Splunk Interview Questions for Admin

9. What is the use of License Master in Splunk?

License master is responsible for making sure that right amount of data gets indexed.splunk license is based on the data volume that comes to the platform within 24hr window.

Eg: You get 300 GB data on day one, 500gb on second data and 1 terabyte data of  on some day  and suddenly it drops to 100gb on some day. Then ideally you should have 1 terabyte data licensing model. The license master thus makes sure that the indexers within the splunk deployment have sufficient capacity and licensing the right amount of data.

10. What happens if license master is unreachable?

In case it happens it is not possible to search the data. The data coming into the indexer will not be affected. The  data will continue to flow into your splunk deployment, the indexer will continue to index the data as usual. You will get the warning message on top of search head  or web UI saying that you exceeded the indexing volume.

11. Explain license violation from splunk perspective?

If you exceed the data limit it will show a license violation error. The license warning that is thrown up will persist for 14 days. In commercial license you can have 5 warnings  within a 30day rolling window before which  your  indexer’s search results and reports stop triggering.

12. What are types of splunk licenses?

Types of licenses are:

• Enterprise license
• free license
• Forwarder license
• Beta license
• Licenses for search heads (for distributed search)
• Licenses for cluster members (for index replication)