New

Question 1

When can a pipe follow a macro?

A. A pipe may always follow a macro. Most Voted
B. The current user must own the macro.
C. The macro must be defined in the current app.
D. Only when sharing is set to global for the macro.

Answer 1

A. A pipe may always follow a macro.

Question 2

Data Models

Answer 2

Data models drive the pivot toool.
Data models enable users of Pivot to create compelling reports and dashboards without designing the searches that generate them

Question 3

Data models are composed of one or more of which of the following datasets? (Choose all that apply.)

A. Events datasets
B. Search datasets
C. Transaction datasets
D. Any child of event, transaction, and search datasets

Answer 3

A, B, and C

Question 4

Pivot Tool

Answer 4

A table, chart, or visualization based on a data model dataset.
Used by users that dont need to know SPL

Question 5

Splunk shows data in _____ .

A.
ASCII Character order.

B.
Reverse chronological order.

C.
Alphanumeric order.

D.
Chronological order.

Answer 5

B.
Reverse chronological order

Question 6

How to tell if a field exists

Answer 6

The EXISTS operator

Question 7

Head command

Answer 7

The “head” command in Splunk is used to limit the number of events returned by a search. By specifying a numeric value with the “head” command, you can restrict the search results to only display a certain number of events from the beginning of the results set.

Question 8

limit command

Answer 8

The “limit” command is used in Splunk to restrict the number of search results returned. It helps control the volume of data displayed and enhances search performance by reducing the data set.

Question 9

drilldown

Answer 9

Configured within individual vizualizations

Drilldown is a tool for configuring responses to user clicks on visualizations in a dashboard or form.

Question 10

dropdown

Answer 10

Use this input to let users choose one option from a dropdown menu.

Question 11

Which command is used to create a lookup table in Splunk?

a) inputlookup

b) outputlookup

c) evallookup

d) createlookup

Answer 11

b) outputlookup

The correct command to create a lookup table in Splunk is the “outputlookup” command. This command allows you to output the results of a search into a lookup table.

Question 12

Which command is used to perform a lookup in Splunk?

a) inputlookup

b) outputlookup

c) evallookup

d) searchlookup

Answer 12

a) inputlookup

The “inputlookup” command is used to perform a lookup in Splunk. This command allows you to search and retrieve data from an existing lookup table.

Question 13

How can you associate a lookup table with your data during the indexing process in Splunk?

a) By configuring props.conf and transforms.conf.

b) By using the append command in a search pipeline.

c) By applying field extractions to the lookup table.

d) By defining a lookup definition file.

Answer 13

a) By configuring props.conf and transforms.conf.

To associate a lookup table with your data during the indexing process in Splunk, you need to configure props.conf and transforms.conf. These configuration files allow you to define rules that specify which lookup table to use based on specific criteria, such as sourcetype or source.

Question 14

What is the purpose of using a cron schedule for a scheduled report in Splunk?

a) To specify the time zone for the report

b) To define the search string for the report

c) To schedule the report to run at specific time intervals

d) To enable real-time monitoring for the report

Answer 14

c) To schedule the report to run at specific time intervals

A cron schedule is used in Splunk to define the specific time intervals at which a scheduled report should run.

Question 15

Machine data makes up for more than ___% of the data accumulated by organizations.

Answer 15

90

Question 16

Which apps ship with Splunk Enterprise?

(Select all that apply.)

A) Home App
B) Sideview Utils
C) Search & Reporting
D) DB Connect

Answer 16

A) Home App
C) Search & Reporting

Question 17

The default username and password for a newly installed Splunk instance is:

A) username and password
B) admin and changeme
C) admin and 12345
D) buttercup and rawks

Answer 17

B) admin and changeme

Question 18

To keep from overwriting existing fields with your Lookup you can use the _________ clause.

Answer 18

OUTPUTNEW

Question 19

What is a transforming command?

Answer 19

A type of search command that orders the results into a data table. Transforming commands “transform” the specified cell values for each event into numerical values that Splunk Enterprise can use for statistical purposes.

Question 20

What are seven common transforming commands?

Answer 20

Transforming commands include:
1) chart
2) timechart
3) stats
4) top
5) rare
6) contingency
7) highlight.

Question 21

What does CIM stand for and what is it?

Answer 21

Common Information Model (CIM).

A shared semantic model focused on extracting value from data.

Question 22

What is pivot?

Answer 22

Pivot is a command that applies a pivot operation to data.

For example: This command counts the number of events in the “HTTP Requests” object in the “Tutorial” data model.

…| pivot Tutorial HTTP_requests count(HTTP_requests) AS “Count of HTTP requests”

Question 23

What are the three required parts of a pivot?

Answer 23

The pivot command is a generating command and must be first in a search pipeline. It requires a large number of inputs: the data model, the data model object, and pivot elements.

…| pivot <datamodel-name> <object-name> <pivot-element></pivot-element></object-name></datamodel-name>

Question 24

What does SPL stand for and what are some of it’s features?

Answer 24

Search Processing Language (SPL)

It is Splunk’s proprietary language. SPL encompasses all the search commands and their functions, arguments, and clauses. Its syntax was originally based on the Unix pipeline and SQL. The scope of SPL includes data searching, filtering, modification, manipulation, insertion, and deletion.

Question 25

What is the difference between stats, chart, and time chart?

Answer 25

Stats: Tabular format that allows unlimited fields.

Chart: Graphical format that allows two fields (x and y axis) and can be pie chart, bar chart, line chart etc.

Time Chart: Allows display in bar or line graph format, and only takes in one field because it uses time for the X axis.

Question 26

What are the five default fields for every event in Splunk?

Answer 26

1) host
2) source
3) source type
4) index
5) timestamp

Question 27

What are the five Splunk data bucket ages, from most current to oldest?

Answer 27

1) Hot
2) Warm
3) Cold
4) Frozen
5) Thawed

Question 27

What does a generating command do?

Answer 27

A generating command fetches information from the indexes, without any transformations.

Generating commands are either event-generating (distributable or centralized) or report-generating. Most report-generating commands are also centralized. Depending on which type the command is, the results are returned in a list or a table.

Question 28

What does the metadata command do?

Answer 28

The metadata command returns a list of sources, sourcetypes, or hosts from a specified index or distributed search peer.

For Example: …| metadata type=hosts

Question 28

What is the Splunk data inspector process?

Answer 28

1) Look at data and decide how to process it.
2) Label data by source type.
3) Break data into events.
4) Normalize timestamps.
5) Added to Splunk index to be searched

Question 29

What is the job of the Search Head?

Answer 29

Handle search requests using Splunk search language. Enriches data with reports, dashboards, visualizations.

sends its searches to indexer

Question 30

What are the benefits of a Search Head Cluster?

Answer 30

1) Services more users.
2) Allows users and searches to share resources.
3) Distribute requests across the set of indexers.

Question 31

What are the benefits of a traditional Index Cluster?

Answer 31

1) Replicate data.
2) Prevent data loss.
3) Promote availability.
4) Manage multiple indexers.

Question 33

Which ports are required for Splunk?

Answer 33

1) splunkweb, port 8000
2) splunkd, port 8089
3) forwarder, port 9997

Question 34

While Splunk starts automatically on Windows after installation, to automatically start Splunk on a Linux a user is required to enable…

Answer 34

boot-start

Question 35

What is the URL used by administrators for creating and installing additional Splunk apps?

Answer 35

splunkbase.splunk.com

Question 36

What are the three options for adding app data?

Answer 36

1) Upload
2) Monitor
3) Forward

Question 37

which parts are the field names, field values, and delimiters?…

icmp_seq=0
ttl=64

Answer 37

which parts are the field names, field values, and delimiters?…

icmp_seq=0
ttl=64

Question 38

In regards to the Data Summary window, what is the difference between: Host, Source, and Sourcetype?

Answer 38

Host: A semi-unique identifier, such as host name, IP address, etc.
Source: Name of the file, stream, path, etc.
Sourcetype: The product or software type, such as cisco_asa, ps, win_audit, etc.

Question 39

What is the benefit of using a monitor over a forwarder?

Answer 39

A monitor sends event data as it happens, rather than on a schedule, allowing near real time information.