
Common Splunk Interview Questions

18. Explain Search Factor (SF) and Replication Factor (RF).

Search Factor (SF): Determines the number of searchable copies of data maintained by the indexer cluster. The default value of the search factor is 2.

Replication Factor (RF): For an indexer cluster, it is the number of copies of data the cluster maintains. For a search head cluster, it is the minimum number of copies of each search artifact that the cluster maintains.

A search head cluster has only a Search Factor, whereas an indexer cluster has both a Search Factor and a Replication Factor.

An important point to note is that the search factor must be less than or equal to the replication factor.

19. How can we extract fields?

You can extract fields through the UI from the event list, the fields sidebar, or the Settings menu.
The other way is to write your own regular expressions in the props.conf configuration file.

20. What is the command to stop and start Splunk service?

The command to start Splunk service is: ./splunk start

The command to stop Splunk service is: ./splunk stop

21. What is the difference between Index time and Search time?

Index time: Index time is the period between when the data is consumed and the point when it is written to disk.

Index-time processing happens when Splunk indexes the data.

At index time, Splunk extracts some default fields such as source, sourcetype and host.

We can also define our own custom sourcetypes and hosts so that Splunk tags events with them.

Event timestamping, event line breaking, custom index-time field extraction, structured data field extraction and event segmentation all happen during this process.

Search time: Search-time processing takes place while the search is run, as events are composed by the search.

It happens at search time, when we search through the data.

It can extract additional fields beyond the default fields, depending on the search settings.

It includes field aliasing, tagging and the addition of fields from lookups. But here, you cannot change host or sourcetype assignments.

Both index-time and search-time field extraction use the props.conf and transforms.conf files.
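As an added example (not from the original post), here are the two extraction styles from questions 19 and 21 side by side: a search-time regex that lives only in props.conf, and an index-time extraction that needs props.conf plus transforms.conf. The sourcetype, field names and regexes are hypothetical.

```ini
# props.conf
# hypothetical sourcetype; both settings sit in the same stanza
[web_access]
# search-time extraction: the regex runs when the search runs, nothing is
# stored on disk, so it can be changed later and re-applied to old data
EXTRACT-client_user = user=(?<client_user>[^\s,]+)
# index-time extraction: hands the event to a transform before it is
# written to disk; changing it afterwards means re-indexing the data
TRANSFORMS-tenant = extract_tenant

# transforms.conf
[extract_tenant]
REGEX = tenant=([A-Za-z0-9_-]+)
# FORMAT names the indexed field and binds it to capture group 1
FORMAT = tenant::$1
# WRITE_META persists the field as indexed metadata with the event
WRITE_META = true

# fields.conf
# marks the field as indexed so searches use the index rather than
# treating tenant=... as a search-time extraction
[tenant]
INDEXED = true
```

Index-time fields cost disk space and cannot be corrected after the fact, so they are normally reserved for values that are searched very often; search-time extraction is the default choice.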
