1002

Question 1

Case sensitive

Answer 1

Field values from lookups 
Field values from eval, where
Tags
Dataset name
Reg ex
Boolean

Question 2

Can choose values to be case insensitive when creating lookup tables

Answer 2

Admin role

Question 3

Buckets

Answer 3

Raw data
Index data to find qualifying events

Time range to choose which buckets to search

Hot- writable - rolls when max time is reached , indexer restarted

Warm-read only , named by time stamps
Of first and last events in the bucket

Cold - diff location - slower , cost effective

Configurable by admin- max size , max time span

Question 4

Execution costs

Answer 4

Any job that has not expired can be inspected 10,000-20,000 events per second

Question 5

Chart command

Answer 5

By - y axis

Over - x axis

Any stats function can be applied to chart command

If 2 clauses are used - first field will be used as over clause : over , by

Usenull=f
Useother=f
Usefield=f

NOT usefill

Question 6

Timechart

Answer 6

_time
Statistical aggregations over time 
Single or multi series 
Time range can be adjusted using span=
Line ,area ,chart
Limit=0 useother=f usenull=f

Can add a sparkline and trend
Sparkline - in-line char display time based trends
Trend - directions in which values are moving (right side of value )

Question 7

7 chart types

Answer 7

Line 
Area 
Column
Bar 
Scatter - 2 data values

Chart overlay- one series of data over another visualisation

Trellis - multiple charts based on one result set , only run once

Question 8

Stats command

Answer 8

See the result of calculation or group of events on a field value

2 or more fields
Doesn’t need to be time based

Question 9

OR

Answer 9

To view events from multiple indexes not AND

Question 10

Trendline command

Answer 10

Moving average on a chart
Defines period to compute the trend- integer between 2 & 10,000

3 arguments - trend type , time period , field

Sma- simple |trendline sma2(sales) as trend

Ema- exponential

Wma- weighted moving average

Question 11

2 types of maps

Answer 11

Cluster= Geostats =latitude, longitude , by argument- same functions as stats

Choropleth= geom command =pologons, shading , relative metrics ,predefined regions ,need .KMZ & KML keyhole markup language

Splunk ships 2 kmz files:
Geo_us_states.kmz
Geo_countries.kmz

-iplocation= Info to event includes external IP addresses

Define latfield and longfield only if they differ from the default lat/lon fields.

Question 12

Gauge command -Single value

Answer 12

Set colours , number format

Question 13

Add totals command

Answer 13

Default - sum numerical fields for each event

Question 14

Eval

Answer 14

Calculates , convert, round , format =field values

Multiple eval commands can be used in search
Expressions separated by commas
If no numeric values - “double quotes”

Results of eval are written to new or existing field (if field exists eval overwrites values ).

Doesn’t over write indexed data

Field values case sensitive

Can use search or where commands to filter

Characters - concerts field values to strings - sort used after returns alphanumerically

Sort used before - numerically

Operators -arithmetic, concatenation, Boolean, comparison

If function = 3 arguments “x,y,z”

Case function = Boolean return what is true , can be wrapped in transforming commands

Round function = 2 decimal places , if no decimal given splunk rounds to closest whole number.

Tostring function= numeric field into string , commas , duration ops out of _time .
Commas , duration, hex

Field format = format values but not change characteristics of underlying values

Search command =filter , anytime , insensitive,*

Where command = Sytax as eval , compare values from different fields . Like% wildcard operator * can’t be used

%multiple characters
_one character

Add totals - numeric fields for each event , totals

Question 15

Transactions

Answer 15

Group of events that span time

One or more field names

Multiple fields specified if transaction exists between those fields events with related field values are grouped into a single transaction

Only use when you need to see events correlated together or when needs to be grouped with start or end values -1000 per transaction

2 fields :
Duration - 1st event to last
Event count- number of events contained by transaction

Constraints :
Max span - total time between earliest and latest
Max pause - total between events doesn’t exceed value

Max count - not automatically created with transaction command

Only use transaction when you need to find correlated events

Can use stats and reporting commands with transactions

Useful when event doesn’t provide info

Mid -message id
Dcid- delivery connection id
Icid- incoming connection id

Question 16

Field aliases

Answer 16

Normalise data over multiple sources
1 or more to any extracted field

Original field not replaced by the field Alias
Field aliases can be applied before lookups
Can be applied to lookups

Define can be referenced to lookup table

Apply them lookups - settings , selecting fields , add new actions , destination app

Question 17

Calculated fields

Answer 17

Setting , calculated fields , add new , eval expression

Saves time , long complex eval commands , must be an extracted field !!!

Look up table of search string can’t be used

Question 18

Event types

Answer 18

Categorise events based on search string .

Time range not available

Saved reports - reports , openin search - verbose mode. Execute search

Priority -colour value for event types

Question 19

Knowledge objects

Answer 19

Tools discover and analyse

Interpretation 
Classification 
Enrichment 
Normalisation 
Datasets 

Knowledge objects are:
Shareable - not automatically
Reusable
Searchable

Automatically set to private

Admin can reassign knowledge objects and share to all apps

Knowledge manager - normalises event data
Builds data model that provides dataset for pivot

Naming convention - to know what each knowledge object does 6 keys: (toolbox uncluttered)
Group 
Type
Platform 
Category 
Time 
Description

GDPTTC

Question 20

Fields

Answer 20

Discovers fields based on sourcetype, key value pairs ,. Fields related to the search results

Specific to host , source , source type

Fx- user extracts own fields , static fields , GUI, regex & delimiter. Can be shared , re used in multiple places 1 settings - fields sidebar or event actions menu
Non matches will display in fx events that don’t contain extracted fields

Regex - unstructured .syslog
If you edit you will not be returned to field ex UI

Delimiter structured .csv
Spaces , commas , pipes , tabs

3 ways to access field extractor utility
Settings / field names from settings
Fields sidebar
Event actions menu (easiest way)

Only events with highlighted string are included

Once field is created using regex method you can modify the underlying regex

Question 21

Field aliases

Answer 21

Settings/fields/add new action

A new way to normalise data over any default field (host , source , sourcetype )

Multiple aliases can be applied to one field

When you create field aliases original is not affected

Question 22

Tags

Answer 22

Tag::host=alert
Tag=privileged
Tag with value tag=
Specific field tag=::=

Knowledge objects
Tags case sensitive

Event types show up in fields list

Event types =categorise events based on search , no time range , side bar , event types , number of events , percentage

Priorities =which colour displays for event type (1high -10low)

Question 23

Macros
Settings / advanced search

‘us_sales’
us_sales(2)

Answer 23

Search string can be reused in multiple places, Time range independent, store entire search string , pipes and eval .

Pass argument $arg$
Backtick in search string
Parentheses following macro name

Values used to resolve search string at execution time !!

Can pipe results of macro to other commands

Preview without running ctr+shift+E

Can be added multiple places

Question 24

Workflow - settings/fields/workflow action

Answer 24

GET: Info ,URI

POST: send field values , LINK

SEARCH: field values ,secondary search .POST

Post workflow action:
Link , URI, POST

Action is used when creating a post workflow action

To escape ! Inside first dollar sign

Validation step of field extractor workflow can remove values that aren’t a match for field you want to define .

Question 25

Datasets

Answer 25

Datasets-collections of data represented as tables with field names for columns and field values for cells.

Lookup is not a dataModel dataset type

Pivot reports based on datasets

Data models 3 types of datasets: est
Events
transactions
Searches

Event datasets contain constraints and fields - only return Events that include that field

Broken down. In to hierarchy
Child objects - marrow down the events

5 fields to add to a pivot : GRAEL
Auto 
Eval expression
Lookup field 
Regular expression 
GeoIP

Hidden fields will not be displayed to a pivot user , but can be used to define other data sets.

Fields used in datamodels don’t need be extracted before creating the datasets
Many ways to access and use datasets
Dataset name case sensitive

Transaction add field :
String 
Number 
Boolean 
IPV4

Field flags :
Optional
Required
Hidden

New pivot window auto populated with a count of events for the selected dataset
Fields with each dataset are available as split rows and columns

Question 26

Datamodel command -specified data model and its objects

Answer 26

|datamodel web web search |fields web*

Question 27

CIM normalises common language

Answer 27

Data normalised at index time or search time using knowledge objects

CIM schema used . Creating field extractions, aliases, event types , tags

Admin installs CIM add on - splunkbase - JSON format

No effect to licence

No additional indexing