Splunk 7.x Fundamentals Part 1 & Others Flashcards
Machine data is always structured.
Select your answer.
True
False
False
Machine data makes up for more than ___% of the data accumulated by organizations.
Select your answer. 10 90 25 50
90%
Machine data is only generated by web servers.
Select your answer.
False
True
False
Search requests are processed by the ___________.
Select your answer.
Forwarders
Indexers
Search Heads
Indexers
A single-instance deployment of Splunk Enterprise handles:
Select all that apply. Indexing Input Searching Parsing
Indexing
Searching
Parsing
Which of these is not a main component of Splunk?
Select your answer. Collect and index data Compress and archive Search and investigate Add knowledge
Compress and archive
In most Splunk deployments, ________ serve as the primary way data is supplied for indexing.
Select your answer.
Search Heads
Forwarders
Local Files
Forwarders
Which function is not a part of a single instance deployment?
Select your answer. Searching Indexing Clustering Parsing
Clustering
Which apps ship with Splunk Enterprise?
Select all that apply. Sideview Utils DB Connect Search & Reporting Home App
Search & Reporting
Home App
What are the three main default roles in Splunk Enterprise?
Select all that apply. Admin User King Manager Power
Admin
User
Power
_________ define what users can do in Splunk.
Select your answer.
Tokens
Disk permissions
Roles
Roles
You can launch and manage apps from the home app.
Select your answer.
False
True
True
The password for a newly installed Splunk instance is:
Select your answer. Your email address. Randomly generated. Created when you install Splunk Enterprise. Available from the splunk.com website.
Created when you install Splunk Enterprise.
This role will only see their own knowledge objects and those that have been shared with them.
Select your answer.
User
Admin
Power
User
In most production environments, _______ will be used as the source of data input.
Fill in the blank.
Forwarders
The monitor input option will allow you to continuously monitor files.
Select your answer.
True
False
True
Splunk knows where to break the event, where the time stamp is located and how to automatically create field value pairs using these.
Select your answer.
Source types
Line breaks
File names
Source types
Splunk uses ________ to categorize the type of data being indexed.
Fill in the blank.
source types
Files indexed using the upload input option get indexed _____.
Select your answer. Every hour On every search Once Each time Splunk restarts
Once
The time stamp you see in the events is based on the time zone in your user account.
Select your answer.
True
False
True
How is the asterisk used in Splunk search?
Select your answer. To make a nose for your clown emoticon As a wildcard As a place holder To add up numbers
As a wildcard
Events are always returned in chronological order.
Select your answer.
True
False
False
A search job will remain active for ___ minutes after it is run.
Select your answer. 10 30 5 90 20
10
Commands that create statistics and visualizations are called _______________ commands.
Fill in the blank.
transforming
When zooming in on the event time line, a new search is run.
Select your answer.
False
True
False
When a search is sent to Splunk, it becomes a _____.
Select your answer. Search job Task for Jimmy the Splunk elf Event File on the host system
Search job
What is the order of evaluation for Boolean operations in Splunk?
Drag and drop into the correct order.
AND NOT OR
NOT
OR
AND
These are booleans in the Splunk Search Language.
Select all that apply. OR IF AND NOT
OR
AND
NOT
Which of the following search modes toggles behavior based on the type of search being run?
Select your answer.
Fast
Verbose
Smart
Smart
These searches will return the same results.
failed password
failed AND password
Select your answer.
False
True
True
Wildcards cannot be used with field searches.
Select your answer.
True
False
False
What attributes describe the circled field below?
a dest 4
Select all that apply. It contains numerical values It contains 4 values. It cannot be used in a search. It contains string values.
It contains 4 values.
It contains string values.
Field names are ________.
Select all that apply. Always capitalized Case insensitive Case sensitive Not important in Splunk
Case sensitive
Which is not a comparison operator in Splunk?
Select your answer. ?= = <= != >
?=
Field values are case sensitive.
Select your answer.
False
True
False
As a general practice, exclusion is better than inclusion in a Splunk search.
Select your answer.
True
False
False
What is the most efficient way to filter events in Splunk?
Select your answer.
By time.
With an asterisk.
Using booleans.
By time.
Having separate indexes allows:
Select all that apply.
Ability to limit access.
Multiple retention policies
Faster Searches.
Ability to limit access.
Multiple retention policies
Faster Searches.
Time to search can only be set by the time range picker.
Select your answer.
True
False
False
This symbol is used in the “Advanced” section of the time range picker to round down to nearest unit of specified time.
Select your answer. & % * @ ^
@
What is missing from this search?
sourcetype=a* | rename ip as “User IP” | table User IP
Select your answer. Quotation marks around User IP. Search terms A table command. A pipe.
Quotation marks around User IP.
Finish the rename command to change the name of the status field to HTTP Status.
sourcetype=a* status=404 | rename _____________
Select your answer. as "HTTP Status" status to "HTTP Status" status as "HTTP Status" status as HTTP Status
status as “HTTP Status”
What command would you use to remove the status field from the returned events?
sourcetype=a* status=404 | _____________ status
Select your answer. table fields - fields not
fields -
Excluding fields using the Fields Command will benefit performance.
Select your answer.
True
False
False
Would the ip column be removed in the results of this search? Why or why not?
sourcetype=a* | rename ip as “User” | fields - ip
Select your answer.
No, because table columns can not be removed.
Yes, because a pipe was used between search commands
No, because the name was changed.
Yes, because the negative sign was used.
No, because the name was changed.
To display the most common values in a specific field, what command would you use?
Select your answer. all table top rare
top
Which clause would you use to rename the count field?
sourcetype=vendor* | stats count _______ "Units Sold"
Select your answer. rename show as to
as
How many results are shown by default when using a Top or Rare Command?
Fill in the blank.
10
Which one of these is not a stats function?
Select your answer. Sum Count Avg List Addtotals
Addtotals
Which stats function would you use to find the average value of a field?
Fill in the blank.
Avg
Charts can be based on numbers, time, or location.
Select your answer.
False
True
True
The User role can not create reports.
Select your answer.
True
False
False
A time range picker can be included in a report.
Select your answer.
True
False
True
If a search returns this, you can view the results as a chart.
Select your answer. Numbers Statistical values A list. Time limits.
Statistical values
In a dashboard, a time range picker will only work on panels that include a(n) __________ search.
Select your answer. visualization transforming accelerated inline
inline
These roles can create reports:
Select all that apply.
User
Admin
Power
User
Admin
Power
_____________ are reports gathered together into a single pane of glass.
Select your answer. Dashboards Alerts Scheduled Reports Panels
Dashboards
Adding child data model objects is like the ______ Boolean in the Splunk search language.
Select your answer.
OR
AND
NOT
AND
Pivots can be saved as dashboard panels.
Select your answer.
False
True
True
Data models are made up of ___________.
Select your answer. Dashboard panels Pivots Datasets Transforming searches
Datasets
Pivots cannot be saved as report panels.
Select your answer.
True
False
False
These are knowledge objects that provide the data structure for pivot.
Select your answer. Indexes Data models Alerts Reports
Data models
Which role(s) can create data models?
Select all that apply.
Admin
Power
User
User
When using a .csv file for Lookups, the first row in the file represents this.
Select your answer. Field names Input fields Output fields Nothing, it is ignored
Field names
External data used by a Lookup can come from sources like:
Select all that apply. None. Only internal data can be used. Geospatial data Scripts CSV files
Geospatial data
Scripts
CSV files
Finish this search command so that it displays data from the http_status.csv Lookup file.
| __________ http_status.csv
Select your answer. inputlookup lookup=* lookup datalookup
inputlookup
A lookup is categorized as a dataset.
Select your answer.
False
True
True
To keep from overwriting existing fields with your Lookup you can use the ____________ clause.
Fill in the blank.
OUTPUTNEW
Real-time alerts will run the search continuously in the background.
Select your answer.
False
True
True
Alerts can send an email.
Select your answer.
False
True
True
Alerts can run uploaded scripts.
Select your answer.
True
False
True
Alerts can be shared to all apps.
Select your answer.
True
False
True
Once an alert is created, you can no longer edit its defining search.
Select your answer.
True
False
False
An alert is an action triggered by a _____________.
Select your answer. Report Saved search Selected field Tag
Saved search
Splunk major parts
search heads
indexers
forwarders
What are the types of forwarders?
○ Universal Forwarder
○ Light Forwarder (deprecated)
○ Heavy Forwarder
How to install forwarders in large environments?
Deployment tools like SCCM, Ansible, or Chef
What are Splunk deployment schemes?
- Small/non-distributed environment: all parts combined in one instance, fewer than 100 forwarders
- Enterprise/distributed environment: mini-indexers, search heads, 1000s of forwarders
- Clustering: data replication (availability, fidelity, recovery), redundancy
What are the server roles?
Search Head, Indexer, Cluster Master, License Master, Deployment Server, KV Store, SHC Deployer
Splunk General tasks?
- Creating reports
- Creating dashboards
- Creating alerts
- Scheduled reports and alerts
Splunk SOC tasks?
- Centralized monitoring
- Event log collection
- Log correlation to identify IOCs
- Import syslog and local registry information into Splunk
- Create multiple compliance reports
Palo Alto Authentication
- Configuring Authentication
- Using Two-Factor Authentication to Secure the Firewall
Palo Alto Decryption
- Decrypting SSH Traffic
- Decrypting SSL Inbound Traffic
Palo Alto Application Management
- Allowing Only Trusted Applications
- Denying High Risk Apps
Palo Alto Responding to Attacks
Stopping Reconnaissance Attacks
Denying International Attackers
Using Dynamic Block Lists
Cisco ASA Tasks
Configure IPS
Configure NAT
Implement VPN via ASA Device Manager
pfSense tasks
PCAP Analysis
Analyze Network Traffic with pftop
Using syslog to identify access
Python?
- If statement, For, While loops
- If/else
- While loop
- Python functions
Powershell?
- Piping
- Scripting basics
- Common commands
Regex?
- Queries basics
- Building Regex:
- Extracting Data from Windows logs
- Extracting data from firewall logs
SQL?
- Statements: Select, Delete, Update, Insert
- Creating Views