me

Question 1

Which search string only returns events from hostWWW3

Answer 1

host=WWW3

Question 2

By default, how long does Splunk retain a search job?

Answer 2

10 Minutes

Question 3

What must be done before an automatic lookup can be created?

Answer 3

The lookup definition must be created.

Question 4

Which of the following Splunk components typically resides on the machines where data originates?

Answer 4

Forwarder

Question 5

What determines the scope of data that appears in a scheduled report?

Answer 5

The owner of the report can configure permissions so that the report uses either the User role or the owner’s profile at run time

Question 6

When writing searches in Splunk, which of the following is true about Booleans?

Answer 6

They must be uppercase.

Question 7

Which of the following searches would return events with failure in index netfw or warn or critical in index netops

Answer 7

(index=netfw failure) OR (index=netops (warn OR critical))

Question 8

Select the answer that displays the accurate placing of the pipe in the following search string:
index=security sourcetype=access_* status=200 stats count by price

Answer 8

index=security sourcetype=access_* status=200 | stats count by price

Question 9

Which of the following constraints can be used with the top command?

Answer 9

limit

Question 10

When editing a dashboard, which of the following are possible options?

Answer 10

Modify the chart type displayed in a dashboard panel.

Question 11

When running searches, command modifiers in the search string are displayed in what color?

Answer 11

Orange

Question 12

Which of the following represents the Splunk recommended naming convention for dashboards?

Answer 12

Group_Object_Description

Question 13

How can search results be kept longer than 7 days?

Answer 13

By changing the job settings

Question 14

Which of the following is a Splunk search best practice?

Answer 14

Filter as early as possible

Question 15

When looking at a dashboard panel that is based on a report, which of the following is true?

Answer 15

You cannot modify the search string in the panel, but you can change and configure the visualization.

Question 16

Which of the following are common constraints of the top command?

Answer 16

limit, count

Question 17

When displaying results of a search, which of the following is true about line charts?

Answer 17

Line charts are optimal for multiple series with 3 or more columns

Question 18

How are events displayed after a search is executed?

Answer 18

in reverse chronological order

Question 19

Which of the following is true about user account settings and preferences?

Answer 19

Full name, time zone, and default app can be defined by clicking the login name in the Splunk bar.

Question 20

What is a primary function of a scheduled report?

Answer 20

Triggering an alert in your Splunk instance when certain conditions are met.

Question 21

After running a search, what effect does clicking and dragging across the timeline have?

Answer 21

Moves to past or future events.

Question 22

Which command is used to review the contents of a specified static lookup file?

Answer 22

inputlookup

Question 23

What must be done in order to use a lookup table in Splunk?

Answer 23

The lookup file must be uploaded to Splunk and a lookup definition must be created.

Question 24

When sorting on multiple fields with the sort command, what delimiter can be used between the field names in the search?

Answer 24

,

Question 25

Which time range picker configuration would return real-time events for the past 30 seconds?

Answer 25

Real-time - Earliest: 30-seconds ago, Latest: Now

Question 26

What is the correct syntax to count the number of events containing a vendor_action field?

Answer 26

stats count (vendor_action)

Question 27

What is one benefit of creating dashboard panels from reports

Answer 27

It makes the dashboard more efficient because it only has to run one search string.

Question 28

By default, which of the following fields would be listed in the fields sidebar under interesting Fields?

Answer 28

host

Question 29

Which of the following statements about case sensitivity is true?

Answer 29

Field names ARE case sensitive; field values are NOT.

Question 30

What does the rare command do?

Answer 30

Returns the least common field values of a given field in the results.

Question 31

When an alert action is configured to run a script, Splunk must be able to locate the script.
Which is one of the directories Splunk will look in to find the script?

Answer 31

$SPLUNK_HOME/bin/scripts

Question 32

Which Boolean operator is always implied between two search terms, unless otherwise specified?

Answer 32

AND

Question 33

What does the values function of the stats command do?

Answer 33

Returns a count of unique values for a given field.

Question 34

Which stats command function provides a count of how many unique values exist for a given field in the result set?

Answer 34

dc(field)

Question 35

A collection of items containing things such as data inputs, UI elements, and knowledge objects is known as what?

Answer 35

An app

Question 36

Which statement is true about Splunk alerts?

Answer 36

Alerts are based on searches that are either run on a scheduled interval or in real-time.

Question 37

What is the purpose of using a by clause with the stats command?

Answer 37

To group the results by one or more fields.

Question 38

How do you add or remove fields from search results?

Answer 38

Use fields +to add and fields –to remove

Question 39

A field exists in search results, but isn’t being displayed in the fields sidebar.
How can it be added to the fields sidebar?

Answer 39

Click All Fields and select the field to add it to Selected Fields.

Question 40

In the fields sidebar, which character denotes alphanumeric field values?

Answer 40

a

Question 41

What is the main requirement for creating visualizations using the Splunk UI?

Answer 41

Your search must transform event data into XML formatted data first.

Question 42

What syntax is used to link key/value pairs in search strings?

Answer 42

action=purchase

Question 43

What user interface component allows for time selection?

Answer 43

Time range picker

Question 44

Which of the following searches will return results where fail, 400, and error exist in every event?

Answer 44

error AND (fail OR 400)

Question 45

When placed early in a search, which command is most effective at reducing search execution time?dedup

Answer 45

dedup

Question 46

Which of the following is the most efficient filter for running searches in Splunk?

Answer 46

sourcetype

Question 47

How does Splunk determine which fields to extract from data?

Answer 47

Splunk automatically discovers many fields based on sourcetype and key/value pairs found in the data.

Question 48

Which of the following file types is an option for exporting Splunk search results?

Answer 48

PDF

Question 49

What syntax is used to link key/value pairs in search strings?

Answer 49

Relational operators such as =,

Question 50

Which search string returns a filed containing the number of matching events and names that field Event Count?

Answer 50

index=security failure | stats count by “Event Count”

Question 51

Which search would return events from the access_combined sourcetype?

Answer 51

Sourcetype=access_combined

Question 52

Which of the following index searches would provide the most efficient search performance?

Answer 52

index=web OR index=s*

Question 53

What is a suggested Splunk best practice for naming reports?

Answer 53

Use a consistent naming convention so they are easily separated by characteristics such as group and object.

Question 54

In a deployment with multiple indexes, what will happen when a search is run and an index is not specified in the search string?

Answer 54

Events from every index searched by default to which the user has access will be returned.

Question 55

When looking at a statistics table, what is one way to drill down to see the underlying events?

Answer 55

Clicking on any field value in the table

Question 56

In the Splunk interface, the list of alerts can be filtered based on which characteristics?

Answer 56

App, Time Window, Type, and Severity

Question 57

What are the steps to schedule a report?

Answer 57

After saving the report, click Schedule.

Question 58

In the fields sidebar, what indicates that a field is numeric?

Answer 58

A # symbol to the left of the field name.

Question 59

Which of the following are functions of the stats command?

Answer 59

sum, avg, values

Question 60

At index time, in which field does Splunk store the timestamp value?

Answer 60

_time

Question 61

Which of the following is a best practice when writing a search string?

Answer 61

Avoid using formatting clauses, as they add too much overhead.

Question 62

What type of search can be saved as a report?

Answer 62

Any search can be saved as a report

Question 63

What can be included in the All Fields option in the sidebar?

Answer 63

field descriptions

Question 64

When viewing the results of a search, what is an Interesting Field?

Answer 64

A field that appears in at least 20% of the events.

Question 65

When a Splunk search generates calculated data that appears in the Statistics tab, in what formats can the results be exported?

Answer 65

CSV, XML, JSON

Question 66

Which search matches the events containing the terms “error” and “fail”

Answer 66

index=security error OR fail

Question 67

Which of the following is an option after clicking an item in search results?

Answer 67

adding the item to the search

Question 68

Which of the following fields is stored with the events in the index?

Answer 68

source

Question 69

Which of the following is the recommended way to create multiple dashboards displaying data from the same search?

Answer 69

Export the results of the search to an XML file and use the file as the basis of the dashboards.

Question 70

What does the following specified time range do?

earliest=-72h@h latest=@d

Answer 70

Look back 72 hours, up to the end of today.

Question 71

Which events will be returned by the following search string?

host=www3 status=50

Answer 71

All events with a host of www3 that also have a status of 503

Question 72

What does the stats command do?

Answer 72

Calculates statistics on data that matches the search criteria.

Question 73

Which is primary function of the timeline located under the search bar?

Answer 73

To show peaks and/or valleys in the timeline, which can indicate spikes in activity or downtime

Question 74

What can be configured using the Edit Job Settings menu?

Answer 74

Change Job Lifetime from 10 minutes to 7 days.

Question 75

Which command is used to validate a lookup file?

Answer 75

inputlookup products.cs

Question 76

Which statement is true about the top command?

Answer 76

It returns the top 10 results.
It displays the output in table format.
It returns the count and percent columns per row.

Question 77

How can another user gain access to a saved report?

Answer 77

The owner of the report can edit permissions from the Edit dropdown.

Question 78

What is the primary use for the rare command

Answer 78

To find the least common values of a field in a dataset.

Question 79

What happens when a field is added to the Selected Fields list in the fields sidebar?

Answer 79

The selected field and its corresponding values will appear underneath the events in the search results.

Question 80

By default, which of the following is a Selected Field?

Answer 80

sourcetype

Question 81

According to Splunk best practices, which placement of the wildcard results in the most efficient search?

Answer 81

fail*

Question 82

Which command automatically returns percent and count columns when executing searches?

Answer 82

top

Question 83

Which command automatically returns percent and count columns when executing searches?

Answer 83

top

Question 84

Which search string is the most efficient?

Answer 84

index=security “failed password”

Question 85

Which search string matches only events with the status_code of 404?

Answer 85

status_code>403 status_code<405

Question 86

_______________ transforms raw data into events and distributes the results into an index.

Answer 86

Indexer

Question 87

Documentations for Splunk can be found at docs.splunk.com

Answer 87

True

Question 88

Which component of Splunk is primarily responsible for saving data?

Answer 88

Indexer

Question 89

Universal forwarder is recommended for forwarding the logs to indexers.

Answer 89

True

Question 90

Splunk apps are used for following

Answer 90

Designed to cater numerous use cases and empower Splunk.
Allows multiple workspaces for different use cases/user roles.
It is collection of different Splunk config files like data inputs, UI and Knowledge Object.

Question 91

Three basic components of Splunk are

Answer 91

Indexer
Forwarder
Search Head

Question 92

What is Splunk?

Answer 92

Splunk is a software platform to search, analyze and visualize the machine-generated data.

Question 93

We should use heavy forwarder for sending event-based data to Indexers.

Answer 93

False

Question 94

Splunk Enterprise is used as a Scalable service in Splunk Cloud.

Answer 94

True

Question 95

Which component of Splunk let us write SPL query to find the required data?

Answer 95

Search Head

Question 96

All components are installed and administered in Splunk Enterprise on-premise.

Answer 96

True

Question 97

Log filtering/parsing can be done from _____________.

Answer 97

Heavy Forwarders (HF)

Question 98

Which is the default app for Splunk Enterprise?

Answer 98

Searching and Reporting

Question 99

What kind of logs can Splunk Index?

Answer 99

All firewall, web server, database, router and switch logs

Question 100

Portal for Splunk apps can be accessed through www.splunkbase.com

Answer 100

True

Question 101

Splunk shows data in __________________

Answer 101

Reverse chronological order.

Question 102

Which of the following can be used as wildcard search in Splunk?

Answer 102

*

Question 103

What result will you get with following search index=test sourcetype=”The_Questionnaire_P*”

Answer 103

the_questionnaire_pedia

Question 104

Prefix wildcards might cause performance issues.

Answer 104

True

Question 105

Machine data can be in structured and unstructured format.

Answer 105

True

Question 106

Field names are case sensitive.

Answer 106

True

Question 107

Splunk internal fields contains general information about events and starts from underscore i.e. _ .

Answer 107

True

Question 108

How many main user roles do you have in Splunk?

Answer 108

3

Question 109

Which of the following are Splunk premium enhanced solutions?

Answer 109

Splunk User Behavior Analytics (UBA)
Splunk IT Service Intelligence (ITSI)
Splunk Enterprise Security (ES)

Question 110

Fields are searchable name and value pairings that differentiates one event from another.

Answer 110

True

Question 111

Splunk extracts fields from event data at index time and at search time.

Answer 111

True

Question 112

Field values are case sensitive

Answer 112

False

Question 113

Splunk indexes the data on the basis of timestamps.

Answer 113

True

Question 114

______________ is the default web port used by Splunk.

Answer 114

8000

Question 115

Which of the following statements are correct about Search & Reporting App?

Answer 115

Can be accessed by Apps > Search & Reporting.
Provides default interface for searching and analyzing logs.
Enables the user to create knowledge object, reports, alerts and dashboards

Question 116

Parsing of data can happen both in HF and Indexer.

Answer 116

Yes

Question 117

Monitor option in Add Data provides _______________.

Answer 117

Both One-time and continuous monitoring.

Question 118

License Meter runs before data compression.

Answer 118

Yes

Question 119

Forward Option gather and forward data to indexers over a receiving port from remote machines.

Answer 119

True

Question 120

You can on-board data to Splunk using following means

Answer 120

CLI
Splunk Web
Splunk apps and add-ons
inouts.conf

Question 121

Data sources being opened and read applies to

Answer 121

input phase

Question 122

Select the correct option that applies to Index time processing

Answer 122

Indexing
Parsing
Input

Question 123

Splunk automatically determines the source type for major data types.

Answer 123

True

Question 124

Parsing of data can happen both in HF and UF.

Answer 124

No

Question 125

Upload option creates inputs.conf

Answer 125

No

Question 126

Splunk index time process can be broken down into __________ phase

Answer 126

3

Question 127

In monitor option you can select the following options in GUI.

Answer 127

Filed & Directories, HTTP Event Collector (HEC), TCP/UDP and Scripts

Question 128

Uploading local files though Upload options index the file only once

Answer 128

Yes

Question 129

Which of the statements are correct about HF?

Answer 129

Parsing
Masking
Forwarding

Question 130

Where does Licensing meter happen?

Answer 130

Indexer

Question 131

Matching search terms are highlighted.

Answer 131

Yes

Question 132

Beginning parentheses is automatically highlighted to guide you on the presence of complimenting parentheses.

Answer 132

Yes

Question 133

Zoom Out and Zoom to Selection re-executes the search.

Answer 133

Yes

Question 134

Every Search in Splunk is also called _____________.

Answer 134

Job

Question 135

Matching of parentheses is a feature of Splunk Assistant.

Answer 135

Yes

Question 136

Search Assistant is enabled by default in the SPL editor with compact settings.

Answer 136

Yes

Question 137

What is Search Assistant in Splunk?

Answer 137

Shows options to complete the search string.

Question 138

@ Symbol can be used in advanced time unit option.

Answer 138

Yes

Question 139

The new data uploaded in Splunk are shown in ________________.

Answer 139

Real-time

Question 140

You can use the following options to specify start and end time for the query range

Answer 140

beginning=

ending=

Question 141

You can change the App context in Input setting.

Answer 141

Yes

Question 142

The default host name used in Inputs general settings can not be changed.

Answer 142

False

Question 143

Events in Splunk are automatically segregated using data and time.

Answer 143

Yes

Question 144

You are able to create new Index in Data Input settings.

Answer 144

Yes

Question 145

Splunk Parses data into individual events, extracts time, and assigns metadata.

Answer 145

True

Question 146

Which of the statements is correct regarding click and drag option in timeline?

Answer 146

The new result after selecting the range by dragging filters the events and displays the most recent first.

Question 147

Which symbol is used to snap the time?

Answer 147

@

Question 148

Which of the statements are correct

Answer 148

Zoom to selection: Narrows the time range and re-executes the search.
Format Timeline: Hides or shows the timeline in different views.
Zoom-out: Expands the time focus and re-executes the search.

Question 149

There are three different search modes in Splunk

Answer 149

Smart, Fast, Verbose

Question 150

Select the statements that are true for timeline in Splun

Answer 150

Timeline shows distribution of events specified in the time range in the form of bar.
Single click to see the result for particular time period.
You can click and drag across the bar for selecting the range.
You can hover your mouse for details like total events, time and date.

Question 151

Keywords are highlighted when you mouse over search results and you can click this search result to

Answer 151

Open new search.
Exclude the item from search.
Add the item to search.

Question 152

You can view the search result in following format

Answer 152

Table
Raw
List

Question 153

Snapping rounds down to the nearest specified unit.

Answer 153

Yes

Question 154

Data summary button just below the search bar gives you the following

Answer 154

Hosts
Sourcetypes
Sources

Question 155

What options do you get after selecting timeline?

Answer 155

Zoom to selection
Format Timeline
Deselect
Zoom Out

Question 156

At the time of searching the start time is 03:35:08.

Will it look back to 03:00:00 if we use -30m@h in searching?

Answer 156

Yes

Question 157

Can you stop or pause the searching?

Answer 157

Yes

Question 158

You can also specify a time range in the search bar. You can use the following for beginning and ending for a time range

Answer 158

earliest=

latest=

Question 159

Which all time unit abbreviations can you include in Advanced time range picker?

Answer 159

h
mon
y
w
d
s
m

Question 160

Interesting fields are the fields that have at least 20% of resulting fields.

Answer 160

True

Question 161

How to make Interesting field into a selected field

Answer 161

Click field in field sidebar -> click YES on the pop-up dialog on upper right side -> check now field should be visible in the list of selected fields

Question 162

Field names are case sensitive and field value are not.

Answer 162

True

Question 163

!= and NOT are same arguments.

Answer 163

False

Question 164

Query - status != 100:

Answer 164

Will return event where status field exist but value of that field is not 100.

Question 165

NOT status = 100:

Answer 165

Will return event where status field exist but value of that field is not 100 and all events where status field doesn’t exist.

Question 166

Will the queries following below get the same result?

1. index=log sourcetype=error_log status !=100 2. index=log sourcetype=error_log NOT status =100

Answer 166

No

Question 167

Select the best options for “search best practices” in Splunk

Answer 167

Select the time range always.
Try to specify index values.
Include as many search terms as possible.
Inclusion is generally better than exclusion.
Try to keep specific search terms.

Question 168

The better way of writing search query for index is:

Answer 168

(index=a OR index=b)

Question 169

Put query into separate lines where | (Pipes) are used by selecting following options.

Answer 169

Shift + Enter

Question 170

Fields are searchable key value pairs in your event data.

Answer 170

True

Question 171

Selected fields are a set of configurable fields displayed for each event.

Answer 171

True

Question 172

Following are the time selection option while making search

Answer 172

Date & Time Range
Advanced 
Date Range 
Presets
Relative

Question 173

Search Language Syntax in Splunk can be broken down into the following components

Answer 173

Search term
Command 
Pipe 
Functions 
Arguments 
Clause