Splunk Interview Questions — Architecture, SPL, ES & SOAR Answers

① Architecture & Forwarders — the pipeline and deployment components

Q: Describe the Splunk architecture — what are the three tiers?

Model answer: Splunk is a three-tier distributed pipeline. Forwarders sit on the data sources — servers, firewalls, endpoints — and ship data to the middle tier. Indexers receive the data stream, run it through the parsing pipeline (line breaking, timestamp extraction, field extraction metadata, and writing events to time-series buckets), and store the indexed events. Search heads receive user queries, translate them to SPL, and fan the search out to all indexers (distributed search), collect partial results and merge them. The clean one-liner: forwarders collect, indexers store, search heads query.

Q: Universal forwarder vs heavy forwarder — when do you use each?

Model answer: A universal forwarder (UF) is a lightweight agent — it does minimal parsing (just enough to identify events), uses almost no CPU or memory, and ships raw data compressed to the indexer. It is the default choice for every endpoint and server because its footprint is tiny. A heavy forwarder (HF) is a full Splunk installation configured only to forward. It runs the complete parsing pipeline — it can filter, transform, mask (for PII), route to different indexes and even do lookups before data reaches the indexer. Use an HF when you need to scrub sensitive fields before indexing, route by source type, or do compliance-driven data reduction at the collection tier. The interview rule: UF for volume/scale, HF for pre-processing.

Q: Explain the indexer bucket lifecycle — hot, warm, cold, frozen.

Model answer: When an indexer writes new events it opens a hot bucket — it is actively being written to and can be searched. When the bucket hits its size or time limit the indexer rolls it to warm (read-only, recent data, still on fast storage). After the warm retention age, it becomes cold (read-only, older data, typically moved to cheaper/slower storage). When cold retention expires the bucket is frozen — Splunk either deletes it or archives it to a path you specify (e.g. S3 via SmartStore). Only frozen data is inaccessible by default. The lifecycle drives storage tiering and is the answer to 'how does Splunk manage disk?'

Q: What is indexer clustering, and what does the replication factor do?

Model answer: Indexer clustering groups indexers under a cluster master (manager node) so that bucket copies are replicated across peers, providing data availability and high availability. The replication factor (RF) sets how many raw data copies exist (default 3 — data survives loss of RF-1 peers). The search factor (SF) sets how many searchable copies exist (default 2 — searches keep working if one peer is down). A search head cluster adds HA at the search tier with a deployer and captain role. The typical enterprise config: RF=3, SF=2, three or more indexer peers and a three-member search head cluster.

② SPL & Data Models — search language, CIM and acceleration

Q: Explain how SPL works — what is the pipe model?

Model answer: SPL (Search Processing Language) is pipe-based: each command takes a result set, transforms it, and passes the output to the next command via |. A search always starts with a generating command (most commonly a keyword/field search against the index, written before the first pipe) that returns raw events. Then transforming commands aggregate: stats counts and aggregates (like SQL GROUP BY), timechart plots values over time, eval computes new fields, rex extracts fields with regex, lookup enriches with external data, where filters rows. The result flows left to right — each | step narrows or reshapes. A typical detection query: index=windows EventCode=4625 | stats count by user, src_ip | where count > 20 — counts failed logins per user and IP, then filters to those over 20.

Q: What is the Common Information Model (CIM), and why does Splunk ES depend on it?

Model answer: The CIM (Common Information Model) is Splunk's field-naming standard: it defines canonical field names for every data domain (e.g. src_ip, dest_ip, user, action in the Network Traffic data model). Different vendors use different raw field names — Cisco calls a source IP src, Palo Alto calls it srcaddr. CIM normalises them so an ES correlation search written against src_ip works across all sources. CIM is enforced through field aliases and calculated fields in add-ons (TAs), and Splunk Enterprise Security correlation searches are written against CIM data models — so if your data is not CIM-normalised, your ES detections do not fire.

Q: What is a data model and what is data model acceleration?

Model answer: A data model is a hierarchical schema that defines a structured view over raw events: it declares datasets (like Authentication, Network Traffic) and the fields each dataset expects. You search a data model with | datamodel Authentication All_Authentication search or with Pivot. Data model acceleration (also called TSIDX acceleration) pre-summarises the data model into time-series index (TSIDX) files so queries with tstats skip raw event reading entirely, returning results orders of magnitude faster. ES correlation searches almost always use | tstats count from datamodel=... for speed. The trade-off: acceleration uses extra disk and a background search job to keep the summaries current.

③ ES, RBA & SOAR — Enterprise Security, risk scoring and automated response

Q: What is Splunk Enterprise Security (ES) and how does it generate Notable Events?

Model answer: Splunk Enterprise Security (ES) is a premium SIEM app built on top of Splunk. It provides pre-built correlation searches (scheduled SPL searches that run against CIM data models), a Notable Events framework (the analyst queue for investigating detections), Risk-Based Alerting (RBA), threat intelligence management, and asset and identity enrichment. When a correlation search fires it creates a Notable Event in the Incident Review dashboard — similar to a ticket. Analysts work Notable Events by reviewing the evidence, assigning status (New / In Progress / Resolved), and documenting the outcome. The gold line: ES = correlation searches on CIM data → Notable Events → analyst workflow.

Q: What is Risk-Based Alerting (RBA), and how does it differ from traditional alerting?

Model answer: Traditional alerting fires a Notable Event every time a single detection rule triggers — leading to alert fatigue when the same benign behaviour trips the same rule repeatedly. Risk-Based Alerting (RBA) changes the model: each detection rule adds risk points to a risk object (a user, system or other entity) rather than firing directly. A separate Risk Notable correlation search fires only when a risk object's cumulative risk score crosses a threshold — say 100 points — within a time window. The result is far fewer, higher-fidelity alerts. Interviewers like the one-liner: RBA aggregates weak signals per entity so only genuinely risky behaviour escalates.

Q: What is Splunk SOAR (Phantom) and how do playbooks work?

Model answer: Splunk SOAR (formerly Phantom) is a Security Orchestration, Automation and Response platform that connects to hundreds of security tools via apps and connectors. A playbook is an automated workflow — written in Python or via a visual editor — that executes a sequence of actions when triggered by an event (e.g. a Notable Event from ES). A typical phishing playbook: receive the alert → extract URLs and hashes → query VirusTotal → if malicious, block the URL in the proxy, quarantine the user in AD, and post a Slack notification → close the Notable Event. Playbooks can be fully automated or prompt an analyst for approval before a destructive action. The key concept: SOAR reduces mean time to respond (MTTR) by automating repetitive triage and containment steps.

Q: How does Splunk ES integrate with Splunk SOAR for end-to-end automation?

Model answer: The integration is bidirectional. ES → SOAR: a Notable Event can trigger a SOAR playbook automatically via the adaptive response framework (ES sends the event context to SOAR using the Splunk ES app for SOAR). The playbook enriches and responds — e.g. geo-IP lookup, endpoint isolation via EDR, block in firewall. SOAR → ES: SOAR playbooks can update the Notable Event status, add comments and close it once automated response is complete, giving analysts full audit trail in the ES Incident Review. The net result: detection in ES, automated triage and containment in SOAR, and a documented resolution back in ES — all without an analyst touching the keyboard for routine detections.

④ Tuning & Scenarios — scheduler, tstats, summary indexing and real-world fixes

Q: What is summary indexing and when should you use it?

Model answer: Summary indexing is a technique where a scheduled search runs periodically, computes aggregated results (e.g. hourly counts, risk tallies), and writes those summaries as events to a dedicated summary index. A later search queries only the lightweight summary rather than replaying all raw events. Use summary indexing when: you have a very expensive scheduled search that needs to run frequently, you need long-retention aggregates beyond raw data retention, or your reporting queries span months of data. It predates data model acceleration and is still useful for custom aggregations that do not fit a CIM data model. Trade-off: adds complexity and another scheduled job to maintain.

Q: What is tstats, and why is it faster than a regular search?

Model answer: | tstats is a generating command that queries TSIDX (time-series index) files — the pre-built acceleration summaries of data models — without reading raw events. Because the TSIDX files contain only the indexed field metadata (not full event text), tstats returns results far faster than a stats search over raw data, especially over long time ranges. The typical ES correlation search pattern: | tstats summariesonly=true count from datamodel=Network_Traffic.All_Traffic where All_Traffic.action=blocked by All_Traffic.src_ip. The summariesonly=true flag means: only use the pre-built summaries, do not fall back to raw events. The trade-off is that tstats only knows fields that the data model acceleration has computed — you cannot tstats over arbitrary fields not in the accelerated model.

Q: How do you manage search scheduler concurrency — what causes searches to skip and how do you fix it?

Model answer: Splunk's search scheduler runs saved searches and correlations on a time-based queue. When more searches are due to run than there are available scheduler slots (controlled by max_searches_per_cpu and scheduler.max_searches_perc), the scheduler skips lower-priority searches, logging 'This search was skipped'. Fixes: (1) Stagger search schedules — spread correlation searches so they do not all fire at the :00 mark. (2) Increase indexer capacity so searches finish faster and slots free up. (3) Convert expensive raw-event searches to tstats so they complete in milliseconds. (4) Raise priority for critical detection searches. (5) Disable or tune infrequently used saved searches. The diagnostic: check the Search Job Inspector and the scheduler.log to find which searches are skipping and why.

Q: A Splunk analyst sees high lag on a correlation search that queries 30 days of Windows event logs. How do you approach the tuning?

Model answer: First, check whether the data is CIM-normalised and the data model is accelerated. If it is, rewrite the search using | tstats summariesonly=true against the correct data model — this alone often reduces runtime from minutes to seconds. If the search cannot use tstats (e.g. it queries a custom field not in the model), consider summary indexing: run a nightly aggregation job and query the summary for 30-day reporting. Also check the time range — searches that span months across unaccelerated indexes scan every raw event on every indexer; reducing to the last 7 days is often sufficient for detection. Check index= filters are specific (do not leave out the index= term — without it, Splunk scans all indexes). Finally, check if the search is accelerated at the report level (Splunk report acceleration). Use the Search Job Inspector to see which command consumes the most time.