Splunk Flashcards

Question

An alert is an action triggered by a ____________.

Answer 1

saved search

Answer 2

data models

Answer 3

Admin and Power

Answer 4

non-transforming

Answer 5

case insensitive

Answer 6

Search & Reporting | Home App

Answer 7

sourcetype

Answer 8

Compress and archive

Answer 9

Out of the box there are 3 main roles

Answer 10

Click Data Summary in the Searching & Reporting app

Answer 11

Host, Sources, and Sourcetypes on separate tabs

Answer 12

The local timezone set in your profile.

Answer 13

insensitive

Answer 14

What booleans are supported in splunk search?

Answer 15

Reverse chronological order (newest first)

Answer 16

timestamp, host, source, sourcetype

Answer 17

earliest and latest | eg: earliest=-h latest=@d

Answer 18

No, it only filters the results

Answer 19

CSV, XML, JSON

Answer 20

Instead of returning all the results, from a search, it returns a random sampling of events.

Answer 21

Each event, found in a search, has a 1 in 100, or 1% change of being included in the sample result set.

Answer 22

searchable key/value pairs from event data.

Answer 23

Based on sourcetype and key/value pairs found in the data.

Answer 24

20% of events have these fields present in them.

Answer 25

Fast, Smart, Verbose

Answer 26

Case sensitive

Answer 27

Returns everything except the events matching the NOT boolean

Answer 28

One or more panels displaying data visually in a useful way.

Answer 29

When including spaces or special characters

Answer 30

+ (include) occurs before field extraction and improves performance - (exclude) occurs after field extraction, and no performance improvement

Answer 31

The limit option | e.g: | sort limit=20 -categoryID, product_name

Answer 32

count & percent

Answer 33

limit (limit=0 returns unlimited results)

Answer 34

chart or timechart

Answer 35

line, area, column, bar, bubble, scatter, pie

Answer 36

transaction

Answer 37

case_sensitive_match

Answer 38

Field Aliases

Answer 39

Settings > Tags > List by field value pair

Answer 40

Event Type

Answer 41

Workflow Actions

Answer 42

Common Information Model (CIM)

Answer 43

password AND failed

Answer 44

As a wildcard

Answer 45

status as "HTTP Status"

Answer 46

No, because the name was changed.

Answer 47

Quotation marks around User ID

Answer 48

Statistical values

Answer 49

Time range selected

Answer 50

An IP address.

Answer 51

if (Boolean, Is True, Is False)

Answer 52

The Fieldformat Command.

Answer 53

transaction

Answer 54

Transactions

Answer 55

User, Power, Admin

Answer 56

All apps Private Specifiic App

Answer 57

field names

Answer 58

Define a lookup table Define a lookup Create and automatic lookup

Answer 59

inputlookup

Answer 60

Can be referenced by lookup tables. Are applicable to a specified app context. Make correlation easier.

Answer 61

Eval Commands

Answer 62

The event actions menu

Answer 63

The regular expression.

Answer 64

Are persistent Are specific to a host, source or sourcetype. Are reusable in multiple searches.

Answer 65

tag::host=alert

Answer 66

Event Types

Answer 67

Send field values to external resources. Pass variables to a URL. Execute a secondary search.

Answer 68

List in triggered alerts Send Email Run a script

Answer 69

Allow you to store entire search strings, including pipes and eval statements. Are time range independent. Can pass arguments to the search.

Answer 70

dostuff(2)

Answer 71

Add a root object

Answer 72

``` Auto-Extracted Eval Expression Lookup Regular Expression Geo IP ```

Answer 73

Forwarders Indexers Search Heads

Answer 74

compressed

Answer 75

Machines where the data originates

Answer 76

1. search heads | 2. indexers

Answer 77

Index Cluster

Answer 78

1. disk space | 2. CPU power

Answer 79

./splunk start

Answer 80

./splunk enable boot-start

Answer 81

1. admin | 2. changeme

Answer 82

Data input Indexing Search Management

Answer 83

Faster searches Access limiting Multiple retention policies

Answer 84

Hot buckets are writable, warm buckets are not. Hot buckets are searched first. The naming convention.

Answer 85

can_delete

Answer 86

forwarders

Answer 87

sourcetypes

Answer 88

Simple XML Splunk JavaScript SDKs

Answer 89

search peer

Answer 90

load balance

Answer 91

Distributed Management Console

Answer 92

forwarders

Answer 93

Search head

Answer 94

Machines where the data originates

Answer 95

all data on the local system

Answer 96

testing and development

Answer 97

Universal Forwarder

Answer 98

Sourcetype

Answer 99

in a consistent format

Answer 100

Search & Reporting, Home App

Answer 101

reverse chronological order

Answer 102

Dashboards

Answer 103

non-transforming

Answer 104

Data models

Answer 105

view the results of the instance of that search

Answer 106

verbose mode

Answer 107

top values by time

Answer 108

Click Data Summary in the Searching & Reporting app

Answer 109

Host, Sources, and Sourcetypes on separate tabs

Answer 110

The local timezone set in your profile.

Answer 111

insensitive

Answer 112

AND, OR, NOT

Answer 113

earliest and latest | eg: earliest=-h latest=@d

Answer 114

No, it only filters the results

Answer 115

Based on sourcetype and key/value pairs found in the data.

Answer 116

When including spaces or special characters

Answer 117

The limit option | e.g: | sort limit=20 -categoryID, product_name

Answer 118

chart or timechart

Answer 119

case_sensitive_match

Answer 120

Settings > Tags > List by field value pair

Answer 121

Event Type

Answer 122

Indexers, Forwarders, Search Heads

Answer 123

Clustering

Answer 124

Forwarders

Answer 125

Input, Parsing, Indexing, and Searching

Answer 126

source type

Answer 127

Source types

Answer 128

forwarders

Answer 129

Multiple retention policies, ability to limit access, and faster searches.

Answer 130

No, because the name was changed.

Answer 131

... | top Vendor limit=5 showperc=f

Answer 132

... | top Vendor limit=5 countfield="Number of Sales" userother=t

Answer 133

... | top product_name by Vendor limit=3 countfield="Number of Sales" showperc=f

Answer 134

... | rare Vendor limit=5 showcount"Number of Sales" showperc=f useother=t

Answer 135

... | rare product_name by Vendor limit=5 showcount="Number of Sales" showperc=f useother=t

Answer 136

... | stats count as "Potential Issues"

Answer 137

... | stats count(vendor_action) as ActionEvents, count as TotalEvents

Answer 138

... | stats count by user, app, vendor_action

Answer 139

... | stats dc(s_hostname) as "Websites visited:"

Answer 140

... | stats sum(sc_bytes) as Bandwidth by s_hostname | sort -Bandwidth

Answer 141

... | stats count as "Units Sold" avg(sale_price) as "Average Selling Price" by product_name

Answer 142

... | stats value(s_hostname) by cs_username

Answer 143

Statistical Values

Answer 144

non-transforming

Answer 145

Data models

Answer 146

CSV, scripts, geospatial data

Answer 147

search head

Answer 148

Admin, Power, User

Answer 149

Admin, power

Answer 150

field names

Answer 151

admin and changeme

Answer 152

search job

Answer 153

commands(x)

Answer 154

mvcount(MVFIELD)

Answer 155

mvdedup(X)

Answer 156

mvfilter(X)

Answer 157

mvfind(MVFIELD,"REGEX")

Answer 158

mvindex(MVFIELD,STARTINDEX,ENDINDEX)

Answer 159

mvjoin(MVFIELD,STR)

Answer 160

mvrange(X,Y,Z)

Answer 161

mvzip(X,Y,"Z")

Answer 162

split(X,"Y")

Answer 163

Forwarders

Answer 164

Source types

Answer 165

Sourcetypes

Answer 166

Search job

Answer 167

And Not Or

Answer 168

Multiple retention policies Ability to limit access Faster Searches

Answer 169

Power | Admin

Answer 170

Field names

Answer 171

inputlookup

Answer 172

Geospatial data CSV files Scripts

Answer 173

Double quotes around the exact word or phrase (CS)

Answer 174

Field value pairs are used to search an extracted field (Field name CS, Field value CI)

Answer 175

=, !=, , >=

Answer 176

- Keywords - Booleans - Phrases - Fields - Wildcards - Comparison Operators - time - specificity - the more you tell the search engine, the better your results - inclusion is better than exclusion

Answer 177

Commands tell Splunk what we want to do with the search results such as: - creating charts - computing statistics - formatting

Answer 178

Forwarders

Answer 179

Input, Parsing, Indexing, and Searching

Answer 180

... | top Vendor limit=5 showperc=f

Answer 181

.. | top Vendor limit=5 countfield="Number of Sales" userother=t

Answer 182

... | top product_name by Vendor limit=3 countfield="Number of Sales" showperc=f

Answer 183

... | rare Vendor limit=5 showcount"Number of Sales" showperc=f useother=t

Answer 184

... | rare product_name by Vendor limit=5 showcount="Number of Sales" showperc=f useother=t

Answer 185

... | stats count as "Potential Issues"

Answer 186

... | stats count(vendor_action) as ActionEvents, count as TotalEvents

Answer 187

... | stats count by user, app, vendor_action

Answer 188

... | stats dc(s_hostname) as "Websites visited:"

Answer 189

... | stats sum(sc_bytes) as Bandwidth by s_hostname | sort -Bandwidth

Answer 190

... | stats sum(sc_bytes) as Bandwidth by s_hostname | sort -Bandwidth

Answer 191

... | stats value(s_hostname) by cs_username

Answer 192

String value, contains 4 values

Answer 193

adaptive response action

Answer 194

ad hoc search

Answer 195

alert action

Answer 196

App Key Value Store

Answer 197

app manifest

Answer 198

audit event

Answer 199

Automatic key value field

Answer 200

base search

Answer 201

bloom filter

Answer 202

bucket fixing

Answer 203

Build Event Type utility

Answer 204

calculated field

Answer 205

capability

Answer 206

character set encoding

Answer 207

collection

Answer 208

command-line interface

Answer 209

command-line tool

Answer 210

Common Information Model (CIM)

Answer 211

Community support

Answer 212

conditional routing

Answer 213

Index Data, Search and Investigate, Add Knowledge, Monitor and Alert, and Report & Analyze

Answer 214

Collects data from any source. As data enters, inspectors go to work. Determines how to process the data. When it is matched it is labeled with a source type. Data is then broken into single events. Time stamps are identified and normalized to a consistent format. Events then stored in Splunk index where they can be searched.

Answer 215

Find values across multiple sources allowing to analyze and run statistics.

Answer 216

Add knowledge objects to data. Effects how data is interpreted. Classified and enriched, and normalized for future use.

Answer 217

Can Monitor infrastructure in real time to identify issues, problems, and attacks before they impact customers and services. Create alerts and automatically respond with a variety of actions.

Answer 218

Provides reports and the ability to do dashboards empowering groups in the organization by giving them the information they need organized into a single pane.

Answer 219

(1) Require minimal resources, (2)little impact on performance, (3) Reside on the machine where the data originates.

Answer 220

Single Instance to a full distributed infrastructure.

Answer 221

Input, Parsing, Indexing and Searching

Answer 222

Perfect environment for proof of concept, personal use, learning, and night serve the need of small department-sized environments.

Answer 223

Split the functionality across multiple specialized instances of Splunk enterprise. Add forwarders to send data to our indexers and eventually add multiple search heads and indexers to increase our indexing and search capacity. Search heads and indexes can also be clustered making sure data is always available and searchable.

Answer 224

Separate indexes can make searches faster. Limits data amount Splunk searches. Returns events only from that index.Multiple indexes allow limiting access by user role in order to control who sees what data. Also helps with retention policies

Answer 225

Limiting a search to time frame is a best practice.

Answer 226

Called Transforming Commands which transform data into data tables.

Answer 227

By default will remain active for 10 minutes

Answer 228

Remain active for 7 days

Answer 229

add backslash info="keyword1\"keyword2\"not in db"

Answer 230

Search by Time, inclusion is better than exclusion,filter command as early as possible in search,

Answer 231

1. Search Terms. 2. Commands. 3. Functions 4. Arguments 5. Clauses

Answer 232

Tells Splunk what we want to do with Search Results such as creating charts, computing statisitcs, and formatting

Answer 233

Explain how we want to chart, compute, and evaluate the results.

Answer 234

Variables we want to apply to the functions

Answer 235

Explain how we want the results grouped or defined.

Answer 236

Search Term, Commands, Functions

Answer 237

Indexer - It indexes the machine data Forwarder - Refers to Splunk instances that forward data to the remote indexers Search Head - Provides GUI for searching Deployment Server -Manages the Splunk components like indexer, forwarder, and search head in computing environment

Answer 238

Universal Forwarders - It performs processing on the incoming data before forwarding it to the indexer. Heavy Forwarders - It parses the data before forwarding them to the indexer works as an intermediate forwarder, remote collector.

Answer 239

``` Sorting Results Filtering Results Grouping Results. Filtering, Modifying and Adding Fields Reporting Results ```

Answer 240

``` Splunk Management Port 8089 Splunk Index Replication Port 8080 KV store 8191 Splunk Web Port 8000 Splunk Indexing Port 9997 Splunk network port 514 ```

Answer 241

A directory that contains indexed data is known as a Splunk bucket. It also contains events of a certain period.

Answer 242

Bucket lifecycle includes following stages: Hot - It contains newly indexed data and is open for writing. For each index, there are one or more hot buckets available Warm - Data rolled from hot Cold - Data rolled from warm Frozen - Data rolled from cold. The indexer deletes frozen data by default but users can also archive it. Thawed - Data restored from an archive. If you archive frozen data , you can later return it to the index by thawing (defrosting) it.

Answer 243

fail* password | stats count by src, dest, user, sourcetype | sort - count | where count > 2

Answer 244

bin Directory, ./splunk start

Answer 245

Hot -R/W-NoBackups | Warm-ROnly-YesBackups | Cold-ROnly-YesBackups

Answer 246

Host & Warm: $SPLUNK_HOME/var/lib/splunk/defaultdb/db/* Cold ~defaultdb/colddb/* Thawed ~ defualtdb/thaweddb/*

Answer 247

N/A Frozen data gets deleted or archived into a directory location you specify.

Answer 248

$SPLUNK_HOME/var/log/splunk

Answer 249

True - Splunk stores log file in splunkd.log under $SPLUNK_HOME/var/log/splunk/

Answer 250

Parsing can be done in Props & transforms.

Answer 251

Modify the splunk-launch.conf to change the defualt splunk data store location.

Answer 252

indexes.conf is used to create index in splunk

Answer 253

Authentication.conf is used to add LDAP groups.

Answer 254

authorize.conf

Answer 255

Search macros are reusable chunks of Search Processing Language (SPL) that you can insert into other searches. Macros you define, are stored in macros.conf

Answer 256

Splunk stores data in 2 type of files/directories 1) actual data in zip files takes ~15% of file size 2) index files takes ~35% of file size So around 50% of files size require to store that file and other than this space is required to store search results.

Answer 257

Summary index is used to give fast result of report/dashboard. You can store any cron/save search result in summary index so that you can reduce the data in summary index.

Answer 258

``` BATCH ("Upload a file" in Splunk Web): TCP: Data distribution: UDP: FIFO (First In, First Out queue): Scripted Input: File system change monitor (fschange monitor) File system monitoring filters: http: (HTTP Event Collector) HTTP Event Collector (HEC) - Local stanza for each token WINDOWS INPUTS: Performance Monitor Windows Event Log Monitor Event Log whitelist and blacklist formats Active Directory Monitor Remote Queue Monitor SQS specific settings Windows Registry Monitor Windows Host Monitoring ```

Answer 259

splunk enable app SplunkForwarder -auth :

Answer 260

System local, App local, App default, System default.

Answer 261

User Directories for current user, App Directories for current running app, App Dirs for all other apps, System Dirs.

Answer 262

Edit $SPLUNK_HOME/etc/splunk-launch.conf

Answer 263

server.conf [diskUsage] minFreeSpace =

Answer 264

5000MB or 5GB

Answer 265

A time-series index file; A tsidx file associates each unique keyword in your data with location references to events, which are stored in a companion rawdata file. Together, the rawdata file and its related tsidx files make up the contents of an index bucket. Each search you run scans tsidx files for the search keywords and uses their location references to retrieve from the rawdata file the events to which those keywords refer. To speed up searches, bloom filters narrow the set of tsidx files that Splunk Enterprise must search to get accurate results.

Answer 266

indexes.conf [indexname] enableTsidxreduction=True timePeriodInSecBeforeTsidxReduction=86400

Answer 267

A data structure that you use to test whether an element is a member of a set. Splunk Enterprise uses bloom filters to decrease the time it requires to retrieve events from the index. This strategy is effective when you search for rare terms. In Splunk Enterprise, bloom filters work at the index bucket level. The filters rule out buckets that do not contain keywords from the search being run. Splunk Enterprise saves time searching by focusing on the tsidx files within the bucket where the search keywords exist.

Answer 268

Retention is managed via limits.conf | Create bloom filter for specific index via indexes.conf

Answer 269

Authorize.conf

Answer 270

frozenTimePeriodInSecs

Answer 271

Search head

Answer 272

splunk clean eventdata -index web

Answer 273

To Extract fields, parsing etc but do not provide dashboards.

Answer 274

Can Edit all saved searches, alerts, objects, ect

Answer 275

Delete search or keyword

Answer 276

Clustering

Answer 277

Input, Parsing, Indexing, and Searching

Answer 278

User, Power, Admin

Answer 279

Source Type

Answer 280

NOT, OR, AND

Answer 281

inputs.conf for port 9997

Answer 282

$SPLUNK_HOME/etc/system/local Server classes are essentially categories. They use filters to control what clients they apply to, contain a set of applications, and may define deployment server behavior for the management of those applications.

Answer 283

Used to decipher file input issues. A subdirectory where Splunk software tracks how far into a file indexing has progressed, to enable the software to detect when data has been added to the file and resume indexing. The fishbucket subdirectory contains seek pointers and CRCs for indexed files. default location /opt/splunk/var/lib/splunk

Answer 284

As the indexer indexes your data, it creates a number of files. These files contain two types of data: The raw data in compressed form (rawdata) Indexes that point to the raw data, plus some metadata files (index files) Together, these files constitute the Splunk Enterprise index.

Answer 285

deploymentclient.conf

Answer 286

500 - 1000 Clients, even more than this and it depends of the periodicity, and the size of the bundles to deploy.

Answer 287

Distributed Management Console; Dashboard providing insight to your deployment. Install on Search head(not rec for prod), License master, or Deployment server.

Answer 288

Batch - Use batch to set up a one time, destructive input of data from a source. For continuous, non-destructive inputs, use monitor. Remember, after the batch input is indexed, Splunk Enterprise deletes the file.

Answer 289

An application that ingests machine data, indexes it, and visualizes it for users to

Answer 290

The money in the field is great, the amount of data that can be analyzed is incredible, 70% of companies are transitioning into splunk, allows you to gain new insight, there is a community called ninjas that allows you to be interactive with, and its fun!

Answer 291

Enterprise, Cloud, Light

Answer 292

A script that sends data from a device to the splunk device

Answer 293

A single entity such as an row in a table. Or if you have an alert that comes into splunk which will be timestamped

Answer 294

Splunk Processing Language

Answer 295

a space is an implied ____ in a search string

Answer 296

chronological, alphabetical, ascii

Answer 297

1. selecting a range of bars on the timeline 2. selecting a bar on the timeline 3. deselect

Answer 298

default fields

Answer 299

all extracted fields

Answer 300

false (fast, smart, verbose)

Answer 301

1. on a regular schedule | 2. in real-time

Answer 302

constantly running in the background

Answer 303

returns a fresh result set

Answer 304

1. add the report to a dashboard 2. open the report and edit it 3. accelerate slow running reports

Answer 305

table, chart or visualization based on a datamodel set

Answer 306

1. dashboard panel | 2. report

Answer 307

accounting response for TradeID

Answer 308

1. treats field values in a case-INsensitive manner | 2. allows searching on a keyword

Answer 309

sourcetype=access_* | stats max(bytes)

Answer 310

statistical values

Answer 311

adds the highlighted value to the search criteria

Answer 312

inputlookup

Answer 313

1. create the lookup table 2. define the lookup 3. configure the lookup to run automatically

Answer 314

forwarders

Answer 315

search head

Answer 316

``` raw data (full log files) index files (key keywords from logs) ```

Answer 317

full log files

Answer 318

key keywords from logs

Answer 319

main _internal _audit:

Answer 320

Stores Splunk Enterprise internal logs and processing metrics.

Answer 321

Contains events related to the file system change monitor, auditing, and all user search history

Answer 322

This is the default Splunk Enterprise index. All processed data is stored here unless otherwise specified.

Answer 323

parsing phase and indexing phase

Answer 324

While parsing splunk performs and extracts a set of default for each event like host, source, and sourcetype.

Answer 325

The source of an event is the name of the file, stream, or other input from which the event originates

Answer 326

The source type of an event is the format of the data input from which it originates like for windows .evt files from event viewer

Answer 327

An event's host value is typically the hostname, IP address, or fully qualified domain name of the network host from which the event originated

Answer 328

Its nothing but way of storing character/words in memory

Answer 329

if your logs are very long or messy then it will break them in small parts easy to understand

Answer 330

sort logs as per time or as they occurred.

Answer 331

Splunk indexing process: a) Breaking all events into segments called buckets that can then be searched upon. You can determine the level of segmentation, which affects indexing and searching speed, search capability, and efficiency of disk compression. b) Building the index data structures. c) Writing the raw data and index files to disk, where post-indexing compression occurs Splunk parsing and indexing phases

Answer 332

Splunk stores all its data in directories on server called buckets. Buckets are nothing but directories on servers. A bucket moves through several stages as it ages - hot,warm,cold,frozen

Answer 333

this is the directory where all data is written and the most recent data is kept here. Warm - the next tier down, read only and likely still searched

Answer 334

- rarely searched data as it has aged or been archived (rolled) to this bucket. While read only and still searchable, this is considered the archive tier.

Answer 335

this is data that is pushed to a dead media like tape or deleted. There is a thawing process possible if not deleted completely to allow data to be pushed back into higher tier buckets

Answer 336

Set maxTotalDataSizeMB

Answer 337

There are multiple ways to create new index in splunk indexer. You can achieve it t through GUI/CLI or simply editing index.conf at $splunk home/etc/system/local. Simplest way is through GUI (front-end). If number of index are more then simply edit inputs.conf and add all index name to it. Below are steps for the same.

Answer 338

To add a new index, add a stanza to indexes.conf in $SPLUNK_HOME/etc/system/local, identified by the name of the new index. For example: [newindex] homePath= coldPath= thawedPath= ...

Answer 339

Configuring timestamp recognition Convertig timeformat to our default timeformat Configuring linebreaking for multiline events. Setting up character set encoding Defining manual filed extarction regex Allowing processing of binary files. Configuring event segmentation. Overriding Splunk's automated host and source type matching Defining where to lookup for lookup table etc

Answer 340

/opt/splunk/etc/system/default/props.conf --->never edit this file as its conatians default configuration /opt/splunk/etc/system/local/props.conf ----->We can edit this file for configurations

Answer 341

There happens to be seven attributes you want to set in props.conf every time you bring data into Splunk

Answer 342

This is the first attribute is used to tell Splunk where to start to look for the timestamp in your event.

Answer 343

Setting this attribute makes Splunk happy and run more efficiently because it will not have to spend any extra time and resources to find the time stamp. You can tell Splunk that your timestamp is 20 characters into your event so Splunk will not waste any time looking through the entire event.

Answer 344

Many people "sleep" on this attribute and shouldn't. It is very important to help Splunk interpret your data. With this attribute you are telling Splunk the format your time stamp is in using strptime Splunk will not have to try to figure out if 10/2/12 is October 2, 2012, February 10, 2012, or even something weird like December 2, 2010.

Answer 345

this attribute is the leader and decision maker of the group. Depending on the value of this attribute, other attributes are required. This setting should be set to "false" and used along with the LINE_BREAKER attribute, which can greatly increase processing speed.

Answer 346

This attribute looks the toughest and most intimidating. It identifies how your events should be broken apart. This is important because if this is not set correctly you can have data that is spread across multiple events. Using regular expressions, Splunk will look for that specific pattern and break up your events accordingly, and as mentioned before, this should be used in conjunction with SHOULD_LINEMERGE = false.

Answer 347

- This attribute is nothing to sneeze at. Measured in bytes, this attribute limits the length of an event (line of data), and will break when the limit is met. The default value is 10000 so set this to 999999 bytes or more depending on the size of your event. Because your data is not being broken up into multiline events (given SHOULD_LINEMERGE = false) you will want to ensure your events do not get broken up incorrectly.

Answer 348

the time zone attribute is probably the most forgotten of the group. You will want to set the time zone for each host in your Splunk environment. This will ensure the time is displayed correctly on your search head.

Answer 349

- a bucket are directories on servers in splunk: hot, warm, cold, frozen, thawed. - events within splunk are broken down into segments called buckets - inside indexes, files, collection of databases, subdirectories

Answer 350

port open for indexing

Answer 351

host, source, source type, time stamp

Answer 352

Works like a case statement in shell scripting. This function takes pairs of arguments X and Y. The X arguments are Boolean expressions that will be evaluated from first to last. When the first X expression is encountered that evaluates to TRUE, the corresponding Y argument will be returned. The function defaults to NULL if none are true.

Answer 353

Install apps, create knowledge objects for all users (what apps a user will see by default)

Answer 354

Creates and shares knowledge objects for users of app, real-time searches

Answer 355

Only see own knowledge objects and those shared to them.

Answer 356

1. Splunk bar 2. App bar 3. Search bar 4. Time range picker 5. How to search panel 6. What to search panel 7. Search History

Answer 357

Edit job settings, send job to background, inspect and delete job.

Answer 358

Backslash | Example: info="user "chrisV4" not in database" info="user\"chrisV4\" not in database "

Answer 359

Source, Host, Sourcetype

Answer 360

values, count, and percentage

Answer 361

top values, top values by time, rare values, events with this field

Answer 362

sourcetype=

Answer 363

are, are not

Answer 364

> >= < <= -->

Answer 365

parenthesis

Answer 366

1. Select a field from the fields sidebar 2. Use the pivot interface 3. Use the Splunk search language commands in the search bar with statistics and visualization tabs

Answer 367

report or dashboard pannel

Answer 368

form or custom

Answer 369

all the time

Answer 370

Keywords, booleans, phrases, fields, wildcards, and comparisons.

Answer 371

=, !=, <=, >, >=

Answer 372

1. Time is the most efficient filter 2. More you tell search the better your results 3. Inclusion is better than exclusion 4. Filter as early as possible

Answer 373

Search terms

Answer 374

_time & _raw

Answer 375

exclusion, extraction

Answer 376

Stats command

Answer 377

Stats count

Answer 378

Stats Sum command

Answer 379

Timechart command

Answer 380

Index Data, Search & investigate, Add knowledge, Monitor & Alert, Report & Analyze.

Answer 381

Description: This function returns the character length of a string X. Basic example ... | eval n=len(field)

Answer 382

Description: This function takes one string argument and returns the string in lowercase. Basic example The following example returns the value provided by the field username in lowercase. ... | eval username=lower(username)

Answer 383

Description: This function takes one or two arguments X and Y, and returns X with the characters in Y trimmed from the left side. If Y is not specified, spaces and tabs are removed. Basic example The following example trims the leading spaces and all of the occurrences of the letter Z from the left side of the string. The value that is returned is x="abcZZ ". ... | eval x=ltrim(" ZZZZabcZZ ", " Z")

Answer 384

Description: This function returns a string formed by substituting string Z for every occurrence of regex string Y in string X. The third argument Z can also reference groups that are matched in the regex. Basic example: The following example returns date, with the month and day numbers switched. If the input is 1/14/2017 the return value would be 14/1/2017. ... | eval n=replace(date, "^(\d{1,2})/(\d{1,2})/", "\2/\1/")

Answer 385

Description: This function takes one or two arguments X and Y, and returns X with the characters in Y trimmed from the right side. If Y is not specified, spaces and tabs are removed. Basic example: The following example returns n="ZZZZabc". ... | eval n=rtrim(" ZZZZabcZZ ", " Z")

Answer 386

Description: This function takes two arguments, an input source field X and an spath expression Y, that is the XML or JSON formatted location path to the value that you want to extract from X. Basic example: The following example returns the hashtags from a twitter event. index=twitter | eval output=spath(_raw, "entities.hashtags")

Answer 387

Description: This function returns a substring of X, starting at the index specified by Y with the number of characters specified by Z. If Z is not provided, the function returns the rest of the string Basic example: The following example concatenates "str" and "ing" together, returning "string": ... | eval n=substr("string", 1, 3) + substr("string", -3)

Answer 388

Description: This function takes one or two arguments X and Y and returns X with the characters in Y trimmed from both sides. If Y is not specified, spaces and tabs are removed. Basic example: The following example returns "abc". ... | eval n=trim(" ZZZZabcZZ ", " Z")

Answer 389

Description: This function takes one string argument and returns the string in uppercase. Basic example: The following example returns the value provided by the field username in uppercase. ... | eval n=upper(username)

Answer 390

Description: This function takes one URL string argument X and returns the unescaped or decoded URL string. Basic example The following example returns "http://www.splunk.com/download?r=header". ... | eval n=urldecode("http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fr%3Dheader")

Answer 391

Index Cluster

Answer 392

1. disk space | 2. CPU power

Answer 393

./splunk start

Answer 394

./splunk enable boot-start

Answer 395

1. admin | 2. changeme

Answer 396

Faster searches Access limiting Multiple retention policies

Answer 397

Hot buckets are writable, warm buckets are not. Hot buckets are searched first. The naming convention.

Answer 398

can_delete

Answer 399

forwarders

Answer 400

sourcetypes

Answer 401

Simple XML Splunk JavaScript SDKs

Answer 402

search peer

Answer 403

load balance

Answer 404

testing and development

Answer 405

not indexing not data ainput not parsing

Answer 406

Universal Forwarder

Answer 407

not parsing not data input

Answer 408

not alter.conf

Answer 409

The Fieldformat Command.

Answer 410

All apps Private Specifiic App

Answer 411

Can be referenced by lookup tables. Are applicable to a specified app context. Make correlation easier.

Answer 412

Eval Commands

Answer 413

The event actions menu

Answer 414

The regular expression.

Answer 415

Are persistent Are specific to a host, source or sourcetype. Are reusable in multiple searches.

Answer 416

tag::host=alert

Answer 417

Event Types

Answer 418

Send field values to external resources. Pass variables to a URL. Execute a secondary search.

Answer 419

List in triggered alerts Send Email Run a script

Answer 420

dostuff(2)

Answer 421

boolean expressions | eval expressions

Answer 422

Add a root object

Answer 423

``` Auto-Extracted Eval Expression Lookup Regular Expression Geo IP ```

Answer 424

Hot buckets are writable, warm buckets are not. Hot buckets are searched first. The naming convention.

Answer 425

can_delete

Answer 426

search peer

Answer 427

load balance

Answer 428

Distributed Management Console

Answer 429

not indexing not data ainput not parsing

Answer 430

in a consistent format

Answer 431

Index Data, Search & investigate, Add knowledge, Monitor & Alert, Report & Analyze.

Answer 432

1. Collects data 2. Label data with source type 3. Stored in splunk index

Answer 433

Appends subsearch results to current results.

Answer 434

Appends the fields of the subsearch results to current results. first results to first result. second to second etc.

Answer 435

Appends the result of the subpipeline applied to the current result set to results.

Answer 436

Finds association rules between field values.

Answer 437

Identifies correlations between fields.

Answer 438

Builds a contingency table for two fields.

Answer 439

Builds a contingency table for two fields.

Answer 440

Builds a contingency table for two fields.

Answer 441

Calculates the correlation between different fields.

Answer 442

Returns the difference between two search results.

Answer 443

SQL-like joining of results from the main results pipeline with the results from the subpipeline.

Answer 444

Joins results with itself.

Answer 445

Performs set operations (union diff intersect) on subsearches.

Answer 446

Provides statistics grouped optionally by fields. See Functions for stats chart and timechart in the Splunk Enterprise Search Reference.

Answer 447

Groups search results into transactions.

Answer 448

Returns audit trail information that is stored in the local audit index.

Answer 449

Returns information about the specified index.

Answer 450

Returns the number of events in an index.

Answer 451

Returns a list of source sourcetypes or hosts from a specified index or distributed search peer.

Answer 452

Returns typeahead information on a specified prefix.

Answer 453

Crawls the filesystem for new sources to add to an index.

Answer 454

Delete specific events or search results.

Answer 455

Adds sources to Splunk or disables sources from being processed by Splunk.

Answer 456

Keeps a running total of the specified numeric field.

Answer 457

Add fields that contain common information about the current search.

Answer 458

Computes the sum of all numeric fields for each result.

Answer 459

Computes the difference in field value between nearby results.

Answer 460

Calculates an expression and puts the value into a field. See Functions for eval and where in the Splunk Enterprise Search Reference.

Answer 461

Adds location information such as city country latitude longitude and so on based on IP addresses.

Answer 462

Extracts field-values from table-formatted events.

Answer 463

Sets RANGE field to the name of the ranges that match.

Answer 464

Adds a relevancy field which indicates how well the event matches the query.

Answer 465

Concatenates string values and saves the result to a specified field.

Answer 466

Allows you to specify example or counter example values to automatically extract fields that have similar values.

Answer 467

Extracts field-value pairs from search results.

Answer 468

Extracts values from search results using a form template.

Answer 469

Specify a Perl regular expression named groups to extract fields while you search.

Answer 470

Provides a straightforward means for extracting fields from structured data formats XML and JSON.

Answer 471

Extracts XML key-value pairs.

Answer 472

Converts field values into numerical values.

Answer 473

Replaces NULL values with the last non-NULL value.

Answer 474

Replaces null values with a specified value.

Answer 475

Change a specified field into a multivalued field during a search.

Answer 476

Changes a specified multivalued field into a single-value field at search time.

Answer 477

Converts the difference between 'now' and '_time' to a human-readable value and adds adds this value to the field 'reltime' in your search results.

Answer 478

Renames a specified field; wildcards can be used to specify multiple fields.

Answer 479

Replaces values of specified fields with a specified new value.

Answer 480

Analyze numerical fields for their ability to predict another discrete field.

Answer 481

Computes an "unexpectedness" score for an event.

Answer 482

Finds and summarizes irregular or uncommon search results.

Answer 483

Clusters similar events together.

Answer 484

Performs k-means clustering on selected fields.

Answer 485

Removes outlying numerical values.

Answer 486

Displays the least common values of a field.

Answer 487

returns location information such as city country latitude longitude and so on based on IP addresses.

Answer 488

Generate statistics which are clustered into geographical bins to be rendered on a world map.

Answer 489

Enables you to use time series algorithms to predict future values of fields.

Answer 490

Computes moving averages of fields.

Answer 491

Enables you to determine the trend in your data by removing the seasonal pattern.

Answer 492

Computes the sum of all numeric fields for each result.

Answer 493

Puts continuous numerical values into discrete sets.

Answer 494

Returns results in a tabular output for charting. See Statistical and charting functions in the Splunk Enterprise Search Reference.

Answer 495

Builds a contingency table for two fields.

Answer 496

Calculates the correlation between different fields.

Answer 497

Returns the number of events in an index.

Answer 498

Adds summary statistics to all search results.

Answer 499

Transforms results into a format suitable for display by the Gauge chart types.

Answer 500

Makes a field that is supposed to be the x-axis continuous (invoked by chart/timechart)

Answer 501

Removes outlying numerical values.

Answer 502

Displays the least common values of a field.

Answer 503

Provides statistics grouped optionally by fields. See Statistical and charting functions in the Splunk Enterprise Search Reference.

Answer 504

Adds summary statistics to all search results in a streaming manner.

Answer 505

Create a time series chart and corresponding table of statistics. See Statistical and charting functions in the Splunk Enterprise Search Reference.

Answer 506

Displays the most common values of a field.

Answer 507

Computes moving averages of fields.

Answer 508

Converts results from a tabular format to a format similar to stats output. Inverse of xyseries and maketable.

Answer 509

Converts results into a format suitable for graphing.

Answer 510

Emails search results, either inline or as an attachment, to | one or more specified email addresses

Answer 511

Combines events in search results that have a single differing field value into one result with a multivalue field of the differing field.

Answer 512

Removes results that do not match the specified regular expression.

Answer 513

Finds transaction events within specified search constraints.

Answer 514

Creates a table using the specified fields.

Answer 515

Removes any search that is an exact duplicate with a previous result.

Answer 516

Performs arbitrary filtering on your data. See Evaluation functions in the Splunk Enterprise Search Reference.

Answer 517

Converts results from a tabular format to a format similar to stats output. Inverse of xyseries and maketable.

Answer 518

Returns results that match a time-range.

Answer 519

Expands the values of a multivalue field into separate events for each value of the multivalue field.

Answer 520

Returns the search results of a saved search.

Answer 521

Searches Splunk indexes for matching events. This command is implicit at the start of every search pipeline that does not begin with another generating command.

Answer 522

Loads events or results of a previously completed search job.

Answer 523

Calculates the eventtypes for the search results.

Answer 524

Returns the first number n of specified results.

Answer 525

Reverses the order of the results.

Answer 526

Sorts search results by the specified fields.

Answer 527

Returns the last number N of specified results

Answer 528

Loads search results from the specified CSV file.

Answer 529

Loads events or results of a previously completed search job.

Answer 530

Outputs search results to a specified CSV file.

Answer 531

Ouputs the raw text field (_raw) of results into the _xml field.

Answer 532

Emails search results either inline or as an attachment to one or more specified email addresses.

Answer 533

A looping operator, performs a search over each search result.

Answer 534

Searches Splunk indexes for matching events. This command is implicit at the start of every search pipeline that does not begin with another generating command.

Answer 535

Takes the results of a subsearch and formats them into a single result.

Answer 536

SQL-like joining of results from the main results pipeline with the results from the subpipeline.

Answer 537

Specify the values to return from a subsearch.

Answer 538

Performs set operations (union diff intersect) on subsearches.

Answer 539

Returns a list of the time ranges in which the search results were found.

Answer 540

Converts the difference between 'now' and '_time' to a human-readable value and adds adds this value to the field 'reltime' in your search results.

Answer 541

Analyze numerical fields for their ability to predict another discrete field. See Also anomalousvalue.

Answer 542

Computes an "unexpectedness" score for an event. See Also anomalousvalue & cluster & kmeans & outlier.

Answer 543

Finds and summarizes irregular or uncommon search results. See Also analyzefields & anomalies & cluster & kmeans & outlier.

Answer 544

Appends subsearch results to current results. See Also appendcols & appendcsv & join & set.

Answer 545

Appends the fields of the subsearch results to current results first results to first result second to second etc. See Also append & appendcsv & join & set.

Answer 546

Appends the result of the subpipeline applied to the current result set to results. See Also append & appendcols & join & set.

Answer 547

Finds association rules between field values. See Also associate & correlate.

Answer 548

Identifies correlations between fields. See Also correlate and contingency.

Answer 549

Returns audit trail information that is stored in the local audit index.

Answer 550

Sets up data for calculating the moving average. See Also accum & autoregress & delta & trendline & streamstats.

Answer 551

Puts continuous numerical values into discrete sets. See Also chart and timechart.

Answer 552

Replaces a field value with higher-level grouping such as replacing filenames with directories. See Also cluster and dedup.

Answer 553

Returns results in a tabular output for charting. See Functions for stats chart and timechart in the Splunk Enterprise Search Reference. See Also timechart

Answer 554

Clusters similar events together. See Also anomalies anomalousvalue cluster kmeans outlier

Answer 555

Uses a duration field to find the number of "concurrent" events for each event. See Also timechart

Answer 556

Builds a contingency table for two fields. See Also associate correlate

Answer 557

Converts field values into numerical values. See Also eval

Answer 558

Calculates the correlation between different fields. See Also associate & contingency

Answer 559

Returns information about the specified index.

Answer 560

Computes the difference in field value between nearby results. See Also accum & autoregress & trendline & streamstats

Answer 561

Returns the difference between two search results.

Answer 562

Allows you to specify example or counter example values to automatically extract fields that have similar values. See Also extract & kvform & multikv & regex & rex & xmlkv

Answer 563

Returns the number of events in an index. See Also dbinspect

Answer 564

Adds summary statistics to all search results. See Also stats

Answer 565

Extracts field-value pairs from search results. See Also kvform & multikv & xmlkv & rex

Answer 566

Expresses how to render a field at output time without changing the underlying value. See Also eval & where

Answer 567

Removes fields from search results.

Answer 568

Generates summary information for all or a subset of the fields. See Also af & anomalies & anomalousvalue & stats

Answer 569

Replaces NULL values with the last non-NULL value. See Also fillnull

Answer 570

Replaces null values with a specified value.

Answer 571

Generates a list of suggested event types. See Also typer

Answer 572

Run a templatized streaming subsearch for each field in a wildcarded field list. See Also eval

Answer 573

Takes the results of a subsearch and formats them into a single result.

Answer 574

Retrieves data from a dataset such as a data model dataset a CSV lookup a KV Store lookup a saved search or a table dataset.

Answer 575

Transforms results into a format suitable for display by the Gauge chart types.

Answer 576

Generates time-range results.

Answer 577

Generate statistics which are clustered into geographical bins to be rendered on a world map. See Also stats & xyseries

Answer 578

Returns the first number n of specified results. See Also reverse & tail

Answer 579

Causes Splunk Web to highlight specified terms.

Answer 580

Returns a history of searches formatted as an events list or as a table. See Also search

Answer 581

Adds sources to Splunk or disables sources from being processed by Splunk.

Answer 582

Loads search results from the specified CSV file. See Also loadjob & outputcsv

Answer 583

Extracts location information from IP addresses.

Answer 584

SQL-like joining of results from the main results pipeline with the results from the subpipeline. See Also selfjoin & appendcols

Answer 585

Performs k-means clustering on selected fields. See Also anomalies & anomalousvalue & cluster & outlier

Answer 586

Extracts values from search results using a form template. See Also extract & kvform & multikv & xmlkv & rex

Answer 587

Loads events or results of a previously completed search job. See Also inputcsv

Answer 588

Returns a list of the time ranges in which the search results were found. See Also map & transaction

Answer 589

Makes a field that is supposed to be the x-axis continuous (invoked by chart/timechart) See Also chart & timechart

Answer 590

Change a specified field into a multivalued field during a search. See Also mvcombine & mvexpand & nomv

Answer 591

A looping operator performs a search over each search result.

Answer 592

Returns a list of source sourcetypes or hosts from a specified index or distributed search peer. See Also dbinspect

Answer 593

Retrieves event metadata from indexes based on terms in the logical expression. See Also metadata & search

Answer 594

Calculates statistics for the measurement metric_name and dimension fields in metric indexes. See Also stats

Answer 595

Extracts field-values from table-formatted events.

Answer 596

Run multiple streaming searches at the same time. See Also append & join

Answer 597

Combines events in search results that have a single differing field value into one result with a multivalue field of the differing field. See Also mvexpand & makemv & nomv

Answer 598

Expands the values of a multivalue field into separate events for each value of the multivalue field. See Also mvcombine & makemv & nomv

Answer 599

Changes a specified multivalued field into a single-value field at search time. See Also makemv & mvcombine & mvexpand

Answer 600

Removes outlying numerical values. See Also anomalies & anomalousvalue & cluster & kmeans

Answer 601

Outputs search results to a specified CSV file. See Also inputcsv & outputtext

Answer 602

Ouputs the raw text field (_raw) of results into the _xml field. See Also outputtext

Answer 603

Enables you to use time series algorithms to predict future values of fields. See Also x11

Answer 604

Sets RANGE field to the name of the ranges that match.

Answer 605

Displays the least common values of a field. See Also stats & top

Answer 606

Removes results that do not match the specified regular expression. See Also rex & search

Answer 607

Calculates how well the event matches the query.

Answer 608

Converts the difference between 'now' and '_time' to a human-readable value and adds adds this value to the field 'reltime' in your search results. See Also convert

Answer 609

Renames a specified field; wildcards can be used to specify multiple fields.

Answer 610

Replaces values of specified fields with a specified new value.

Answer 611

Access a REST endpoint and display the returned entities as search results.

Answer 612

Specify the values to return from a subsearch. See Also format & search

Answer 613

Reverses the order of the results. See Also head & sort & tail

Answer 614

Specify a Perl regular expression named groups to extract fields while you search. See Also extract & kvform & multikv & xmlkv & regex

Answer 615

Buffers events from real-time search to emit them in ascending time order when possible.

Answer 616

Returns the search results of a saved search.

Answer 617

Runs an external Perl or Python script as part of your search.

Answer 618

Anonymizes the search results.

Answer 619

Searches Splunk indexes for matching events.

Answer 620

Finds transaction events within specified search constraints. See Also transaction

Answer 621

Joins results with itself. See Also join

Answer 622

Emails search results to a specified email address.

Answer 623

Performs set operations (union, diff, intersect) on subsearches. See Also append & appendcols & join & diff

Answer 624

Sets the field values for all results to a common value. See Also eval & fillnull & rename

Answer 625

Sorts search results by the specified fields. See Also reverse

Answer 626

Provides a straightforward means for extracting fields from structured data formats, XML and JSON. See Also xpath

Answer 627

Provides statistics, grouped optionally by fields. See Functions for stats, chart, and timechart in the Splunk Enterprise Search Reference. See Also eventstats & top & rare

Answer 628

Concatenates string values.

Answer 629

Adds summary statistics to all search results in a streaming manner. See Also eventstats & stats

Answer 630

Creates a table using the specified fields. See Also fields

Answer 631

Annotates specified fields in your search results with tags. See Also eval

Answer 632

Returns the last number n of specified results. See Also head & reverse

Answer 633

Create a time series chart and corresponding table of statistics. See Functions for stats, chart, and timechart in the Splunk Enterprise Search Reference. See Also chart & bucket

Answer 634

Displays the most common values of a field. See Also rare & stats

Answer 635

Groups search results into transactions.

Answer 636

Reformats rows of search results as columns.

Answer 637

Computes moving averages of fields. See Also timechart

Answer 638

Returns typeahead information on a specified prefix.

Answer 639

Calculates the eventtypes for the search results. See Also typelearner

Answer 640

Removes any search that is an exact duplicate with a previous result. See Also dedup

Answer 641

Converts results from a tabular format to a format similar to stats output. Inverse of xyseries and maketable.

Answer 642

Performs arbitrary filtering on your data. See Functions for eval and where in the Splunk Enterprise Search Reference. See Also eval

Answer 643

Extracts XML key-value pairs. See Also extract & kvform & multikv & rex

Answer 644

Unescapes XML.

Answer 645

Redefines the XML path.

Answer 646

Converts results into a format suitable for graphing.

Answer 647

Suppose you have the following fields: fieldA, FieldB, fieldC -- If you search for fieldB!=value3 You will get Results fieldB=value1, fieldB=value2 If fieldB does not exist, nothing is returned. ----------------------------------------------------- Searching with NOT: If you search for NOT fieldB=value3, the search returns everything except fieldB=value3: fieldA=value1, fieldA=value2, fieldA=value3 fieldB=value1, fieldB=value2 fieldC=value1, fieldC=value2, fieldC=value3 If fieldB does not exist, NOT fieldB=value3 returns: fieldA=value1, fieldA=value2, fieldA=value3 fieldC=value1, fieldC=value2, fieldC=value3

Answer 648

s, sec, secs, second, seconds

Answer 649

m, min, minute, minutes

Answer 650

h, hr, hrs, hour, hours

Answer 651

d, day, days

Answer 652

w, week, weeks

Answer 653

mon, month, months

Answer 654

q, qtr, qtrs, quarter, quarters

Answer 655

y, yr, yrs, year, years

Answer 656

earliest=10/19/2016:0:0:0 latest=10/27/2016:0:0:0

Answer 657

Splunk software always snaps backwards or rounds down to the latest time that is not after the specified time. For example, the current time is 15:45:00 and the snap to time is earliest=-h@h. The time modifier snaps to 14:00.

Answer 658

to snap to a specific day of the week, use @w0 for Sunday, @w1 for Monday, and so forth. For Sunday, you can specify either w0 or w7.

Answer 659

specify earliest=-mon@mon latest=@mon. This example begins at the start of the previous month and ends at the start of the current month.

Answer 660

On April 28th, you decide to run a search at 14:05. If you specify earliest=-2d, the search goes back exactly two days, starting at 14:05 on April 26th. If you specify earliest=-2d@d, the search goes back to two days and snaps to the beginning of the day. The search looks for events starting from 00:00 on April 26th.

Answer 661

If you want to search events from the start of UTC epoch time, use earliest=1. (earliest=0 in the search string indicates that time is not used in the search.) When earliest=1 and latest=now or latest=, the search will run over all time. The difference is that: Specifying latest=now (which is the default) does not return future events. Specifying latest= returns future events, which are events that contain timestamps later than the current time, now.

Answer 662

Specify that the search starts or ends at the current time.

Answer 663

Specify a snap to the beginning of the most recent quarter: Jan 1, Apr 1, July 1, or Oct 1.

Answer 664

Specify "snap to" days of the week; where w0 is Sunday, w1 is Monday, etc. When you snap to a week, @w or @week, it is equivalent to snapping to Sunday or @w0. You can use either w0 or w7 for Sunday.

Answer 665

Now, the current time | Wednesday, 05 February 2017, 01:37:05 P.M. now

Answer 666

60 minutes ago Wednesday, 05 February 2017, 12:37:05 P.M. Equivalent modifiers -60m@s

Answer 667

1 hour ago, to the hour | Wednesday, 05 February 2017, 12:00:00 P.M.

Answer 668

Yesterday | Tuesday, 04 February 2017, 12:00:00 A.M.

Answer 669

24 hours ago (yesterday) | Tuesday, 04 February 2017, 01:37:05 P.M. Equivalent modifiers -24h@s

Answer 670

7 days ago, 1 week ago today | Wednesday, 28 January 2017, 12:00:00 A.M.

Answer 671

7 days ago, snap to minute boundary Wednesday, 28 January 2017, 01:37:00 P.M.

Answer 672

Beginning of the current week | Sunday, 02 February 2017, 12:00:00 A.M.

Answer 673

Tomorrow | Thursday, 06 February 2017, 12:00:00 A.M.

Answer 674

24 hours from now, tomorrow | Thursday, 06 February 2017, 01:37:05 P.M. Equivalent modifiers +24h@s

Answer 675

You can also specify offsets from the snap-to-time or "chain" together the time modifiers for more specific relative time definitions.

Answer 676

Snap to the beginning of today (12 A.M.) and subtract 2 hours from that time. Resulting Time 10 P.M. last night.

Answer 677

One month ago, snapped to the first of the month at midnight, and add 7 days. Resulting Time The 8th of last month at 12 A.M.

Answer 678

Example 1: Web access errors from the beginning of the week to the current time of your search (now). eventtype=webaccess error earliest=@w0 This search returns matching events starting from 12:00 A.M. of the Sunday of the current week to the current time. Of course, this means that if you run this search on Monday at noon, you will only see events for 36 hours of data. -------------------------------------------------------- Example 2: Web access errors from the current business week (Monday to Friday). eventtype=webaccess error earliest=@w1 latest=+7d@w6 This search returns matching events starting from 12:00 A.M. of the Monday of the current week and ending at 11:59 P.M. of the Friday of the current week. If you run this search on Monday at noon, you will only see events for 12 hours of data. Whereas, if you run this search on Friday, you will see events from the beginning of the week to the current time on Friday. The timeline however, will display for the full business week. -------------------------------------------------------- Example 3: Web access errors from the last full business week. eventtype=webaccess error earliest=-7d@w1 latest=@w6 This search returns matching events starting from 12:00 A.M. of last Monday and ending at 11:59 P.M. of last Friday

Answer 679

NCSA combined format http web server logs (can be generated by apache or other web servers) Example: 10.1.1.43 - webdev [08/Aug/2005:13:18:16 -0700] "GET / HTTP/1.0" 200 0442 "-" "check_http/1.10 (nagios-plugins 1.4)"

Answer 680

NCSA combined format http web server logs (can be generated by apache or other web servers), with cookie field added at end Example: "66.249.66.102.1124471045570513" 59.92.110.121 - - [19/Aug/2005:10:04:07 -0700] "GET /themes/splunk_com/images/logo_splunk.png HTTP/1.1" 200 994 "http://www.splunk.org/index.php/docs" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.8) Gecko/20050524 Fedora/1.0.4-4 Firefox/1.0.4" "61.3.110.148.1124404439914689"

Answer 681

NCSA common format http web server logs (can be generated by apache or other web servers) Examples: 10.1.1.140 - - [16/May/2005:15:01:52 -0700] "GET /themes/ComBeta/images/bullet.png HTTP/1.1" 404 304

Answer 682

Standard Apache web server error log Example: [Sun Aug 7 12:17:35 2005] [error] [client 10.1.1.015] File does not exist: /home/reba/public_html/images/bullet_image.gif

Answer 683

NCSA combined format http web server logs (can be generated by apache or other web servers)

Answer 684

NCSA combined format http web server logs (can be generated by apache or other web servers) with cookie field added at end

Answer 685

NCSA common format http web server logs (can be generated by apache or other web servers)

Answer 686

Standard Asterisk IP PBX call detail record

Answer 687

Standard Asterisk event log (management events)

Answer 688

Standard Asterisk messages log (errors and warnings)

Answer 689

Standard Asterisk queue log

Answer 690

Standard Cisco syslog produced by all Cisco network devices including PIX firewalls routers ACS etc. usually via remote syslog to a central log host

Answer 691

Standard IBM DB2 database administrative and error log

Answer 692

Exim MTA mainlog

Answer 693

Exim reject log

Answer 694

Standard linux syslog (/var/log/messages on most platforms)

Answer 695

Linux securelog

Answer 696

Log4j standard output produced by any J2EE server using log4j

Answer 697

Standard mysql error log

Answer 698

Standard MySQL query log; also matches the MySQL binary log following conversion to text

Answer 699

Standard Postfix MTA log reported via the Unix/Linux syslog facility

Answer 700

Standard Sendmail MTA log reported via the Unix/Linux syslog facility

Answer 701

Standard Sugarcrm activity log reported using the log4php utility

Answer 702

Weblogic server log in the standard native BEA format

Answer 703

Websphere activity log also often referred to as the service log

Answer 704

Corefile export from Websphere

Answer 705

Standard Websphere system error log in the IBM native trlog format

Answer 706

Standard Websphere system out log in the IBM native trlog format; similar to the log4j server log for Resin and Jboss sample format as the system error log but containing lower severity and informational events

Answer 707

Standard windows event log reported through a 3rd party Intersect Alliance Snare agent to remote syslog on a Unix or Linuxserver

Answer 708

``` Real Time Architecture Universal Machine Data Platform Schema on the Fly Agile Reporting and Analytics Scales from Desktop to Enterprise Fast Time to Value Passionate and Vibrant Community ```

Answer 709

Splunk Enterprise Splunk Cloud Splunk Light

Answer 710

Real-time collection, search, monitoring and analysis across massive streams of machine data in a single solution

Answer 711

Open, extensible platform delivering integrated, end-to-end data collection, management and analysis

Answer 712

Search-time schema delivers flexibility to interact with the data and change perspective on the fly at search time

Answer 713

Interactive search and reporting, enabling rapid, interactive analysis and visualization of data.

Answer 714

IT Operations Application Delivery Security and Compliance

Answer 715

Splunk Enterprise Security Splunk IT Service Intelligence Splunk User Behavior Analytics (UBA) Premium Apps

Answer 716

Analytics driven SIEM: user to monitor, detect, analyze, investigate and repond to threats and attacks Complimentary product. Customers must have an equivalent license of Core Splunk (same GB Volume)

Answer 717

Data Driven service insight for root cause isolation and improved service operations Complimentary Product. Customers must have an equivalent license of Core Splunk (same GB Volume)

Answer 718

Detect cyber-attacks and insider threats using data science, machine learning, behavior baseline, peer group analytics, and advanced correlation Licensing: Number of authorized users(the number of users or system accounts in Microsoft AD, lightweight directory access protocol (LDAP) or an similar service that is used to authenticate users inside the network. needs to be sold with content subscription packs

Answer 719

Community Standard Enterprise and Global Support PS and CSM

Answer 720

``` Business Qualification Technical Interlock Champion Tested Proof Completed Mutually Agreed Closed Plan ```

Answer 721

``` Corporate Objectives Business Strategy Initiatives Risks and Critical Capabilities C Level Commercial Insights ```

Answer 722

Prospecting Guide Meeting Guide Differentiation Pitch Champion Guide

Answer 723

Value Stack Whiteboard Differentiators best used together

Answer 724

Vertical and Segments

Answer 725

Delivers a light version of Splunk for Small IT environment 5 users Cheaper 20GB of daily data indexing

Answer 726

Machine data is one of the fastest, growing, most complex and most valuable segments of big data

Answer 727

All the power of Splunk Enterprise, delivered as a service. Runs in an Amazon Web Service AWS GovCloud-Splunk Cloud solution hosted in secure enviornment for public sector 1.33X more expensive but its in the cloud and support is included

Answer 728

Splunk online communities include splunk base, splunk answers, and spunk dev Active communities including Facebook and Linkedin; regional customer events, user group meetings and annual user conference.

Answer 729

Flexible data engine that scales to index terabytes of data per day and permits thousands of users to concurrently search petabytes of data

Splunk Flashcards

Fundamentals 1 and 2