Beyond Basic Search - Mod 1

Question 1

What is this an example of?

Search for a single word (e.g., error) or group of words (e.g., error password)

Answer 1

This is an example of Keywords

Question 2

NOT, OR, AND are what in the Splunk language?

Answer 2

Booleans

Question 3

Must NOT, OR, AND booleans be uppercase?

Answer 3

Yes, these Booleans are always uppercase

Question 4

Are phrases like “web error” different from “web AND error”?

Answer 4

Yes, these examples are different

OR is implied not AND

Question 5

What are the rules for using Wildcards in Splunk’s search language?

Answer 5

Starting searches with a wildcard and adding Wildcards in the middle of the search string are inefficient ways to use Wildcards

Tailing wildcards are a best practice

Question 6

What are the comparisons used in Splunk’s search language?

Answer 6

=, !=, ,>=

=, != are used in alphanumeric searches

Question 7

This command returns a table containing only specified fields in result set.

Answer 7

table command

Question 8

This command renames a field in results.

Answer 8

rename command

Question 9

This command includes or excludes specified fields.

Answer 9

fields command

Question 10

This command removes duplicates from results

Answer 10

dedup command

Question 11

This command sorts results by specified field.

Answer 11

sort command

Question 12

This command adds field values from an external source (e.g., csv files)

Answer 12

lookup command

Question 13

What are some of the key/values that are case sensitive in Splunk?

Answer 13

Boolean operators (uppercase)
Field names
Field values from lookup (default, but configurable)
Regular expressions
eval and where commands
Tags

Page 17 Mod 1

Question 14

What are some of the key/values that are case insensitive in Splunk?

Answer 14

Command names
Command clauses
Search terms
Statistical functions
Field values

Page 17 Mod 1

Question 15

As events come in, where does Splunk place them?

Answer 15

Into an index’s hot bucket (only writable bucket)

Question 16

What is the transition that takes place as the buckets age in Splunk?

Answer 16

They roll from hot to warm to cold

Question 17

What does each bucket have?

Answer 17

Its own raw data, metadata, and index files

Question 18

What does the metadata keep track of?

Answer 18

Source, sourcetype and host

Question 19

When you search, Splunk uses what to choose which buckets to search?

Answer 19

Time Range

Question 20

Splunk uses the bucket indexes to find what?

Answer 20

Qualifying events

Question 21

After time what are the most powerful keywords?

Answer 21

Host, source, and sourcetype

Question 22

What makes searches more efficient?

Answer 22

Including as many search terms as possible

Page 20 Mod 1

Question 23

What are some of the things a transforming command can do in Splunk?

Answer 23

• Massage raw data into a data table
• ‘Transforms’ specified cell values for each event into numerical values that you can use for statistical purposes
• Is required to ‘transform’ search results into visualizations

Commands Include

• top
• rare
• chart
• timechart
• stats
• geostats

Page 23 Mod 1

Question 24

What are the transforming commands in Splunk?

Answer 24

• top
• rare
• stats
• chart
• timechart
• geostats

Page 23 Mod 1

Question 25

What do non-transforming searches return using the Fast Mode?

Answer 25

Events - fields sidebar displays only those fields required for the search

• Patterns
• No statistics or visualizations

Question 26

What does Fast Mode focus on?

Answer 26

Emphasizes performance, returning only essential and required data

Question 27

What kind of search results do you get when using transforming searches in Fast Mode?

Answer 27

• Statistics and visualizations
• no Events
• no Patterns

Question 28

What is the default search mode in Splunk?

Answer 28

Smart Mode

Question 29

When searching in Smart Mode what kind of search results do you get with non-transforming searches?

Answer 29

Events - fields sidebar displays all fields

• Patterns
• no Statistics or visualizations

Question 30

Which search mode gives you the best results for your search?

Answer 30

Smart Mode

Question 31

How does Verbose Mode function?

Answer 31

Emphasized completeness by returning all possible field and event data

Question 32

For transforming searches, what kind of results do you get using Smart Mode?

Answer 32

Statistics or visualizations

• no Events
• no Patterns

Question 33

For non-transforming searches, what results do you get using Verbose Mode?

Answer 33

Event - fields sidebar displays all fields
Patterns
- no Statistics or visualizations

Question 34

Using transforming searches, what results do you get with Verbose Mode?

Answer 34

Events
Patterns
Statistics or visualizations

Question 35

?

Dense is a type of search. What are the attributes of Dense?

Answer 35

• a large percentage of the data matches the search
• use cases: computing stats, reporting
  index=web sourcetype=access_combined
  | timechart count

Question 36

?

Sparse is a type of search. What are the attributes of Sparse?

Answer 36

• a small percentage of data matches the search
• use cases: troubleshooting, error analysis
  index=web sourcetype=access_combined status=404 | timechart count

Question 37

?

Super Sparse is a type of search. What are the attributes of Super Sparse?

Answer 37

• returns a small number of results from each index bucket matching the search
• I/0 intensive as the indexer looks through all of an index’s buckets
• with a lot of data, with a lot of buckets, it can take a long time to finish
  index=network sourcetype=cisco_wsa_squid action=denied src_ip=10.2.3.11

Question 38

?

Rare is a type of search. What are the attributes of Rare?

Answer 38

• the indexer checks all buckets to find results, but bloom filters eliminate those buckets that don’t include search results
• use cases: user behavior tracking
  index=web sourcetype=access_combine sessionID=1234

Question 39

?

What search type does this indexer throughput belong to:
Up to 50k matching EPS (events per second) CPU bound

Answer 39

Dense

Question 40

?

What search type does this indexer throughput belong to:
Up to 5k matching EPS (events per second) CPU bound.

Answer 40

Sparse

Question 41

?

What search type does this indexer throughput belong to:
Up to 2 seconds per index bucket I/0 bound

Answer 41

Super Sparse

Question 42

?

What search type does this indexer throughput belong to:
Up to 10-50 index buckets/second I/0 bound

Answer 42

Rare

Question 43

Search Job Inspector allows you to examine what Splunk?

Answer 43

• Overall stats of search (e.g., records processed and returned, processing time)
• How the search was processed
• Where Splunk spent its time

Question 44

What is the Search Job Inspector used for?

Answer 44

Used to troubleshoot search’s performance and understand the impact of knowledge objects on processing (e.g., event types, tags, lookups)

Question 45

Can any search job be inspected?

Answer 45

Only those that are not expired

Question 46

The search job inspector has how many components and what are they?

Answer 46

It has 3 components and they are:
Header
Execution costs
Search job properties

Question 47

Top of search jo inspector provides what kind of info?

Answer 47

Basic info along with time to run and number of events scanned.

Question 48

What does Execution Costs provide?

Answer 48

Details on cost to retrieve results, such as:

• command.search.index
• command.search.filter
• command.search.rawdata

Question 49

Time to search the index for the location to read in rawdata files

Answer 49

command.search.index

Question 50

Time to filter out events that do not match

Answer 50

command.search.filter

Question 51

Time to read events from the rawdata files

Answer 51

command.search.rawdata