a commercial license you can have 5 warnings within a 30-day rolling window before your indexer’s search results and reports stop triggering. The free version, however, allows only 3 warnings.

2. What are the default fields for every event in Splunk?

Ans: There are 5 default fields, and they are attached to every event indexed into Splunk.

They are host, source, sourcetype, index and timestamp.

3. Why use only Splunk?

Ans: Splunk has a lot of competition in the market for performing IT operations, analyzing machine logs, providing security and doing business intelligence. But there is no single tool other than Splunk that can do all of these operations, and that is where Splunk stands out and makes a difference. Splunk helps in scaling up infrastructure and lets you get professional support from a firm that supports the platform.

4. How can you troubleshoot Splunk performance issues?

Ans: There are three ways of doing this.

  • Check for errors in splunkd.log

  • Check server performance issues

  • Install the Splunk on Splunk app and check for errors and warnings in its dashboards

5. What are the types of Splunk forwarders?

Ans: There are two types of forwarders:

  • Universal forwarder (UF) – lightweight Splunk instance; cannot parse or index data

  • Heavy forwarder (HF) – full instance of Splunk with the advanced functionality of parsing and indexing

6. What is a lookup command? Differentiate between input lookup & output lookup commands.

Ans: The lookup command is a topic that most interview questions dive into, with questions such as: Can you enrich the data? How do you enrich the raw data with an external lookup?

If you want to pull some fields from an external file, you can use the lookup commands. They are usually used to enrich or narrow the search results. An inputlookup, as the name suggests, basically takes the lookup file as its input.

7. Which is the latest Splunk version in use?

Ans: Splunk 6.3

8. Can you name a few of the most important configuration files in Splunk?

Ans: Some of the most important configuration files are:
  1. props.conf

  2. indexes.conf

  3. inputs.conf

  4. transforms.conf

  5. server.conf

9. Who are the top direct competitors to Splunk?

Ans: Logstash, Loggly, LogLogic, Sumo Logic, etc. are some of the top direct competitors to Splunk.

10. Name the common port numbers used by Splunk.

Ans: The common port numbers for Splunk are:

  • Splunk Web Port: 8000

  • Splunk Management Port: 8089

  • Splunk Network port: 514

  • Splunk Index Replication Port: 8080

  • Splunk Indexing Port: 9997

  • KV store: 819

11. What is the configuration files precedence in Splunk?

Ans: The precedence of configuration files in Splunk is as follows:

  • System Local Directory (highest priority)

  • App Local Directories

  • App Default Directories

  • System Default Directory (lowest priority)
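As an added example (not from the original page), the script below merges .conf stanzas in the four-layer precedence order listed above, recording which layer supplied each effective value, much like `splunk btool <conf> list --debug` does. The indexes.conf fragments are constructed inline, and the ordering is the simplified one given here, not Splunk's full app-by-app rules.

```python
import configparser

# Layer order from the precedence list above, lowest priority first.
# Constructed sample: indexes.conf fragments as inline strings, not real files.
LAYERS = [
    ("system/default", "[main]\nhomePath = $SPLUNK_DB/defaultdb/db\n"
                       "frozenTimePeriodInSecs = 188697600\nmaxHotBuckets = 3\n"),
    ("app/default",    "[main]\nfrozenTimePeriodInSecs = 7776000\n"),
    ("app/local",      "[main]\nmaxHotBuckets = 5\n"),
    ("system/local",   "[main]\nfrozenTimePeriodInSecs = 2592000\n"),
]


def parse_conf(text):
    """Parse one .conf fragment into {stanza: {key: value}}."""
    cp = configparser.ConfigParser(interpolation=None)  # keep $SPLUNK_DB literal
    cp.optionxform = str  # Splunk keys are case-sensitive; keep them as written
    cp.read_string(text)
    return {s: dict(cp.items(s)) for s in cp.sections()}


def merge_layers(layers):
    """Apply layers lowest to highest; a later (higher-priority) layer overrides
    any key set by an earlier one. Returns {stanza: {key: (value, winning_layer)}}."""
    merged = {}
    for name, text in layers:
        for stanza, kv in parse_conf(text).items():
            target = merged.setdefault(stanza, {})
            for key, value in kv.items():
                target[key] = (value, name)
    return merged


def effective(merged, stanza, key):
    """Return (value, layer) for the setting that actually takes effect."""
    return merged[stanza][key]


if __name__ == "__main__":
    m = merge_layers(LAYERS)
    for key, (value, origin) in sorted(m["main"].items()):
        print(f"{origin:15} [main] {key} = {value}")
```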

12. List out the different types of Splunk licenses.

Ans: The types of Splunk licenses are as follows:

  • Free license

  • Beta license

  • Search heads license

  • Cluster members license

  • Forwarder license

  • Enterprise license

13. What is sourcetype in Splunk?

Ans: It is one of the default fields that Splunk assigns to all incoming data. It tells Splunk what kind of data is being sent so that it can format the data intelligently during indexing. Sourcetype also helps categorize the data, making searches easier.

14. What are the components of the Splunk architecture?

Ans: The following are the components of Splunk:

  • Search head – provides the GUI for searching

  • Indexer – indexes machine data

  • Forwarder – forwards logs to the indexer

  • Deployment server – manages Splunk components in a distributed environment

15. What are Splunk Buckets? Explain the Bucket Lifecycle?

Ans: A Splunk bucket is a directory that contains indexed data; it holds the events of a certain period. The bucket lifecycle includes the following stages:

  • Hot – Contains recently indexed data and is open for writing. For each index, there are one or more hot buckets available.

  • Warm – Data rolled from hot.

  • Cold – Data rolled from warm.

  • Frozen – Data rolled from cold. The indexer deletes frozen data by default, but users can also archive it.

  • Thawed – Data restored from an archive file. If you archive frozen data, you can later return it to the index by thawing (defrosting) it.
