Questions

Question 1

What determines the scope of data that appears in a scheduled report?

Answer 1

Permissions granted by the owner of report.

Question 2

When writing searches in Splunk.what is true about Booleans?

Answer 2

They must be uppercase.

Question 3

How can search results be kept for longer than 7 days?

Answer 3

Changing job settings

Question 4

When running searches, command modifiers are displayed in what colour?

Answer 4

Orange

Question 5

Which of the following is a Splunk search best practice?

Answer 5

Filter as early as possible

Question 6

How are events displayed after a search is executed?

Answer 6

Reverse chronological order

Question 7

What is the primary function of a scheduled report?

Answer 7

Triggering an alert in your Splunk instance when certain conditions are met

Question 8

Which commands is used to review the contents of a specified static lookup file?

Answer 8

inputlookup

Question 9

When sorting on multiple fields with the sort command, what delimiter can be used between the field names in the search?

Answer 9

,

Question 10

Which of the following about case sensitivity is true?

Answer 10

Field names ARE case sensitive; field values are NOT

Question 11

What does the rare command do?

Answer 11

Returns the least common field values of a given field in the results.

Question 12

Which Boolean operator is always implied between two search terms, unless otherwise specified?

Answer 12

AND

Question 13

What is the purpose of using a by clause with the stats command?

Answer 13

To group the results by one or more fields

Question 14

How can you add a field to the fields sidebar?

Answer 14

Click All Fields and select the field to add it to Selected Fields

Question 15

In the fields sidebar, which character denotes alpha numeric field values?

Answer 15

a

Question 16

How does Splunk determine which fields to extract from data?

Answer 16

Splunk automatically discovers many fields based on sourcetype and key/value pairs found in data.

Question 17

What syntax is used to link key/value pairs in search strings?

Answer 17

Relational operators such as =,

Question 18

In a deployment with multiple indexes, what will happen when a search is run and an index is not specified in the search string?

Answer 18

Events from every index searched by default to which the user has access will be returned

Question 19

In the Splunk interface, the list of alerts can be filtered based on which characteristics?

Answer 19

App, Time, Window, Type, and Severity

Question 20

When viewing results of a search, what is an interesting field?

Answer 20

A field that appears in the at least 20% of events

Question 21

When a Splunk search generates calculated data that appears in the Statistics tab, in what formats can the results be exported?

Answer 21

CSV, XML, JSON

Question 22

What is the recommended way to create multiple dashboards displaying data from the same search?

Answer 22

Export the results of the search to an XML file and use the file as the basis of the dashboards

Question 23

What does the stats command do?

Answer 23

Calculates statistics on data that matches the search criteria

Question 24

Which is the primary function of the timeline located under the search bar?

Answer 24

To show peaks and/or valleys in the timeline, which can indicate spikes in activity or downtime.

Question 25

What can be configured using the Edit Job Settings menu?

Answer 25

Change Job Lifetime from 10 minutes to 7 days

Question 26

What is the primary use of the rare command?

Answer 26

To find the least common values of a field in a dataset

Question 27

What happens when a field is added to Selected Fields?

Answer 27

The selected field wand it’s corresponding values will appear underneath the events in the search results.

Question 28

How would you describe lookup files?

Answer 28

Lookups contain static data available in the index.

Question 29

Which component of Splunk is primarily responsible for saving data?

Answer 29

Indexer

Question 30

Is the universal forwarded recommended for forwarding logs to the indexers?

Answer 30

Yes.

Question 31

What can be used as a wildcard search in Splunk?

Answer 31

*

Question 32

Can prefix wildcards cause performance issues?

Answer 32

Yes

Question 33

What forms does machine data come in?

Answer 33

Structured and unstructured

Question 34

How many user roles are there in Splunk?

Answer 34

3

Question 35

Where can data be parsed?

Answer 35

Heavy Forwarder and Indexers

Question 36

How can you onboard data to Splunk?

Answer 36

CLI, Splunk Web, Splunk apps and add-ons, inputs.conf

Question 37

What does the eval command do?

Answer 37

Calculates an expression and puts the resulting value into a destination field

Question 38

When could you need to use lookup tables?

Answer 38

To retrieve additional information present in the raw events.

Question 39

What’s an advantage of using data models with Pivot?

Answer 39

You can create dashboards and reports without designing the searches that generate them.

Question 40

What is the difference between Selected Fields and Interesting Fields in the Fields sidebar?

Answer 40

Selected Fields show host, source, and sourcetype fields.

Interesting Fields show the fields extracted by Splunk that are present in at least 20% of the events.