me Flashcards

1
Q

Which search string only returns events from host WWW3?

A

host=WWW3

2
Q

By default, how long does Splunk retain a search job?

A

10 Minutes

3
Q

What must be done before an automatic lookup can be created?

A

The lookup definition must be created.

4
Q

Which of the following Splunk components typically resides on the machines where data originates?

A

Forwarder

5
Q

What determines the scope of data that appears in a scheduled report?

A

The owner of the report can configure permissions so that the report uses either the User role or the owner’s profile at run time

6
Q

When writing searches in Splunk, which of the following is true about Booleans?

A

They must be uppercase.

7
Q

Which of the following searches would return events with failure in index netfw, or warn or critical in index netops?

A

(index=netfw failure) OR (index=netops (warn OR critical))

8
Q

Select the answer that displays the accurate placing of the pipe in the following search string:
index=security sourcetype=access_* status=200 stats count by price

A

index=security sourcetype=access_* status=200 | stats count by price

9
Q

Which of the following constraints can be used with the top command?

A

limit

10
Q

When editing a dashboard, which of the following are possible options?

A

Modify the chart type displayed in a dashboard panel.

11
Q

When running searches, command modifiers in the search string are displayed in what color?

A

Orange

12
Q

Which of the following represents the Splunk recommended naming convention for dashboards?

A

Group_Object_Description

13
Q

How can search results be kept longer than 7 days?

A

By changing the job settings

14
Q

Which of the following is a Splunk search best practice?

A

Filter as early as possible

15
Q

When looking at a dashboard panel that is based on a report, which of the following is true?

A

You cannot modify the search string in the panel, but you can change and configure the visualization.

16
Q

Which of the following are common constraints of the top command?

A

limit, count

17
Q

When displaying results of a search, which of the following is true about line charts?

A

Line charts are optimal for multiple series with 3 or more columns

18
Q

How are events displayed after a search is executed?

A

in reverse chronological order

19
Q

Which of the following is true about user account settings and preferences?

A

Full name, time zone, and default app can be defined by clicking the login name in the Splunk bar.

20
Q

What is a primary function of a scheduled report?

A

Triggering an alert in your Splunk instance when certain conditions are met.

21
Q

After running a search, what effect does clicking and dragging across the timeline have?

A

Moves to past or future events.

22
Q

Which command is used to review the contents of a specified static lookup file?

A

inputlookup

23
Q

What must be done in order to use a lookup table in Splunk?

A

The lookup file must be uploaded to Splunk and a lookup definition must be created.

24
Q

When sorting on multiple fields with the sort command, what delimiter can be used between the field names in the search?

A

,

25
Which time range picker configuration would return real-time events for the past 30 seconds?
Real-time - Earliest: 30-seconds ago, Latest: Now
26
What is the correct syntax to count the number of events containing a vendor_action field?
stats count (vendor_action)
27
What is one benefit of creating dashboard panels from reports?
It makes the dashboard more efficient because it only has to run one search string.
28
By default, which of the following fields would be listed in the fields sidebar under interesting Fields?
host
29
Which of the following statements about case sensitivity is true?
Field names ARE case sensitive; field values are NOT.
30
What does the rare command do?
Returns the least common field values of a given field in the results.
31
When an alert action is configured to run a script, Splunk must be able to locate the script. Which is one of the directories Splunk will look in to find the script?
$SPLUNK_HOME/bin/scripts
32
Which Boolean operator is always implied between two search terms, unless otherwise specified?
AND
33
What does the values function of the stats command do?
Returns a count of unique values for a given field.
34
Which stats command function provides a count of how many unique values exist for a given field in the result set?
dc(field)
35
A collection of items containing things such as data inputs, UI elements, and knowledge objects is known as what?
An app
36
Which statement is true about Splunk alerts?
Alerts are based on searches that are either run on a scheduled interval or in real-time.
37
What is the purpose of using a by clause with the stats command?
To group the results by one or more fields.
38
How do you add or remove fields from search results?
Use fields + to add and fields - to remove
39
A field exists in search results, but isn’t being displayed in the fields sidebar. How can it be added to the fields sidebar?
Click All Fields and select the field to add it to Selected Fields.
40
In the fields sidebar, which character denotes alphanumeric field values?
a
41
What is the main requirement for creating visualizations using the Splunk UI?
Your search must transform event data into XML formatted data first.
42
What syntax is used to link key/value pairs in search strings?
action=purchase
43
What user interface component allows for time selection?
Time range picker
44
Which of the following searches will return results where fail, 400, and error exist in every event?
error AND (fail OR 400)
45
When placed early in a search, which command is most effective at reducing search execution time?
dedup
46
Which of the following is the most efficient filter for running searches in Splunk?
sourcetype
47
How does Splunk determine which fields to extract from data?
Splunk automatically discovers many fields based on sourcetype and key/value pairs found in the data.
48
Which of the following file types is an option for exporting Splunk search results?
PDF
49
What syntax is used to link key/value pairs in search strings?
Relational operators such as =,
50
Which search string returns a field containing the number of matching events and names that field Event Count?
index=security failure | stats count by “Event Count”
51
Which search would return events from the access_combined sourcetype?
Sourcetype=access_combined
52
Which of the following index searches would provide the most efficient search performance?
index=web OR index=s*
53
What is a suggested Splunk best practice for naming reports?
Use a consistent naming convention so they are easily separated by characteristics such as group and object.
54
In a deployment with multiple indexes, what will happen when a search is run and an index is not specified in the search string?
Events from every index searched by default to which the user has access will be returned.
55
When looking at a statistics table, what is one way to drill down to see the underlying events?
Clicking on any field value in the table
56
In the Splunk interface, the list of alerts can be filtered based on which characteristics?
App, Time Window, Type, and Severity
57
What are the steps to schedule a report?
After saving the report, click Schedule.
58
In the fields sidebar, what indicates that a field is numeric?
A # symbol to the left of the field name.
59
Which of the following are functions of the stats command?
sum, avg, values
60
At index time, in which field does Splunk store the timestamp value?
_time
61
Which of the following is a best practice when writing a search string?
Avoid using formatting clauses, as they add too much overhead.
62
What type of search can be saved as a report?
Any search can be saved as a report
63
What can be included in the All Fields option in the sidebar?
field descriptions
64
When viewing the results of a search, what is an Interesting Field?
A field that appears in at least 20% of the events.
65
When a Splunk search generates calculated data that appears in the Statistics tab, in what formats can the results be exported?
CSV, XML, JSON
66
Which search matches the events containing the terms "error" and "fail"?
index=security error OR fail
67
Which of the following is an option after clicking an item in search results?
adding the item to the search
68
Which of the following fields is stored with the events in the index?
source
69
Which of the following is the recommended way to create multiple dashboards displaying data from the same search?
Export the results of the search to an XML file and use the file as the basis of the dashboards.
70
What does the following specified time range do? earliest=-72h@h latest=@d
Look back 72 hours, up to the end of today.
71
Which events will be returned by the following search string? host=www3 status=50
All events with a host of www3 that also have a status of 503
72
What does the stats command do?
Calculates statistics on data that matches the search criteria.
73
What is the primary function of the timeline located under the search bar?
To show peaks and/or valleys in the timeline, which can indicate spikes in activity or downtime
74
What can be configured using the Edit Job Settings menu?
Change Job Lifetime from 10 minutes to 7 days.
75
Which command is used to validate a lookup file?
| inputlookup products.cs
76
Which statement is true about the top command?
It returns the top 10 results. It displays the output in table format. It returns the count and percent columns per row.
77
How can another user gain access to a saved report?
The owner of the report can edit permissions from the Edit dropdown.
78
What is the primary use for the rare command?
To find the least common values of a field in a dataset.
79
What happens when a field is added to the Selected Fields list in the fields sidebar?
The selected field and its corresponding values will appear underneath the events in the search results.
80
By default, which of the following is a Selected Field?
sourcetype
81
According to Splunk best practices, which placement of the wildcard results in the most efficient search?
fail*
82
Which command automatically returns percent and count columns when executing searches?
top
83
Which command automatically returns percent and count columns when executing searches?
top
84
Which search string is the most efficient?
index=security "failed password"
85
Which search string matches only events with the status_code of 404?
status_code>403 status_code<405
86
_______________ transforms raw data into events and distributes the results into an index.
Indexer
87
Documentation for Splunk can be found at docs.splunk.com
True
88
Which component of Splunk is primarily responsible for saving data?
Indexer
89
Universal forwarder is recommended for forwarding the logs to indexers.
True
90
Splunk apps are used for the following
Designed to cater to numerous use cases and empower Splunk. Allow multiple workspaces for different use cases/user roles. An app is a collection of different Splunk config files such as data inputs, UI and knowledge objects.
91
Three basic components of Splunk are
Indexer, Forwarder, Search Head
92
What is Splunk?
Splunk is a software platform to search, analyze and visualize the machine-generated data.
93
We should use a heavy forwarder for sending event-based data to indexers.
False
94
Splunk Enterprise is used as a Scalable service in Splunk Cloud.
True
95
Which component of Splunk lets us write SPL queries to find the required data?
Search Head
96
All components are installed and administered in Splunk Enterprise on-premise.
True
97
Log filtering/parsing can be done from _____________.
Heavy Forwarders (HF)
98
Which is the default app for Splunk Enterprise?
Searching and Reporting
99
What kind of logs can Splunk Index?
All firewall, web server, database, router and switch logs
100
Portal for Splunk apps can be accessed through www.splunkbase.com
True
101
Splunk shows data in __________________
Reverse chronological order.
102
Which of the following can be used as wildcard search in Splunk?
*
103
What result will you get with the following search: index=test sourcetype="The_Questionnaire_P*"
the_questionnaire_pedia
104
Prefix wildcards might cause performance issues.
True
105
Machine data can be in structured and unstructured format.
True
106
Field names are case sensitive.
True
107
Splunk internal fields contain general information about events and start with an underscore (_).
True
108
How many main user roles do you have in Splunk?
3
109
Which of the following are Splunk premium enhanced solutions?
Splunk User Behavior Analytics (UBA), Splunk IT Service Intelligence (ITSI), Splunk Enterprise Security (ES)
110
Fields are searchable name and value pairings that differentiate one event from another.
True
111
Splunk extracts fields from event data at index time and at search time.
True
112
Field values are case sensitive
False
113
Splunk indexes the data on the basis of timestamps.
True
114
______________ is the default web port used by Splunk.
8000
115
Which of the following statements are correct about Search & Reporting App?
Can be accessed via Apps > Search & Reporting. Provides the default interface for searching and analyzing logs. Enables the user to create knowledge objects, reports, alerts and dashboards.
116
Parsing of data can happen both in HF and Indexer.
Yes
117
Monitor option in Add Data provides _______________.
Both One-time and continuous monitoring.
118
License Meter runs before data compression.
Yes
119
The Forward option gathers and forwards data to indexers over a receiving port from remote machines.
True
120
You can on-board data to Splunk using the following means
CLI, Splunk Web, Splunk apps and add-ons, inputs.conf
121
Data sources being opened and read applies to which phase?
input phase
122
Select the correct options that apply to index time processing
Indexing, Parsing, Input
123
Splunk automatically determines the source type for major data types.
True
124
Parsing of data can happen both in HF and UF.
No
125
Upload option creates inputs.conf
No
126
The Splunk index time process can be broken down into __________ phases
3
127
In the Monitor option you can select the following options in the GUI.
Files & Directories, HTTP Event Collector (HEC), TCP/UDP and Scripts
128
Uploading local files through the Upload option indexes the file only once
Yes
129
Which of the statements are correct about the HF?
Parsing, Masking, Forwarding
130
Where does license metering happen?
Indexer
131
Matching search terms are highlighted.
Yes
132
The opening parenthesis is automatically highlighted to guide you on the presence of the matching closing parenthesis.
Yes
133
Zoom Out and Zoom to Selection re-executes the search.
Yes
134
Every Search in Splunk is also called _____________.
Job
135
Matching of parentheses is a feature of Splunk Assistant.
Yes
136
Search Assistant is enabled by default in the SPL editor with compact settings.
Yes
137
What is Search Assistant in Splunk?
Shows options to complete the search string.
138
The @ symbol can be used in the advanced time unit option.
Yes
139
New data uploaded to Splunk is shown in ________________.
Real-time
140
You can use the following options to specify the start and end time for the query range
beginning= | ending=
141
You can change the App context in Input setting.
Yes
142
The default host name used in the Inputs general settings cannot be changed.
False
143
Events in Splunk are automatically segregated using date and time.
Yes
144
You are able to create a new index in the Data Input settings.
Yes
145
Splunk Parses data into individual events, extracts time, and assigns metadata.
True
146
Which of the statements is correct regarding the click-and-drag option in the timeline?
The new result after selecting the range by dragging filters the events and displays the most recent first.
147
Which symbol is used to snap the time?
@
148
Which of the statements are correct?
Zoom to selection: Narrows the time range and re-executes the search. Format Timeline: Hides or shows the timeline in different views. Zoom-out: Expands the time focus and re-executes the search.
149
There are three different search modes in Splunk
Smart, Fast, Verbose
150
Select the statements that are true for the timeline in Splunk
The timeline shows the distribution of events in the specified time range in the form of bars. Single-click to see the results for a particular time period. You can click and drag across the bars to select a range. You can hover your mouse for details such as total events, time and date.
151
Keywords are highlighted when you mouse over search results, and you can click a search result to
Open a new search. Exclude the item from the search. Add the item to the search.
152
You can view the search results in the following formats
Table, Raw, List
153
Snapping rounds down to the nearest specified unit.
Yes
154
The Data Summary button just below the search bar gives you the following
Hosts, Sourcetypes, Sources
155
What options do you get after selecting a range in the timeline?
Zoom to selection, Format Timeline, Deselect, Zoom Out
156
At the time of searching the start time is 03:35:08. Will it look back to 03:00:00 if we use -30m@h in the search?
Yes
157
Can you stop or pause a search?
Yes
158
You can also specify a time range in the search bar. You can use the following for the beginning and ending of a time range
earliest= | latest=
159
Which time unit abbreviations can you include in the Advanced time range picker?
h, mon, y, w, d, s, m
160
Interesting fields are fields that appear in at least 20% of the resulting events.
True
161
How do you make an Interesting field into a Selected field?
Click the field in the fields sidebar -> click Yes on the pop-up dialog in the upper right -> the field should now be visible in the list of Selected Fields
162
Field names are case sensitive and field values are not.
True
163
!= and NOT are the same argument.
False
164
Query - status != 100:
Will return events where the status field exists but the value of that field is not 100.
165
NOT status = 100:
Will return events where the status field exists but the value of that field is not 100, and all events where the status field doesn't exist.
166
Will the following two queries get the same result? 1. index=log sourcetype=error_log status!=100 2. index=log sourcetype=error_log NOT status=100
No
167
Select the best options for "search best practices" in Splunk
Always select the time range. Try to specify index values. Include as many search terms as possible. Inclusion is generally better than exclusion. Try to keep search terms specific.
168
The better way of writing a search query across indexes is:
(index=a OR index=b)
169
Put the query onto separate lines where | (pipes) are used by pressing the following keys.
Shift + Enter
170
Fields are searchable key value pairs in your event data.
True
171
Selected fields are a set of configurable fields displayed for each event.
True
172
The following are the time selection options when making a search
Date & Time Range, Advanced, Date Range, Presets, Relative
173
Search language syntax in Splunk can be broken down into the following components
Search term, Command, Pipe, Functions, Arguments, Clause