definitions

Question 1

What are fields?

Answer 1

building blocks of a Splunk search

Question 2

What are field aliases?

Answer 2

normalizing data by assigning an alternate name to existing fields in your data

Question 3

What are field extractions?

Answer 3

values are contained in a field at search time, but can also be manually extracted with the help of regex or delimiters

Question 4

What are calculated fields?

Answer 4

perform calculations based on the values of existing fields

Question 5

What are lookups?

Answer 5

used to add additional fields and values that are not contained in your data

Question 6

What are event types?

Answer 6

• used to save a search that you use often
• user-defined field that represents a category of events
• can be used to normalize field names, tags and field extractions

Question 7

What are tags?

Answer 7

saved key-value pairs (labels for your data)

Question 8

What are workflow actions?

Answer 8

provide links within your data that interact with external resources or narrow your search (HTTP GET, HTTP POST, secondary search)

Question 9

What are reports?

Answer 9

searches you run repeatedly

Question 10

What are alerts?

Answer 10

searches you run repeatedly (scheduled or real-time), that send notifications

Question 11

What are macros?

Answer 11

search strings or portions of search strings that can be reused in multiple places

Question 12

What are data models?

Answer 12

• hierarchically structured datasets that can consist of three types: events, searches, transactions
• can be used in pivot

Question 13

What is a saved search?

Answer 13

• a search that a user makes available for later use
• a type of knowledge object
• reports, alerts, scheduled searches are types of saved searches

Question 14

What is a knowledge object?

Answer 14

• user-defined entity that enriches the existing data
• tool used to discover and analyze various aspects of data
• fields, field extractions, saved searches, event types, tags, field aliases, lookups, workflow actions, reports, alerts, data models

Question 15

What is the CIM?

Answer 15

• Common Information Model
• 22 pre-configured data models
• fields names and tags
• least common denominator of a domain of interest
• used to normalize your data to match a common standard

Question 16

What are transforming commands?

Answer 16

• massages raw data into a data table
• transform specified cell values for each event into numerical values that can be used for statistical purposes
• required to transform search results into visualizations
• top, rare, chart, timechart, stats, geostats,…

Question 17

What are the three search modes?

Answer 17

Fast: quick but not detailed (no contents for interesting fields)
Smart (default): combination of fast & verbose
Verbose: slow but detailed (returns all possible field and event data)

Question 18

What is a data series?

Answer 18

a sequence of related data points that are plotted in a visualization

Question 19

What are expressions?

Answer 19

produce a value and can be composed by literals, functions, fields parameters, comparisons and other expressions

Question 20

Which are the Splunk CIM Add-On Data Models?

Answer 20

Alerts
Application State
Authentication
Change Analysis
CIM Validation (S.o.S)
Databases
Email
Interprocess Messaging
Intrusion Detection
Inventory
Java Virtual Machines (JVM)
Malware
Network Traffic
Performance
Splunk Audit Logs
Ticket Management
Updates
Vulnerabilities
Web

Question 21

What is the order of processing for knowledge objects at search time?

Answer 21

(first to last)
–> field extractions
–> field aliases
–> calculated fields
–> lookups
–> event types
–> tags