Part 1

Question 1

Single instance of Splunk Enterprise handles

Answer 1

Input
Parsing
Indexing
Searching

Question 2

In most splunk deployments ,——-serve as the primary way data is supplied for indexing

Answer 2

Forwarders

Question 3

This role will only see their own knowledge objects and those that have been shared with them

Answer 3

User

Question 4

In most production environments,—-will be used as the source of data input

Answer 4

Forwarders

Question 5

When zooming in on the event time line; a new search is run

Answer 5

False

Question 6

In a dashboard, a time range picker will only work on panels that include a ——- search

Answer 6

Inline

Question 7

These roles can create reports

Answer 7

Power,admin.

Question 8

To keep from overwriting existing fields with your lookup you can use the —— clause

Answer 8

Outputnew

Question 9

When using a .csv file for lookups, the first row in the file represents this

Answer 9

Field names

Question 10

The instant pivot button is displayed In the statistics and visualisations tabs when a ————- search is run

Answer 10

Non-transforming

Question 11

Forwarders

Answer 11

Require minimal resources

Little impact on performance

Reside on machines where data originates

Question 12

Main components of splunk

Answer 12

Indexer

Search head

Forwarder

Question 13

Single instance deployment

Answer 13

Input

Parsing

Indexing

Searching

•proof of concept
Personal use
Learning
Might serve needs of small departments sized environments

Question 14

Splunk cloud

Answer 14

Subscription service

Index up to 5gb per day up to 15 days

Question 15

Roles

Answer 15

Determine what a user is able to see, do and interact with

Question 16

Three main roles

Answer 16

Admin- install apps , create knowledge objects for all users

Power- can create and share knowledge objects for users of an app and do real-time searches

Users- will only see their own knowledge objects and those that have been shared with them

Question 17

Upload, files only get indexed once .csv

Monitor , files & directories,http, tcp,scripts

Forward, receive data From external forwarders

Answer 17

Local files

Http

Question 18

Indexes

Answer 18

Directories where data is stored

Question 19

Having separate indexes

Answer 19

Will make data more efficient

Limits data amount splunk searches

Returns only events froM that index

Multiple indexes allow limiting access by user role.
- you control who sees what data

Separate indexes allow custom retention policies.

(Web data index) (6months)
(Main index)
(Security index)(1 year)

Question 20

Search and reporting app

Answer 20

Default interface

Knowledge objects

Reports

Dashboards

Question 21

Commands that create statistics and visualisations are called —-

Answer 21

Transforming commands

Question 22

By default, a search job will remain active for ——

Answer 22

10mins—- after that a new search will have to be run, to keep for longer you can schedule a report

Question 23

Shared search Jobs Remain active for —-

Answer 23

7days- and readable to everyone
print results or save to PDF
less load on server, more efficient

Question 24

Export results Will allow you to export events from the job in —— format

Answer 24

Raw

CSV

XML

JSON

Question 25

Fast

Smart

Verbose

Answer 25

Fast - field discovery is disabled for this mode - speed over complete

Smart- default , balances

Verbose - complete over speed

Question 26

Timeline

Answer 26

Clicking and dragging- moves to past or future events

Zoom in- uses your original search job (re execute )

Zoom out- runs a new search job to return newly selected events(re executes )

Deselect- return to original results

Question 27

Default fields

Answer 27

Host

Source

Sourcetype

Question 28

Interesting fields

Answer 28

Have values in at least 20% of the events

Question 29

a

#

Answer 29

String value (written to left)

Numeral (written to left)

Number to right - number of unique values for the field.

=* any results that contain this field action

Question 30

When you add an event to selected fields list —-

Answer 30

The field will show where the events occurs

Question 31

You can run more efficient searches by ——

Answer 31

Using fields in them

Question 32

Field operators

Answer 32

=
!= used with numerical or string values

> =
<
<= numerical values

Question 33

Time most efficient - less data you have to search , faster splunk will be.

After time ——

Answer 33

Default fields of :

Index
Source
Host
Sourcetype

Most powerful

(The more you tell search , better your results)

Question 34

Filter

Answer 34

Early , faster

Question 35

Filter events early in search —-

Answer 35

Indexes

Multiple indexes -users can search only what they need to make searches more efficient

Can also be used to limit access

Can search multiple indexes at same time

Wildcards can also be used for index values

Question 36

Fields command —-

Answer 36

Include or exclude fields from search results

Question 37

Fields —-

Answer 37

metafields- host, source, sourcetype, index
internal fields-time and raw

Field extraction - costly part of searching , being able to limit fields extracted can make searches more efficient

Field inclusion- happens before field extraction , can improve performance.

Field exclusion- happens after field extraction, only affecting displayed results

Renaming - once renamed , original name is not available to subsequent search commands( can’t access it with original name ) . New field names will need to be used further down the pipeline

fields command allows you to exclude , include specified fields in your search report.
fields+ before(default) improves performance
fields- after table/display easier to read.

Question 38

Sort command

Answer 38

String data- sorted alphanumerically

Numeric data- sorted numerically

Question 39

Transforming commands - into visualisations

Answer 39

raw data in to data table **transforms events into visualisations
Top- most common default 10 results (table-count,%)
Rare- least common
Stats Commands
chart
time chart
geostats

statistical functions:
count 
dc- groups 
sum- adds 
avg-
min, max, 
list - writes all values 
values -specify and write values once
*count and sum must be within same pipe

Question 40

Reports -Power user

Answer 40

Read and write permissions on report (everyone has read access)

Question 41

Time range picker will only work on panels with an ——

Answer 41

Inline search

Question 42

Data models - created by admin & power who understand splunk language

Answer 42

Knowledge objects that provide data structure that drives pivots
Data model- framework
Pivot - Interface

Data sets - small collections of data -field names /values

Question 43

Data sets help users—-

Answer 43

Find data

Get answers faster

Data sets tab-lists look ups and data models, prebuilt ones make it easier to interact with your data

Question 44

Look ups

Answer 44

Categorised as a dataset

Get a lookup file 2 steps :
define lookup table
define a lookup

Can configure look up to run automatically

Look up fields are case sensitive by default

Fields and values to your events that were not included In the index data .
pull data away from standalone files
allow you to add more fields to your events Example : http codes - description(output fields)

.csv
Scripts
Geo

Data useful for search but might not be available in your index

By default- fields in lookup table are returned as output fields , except input field

Outputnew - when you don’t want to overwrite existing fields

Question 45

Additional lookup options

Answer 45

Populate lookup table with search results

Define lookup based on external script or command

Use splunk DB connect application

Use geospatial lookups to create queries , to generate chloropleth map visualisations.

Populate events with KV store fields

Question 46

Reports

Answer 46

can show events, stats(tables), visualisations(charts), stats and visualisations allow you to drill down by default to see underlying events.
Running multiple reports can put w big demand on system hardware, even if everything is configured to recommended specs

Running a report returns fresh results each time you run it.

Scheduled priority- only available to admin users
Default , higher , highest

• *time range picker can’t be used on SCHEDULED report!
• if you add a time range picker-allows you to adjust time range of report when you run it.

Actions to trigger - log event , output results to look up , telemetry endpoint , run a script ,
Send email , webhook

Can disable , embed(anyone with access to web page can see report) ,move , delete reports

*embedded report with not show data until scheduled search is run .
*running a report returns fresh results for each time you run it.
You can edit a report, but not save as new report.
**You can add scheduled report to a dashboard
for alphanumeric fields-only 3 available reports

User=can only see knowledge objects and what has been shared by them .cant create reports,

Question 47

Alerts

Answer 47

Searches that are run on scheduled intervals or in real time

Notify you when results of search meet defined conditions

As soon as alert conditions are satisfied an action is triggered.

Real time alerts are run continuously and can get place more over head on system performance.

Triggered when the search is completed.

Alerts can:
List in interface
Log events 
Output to lookup 
Send to a telemetry endpoint 
Trigger scripts 
Send emails 
Use webhook 
Run a custom alert 

By default :
Every one has read access
Power users have write access

Scheduled and real-time

Throttle - how many times alert is executed.

Question 48

Search job

Answer 48

By default -read permissions are private

20 results per page

Saved search 10 mins , can extend to 7 days (doesn’t re execute search)

Can share search- allows multiple users working on same issue to see data( efficient). External copy: 
Raw events 
Csv
XML
JSON

Search history, most recent -5 per page

Question 49

As best practice and performance…

Answer 49

Fed up as early in the search as possible

Question 50

Case sensitive

Answer 50

Boolean - uppercase

Field names - productId vs productid

Field values from LOOKUP(default) (admin can change this when creating look up tables)

Searching with tags

Reg ex commands

*if commands references a specific value , that value will be case sensitive ex host value www1 rather than WWW1

Question 51

Not case sensitive

Answer 51

Search terms
Command names
Clauses
Functions

Question 52

Basic deployment

20gb per day 20 users

Answer 52

Searching 
Indexing 
Parsing 
Forwarder management 
Input

Question 53

Multi instance
100gb per day
100 users

Answer 53

Searching
Indexing
Parsing
Input

Several hundred forwarders

Question 54

Increasing search capacity

Answer 54

Add a search head cluster

• more users and searches to share resources
• coordinate activities to handle search requests set of indexers
• min 3 search heads

Index cluster

• replicate data
• prevent data loss
• availability
• manage multiple indexers

Non replicating

• simplified management
• no availability or data recovery

Question 55

Wildcard*

Answer 55

At beginning - all events
Middle - inconsistent
End is better* using OR when possible

Question 56

Search language

Answer 56

Command - blue

Function- purple

Argument - green

Boolean/ command modifiers - orange

Question 57

3 methods to create tables and visualisations

Answer 57

Select field from fields side bar choose report to run

Use pivot interface, start with data set or instant pivot

Use search language transforming commands in search bar

Question 58

Dashboards

Answer 58

One or more panels

Events

Tables

Charts

**reports can be used to create panel of dashboard - exported as PDF or printed

Efficient to create panels from reports- single report. Can be used across different dashboards.

Question 59

Instant pivot

Answer 59

Utilise pivot tool without pre existing data model . Can save to dashboard

Question 60

Inputlookup

Answer 60

Load results from static look up
good for; review data in csv
validate lookup

Question 61

When looking at a dashboard panel that is based on a report

Answer 61

You cannot modify the search string in the panel but you can change and configure the visualisation

Question 62

User account settings and preferences

Answer 62

Full names can only be changed by accounts with a power user or admin role .

Question 63

Command to review contents of a specified static lookup file

Answer 63

Inputlookup

Question 64

In order to use a lookup table in splunk

Answer 64

Lookup file must be uploaded to splunk, lookup definition must be created

Question 65

Values function of stats command

Answer 65

Returns a count of unique values for a given field

Question 66

Main requirement for creating visualisations using splunk UI

Answer 66

Search must transform event data into XML formatted data first

Question 67

What can be included in the all fields option in terms he side bar

Answer 67

Field descriptions

Question 68

Fast-

Smart -

Verbose-

Answer 68

Speed

Balance

Completeness

Question 69

The rename command is useful for ——-

Answer 69

Giving fields more meaningful names

Question 70

When including spaces or special characters in field names ——

Answer 70

Use double straight quotes
rename status as “HTTP status”

Once you rename field you can’t access it with its original name

Question 71

Fields command allows —-

Answer 71

You to include or exclude specified fields in your search or report

Question 72

Top command

Answer 72

Most common values of given field
10 results
Count and percent columns
Limit count field showperc

Question 73

3 methods for creating stats and visualisations

Answer 73

Select a field from fields sidebar, choose report to run

Use pivot interface - dataset, instant pivot

Splunk search language transforming commands in search bar.

Question 74

g.o.d (smart naming)

Answer 74

group- name of dept
object- report etc
description- failed logins etc

Question 75

3 main methods of creating tables and visualisations

Answer 75

field-fields side bar & choose report to run
pivot interface, dataset or instant pivot
splunk search language, transforming commands in the search bar

Question 76

why create panels from reports?

Answer 76

a single report can be used across different dashboards

Question 77

if lookup is not configured to run automatically

Answer 77

use lookup command in your search to use lookup fields

Question 78

output argument is optional

Answer 78

if not specified, lookup returns all fields from the lookup table except the match fields

Question 79

outputnew

Answer 79

do not want to overwrite existing fields

Question 80

after time most powerful keywords are

Answer 80

host, spurce, sourcetype

Question 81

use fields commands to use

Answer 81

only fields you need

Question 82

search job inspector

Answer 82

header
execution costs
search job properties

Question 83

the instant pivot button is displayed after a —

Answer 83

non transforming search is run

Question 84

data models are made up of datasets

Answer 84

look up is categorised as a dataset

Question 85

pivot

Answer 85

can be displayed as; table or visualisation

can be saved as report, and can include a time range picker

Question 86

splunk deployed—

Answer 86

enterprise , light, cloud

Question 87

apps available from—-

Answer 87

splunkbase, or admins can build their own

Question 88

enhance solutions

Answer 88

ITSI
ES
UBA

Question 89

Search and reporting app

Answer 89

knowledge objects , reports , dashboards

Question 90

data summary

Answer 90

host , source , sourcetype

Question 91

components

Answer 91

indexer, search head, forwarder

Question 92

additional splunk components

Answer 92

deployment server, cluster master, license master

Question 93

adding a search head cluster

Answer 93

more users for search and share. 3 search heads

Question 94

can add data inputs

Answer 94

cli, splunk web, input.conf, splunkbase

Question 95

click any item in search results (options)

Answer 95

add to search, exclude , new search

Question 96

search result layout

Answer 96

raw , list , table

Question 97

save as:

Answer 97

Report, dashboard panel, alert

Question 98

report types

Answer 98

numeric- 6 report types

alphanumeric- 3 report types

Question 99

pivot

Answer 99

can be displayed as; table or visualisation

Question 100

instant pivot

Answer 100

Use pivot without pre existing data model, executes search without commands
can select fields to be included in data model object

Question 101

lookup fields are–

Answer 101

case sensitive

Question 102

severity of triggered alerts—

Answer 102

low, medium, high, critical