
Splunk Assessment: Index Ap17 Here, Ap17 Is The Instance For Production Org

The document discusses Splunk queries and logRecordTypes related to Salesforce logs. It provides examples of logRecordTypes for different API types and processes. It also discusses how to query for specific API calls, login rates, asynchronous apex processes, and apex executions in the last 24 hours. Steps are provided to debug issues like "Apex CPU time limit exceeded" using Splunk queries.

SPLUNK ASSESSMENT

1. What is logRecordType? Give a few examples.

Answer: We use logRecordType to narrow a search down by product or functionality; for example, A is for SOAP API and V is for VisualforceRequest. Examples:

i) index=ap17 00D2x000005NxZ3 0052x000001xDGc earliest=-2h logRecordType=A

ii) index=ap17 00D2x000005NxZ3 (logRecordType=A OR logRecordType=L OR logRecordType=a OR logRecordType=ma OR logRecordType=apblk OR logRecordType=apaaa OR logRecordType=aprst OR logRecordType=apout) earliest=05/09/2020:03:30:00 latest=05/09/2020:04:30:00 | stats count by logRecordType

iii) index=ap17* 00D2x000005NxZ3 * (logRecordType=A OR logRecordType=aprst OR logRecordType=apblk OR logRecordType=apars) earliest=05/09/2020:10:30:00 latest=05/09/2020:10:30:00

2. How long do Splunk logs remain?

Answer: The logs are available for the past 30 days (today minus 30 days).

3. Which logRecordType calculates SOQL time?

Answer: The “cocod” logRecordType is used, where we provide QueryType as SOQL to define the source of the query as SOQL.

E.g.: index=ap17 00D2x000005NxZ3 earliest=05/09/2020:11:00:00 latest=05/09/2020:14:00:00 `logRecordType(cocod)` queryExecutionTime>5000 | stats count avg(queryExecutionTime) max(queryExecutionTime) by QueryType uniqueQueryIdentifier querySqlId userId _time

4. How to search Splunk for a sandbox instance and for prod?

Answer: To search Splunk for a sandbox instance and a prod instance, we use the syntax below:
Production:

index=ap17
here, ap17 is the instance for production org.

Sandbox:

`from_index_sandbox(cs101)`
here, cs101 is the instance for sandbox org.

Sandbox Query change Link: Here

5. What is request id and thread id?


Answer: Request Id is a globally unique ID for a given request. It is used to retrieve the status of any activity.
Thread Id is the threadId of the caller.

6. How to set the timezone in Splunk, and what is the recommended timezone?

Answer: We can set the timezone in Splunk by navigating to Splunk >> Click on your Username >> Preferences.
It is recommended to set the timezone to GMT.

7. What are earliest and latest? What format is used?

Answer: We use earliest and latest to choose a timespan to search. We can choose the timespan using the time picker to the right of the search input box, or use the following syntax within the query:
earliest=MM/dd/yyyy:hh:mm:ss latest=MM/dd/yyyy:hh:mm:ss
The latter overrides the former.

*API:*

1. Perform the below scenario in your local org: Org Id: 00D2w000005oMSU, 00D2x000005NxZ3

a) Using the REST API, insert an account record in your local org. Provide the Splunk query with results to check the same API call.
Answer: Created a new Account using REST API: 0010I00002Tnt6QQAR

Splunk Query: index=ap17 00D2x000005NxZ3 `logRecordType(A)` | fillnull value=NA | stats count by clientName, entityName, methodName, userId, remoteAddr

b) Using the SOAP API, insert a contact record in your local org. Provide the Splunk query with results to check the same API call.
Answer: Created a new contact using SOAP API: 0032w00000IjUS6AAN

Splunk Query: index=ap16 00D2w000005oMSU `logRecordType(A)` | fillnull value=NA | stats count by clientName, entityName, methodName, userId, remoteAddr

c) Provide the Splunk query to see all API calls for the last 24 hours in your local org.
Answer: We can use the below Splunk query to see daily API requests:

index=ap16 00D2w000005oMSU earliest=-24h (`logRecordType(a, A, aprst, apars, apaaa, p, maopr)` OR (`logRecordType(L)` AND logName=Api and resultCode=0) OR (`logRecordType(U)` AND logName="/services/proxy")) | eval oauth_consumer=if(like(_raw, "%OauthLink%"), OauthLink, "Not_Whitelisted") | stats count by logRecordType, oauth_consumer

*Login Rate:*

1. We are hitting the "Login Rate Limit", which is 3,600 (default) per user per hour. Please list the steps you will take to debug this issue, and include the Splunk query used.
Answer:
Identify the user hitting the limit:
index=instanceno* earliest=-4d orgId* logRecordType=sclrt "LOGIN_RATE_EXCEEDED"
| fields userId
| dedup userId
| table userId
dedup removes duplicate userId values, as we just want to identify which user hit the limit.
Analyse the usage pattern:
index=instanceno* earliest=-15d `logRecordType(L)` orgId* userId="userId*"
| timechart count span=1h
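
The two steps above can be combined into one threshold check. This is an added example, not a query from the original document: it buckets login (`L`) events per user per hour and keeps only the buckets at or above the 3,600 default. `instanceno*` and `orgId*` are the document's own placeholders; that `L` records carry `remoteAddr` (as the `A` records queried earlier do) is an assumption.

```spl
index=instanceno* orgId* earliest=-15d `logRecordType(L)`
| bin _time span=1h
| stats count AS logins dc(remoteAddr) AS source_ips BY userId, _time
| where logins >= 3600
| sort - logins
```

A single `source_ips` value for a flagged user usually points to one integration logging in on every call instead of reusing its session; many distinct addresses warrant a closer look at who is authenticating as that user.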

*Asynchronous Apex:*

1. What are the logRecordTypes associated with Batch Apex? Please explain their usage.
Answer: We use logRecordType *axapx* with different *quiddity* values:

index=instanceno* orgId* `logRecordType(axapx)` quiddity=A OR quiddity=F OR quiddity=Q OR quiddity=S earliest=-7d
| timechart span=1d count BY quiddity
| addtotals col=false

2. List the MessageTypeName for all Asynchronous processes.


Answer: Please find the list of Processes with corresponding MessageTypeNames

| Process | MessageTypeName |
|---|---|
| Future methods | APEX_FUTURE |
| Queueable apex | APEX_QUEUEABLE |
| Batch apex execute method | SERIAL_BATCH_APEX_RANGE_CHUNK |
| Bulk API parallel | ASYNC_API |
| Bulk API serial | ASYNC_API_SINGLE_THREADED |

*Apex Execution:*

1. Write a Splunk query that will provide a table of all the trigger executions (triggerName, triggerType etc.) executed in the last 24 hours for your local org.
Answer:
index=ap17 00D2x000005NxZ3 earliest=-24h `logRecordType(t)`

2. Provide the steps to debug the error "Apex CPU time limit exceeded". Kindly include the Splunk queries used.
Answer: The best way to check for this error is to check the debug logs to identify loopholes specific to the particular process.
Step 1: Retrieve the details using "Apex CPU time limit exceeded"

index=ap17 earliest=-10m 00D2x000005NxZ3 "Apex CPU time limit exceeded"

Step 2: Retrieve the RequestId, then use the requestId to get details about the transaction.
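
One way to carry out Step 2 in a single search, as an added example that is not part of the original document: the subsearch collects the request IDs from the Step 1 results, and the outer search pulls every record logged for those requests, summarised per logRecordType. It assumes the ID is extracted as a field named `requestId`.

```spl
index=ap17 earliest=-10m 00D2x000005NxZ3
    [ search index=ap17 earliest=-10m 00D2x000005NxZ3 "Apex CPU time limit exceeded"
      | dedup requestId
      | fields requestId ]
| stats count min(_time) AS first_seen max(_time) AS last_seen BY requestId, logRecordType
| sort requestId, first_seen
| convert ctime(first_seen) ctime(last_seen)
```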
