Fundamentals 3

Question 1

What the count aggregation function do?

Answer 1

Returns the number of occurrences of the field X.

Question 2

What the dc aggregation function do?

Answer 2

Returns the count of distinct values of the field X.

Question 3

What the sum aggregation function do?

Answer 3

Returns the sum of the values of the field X.

Question 4

What the min aggregation function do?

Answer 4

Returns the minimum value of the field X.

Question 5

What the max aggregation function do?

Answer 5

Returns the maximum value of the field X.

Question 6

What the avg aggregation function do?

Answer 6

Returns the average of the values of field X.

Question 7

What the median aggregation function do?

Answer 7

Returns the middle-most value of the field X.

Question 8

What the range aggregation function do?

Answer 8

Returns the difference between the max and min values of the field X.

Question 9

What the stdev (Standard Deviation) aggregation function do?

Answer 9

Returns the sample standard deviation of the field X.

Question 10

What the var (Variance) aggregation function do?

Answer 10

Returns the sample variance of the field X.

Question 11

When aggregation functions are used?

Answer 11

When you want to summarize values from events into a single meaningful value.

Question 12

These aggregation functions can be used with which commands?

Answer 12

stats, chart and timechart.

Question 13

All aggregation functions accept what type of fields?

Answer 13

Numeric

Question 14

How to match a specific field value to be used on the count function?

Answer 14

Using eval, like count(eval(field=”value”))

Question 15

When do you use phrases as names, how you need to call the field name on a eval expression?

Answer 15

Using single quotes.

Question 16

What the fieldsummary command do?

Answer 16

Calculate summary statistics for fields in your events.

Question 17

What the is_exact column on the fieldsummary result means?

Answer 17

If there are more values than returned in the distinct count, this is set to 0, if not, as a 1.

Question 18

In the fieldsummary, how many distinct values for a field will be returned? How it can be changed?

Answer 18

100, by using maxvals=X argument.

Question 19

What the appendpipe command do?

Answer 19

It’s used to append a subpipeline search data to your results.

Question 20

What the list multivalue function do?

Answer 20

Returns a list of up to 100 values of the field X as a multivalue entry.

Question 21

What does the eventstats command do?

Answer 21

Generate statistics for fields in searched events and save into new fields on the results.

Question 22

What does the streamstats command do?

Answer 22

Generate statistics for fields in searched events and save into new fields on the results, but in a stream manner, in a per-event basis.

Question 23

What the current argument of streamstats do?

Answer 23

Include the current event in the sum, default is True.

Question 24

What the window argument of streamstats do?

Answer 24

Specifies the number of events to use when computing the statistics. Default is 0 (all)

Question 25

What the time_window argument of streamstats do?

Answer 25

Specify the time windows which the sum is done. Falt is None.

Question 26

Which are the three main arguments of streamstats?

Answer 26

current, window and time_window.

Question 27

What are the three types of operations that can be done with eval?

Answer 27

Arithmetic, concatenation and Boolean.

Question 28

What will happen to numbers that are concatenated?

Answer 28

They will be in the string form.

Question 29

What are the three functions to conversion for the eval command?

Answer 29

tostring(), tonumber() and printf().

Question 30

What the tostring() do?

Answer 30

Cast a value to a string.

Question 31

What the tonumber() do?

Answer 31

Cast a value to a number.

Question 32

What the printf() do?

Answer 32

Enable you to build a string using formating and optional arguments.

Question 33

With which commands tostring(), tonumber() and printf() works?

Answer 33

eval, fieldformat and where.

Question 34

What are the eval functions for calculating date and time?

Answer 34

now(), time(). strftime(), strptime() and relative_time()

Question 35

What the now() function of eval do?

Answer 35

Returns the time that the search is started.

Question 36

What the time() function of eval do?

Answer 36

Return the time an event was processed by the eval command

Question 37

What the strftime() function of eval do?

Answer 37

Convert an epoch into a time string.

Question 38

What the strptime() function of eval do?

Answer 38

Convert a time string into an epoch.

Question 39

What the relative_time() function of eval do?

Answer 39

Return a timestamp relative to specified time.

Question 40

What are the text funtions of eval command?

Answer 40

upper(), lower(), substring() and replace().

Question 41

What the upper() and lower() functions of eval command do?

Answer 41

Change string case.

Question 42

What the substr() function of eval command do?

Answer 42

This function returns a substring of X, starting at the index specified by Y with the number of characters specified by Z. If Z is not provided, the function returns the rest of the string.

Question 43

What the replace() function of eval command do?

Answer 43

This function returns a string formed by substituting string Z for every occurrence of regex string Y in string X. The third argument Z can also reference groups that are matched in the regex.

Question 44

What are the conditional functions of eval command?

Answer 44

if(), case(), coalesce(), match(), cidrmatch(), true(), false(), nullif(), isbool(), isint(), isnotnull(), isnull(), isnum(), isstr() and typeof().

Question 45

How many arguments the if function have? Which are they?

Answer 45

3 arguments: (bool expression, argument_to_return_true, argument_to_return_false)

Question 46

What is the case of using case instead of if?

Answer 46

When we need to validate Multiple values.

Question 47

What the coalesce() function of eval do?

Answer 47

Takes a list of arguments, and return to the new field, the first value that is not NULL.

Question 48

How the match() function of eval work?

Answer 48

It takes two arguments, a value and a regex, if the regex matches the value, it returns True.

Question 49

How the cidrmatch() function of eval works?

Answer 49

It takes two arguments, a CIDR string and a IP value to compare with, if the CIDR matches with the IP, it returns True.

Question 50

What are the eval statistic functions?

Answer 50

min(), max() and random()

Question 51

What is a subsearch?

Answer 51

A subsearch is a search enclosed square brackets that pass results to the outer searches.

Question 52

What the where command does?

Answer 52

Uses eval expressions to filter results.

Question 53

What does the fieldformat command do?

Answer 53

Change the format of a field value.

Question 54

What does the makeresults command do?

Answer 54

Is a generating command that will create a defined number of search results, can be used for testing data that is not ingested yet or to build data that will be used on other searches.

Question 55

How lookups are invoked?

Answer 55

Using the lookup command

Question 56

In which file a kv store is defined?

Answer 56

At the local directory of the app, in the collections.conf file.

Question 57

How KV store is populated?

Answer 57

By posting JSON on Splunk’ REST API or outputlookup command.

Question 58

What does the outputlookup command do?

Answer 58

Allows writing results from a search into a lookup file or a KV store collection, overwriting existing content in lookup files.

Question 59

What are the types of lookups?

Answer 59

File-based, External, KV Store, Geospatial and dbconnect lookups.

Question 60

As a best practice, where to place the lookup?

Answer 60

At the end of the search.

Question 61

How lookups can be created from alerts?

Answer 61

Using the “Output results to lookup option” in Alert Actions.

Question 62

What role is required to log events from alerts?

Answer 62

admin or edit_tcp.

Question 63

Splunk is based on which programming language Regex?

Answer 63

Perl

Question 64

What the erex command do?

Answer 64

Extract data from a field when you do not know the regular expression to use.

Question 65

What the rex command do?

Answer 65

Matches the value of the specified field against the unanchored regular expression and extracts the named groups into fields of the corresponding names.

Question 66

What is regex backtracking?

Answer 66

Backtracking occurs when a regular expression pattern contains optional quantifiers or alternation constructs, and the regular expression engine returns to a previously saved state to continue its search for a match.

Question 67

What is Self-Describing data?

Answer 67

Is data that includes the schema embedded into data.

Question 68

Which formats are examples of Self-Describing data?

Answer 68

JSON, XML.

Question 69

What does the spath command do?

Answer 69

Enables you to extract information from the structured data formats XML and JSON. The command stores this information in one or more fields. The command also highlights the syntax in the displayed events list.