Part 1 Flashcards

1
Q

Single instance of Splunk Enterprise handles

A

Input
Parsing
Indexing
Searching

2
Q

In most Splunk deployments, ——- serve as the primary way data is supplied for indexing

A

Forwarders

3
Q

This role will only see their own knowledge objects and those that have been shared with them

A

User

4
Q

In most production environments, —- will be used as the source of data input

A

Forwarders

5
Q

When zooming in on the event timeline, a new search is run

A

False

6
Q

In a dashboard, a time range picker will only work on panels that include a ——- search

A

Inline

7
Q

These roles can create reports

A

Power, admin.

8
Q

To keep from overwriting existing fields with your lookup you can use the —— clause

A

Outputnew

9
Q

When using a .csv file for lookups, the first row in the file represents this

A

Field names

10
Q

The instant pivot button is displayed in the statistics and visualisations tabs when a ————- search is run

A

Non-transforming

11
Q

Forwarders

A

Require minimal resources

Little impact on performance

Reside on machines where data originates

12
Q

Main components of Splunk

A

Indexer

Search head

Forwarder

13
Q

Single instance deployment

A

Input

Parsing

Indexing

Searching

Proof of concept
Personal use
Learning
Might serve the needs of small department-sized environments

14
Q

Splunk Cloud

A

Subscription service

Index up to 5 GB per day for up to 15 days

15
Q

Roles

A

Determine what a user is able to see, do and interact with

16
Q

Three main roles

A

Admin - install apps, create knowledge objects for all users

Power - can create and share knowledge objects for users of an app and do real-time searches

Users - will only see their own knowledge objects and those that have been shared with them

17
Q

Upload - files only get indexed once (.csv)

Monitor - files & directories, HTTP, TCP, scripts

Forward - receive data from external forwarders

A

Local files

HTTP

18
Q

Indexes

A

Directories where data is stored

19
Q

Having separate indexes

A

Will make searching data more efficient

Limits the amount of data Splunk searches

Returns only events from that index

Multiple indexes allow limiting access by user role.
- you control who sees what data

Separate indexes allow custom retention policies.

(Web data index) (6 months)
(Main index)
(Security index) (1 year)

20
Q

Search and reporting app

A

Default interface

Knowledge objects

Reports

Dashboards

21
Q

Commands that create statistics and visualisations are called —-

A

Transforming commands

22
Q

By default, a search job will remain active for ——

A

10 mins - after that a new search will have to be run; to keep it for longer you can schedule a report

23
Q

Shared search jobs remain active for —-

A

7 days - and readable to everyone
Print results or save to PDF
Less load on server, more efficient

24
Q

Export results will allow you to export events from the job in —— format

A

Raw

CSV

XML

JSON

25
Fast, Smart, Verbose
Fast - field discovery is disabled for this mode; speed over completeness
Smart - default, balances
Verbose - completeness over speed
26
Timeline
Clicking and dragging - moves to past or future events
Zoom in - uses your original search job (re-executes)
Zoom out - runs a new search job to return newly selected events (re-executes)
Deselect - return to original results
27
Default fields
Host, Source, Sourcetype
28
Interesting fields
Have values in at least 20% of the events
29
a and #
a - string value (written to left)
# - numeral (written to left)
Number to right - number of unique values for the field
=* - any results that contain this field (action)
30
When you add an event to selected fields list —-
The field will show where the events occur
31
You can run more efficient searches by ——
Using fields in them
32
Field operators
= and != - used with numerical or string values
> >= < <= - numerical values
33
Time is most efficient - the less data you have to search, the faster Splunk will be. After time, ——
Default fields: index, source, host, sourcetype
Most powerful (the more you tell search, the better your results)
34
Filter
Early, faster
35
Filter events early in search —-
Indexes
Multiple indexes - users can search only what they need, making searches more efficient
Can also be used to limit access
Can search multiple indexes at the same time
Wildcards can also be used for index values
36
Fields command —-
Include or exclude fields from search results
37
Fields —-
Metafields - host, source, sourcetype, index
Internal fields - _time and _raw
Field extraction - costly part of searching; being able to limit fields extracted can make searches more efficient
Field inclusion - happens before field extraction, can improve performance
Field exclusion - happens after field extraction, only affecting displayed results
Renaming - once renamed, the original name is not available to subsequent search commands (can't access it with the original name); new field names will need to be used further down the pipeline
fields command allows you to exclude or include specified fields in your search report
fields+ before (default) improves performance
fields- after table/display, easier to read
38
Sort command
String data - sorted alphanumerically
Numeric data - sorted numerically
39
Transforming commands - into visualisations
Raw data into a data table; transforms events into visualisations
Top - most common, default 10 results (table: count, %)
Rare - least common
Stats commands: chart, timechart, geostats
Statistical functions:
count
dc - groups
sum - adds
avg
min, max
list - writes all values
values - specify and write values once
*count and sum must be within the same pipe
40
Reports -Power user
Read and write permissions on report (everyone has read access)
41
Time range picker will only work on panels with an ——
Inline search
42
Data models - created by admin & power who understand splunk language
Knowledge objects that provide the data structure that drives pivots
Data model - framework
Pivot - interface
Data sets - small collections of data (field names/values)
43
Data sets help users—-
Find data
Get answers faster
Data sets tab - lists lookups and data models; prebuilt ones make it easier to interact with your data
44
Lookups
Categorised as a dataset
Get a lookup file; 2 steps: define lookup table, define a lookup
Can configure lookup to run automatically
Lookup fields are case sensitive by default
Add fields and values to your events that were not included in the indexed data; pull data from standalone files; allow you to add more fields to your events
Example: HTTP codes - description (output fields), .csv
Scripts
Geo data
Useful for search but might not be available in your index
By default, fields in the lookup table are returned as output fields, except the input field
Outputnew - when you don't want to overwrite existing fields
45
Additional lookup options
Populate lookup table with search results
Define lookup based on external script or command
Use Splunk DB Connect application
Use geospatial lookups to create queries to generate choropleth map visualisations
Populate events with KV store fields
46
Reports
Can show events, stats (tables), visualisations (charts); stats and visualisations allow you to drill down by default to see underlying events
Running multiple reports can put a big demand on system hardware, even if everything is configured to recommended specs
Running a report returns fresh results each time you run it
Scheduled priority - only available to admin users: default, higher, highest
*Time range picker can't be used on a SCHEDULED report
*If you add a time range picker, it allows you to adjust the time range of the report when you run it
Actions to trigger - log event, output results to lookup, telemetry endpoint, run a script, send email, webhook
Can disable, embed (anyone with access to the web page can see the report), move, delete reports
*Embedded report will not show data until the scheduled search is run
*You can edit a report, but not save it as a new report
***You can add a scheduled report to a dashboard
For alphanumeric fields - only 3 available reports
User - can only see knowledge objects and what has been shared with them; can't create reports
47
Alerts
Searches that are run on scheduled intervals or in real time
Notify you when results of a search meet defined conditions
As soon as alert conditions are satisfied an action is triggered
Real-time alerts are run continuously and can place more overhead on system performance
Triggered when the search is completed
Alerts can:
List in interface
Log events
Output to lookup
Send to a telemetry endpoint
Trigger scripts
Send emails
Use webhook
Run a custom alert
By default: everyone has read access, power users have write access
Scheduled and real-time
Throttle - how many times the alert is executed
48
Search job
By default - read permissions are private
20 results per page
Saved search 10 mins, can extend to 7 days (doesn't re-execute search)
Can share search - allows multiple users working on the same issue to see data (efficient)
External copy: raw events, CSV, XML, JSON
Search history, most recent - 5 per page
49
As best practice and performance...
Filter as early in the search as possible
50
Case sensitive
Boolean - uppercase
Field names - productId vs productid
Field values from LOOKUP (default; admin can change this when creating lookup tables)
Searching with tags
Regex commands
*If a command references a specific value, that value will be case sensitive, e.g. host value www1 rather than WWW1
51
Not case sensitive
Search terms, command names, clauses, functions
52
Basic deployment - 20 GB per day, 20 users
Searching, indexing, parsing, forwarder management, input
53
Multi-instance - 100 GB per day, 100 users
Searching, indexing, parsing, input; several hundred forwarders
54
Increasing search capacity
Add a search head cluster - more users and searches to share resources; coordinate activities to handle search requests; set of indexers; min 3 search heads
Index cluster - replicate data; prevent data loss; availability; manage multiple indexers
Non-replicating - simplified management; no availability or data recovery
55
Wildcard *
At beginning - all events
Middle - inconsistent
End is better*; use OR when possible
56
Search language
Command - blue
Function - purple
Argument - green
Boolean/command modifiers - orange
57
3 methods to create tables and visualisations
Select a field from the fields sidebar, choose a report to run
Use the pivot interface, start with a data set or instant pivot
Use search language transforming commands in the search bar
58
Dashboards
One or more panels: events, tables, charts
**Reports can be used to create a panel of a dashboard - exported as PDF or printed
Efficient to create panels from reports - a single report can be used across different dashboards
59
Instant pivot
Utilise the pivot tool without a pre-existing data model. Can save to dashboard
60
Inputlookup
Load results from a static lookup; good for reviewing data in CSV and validating a lookup
61
When looking at a dashboard panel that is based on a report
You cannot modify the search string in the panel but you can change and configure the visualisation
62
User account settings and preferences
Full names can only be changed by accounts with a power user or admin role.
63
Command to review contents of a specified static lookup file
Inputlookup
64
In order to use a lookup table in splunk
Lookup file must be uploaded to splunk, lookup definition must be created
65
Values function of stats command
Returns a count of unique values for a given field
66
Main requirement for creating visualisations using splunk UI
Search must transform event data into XML formatted data first
67
What can be included in the all fields option in the sidebar
Field descriptions
68
Fast- Smart - Verbose-
Speed, Balance, Completeness
69
The rename command is useful for ——-
Giving fields more meaningful names
70
When including spaces or special characters in field names ——
Use double straight quotes: rename status as "HTTP status"
Once you rename a field you can't access it with its original name
71
Fields command allows —-
You to include or exclude specified fields in your search or report
72
Top command
Most common values of a given field
10 results
Count and percent columns
Options: limit, countfield, showperc
73
3 methods for creating stats and visualisations
Select a field from the fields sidebar, choose a report to run
Use the pivot interface - dataset, instant pivot
Splunk search language transforming commands in the search bar
74
g.o.d (smart naming)
group - name of dept
object - report etc.
description - failed logins etc.
75
3 main methods of creating tables and visualisations
Field - fields sidebar & choose a report to run
Pivot interface - dataset or instant pivot
Splunk search language - transforming commands in the search bar
76
why create panels from reports?
a single report can be used across different dashboards
77
if lookup is not configured to run automatically
use lookup command in your search to use lookup fields
78
output argument is optional
if not specified, lookup returns all fields from the lookup table except the match fields
79
outputnew
do not want to overwrite existing fields
80
after time most powerful keywords are
host, source, sourcetype
81
use fields commands to use
only fields you need
82
search job inspector
Header, execution costs, search job properties
83
the instant pivot button is displayed after a ---
non transforming search is run
84
data models are made up of datasets
look up is categorised as a dataset
85
pivot
Can be displayed as a table or visualisation; can be saved as a report, and can include a time range picker
86
splunk deployed---
Enterprise, Light, Cloud
87
apps available from----
splunkbase, or admins can build their own
88
enhance solutions
ITSI ES UBA
89
Search and reporting app
knowledge objects , reports , dashboards
90
data summary
host , source , sourcetype
91
components
indexer, search head, forwarder
92
additional splunk components
deployment server, cluster master, license master
93
adding a search head cluster
more users for search and share. 3 search heads
94
can add data inputs
CLI, Splunk Web, inputs.conf, Splunkbase
95
click any item in search results (options)
add to search, exclude , new search
96
search result layout
raw , list , table
97
save as:
Report, dashboard panel, alert
98
report types
Numeric - 6 report types; alphanumeric - 3 report types
99
pivot
Can be displayed as a table or visualisation
100
instant pivot
Use pivot without a pre-existing data model; executes the search without commands
Can select fields to be included in the data model object
101
lookup fields are--
case sensitive
102
severity of triggered alerts---
low, medium, high, critical