Definitions Flashcards
What are fields?
building blocks of a Splunk search
What are field aliases?
normalizing data by assigning an alternate name to existing fields in your data
What are field extractions?
values are contained in a field at search time, but can also be manually extracted with the help of regex or delimiters
What are calculated fields?
perform calculations based on the values of existing fields
What are lookups?
used to add additional fields and values that are not contained in your data
What are event types?
- used to save a search that you use often
- user-defined field that represents a category of events
- can be used to normalize field names, tags and field extractions
What are tags?
saved key-value pairs (labels for your data)
What are workflow actions?
provide links within your data that interact with external resources or narrow your search (HTTP GET, HTTP POST, secondary search)
What are reports?
searches you run repeatedly
What are alerts?
searches you run repeatedly (scheduled or real-time), that send notifications
What are macros?
search strings or portions of search strings that can be reused in multiple places
What are data models?
- hierarchically structured datasets that can consist of three types: events, searches, transactions
- can be used in pivot
What is a saved search?
- a search that a user makes available for later use
- a type of knowledge object
- reports, alerts, scheduled searches are types of saved searches
What is a knowledge object?
- user-defined entity that enriches the existing data
- tool used to discover and analyze various aspects of data
- fields, field extractions, saved searches, event types, tags, field aliases, lookups, workflow actions, reports, alerts, data models
What is the CIM?
- Common Information Model
- 22 pre-configured data models
- field names and tags
- least common denominator of a domain of interest
- used to normalize your data to match a common standard