Splunk 7.x Fundmentals Part1 & Others

Question 1

Machine data is always structured.

Select your answer.
True
False

Answer 1

False

Question 2

Machine data makes up for more than ___% of the data accumulated by organizations.

Select your answer.
10
90
25
50

Answer 2

90%

Question 3

Machine data is only generated by web servers.

Select your answer.
False
True

Answer 3

False

Question 4

Search requests are processed by the ___________.

Select your answer.
Forwarders
Indexers
Search Heads

Answer 4

Indexers

Question 5

A single-instance deployment of Splunk Enterprise handles:

Select all that apply.
Indexing
Input
Searching
Parsing

Answer 5

Indexing
Searching
Parsing

Question 6

Which of these is not a main component of Splunk?

Select your answer.
Collect and index data
Compress and archive
Search and investigate
Add knowledge

Answer 6

Compress and archive

Question 7

In most Splunk deployments, ________ serve as the primary way data is supplied for indexing.

Select your answer.
Search Heads
Forwarders
Local Files

Answer 7

Forwarders

Question 8

Which function is not a part of a single instance deployment?

Select your answer.
Searching
Indexing
Clustering
Parsing

Answer 8

Clustering

Question 9

Which apps ship with Splunk Enterprise?

Select all that apply.
Sideview Utils
DB Connect
Search & Reporting
Home App

Answer 9

Search & Reporting

Home App

Question 10

What are the three main default roles in Splunk Enterprise?

Select all that apply.
Admin
User
King
Manager
Power

Answer 10

Admin
User
Power

Question 11

_________ define what users can do in Splunk.

Select your answer.
Tokens
Disk permissions
Roles

Answer 11

Roles

Question 12

You can launch and manage apps from the home app.

Select your answer.
False
True

Answer 12

True

Question 13

The password for a newly installed Splunk instance is:

Select your answer.
Your email address.
Randomly generated.
Created when you install Splunk Enterprise.
Available from the splunk.com website.

Answer 13

Created when you install Splunk Enterprise.

Question 14

This role will only see their own knowledge objects and those that have been shared with them.

Select your answer.
User
Admin
Power

Answer 14

User

Question 15

In most production environments, _______ will be used as the source of data input.

Fill in the blank.

Answer 15

Forwarders

Question 16

The monitor input option will allow you to continuously monitor files.

Select your answer.
True
False

Answer 16

True

Question 17

Splunk knows where to break the event, where the time stamp is located and how to automatically create field value pairs using these.

Select your answer.
Source types
Line breaks
File names

Answer 17

Source types

Question 18

Splunk uses ________ to categorize the type of data being indexed.

Fill in the blank.

Answer 18

source types

Question 19

Files indexed using the the upload input option get indexed _____.

Select your answer.
Every hour
On every search
Once
Each time Splunk restarts

Answer 19

Once

Question 20

The time stamp you see in the events is based on the time zone in your user account.

Select your answer.
True
False

Answer 20

True

Question 21

How is the asterisk used in Splunk search?

Select your answer.
To make a nose for your clown emoticon
As a wildcard
As a place holder
To add up numbers

Answer 21

As a wildcard

Question 22

Events are always returned in chronological order.

Select your answer.
True
False

Answer 22

False

Question 23

A search job will remain active for ___ minutes after it is run.

Select your answer.
10
30
5
90
20

Answer 23

10

Question 24

Commands that create statistics and visualizations are called _______________ commands.

Fill in the blank.

Answer 24

transforming

Question 25

When zooming in on the event time line, a new search is run. Select your answer. False True

Answer 25

False

Question 26

When a search is sent to splunk, it becomes a _____. ``` Select your answer. Search job Task for Jimmy the Splunk elf Event File on the host system ```

Answer 26

Search job

Question 27

What is the order of evaluation for Boolean operations in Splunk? Drag and drop into the correct order. AND NOT OR

Answer 27

NOT OR AND

Question 28

These are booleans in the Splunk Search Language. ``` Select all that apply. OR IF AND NOT ```

Answer 28

OR AND NOT

Question 29

Which following search mode toggles behavior based on the type of search being run? Select your answer. Fast Verbose Smart

Answer 29

Smart

Question 30

These searches will return the same results. failed password failed AND password Select your answer. False True

Answer 30

True

Question 31

Wildcards cannot be used with field searches. Select your answer. True False

Answer 31

False

Question 32

What attributes describe the circled field below? a dest 4 ``` Select all that apply. It contains numerical values It contains 4 values. It cannot be used in a search. It contains string values. ```

Answer 32

It contains 4 values. | It contains string values.

Question 33

Field names are ________. ``` Select all that apply. Always capitalized Case insensitive Case sensitive Not important in Splunk ```

Answer 33

Case sensitive

Question 34

Which is not a comparison operator in Splunk? ``` Select your answer. ?= = <= != > ```

Answer 34

?=

Question 35

Field values are case sensitive. Select your answer. False True

Answer 35

False

Question 36

As a general practice, exclusion is better than inclusion in a Splunk search. Select your answer. True False

Answer 36

False

Question 37

What is the most efficient way to filter events in Splunk? Select your answer. By time. With an asterisk. Using booleans.

Answer 37

By time.

Question 38

Having separate indexes allows: Select all that apply. Ability to limit access. Multiple retention policies Faster Searches.

Answer 38

Ability to limit access. Multiple retention policies Faster Searches.

Question 39

Time to search can only be set by the time range picker. Select your answer. True False

Answer 39

False

Question 40

This symbol is used in the "Advanced" section of the time range picker to round down to nearest unit of specified time. ``` Select your answer. & % * @ ^ ```

Answer 40

@

Question 41

What is missing from this search? sourcetype=a* | rename ip as "User IP" | table User IP ``` Select your answer. Quotation marks around User IP. Search terms A table command. A pipe. ```

Answer 41

Quotation marks around User IP.

Question 42

Finish the rename command to change the name of the status field to HTTP Status. sourcetype=a* status=404 | rename----------------- ``` Select your answer. as "HTTP Status" status to "HTTP Status" status as "HTTP Status" status as HTTP Status ```

Answer 42

status as "HTTP Status"

Question 43

What command would you use to remove the status field from the returned events? sourcetype=a* status=404 | ----------------- status ``` Select your answer. table fields - fields not ```

Answer 43

fields -

Question 44

Excluding fields using the Fields Command will benefit performance. Select your answer. True False

Answer 44

False

Question 45

Would the ip column be removed in the results of this search? Why or why not? sourcetype=a* | rename ip as "User" | fields - ip Select your answer. No, because table columns can not be removed. Yes, because a pipe was used between search commands No, because the name was changed. Yes, because the negative sign was used.

Answer 45

No, because the name was changed.

Question 46

To display the most common values in a specific field, what command would you use? ``` Select your answer. all table top rare ```

Answer 46

top

Question 47

Which clause would you use to rename the count field? sourcetype=vendor* | stats count ------- "Units Sold" ``` Select your answer. rename show as to ```

Answer 47

as

Question 48

How many results are shown by default when using a Top or Rare Command? Fill in the blank.

Answer 48

10

Question 49

Which one of these is not a stats function? ``` Select your answer. Sum Count Avg List Addtotals ```

Answer 49

Addtotals

Question 50

Which stats function would you use to find the average value of a field? Fill in the blank.

Answer 50

Avg

Question 51

Charts can be based on numbers, time, or location. Select your answer. False True

Answer 51

True

Question 52

The User role can not create reports. Select your answer. True False

Answer 52

False

Question 53

A time range picker can be included in a report. Select your answer. True False

Answer 53

True

Question 54

If a search returns this, you can view the results as a chart. ``` Select your answer. Numbers Statistical values A list. Time limits. ```

Answer 54

Statistical values

Question 55

In a dashboard, a time range picker will only work on panels that include a(n) __________ search. ``` Select your answer. visualization transforming accelerated inline ```

Answer 55

inline

Question 56

These roles can create reports: Select all that apply. User Admin Power

Answer 56

User Admin Power

Question 57

_____________ are reports gathered together into a single pane of glass. ``` Select your answer. Dashboards Alerts Scheduled Reports Panels ```

Answer 57

Dashboards

Question 58

Adding child data model objects is like the ______ Boolean in the Splunk search language. Select your answer. OR AND NOT

Answer 58

AND

Question 59

Pivots can be saved as dashboards panels. Select your answer. False True

Answer 59

True

Question 60

Data models are made up of ___________. ``` Select your answer. Dashboard panels Pivots Datasets Transforming searches ```

Answer 60

Datasets

Question 61

Pivots cannot be saved as reports panels. Select your answer. True False

Answer 61

False

Question 62

These are knowledge objects that provide the data structure for pivot. ``` Select your answer. Indexes Data models Alerts Reports ```

Answer 62

Data models

Question 63

Which role(s) can create data models? Select all that apply. Admin Power User

Answer 63

User

Question 64

When using a .csv file for Lookups, the first row in the file represents this. ``` Select your answer. Field names Input fields Output fields Nothing, it is ignored ```

Answer 64

Field names

Question 65

External data used by a Lookup can come from sources like: ``` Select all that apply. None. Only internal data can be used. Geospatial data Scripts CSV files ```

Answer 65

Geospatial data Scripts CSV files

Question 66

Finish this search command so that it displays data from the http_status.csv Lookup file. | ---------- http_status.csv ``` Select your answer. inputlookup lookup=* lookup datalookup ```

Answer 66

inputlookup

Question 67

A lookup is categorized as a dataset. Select your answer. False True

Answer 67

True

Question 68

To keep from overwriting existing fields with your Lookup you can use the ____________ clause. Fill in the blank.

Answer 68

OUTPUTNEW

Question 69

Real-time alerts will run the search continuously in the background. Select your answer. False True

Answer 69

True

Question 70

Alerts can send an email. Select your answer. False True

Answer 70

True

Question 71

Alerts can run uploaded scripts. Select your answer. True False

Answer 71

True

Question 72

Alerts can be shared to all apps. Select your answer. True False

Answer 72

True

Question 73

Once an alert is created, you can no longer edit its defining search. Select your answer. True False

Answer 73

False

Question 74

An alert is an action triggered by a _____________. ``` Select your answer. Report Saved search Selected field Tag ```

Answer 74

Saved search

Question 75

Splunk major parts

Answer 75

search heads indexers forwarders

Question 76

What are the types of forwarders?

Answer 76

○ Universal Forwarder   ○ Light Forwarder (deprecated)   ○ Heavy Forwarder

Question 77

How to install forwarders in large environments?

Answer 77

Deployment tools like SCCM, Ansible, or Chef

Question 78

What are Splunk deployment schemes?

Answer 78

- small/non-distributed environment combining all parts in one instance less than 100 forwarders - Enterprise/distributed environment: mini-indexers, search heads, 1000s of forwarders - clustering: data replication (availability, fidelity, recovery), redundancy

Question 79

What are the server roles?

Answer 79

``` Search Head, Indexer, Cluster Master, License Master, Deployment Server, KV Store, SHC Deployer ```

Question 80

Splunk General tasks?

Answer 80

- Creating reports - Creating dashboards - Creating alerts - Scheduled reports and alerts

Question 81

Splunk SOC tasks?

Answer 81

- Centralized monitoring - Event log collection - Log correlation to identify IOCs - Import syslog and local registry information into Splunk - Create multiple compliance reports

Question 82

PaloAlto Authentication

Answer 82

- Configuring Authentication | - Using Two-Factor Authentication to Secure the Firewall

Question 83

PaloAlto Decryption

Answer 83

- Decrypting SSH Traffic | - Decrypting SSL Inbound Traffic

Question 84

PaloAlto application Management

Answer 84

- Allowing Only Trusted Applications | - Denying High Risk Apps

Question 85

PaloAlto Responding to Attacks

Answer 85

Stopping Reconnaissance Attacks Denying International Attackers Using Dynamic Block Lists

Question 86

Cisco ASA Tasks

Answer 86

Configure IPS Configure NAT Implement VPN via ASA Device Manager

Question 87

pFsense tasks

Answer 87

PCAP Analysis Analyze Network Traffic with pftop Using syslog to identify access

Question 88

Python?

Answer 88

- If statement, For, While loops - If/else - While loop - Python functions

Question 89

Powershell?

Answer 89

- Piping - Scripting basics - Common commands

Question 90

Regex?

Answer 90

- Queries basics - Building Regex: * Extracting Data from Windows logs * Extracting data from firwall logs

Question 91

SQL?

Answer 91

- Statements: Select, Delte, Update, Insert | - Creating Views