What is a Splunk source, sourcetype, and host? [Intermediate]
Answer
In Splunk, source records where the data came from (for example a file path or input name), sourcetype describes the data format and selects how it is parsed, and host identifies the machine or logical origin of the events. All three are default indexed fields, which is why they are foundational for search, parsing, and governance.
Technical explanation
source is usually the file path, network input, scripted input, or object name from which the events were read.
sourcetype selects the props.conf stanza that governs line breaking, timestamp extraction, and field extraction, so a wrong or missing sourcetype means wrong timestamps and missing fields, and detections that silently match nothing.
host defaults to the forwarder's hostname, so in Kubernetes it needs deliberate design: node, pod, and container are different identities, only one of them can be host, and the others should be carried as separate fields. Avoid deriving host from untrusted event content, since a log producer could then forge it.
Hands-on example
Example: source=/var/log/checkout/app.log, sourcetype=checkout_json, host=ip-10-0-2-17. A search can start with index=prod_app sourcetype=checkout_json host=ip-10-0-2-17 to inspect the checkout logs from that single host, then narrow by time range or extracted fields.
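The following configuration is an added example, not part of the original answer, showing how the three fields in the example above are assigned and how sourcetype drives parsing. The stanza names, index, timestamp field name ts, and the Kubernetes path pattern are assumptions for illustration; the settings themselves are standard inputs.conf and props.conf keys.

```ini
# inputs.conf (on the forwarder): the input decides source, sourcetype, index and host.
[monitor:///var/log/checkout/app.log]
index = prod_app
sourcetype = checkout_json
# Static host override; if omitted, host defaults to the forwarder's hostname.
host = ip-10-0-2-17

# Assumed Kubernetes example: kubelet writes
#   /var/log/containers/<pod>_<namespace>_<container>-<container_id>.log
# One design choice is to make host the pod name via host_regex; the node
# name is then lost from host and must be carried as a separate field.
# Alternative: keep host = node (the forwarder default) and extract pod
# and container from source at search time.
[monitor:///var/log/containers/*.log]
index = prod_app
sourcetype = checkout_json
host_regex = /var/log/containers/([^_]+)_

# props.conf (on the indexer or heavy forwarder): the sourcetype stanza
# controls how events are broken, timestamped and field-extracted.
[checkout_json]
# One JSON object per line; do not merge lines into multi-line events.
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)
TRUNCATE = 10000
# Assumed constructed event (for illustration):
#   {"ts":"2024-05-01T10:15:30.123+0000","level":"ERROR","user":"alice","msg":"payment declined"}
TIME_PREFIX = "ts":"
TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%3N%z
MAX_TIMESTAMP_LOOKAHEAD = 40
# Search-time JSON field extraction. Do not also set INDEXED_EXTRACTIONS = json
# for the same sourcetype, or fields are extracted twice.
KV_MODE = json
```

With this in place, index=prod_app sourcetype=checkout_json host=ip-10-0-2-17 | stats count by source, level confirms both that the host assignment worked and that the JSON fields (here level) were extracted, which is a quick check to run before building alerts on this data.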
More Observability interview questions
- What is observability, and how is it different from traditional monitoring? [Basic]
- What are the three pillars of observability (metrics, logs, traces)? [Basic]
- What is the difference between monitoring and observability in practice? [Basic]
- What are the four golden signals of monitoring? [Basic]
- What is the difference between the USE method and the RED method? [Basic]
- When would you use the USE method versus the RED method? [Basic]
- What is an SLI, an SLO, and an SLA, and how do they relate? [Basic]
- How do you choose good SLIs for a service? [Basic]