Splunk Interview Questions for Admin

13. Explain how data ages in splunk?

Data coming in to the indexer is stored in directories called buckets. A bucket moves through several stages as data ages: hot, warm, cold, frozen and thawed. Over time, buckets ‘roll’ from one stage to the next stage.

• The first time when data gets indexed, it goes into a hot bucket. Hot buckets are both searchable and are actively being written to. An index can have several hot buckets open at a time
• When certain conditions occur (for example, the hot bucket reaches a certain size or splunkd gets restarted), the hot bucket becomes a warm bucket (“rolls to warm”), and a new hot bucket is created in its place. Warm buckets are searchable, but are not actively written to. There can be many warm buckets
• Once further conditions are met (for example, the index reaches some maximum number of warm buckets), the indexer begins to roll the warm buckets to cold based on their age. It always selects the oldest warm bucket to roll to cold. Buckets continue to roll to cold as they age in this manner
• After a set period of time, cold buckets roll to frozen, at which point they are either archived or deleted.

14. what are buckets? Explain bucket Lifecycle?

Buckets are directories that store the indexed data in Splunk. So, it is a physical directory that chronicles the events of a specific period

• Hot – A hot bucket comprises of the newly indexed data, and hence, it is open for writing and new additions. An index can have one or more hot buckets. 
• Warm – A warm bucket contains the data that is rolled out from a hot bucket. 
• Cold – A cold bucket has data that is rolled out from a warm bucket. 
• Frozen – A frozen bucket contains the data rolled out from a cold bucket. The Splunk Indexer deletes the frozen data by default. However, there’s an option to archive it. An important thing to remember here is that frozen data is not searchable.

15. Explain pipelines in splunk?

Splunk processes data through pipelines. A pipeline is a thread, and each pipeline consists of multiple functions called processors. There is a queue between pipelines.

Data in Splunk moves through the data pipeline in phases. Input data originates from inputs such as files and network feeds. As it moves through the pipeline, processors transform the data into searchable events that encapsulate knowledge.

types of pipeline:

• parsing pipeline
• merging pipeline
• typing pipeline
• index pipeline

16. What are the Types Queues in splunk?

Types of queues:

• Parsing Queue
• Aggregation Queue
• Typing Queue
• Indexing Queue