Splunk

Question 1

Machine data is always structured.

Answer 1

False

Question 2

Machine data makes up for more than _____% of the data accumulated by organizations.

Answer 2

90

Question 3

Machine data can give you insights into:

Answer 3

Application performance
Security
Hardware monitoring
Sales
User Behavior

Question 4

Machine data is only log files on web servers.

Answer 4

False

Question 5

Which of these is NOT a main component of Splunk?

Answer 5

compress and archive

Question 6

The index does not play a major role in Splunk.

Answer 6

False

Question 7

Data is broken into single events by:

Answer 7

in a consistent format.

Question 8

Which role defines what apps a user will see by default?

Answer 8

Admin

Question 9

Which two apps ship with Splunk Enterprise?

Answer 9

Search & Reporting

Home App

Question 10

There are ______ components to the Search and Reporting app’s default interface.

Answer 10

7

Question 11

What is the most efficient way to filter events in Splunk?

Answer 11

reverse chronological order

Question 12

Commands that create statistics or visualizations are called ____________.

Answer 12

transforming commands

Question 13

The Search & Reporting App has how many search modes?

Answer 13

3

Question 14

Which character acts as a wildcard in the Splunk Search Language?

Answer 14

*

Question 15

What are Boolean operators in Splunk?

Answer 15

…

Question 16

Which is not a comparison operator in Splunk?

Answer 16

&=

Question 17

Field names are _____________.

Answer 17

case sensitive

Question 18

What could be said of the circled field below:

A dest 4

Answer 18

it contains four values
its was extracted at search time
it contains string values

Question 19

After a report is saved, you can no longer edit the search.

Answer 19

False

Question 20

Search commands can be used with search terms to do the following:

Answer 20

Create charts
Compute statistics
Format data

Question 21

If we want to see events after running a transforming command, we need to switch to this mode.

Answer 21

Verbose

Question 22

Any search that returns these values can be viewed as a chart.

Answer 22

Statistical

Question 23

Charts can be based on numbers, time or location.

Answer 23

True

Question 24

________ are searches gathered together in a single pane of glass.

Answer 24

Dashboards

Question 25

An alert is an action triggered by a ____________.

Answer 25

saved search

Question 26

Alerts can send an email.

Answer 26

True

Question 27

These are knowledge objects that provide the data structure for pivot.

Answer 27

data models

Question 28

Which roles can create data models?

Answer 28

Admin and Power

Question 29

You can think of adding child data model objects as an _________ Boolean in the Splunk search language.

Answer 29

AND

Question 30

The instant pivot button is displayed in the statistics and visualization tabs when a _______ search is used.

Answer 30

non-transforming

Question 31

Unlike pivot, reports created with instant pivot can not be saved.

Answer 31

False

Question 32

Splunk breaks data into ___________.

Answer 32

events

Question 33

Field values are _______.

Answer 33

case insensitive

Question 34

Which 2 apps ship with Splunk Enterprise?

Answer 34

Search & Reporting

Home App

Question 35

These searches will return the same results?

password fail

“password fail”

Answer 35

False

Question 36

Which is not a comparison operator in Splunk?

Answer 36

OR

Question 37

Data is broken into single events by:

Answer 37

sourcetype

Question 38

Which is not a comparison operator in Splunk?

Answer 38

%=

Question 39

A time range picker can be included in a report.

Answer 39

True

Question 40

Charts can be based on numbers, time or location.

Answer 40

True

Question 41

Which of these is not a main component of Splunk?

Answer 41

Compress and archive

Question 42

The index does not play a major role in Splunk.

Answer 42

False

Question 43

Admin, Power, User

Answer 43

Out of the box there are 3 main roles

Question 44

How can you view all sourcetypes?

Answer 44

Click Data Summary in the Searching & Reporting app

Question 45

What is shown in the Data Summary?

Answer 45

Host, Sources, and Sourcetypes on separate tabs

Question 46

What timezone is data displayed for, in searches?

Answer 46

The local timezone set in your profile.

Question 47

Search terms are case sensitive or insensitive?

Answer 47

insensitive

Question 48

AND, OR, NOT

Answer 48

What booleans are supported in splunk search?

Question 49

Symbol for “does not equal”

Answer 49

!=

Question 50

In what chronological order are events displayed, after a search?

Answer 50

Reverse chronological order (newest first)

Question 51

Each event has these field value pairs.

Answer 51

timestamp, host, source, sourcetype

Question 52

Time range abbreviations for seconds

Answer 52

s

Question 53

Time range abbreviations for minutes

Answer 53

m

Question 54

Time range abbreviations for hours

Answer 54

h

Question 55

Time range abbreviations for days

Answer 55

d

Question 56

Time range abbreviations for weeks

Answer 56

w

Question 57

Time range abbreviations for months

Answer 57

mon

Question 58

Time range abbreviations for year

Answer 58

y

Question 59

What are the commands for specifying a time range in a search string?

Answer 59

earliest and latest

eg: earliest=-h latest=@d

Question 60

Does narrowing the time range by dragging the selection bars across the timeline re-execute the search?

Answer 60

No, it only filters the results

Question 61

What formats may search results be exported to?

Answer 61

CSV, XML, JSON

Question 62

What does “event sampling” do?

Answer 62

Instead of returning all the results, from a search, it returns a random sampling of events.

Question 63

What does an event sample of 1:100 indicate?

Answer 63

Each event, found in a search, has a 1 in 100, or 1% change of being included in the sample result set.

Question 64

What is a Field?

Answer 64

searchable key/value pairs from event data.

Question 65

How does Splunk discover fields?

Answer 65

Based on sourcetype and key/value pairs found in the data.

Question 66

What percentage of search results have the fields listed under “Interesting Fields”?

Answer 66

20% of events have these fields present in them.

Question 67

What are the three search modes?

Answer 67

Fast, Smart, Verbose

Question 68

What is the default search mode?

Answer 68

Smart

Question 69

Field names are case sensitive or insensitive?

Answer 69

Case sensitive

Question 70

True/False: Splunk is subnet/CIDR aware for IP fields?

Answer 70

True

Question 71

How does NOT affect search results?

Answer 71

Returns everything except the events matching the NOT boolean

Question 72

What is a dashboard?

Answer 72

One or more panels displaying data visually in a useful way.

Question 73

What command changes the name of a field in search?

Answer 73

rename

Question 74

When should quotes be used around values in search?

Answer 74

When including spaces or special characters

Question 75

What command allows you to include/exclude fields in your search?

Answer 75

fields

Question 76

What is the difference between +/- with the fields command?

Answer 76

+ (include) occurs before field extraction and improves performance
- (exclude) occurs after field extraction, and no performance improvement

Question 77

How can you reduce the returned results with the sort command?

Answer 77

The limit option

e.g: | sort limit=20 -categoryID, product_name

Question 78

What command finds the most common values of a given field?

Answer 78

top

Question 79

How many results are returned by the top command, by default?

Answer 79

10

Question 80

What two columns are automatically returned by the top command?

Answer 80

count & percent

Question 81

What option changes the number of results returned by the top command?

Answer 81

limit (limit=0 returns unlimited results)

Question 82

What command returns the least common field values?

Answer 82

rare

Question 83

What command allows you to calculate statistics on data that matches your search criteria?

Answer 83

stats

Question 84

What option allows you to rename fields, within the stats command?

Answer 84

as

Question 85

What stats command shows all field values for a given field?

Answer 85

list

Question 86

What stats command shows all unique field values for a given field?

Answer 86

values

Question 87

To get multi-series tables you need to set up the underlying search with commands like…

Answer 87

chart or timechart

Question 88

What are the seven chart types?

Answer 88

line, area, column, bar, bubble, scatter, pie

Question 89

What eval command allows you to format for currency?

Answer 89

tostring

Question 90

What command allows you to create a single event from a group of events that share the same value in a given field?

Answer 90

transaction

Question 91

Max events displayed by transaction command

Answer 91

1,000

Question 92

What is the transforms.conf flag to switch whether or not a lookup field value is case-sensitive or not?

Answer 92

case_sensitive_match

Question 93

What is a way to normalize data over any default field?

Answer 93

Field Aliases

Question 94

What are nicknames that you create for related field/value pairs?

Answer 94

Tags

Question 95

Where can you view a list of all Tags?

Answer 95

Settings > Tags > List by field value pair

Question 96

A method of categorizing events based on a search

Answer 96

Event Type

Question 97

What may be run from an event in your search results to interact with external resources or run another search?

Answer 97

Workflow Actions

Question 98

Workflow action to pass information to an external web resource.

Answer 98

GET

Question 99

Workflow action to send field values to an external resource.

Answer 99

POST

Question 100

Workflow action to use field values to perform a secondary search.

Answer 100

Search

Question 101

Macros must be surrounded with what character?

Answer 101

backticks

Question 102

What tool provides a methodology to normalize data?

Answer 102

Common Information Model (CIM)

Question 103

Which search will return the same events as the search in the searchbar?

password failed

Answer 103

password AND failed

Question 104

What is the most efficient way to filter events in Splunk?

Answer 104

By time.

Question 105

Which is not a comparison operator in Splunk?

Answer 105

?=

Question 106

How is the asterisk used in Splunk search?

Answer 106

As a wildcard

Question 107

As general practice, inclusion is better than exclusion in a Splunk search.

Answer 107

True

Question 108

What command would you use to remove the status field from the returned events?

Answer 108

fields -

Question 109

Finish the rename command to change the name of the status field to HTTP Status.

sourcetype=access* status=404 | rename ______

Answer 109

status as “HTTP Status”

Question 110

Would the clientip column be removed in the results of this search? Why or why not?

sourcetype=access* | rename clientip as “user” | table user status | fields - clientip

Answer 110

No, because the name was changed.

Question 111

What is missing from this search?

sourcetype=acc* status=404 | rename clientip as “User ID” | table USer ID status host

Answer 111

Quotation marks around User ID

Question 112

Which command removes results with duplicate field values?

Answer 112

Dedup

Question 113

To display the most common values in a specific field, what command would you use?

sourcetype=vendor_sales | ______ Vendor

Answer 113

top

Question 114

How many events are shown by default when using the top or rare command?

Answer 114

10

Question 115

Finish this search to return unlimited results.

sourcetype=access_combined action=purchase | rare product_name _________

Answer 115

limit=0

Question 116

Which of these is NOT a stats function?

Answer 116

addtotals

Question 117

Which clause would you use to rename the count field?

sourcetype=vendor_sales | stats count(linecount) ______ “Units Sold”

Answer 117

as

Question 118

Which stats function would you use to find the average value of a field?

Answer 118

avg

Question 119

If a search returns this, you can view the results as a chart.

Answer 119

Statistical values

Question 120

When using the chart command, the x-axis should always be numeric.

Answer 120

False

Question 121

The timechart command clusters data in time intervals dependent on:

Answer 121

Time range selected

Question 122

Finish this search to remove any results that do not contain a value in the product_name field.

sourcetype=access_c* status>299 | chart count over host by product_name _______

Answer 122

usenull=f

Question 123

When using the search below, what axis would time be on?

sourcetype=vendor_sales | timechart count(linecount)

Answer 123

x

Question 124

The Trendline Command requires this many arguments:

Answer 124

3

Question 125

In the following search, what should the empty argument contain?

sourcetype=linux_secure | iplocation ______

Answer 125

An IP address.

Question 126

The Geostats Command requires both latitude and longitude data to use on a map.

Answer 126

True

Question 127

Data created using the Iplocation Command can not be used with the Geostats Command.

Answer 127

False

Question 128

Which command do you use when creating a choropeth map?

Answer 128

geom

Question 129

Which Splunk search command allows you to perform mathematical functions on field values?

Answer 129

Eval

Question 130

Which is the correct argument order when using the eval if function?

Answer 130

if (Boolean, Is True, Is False)

Question 131

If you want to format values without changing their characteristics, which would you use?

Answer 131

The Fieldformat Command.

Question 132

By default, the Fillnull Command replaces null values with this:

Answer 132

0

Question 133

You can only use one Eval Command per search.

Answer 133

False

Question 134

This command allows you to correlate related events on a field or list of fields that span time.

Answer 134

transaction

Question 135

Which of these is NOT a field created with the transaction command?

Answer 135

maxcount

Question 136

__________ should be used when you want to see the results of a calculation, or you need to group events on a field value.

Answer 136

Stats

Question 137

_________ should be used when you need to see events correlated together, or when events need to be grouped on start and end values.

Answer 137

Transactions

Question 138

What should you use with the transaction command to set the maximum total time between the earliest and latest events returned.

Answer 138

maxspan

Question 139

This stats function will return unique values for a given field.

Answer 139

Value

Question 140

Results of the Eval Commands always replace the existing field.

Answer 140

False

Question 141

Which roles can create Private Knowledge Objects?

Answer 141

User, Power, Admin

Question 142

Which roles can create knowledge objects shared across all apps?

Answer 142

Admin

Question 143

Knowledge objects can be used to normalize data?

Answer 143

True

Question 144

A Common Information Model (CIM) is supported by Splunk.

Answer 144

True

Question 145

What are the predefined ways knowledge objects can be shared?

Answer 145

All apps
Private
Specifiic App

Question 146

When using a .csv file for lookups, the first row in the file represents this.

Answer 146

field names

Question 147

Which is the correct order to use when creating a lookup?

Answer 147

Define a lookup table
Define a lookup
Create and automatic lookup

Question 148

Finish this search command so that it displays data from the http_status.csv lookup file.

__________ http_status.csv

Answer 148

inputlookup

Question 149

Finish this search so that it uses the http_status.csv lookup to return events.

sourcetype=access_c* NOT status=200 | _________ http_status code as status

Answer 149

lookup

Question 150

You can only have one field alias per field.

Answer 150

False

Question 151

Field Aliases ___________________

Answer 151

Can be referenced by lookup tables.
Are applicable to a specified app context.
Make correlation easier.

Question 152

Calculated fields are shortcuts for _______________.

Answer 152

Eval Commands

Question 153

Calculated fields can use lookup tables.

Answer 153

False

Question 154

The easiest way to extract a field is from ____________, allowing you to skip a few steps.

Answer 154

The event actions menu

Question 155

When editing a field extraction, you will be working with _________________.

Answer 155

The regular expression.

Question 156

You can extract multiple fields with the field extractor.

Answer 156

True

Question 157

______________ is a field extraction method for events that contain fields separated by a character.

Answer 157

delimiter

Question 158

Fields extracted with the field extractor

Answer 158

Are persistent
Are specific to a host, source or sourcetype.
Are reusable in multiple searches.

Question 159

You can only add one tag per field value pair.

Answer 159

False

Question 160

Which search would limit an “alert” tag to the “host” field?

Answer 160

tag::host=alert

Question 161

__________ allow you to categorize events based on search terms.

Answer 161

Event Types

Question 162

Tags can be added to event types.

Answer 162

True

Question 163

Event types do NOT show up in the field list.

Answer 163

False

Question 164

Splunk suggests naming your Knowledge Objects using _______ segmented keys.

Answer 164

6

Question 165

A workflow action can _________________.

Answer 165

Send field values to external resources.
Pass variables to a URL.
Execute a secondary search.

Question 166

This workflow action sends field value to external resources.

Answer 166

POST

Question 167

This workflow action passes variables in a URL.

Answer 167

GET

Question 168

To escape the “fieldname” value which command would you use? $_________fieldname$

Answer 168

!

Question 169

____________ are based on searches that run on a scheduled interval or in real-time.

Answer 169

Alerts

Question 170

Which actions can be triggered by an alert?

Answer 170

List in triggered alerts
Send Email
Run a script

Question 171

Alerts can be shared to all apps.

Answer 171

True

Question 172

Once an alert is created, you can no longer edit its defining search/

Answer 172

False

Question 173

A real-time alert type is useful when you want to know as soon as your trigger condition is met.

Answer 173

True

Question 174

Search Macros _______________

Answer 174

Allow you to store entire search strings, including pipes and eval statements.
Are time range independent.
Can pass arguments to the search.

Question 175

What is the proper syntax for using a macro called “dostuff”

sourcetype=gamelog |

Answer 175

‘dostuff’

Question 176

You can pipe the results of a Macro to other commands.

Answer 176

True

Question 177

What is the correct way to name a macro with two arguments?

Answer 177

dostuff(2)

Question 178

Validating macro arguments can be done with which type of command?

Answer 178

Add a root object

Question 179

Root search objects benefit from acceleration.

Answer 179

False

Question 180

_________ objects can be added to a root event object to narrow down the search.

Answer 180

Child

Question 181

What attributes can be added to an object?

Answer 181

Auto-Extracted
Eval Expression
Lookup
Regular Expression
Geo IP

Question 182

You can add additional child objects to either existing objects or the root object.

Answer 182

True

Question 183

After you configure a lookup, its fields can be found in the fields sidebar and you can use them in a search.

Answer 183

True

Question 184

No matter what user role creates the field alias, it is always set to Private by default.

Answer 184

True

Question 185

Running concurrent reports and the searches behind them puts very low demand on your system hardware.

Answer 185

False

Question 186

Search macros can only be used once in a given search.

Answer 186

False

Question 187

The results of a macro can not be piped to other commands.

Answer 187

False

Question 188

When building your data model, Splunk suggests you use root search objects whenever possible.

Answer 188

False

Question 189

What are the 3 main processing components of Splunk?

Answer 189

Forwarders
Indexers
Search Heads

Question 190

Raw data in an index is stored in a ________ form.

Answer 190

compressed

Question 191

Forwarders are typically installed on _____________.

Answer 191

Machines where the data originates

Question 192

The ___________ handle search management while ___________ perform the searches.

Answer 192

1. search heads

2. indexers

Question 193

A group of indexers configured to replicate each other’s data is called a ________.

Answer 193

Index Cluster

Question 194

__________ is often the biggest bottle neck in the Splunk indexing pipeline.

Answer 194

Disk I/O

Question 195

Search heads do not require as much ______ as indexers but require more _________.

Answer 195

1. disk space

2. CPU power

Question 196

Adding more machines no matter the hardware will make your deployment perform better.

Answer 196

False

Question 197

Splunk indexers and Search Heads on virtual machines should have ____ of the vCPU reserved to them.

Answer 197

100%

Question 198

Keeping ____ synchronized across your deployment, makes sure events are returned in the proper order.

Answer 198

time

Question 199

What command is used to start the Splunk Enterprise server?

Answer 199

./splunk start

Question 200

This command can be used to make Splunk start each time the server is booted.

Answer 200

./splunk enable boot-start

Question 201

When logging into Splunk Enterprise for the first time, a username of ______ and a password of are used.

Answer 201

1. admin

2. changeme

Question 202

The _______ folder inside the Splunk Enterprise installation directory contains licenses and configuration files.

Answer 202

etc

Question 203

Splunk Enterprise commands are executed from the ________ directory.

Answer 203

bin

Question 204

The following are Splunk Enterprise processing tiers.

Answer 204

Data input
Indexing
Search Management

Question 205

Event separation happens during the ________ segment of the data pipeline.

Answer 205

parsing

Question 206

Events are written to disk during the _______ segment of the data pipeline.

Answer 206

Indexing

Question 207

The functions of the data pipeline vary drastically depending on the deployment.

Answer 207

False

Question 208

Splunk Enterprise licenses specify how much data you can index per __________.

Answer 208

day

Question 209

Any editing done to .conf files should be done in the ________ directory.

Answer 209

local

Question 210

The ________ index is used when an index is not specified at input time.

Answer 210

main

Question 211

Having multiple indexes allows:

Answer 211

Faster searches
Access limiting
Multiple retention policies

Question 212

As data is input into Splunk Enterprise, it is first placed into a ________ bucket.

Answer 212

hot

Question 213

Some differences between hot and warm buckets are:

Answer 213

Hot buckets are writable, warm buckets are not.
Hot buckets are searched first.
The naming convention.

Question 214

When a bucket is frozen, by default it is moved to a different location before deleting.

Answer 214

False

Question 215

The timezone setting in a user’s account will effect the timestamp shown in events.

Answer 215

True

Question 216

_______________ define what users can do in Splunk.

Answer 216

Roles

Question 217

Only the ________ role can use the Delete Command by default.

Answer 217

can_delete

Question 218

The ______ role has the most capabilities of the predefined splunk roles.

Answer 218

admin

Question 219

When mixing authentication sources, scripted authentication will always take precedence.

Answer 219

False

Question 220

In most production environments, _______ will be used as your main source of data input.

Answer 220

forwarders

Question 221

Splunk uses ____________ to categorize the type of data being indexed.

Answer 221

sourcetypes

Question 222

The server that data is forwarded to is called the ______________.

Answer 222

receiver

Question 223

Indexing on a Heavy Forwarder does not affect your license.

Answer 223

False

Question 224

The following can be used to build apps for Splunk:

Answer 224

Simple XML
Splunk JavaScript
SDKs

Question 225

When migrating from a single instance deployment to a distributed environment, you will want to use the existing instance as an _______.

Answer 225

indexer

Question 226

An indexer in a distributed search environment is called a __________.

Answer 226

search peer

Question 227

It is a best practice to ____________ forwarders across all indexers in a search peer group.

Answer 227

load balance

Question 228

The management port is required when adding a search peer to a search head.

Answer 228

True

Question 229

DMC stands for

Answer 229

Distributed Management Console

Question 230

In most Splunk deployments, _________ serve as the primary way data is supplied for indexing.

Answer 230

forwarders

Question 231

Search strings are sent from the

Answer 231

Search head

Question 232

Forwarders are typically installed on __________

Answer 232

Machines where the data originates

Question 233

A server acting as a ___________ require the same hardware as a single deployment server.

Answer 233

Indexer

Question 234

Splunk Enterprise can be installed virtual environments.

Answer 234

True

Question 235

In a windows environment, a local system user will have access to:

Answer 235

all data on the local system

Question 236

Search requests are processed by the ____________.

Answer 236

Indexer

Question 237

____________ is the system process that handles indexing, searching, forwarding and the web interface for Splunk Enterprise.

Answer 237

Splunkd

Question 238

Splunk Enterprise should always be run as root in a *NIX environment.

Answer 238

False

Question 239

It is suggested that you have a single deployment instance available for _________.

Answer 239

testing and development

Question 240

A total of ____ cores are recommended per search head.

Answer 240

16

Question 241

This component is NOT installed from the Splunk Enterprise Package.

Answer 241

Universal Forwarder

Question 242

Splunk Enterprise deployment typically has ___ processing tiers.

Answer 242

3

Question 243

The segment of the data pipeline that stores user’s knowledge objects is the _______ segment.

Answer 243

indexing

Question 244

Any editing done to .conf files should be done in the _____ directory.

Answer 244

local

Question 245

The default management port for Splunkd is:

Answer 245

8089

Question 246

Search Heads require more _____ than indexers.

Answer 246

CPU Power

Question 247

The .conf files can only be edited using the Splunk web interface.

Answer 247

False

Question 248

Event separation happens during the __________ segment of the data pipeline.

Answer 248

parsing

Question 249

Events are written to disk during the ____ segment of the data pipeline.

Answer 249

indexing

Question 250

A license violation causes all data to stop being indexed.

Answer 250

False

Question 251

The functions of the data pipeline vary drastically depending on the deployment.

Answer 251

False

Question 252

Parsing and Indexing are both part of the ____ processing tier.

Answer 252

Indexing

Question 253

You can click a search term in the results to add it to the search class.

Answer 253

True

Question 254

The Splunk search language supports the ? wildcard.

Answer 254

False

Question 255

Using the export function, you can export an unlimited number of results.

Answer 255

True

Question 256

Field NAMES are case sensitive

Answer 256

True

Question 257

This search user=* displays only events that contain a value for user

Answer 257

True

Question 258

The following searches will return the same results: SEARCH 1: web AND error SEARCH 2: web and error

Answer 258

False

Question 259

Field names are case…

Answer 259

sensitive

Question 260

Use this command to exclude fields used in the search to make the results easier to read.

Answer 260

fields -

Question 261

These users can create objects that are shared across ALL apps

Answer 261

admin

Question 262

Machine data is always structured

Answer 262

False

Question 263

Machine data makes up __% of the data accumulated by organizations

Answer 263

90

Question 264

Machine data is only log files on web servers

Answer 264

False

Question 265

The index does not play a major role in Splunk

Answer 265

False

Question 266

Data is broken into single events by ___

Answer 266

Sourcetype

Question 267

Time stamp are stored ____

Answer 267

in a consistent format

Question 268

which role defines what apps a user will see by default

Answer 268

admin

Question 269

which two apps ship with Splunk Enterprise

Answer 269

Search & Reporting, Home App

Question 270

What is the most efficient way to filter events in Splunk?

Answer 270

By time

Question 271

When search is run, events are returned in ____

Answer 271

reverse chronological order

Question 272

which is not a valid option when editing a report?

Answer 272

Rename

Question 273

Wildcards can be used with field value searches

Answer 273

True

Question 274

A power user can allow read/write permissions on a report

Answer 274

True

Question 275

If we want to see events after running a transforming command, we need to switch to this mode.

Answer 275

Verbose

Question 276

Charts can be based on numbers, time or location

Answer 276

True

Question 277

_____ are searches gathered together into a single pane of glass

Answer 277

Dashboards

Question 278

Pivots can not be saved as reports or dashboard panels

Answer 278

False

Question 279

The instant pivot button is displayed in the statistics and visualization tabs when a ____ search is used

Answer 279

non-transforming

Question 280

These are knowledge objects that provide the data structure for pivot

Answer 280

Data models

Question 281

You can think of adding child data model objects as an ___ boolean in the Splunk search engine

Answer 281

AND

Question 282

Unlike pivot, reports created with instant pivot can not be saved.

Answer 282

False

Question 283

which role can create data models?

Answer 283

admin

Question 284

Splunk breaks down data input into individual ___

Answer 284

events

Question 285

From the search jobs page, you can click the job link to ___

Answer 285

view the results of the instance of that search

Question 286

Fields are searchable key/value pairs

Answer 286

True

Question 287

Field have names

Answer 287

True

Question 288

Default Fields are added to every event

Answer 288

True

Question 289

Administrators CANNOT configure default fields

Answer 289

True

Question 290

The interesting fields in the field sidebar will be the same for every search against the same index

Answer 290

False

Question 291

Interesting fields are those that have values in over 20% of events

Answer 291

True

Question 292

which search mode returns all event and field data?

Answer 292

verbose mode

Question 293

Select this in the field sidebar to automatically pipe your search results to the timechart command

Answer 293

top values by time

Question 294

How can you view all sourcetypes?

Answer 294

Click Data Summary in the Searching & Reporting app

Question 295

What is shown in the Data Summary?

Answer 295

Host, Sources, and Sourcetypes on separate tabs

Question 296

What timezone is data displayed for, in searches?

Answer 296

The local timezone set in your profile.

Question 297

Search terms are case sensitive or insensitive?

Answer 297

insensitive

Question 298

What booleans are supported in splunk search?

Answer 298

AND, OR, NOT

Question 299

Symbol for “does not equal”

Answer 299

!=

Question 300

Current search time is 09:37:12. What is the time range equation to search back 5 minutes on the minute?

Answer 300

-5m@m

Question 301

What are the commands for specifying a time range in a search string?

Answer 301

earliest and latest

eg: earliest=-h latest=@d

Question 302

Does narrowing the time range by dragging the selection bars across the timeline re-execute the search?

Answer 302

No, it only filters the results

Question 303

How does Splunk discover fields?

Answer 303

Based on sourcetype and key/value pairs found in the data.

Question 304

What is the default search mode?

Answer 304

Smart

Question 305

True/False: Splunk is subnet/CIDR aware for IP fields?

Answer 305

True

Question 306

When should quotes be used around values in search?

Answer 306

When including spaces or special characters

Question 307

What command allows you to include/exclude fields in your search?

Answer 307

fields

Question 308

How can you reduce the returned results with the sort command?

Answer 308

The limit option

e.g: | sort limit=20 -categoryID, product_name

Question 309

What command returns the least common field values?

Answer 309

rare

Question 310

What command allows you to calculate statistics on data that matches your search criteria?

Answer 310

stats

Question 311

What option allows you to rename fields, within the stats command?

Answer 311

as

Question 312

What stats command shows all field values for a given field?

Answer 312

list

Question 313

What stats command shows all unique field values for a given field?

Answer 313

values

Question 314

To get multi-series tables you need to set up the underlying search with commands like…

Answer 314

chart or timechart

Question 315

What is the transforms.conf flag to switch whether or not a lookup field value is case-sensitive or not?

Answer 315

case_sensitive_match

Question 316

Where can you view a list of all Tags?

Answer 316

Settings > Tags > List by field value pair

Question 317

A method of categorizing events based on a search

Answer 317

Event Type

Question 318

True/False. Machine data is always structured.

Answer 318

False

Question 319

True/False. Machine data is only generated by web servers.

Answer 319

False

Question 320

What are the three main processing components of Splunk?

Answer 320

Indexers, Forwarders, Search Heads

Question 321

What are search requests processed by?

Answer 321

Indexer

Question 322

Which function is not a part of a single instance deployment?

Answer 322

Clustering

Question 323

In most Splunk deployments, ________ serve as the primary way data is supplied for indexing.

Answer 323

Forwarders

Question 324

What does a single-instance deployment of Splunk Enterprise handle?

Answer 324

Input, Parsing, Indexing, and Searching

Question 325

_________ define what users can do in Splunk.

Answer 325

Roles

Question 326

This role will only see their own knowledge objects and those that have been shared with them.

Answer 326

User

Question 327

Splunk uses ________ to categorize the type of data being indexed.

Answer 327

source type

Question 328

True/False. The monitor input option will allow you to continuously monitor files.

Answer 328

True

Question 329

Files indexed using the the upload input option get indexed _____.

Answer 329

once

Question 330

Splunk knows where to break the event, where the time stamp is located and how to automatically create field value pairs using these.

Answer 330

Source types

Question 331

In most production environments, _______ will be used as your the source of data input.

Answer 331

forwarders

Question 332

Which following search mode toggles behavior based on the type of search being run?

Answer 332

Smart

Question 333

True/False. The time stamp you see in the events is based on the time zone in your user account.

Answer 333

True

Question 334

Having separate indexes allows:

Answer 334

Multiple retention policies, ability to limit access, and faster searches.

Question 335

True/False. Time to search can only be set by the time range picker.

Answer 335

False

Question 336

This symbol is used in the “Advanced” section of the time range picker to round down to nearest unit of specified time.

Answer 336

@

Question 337

As a general practice, exclusion is better than inclusion in a Splunk search.

Answer 337

False

Question 338

True/False. Excluding fields using the Fields Command will benefit performance.

Answer 338

False

Question 339

Would the ip column be removed in the results of this search? sourcetype=a* | rename IP as “User” | fields - ip

Answer 339

No, because the name was changed.

Question 340

Which command removes results with duplicate field values?

Answer 340

dedup

Question 341

What command would you use to remove the status field from the returned events? sourcetype=a* status=404 | ________ status

Answer 341

fields -

Question 342

How would you show the top five vendors without showing the percentage field?

Answer 342

… | top Vendor limit=5 showperc=f

Question 343

How would you show the top five vendors, rename the count field to “Number of Sales”, and add a row for the number of sales of vendors not listed in the top five?

Answer 343

… | top Vendor limit=5 countfield=”Number of Sales” userother=t

Question 344

How would you search for the top three products sold by each vendor?

Answer 344

… | top product_name by Vendor limit=3 countfield=”Number of Sales” showperc=f

Question 345

How would you show the top five vendors that sold the least amount of product?

Answer 345

… | rare Vendor limit=5 showcount”Number of Sales” showperc=f useother=t

Question 346

How would you show the five games that sold the least by each of the vendors?

Answer 346

… | rare product_name by Vendor limit=5 showcount=”Number of Sales” showperc=f useother=t

Question 347

How would you count the number of failed logins? Change the column name to “Potential Issues”.

Answer 347

… | stats count as “Potential Issues”

Question 348

How would you count the number of events that contain a vendor action field? Also count the total number of events.

Answer 348

… | stats count(vendor_action) as ActionEvents, count as TotalEvents

Question 349

How would you count the number of events by user, app, and vendor?

Answer 349

… | stats count by user, app, vendor_action

Question 350

How many unique websites have your employees visited, displayed as “Websites visited”?

Answer 350

… | stats dc(s_hostname) as “Websites visited:”

Question 351

How much bandwidth did employees spend at each website? This needs to be sorted in descending order.

Answer 351

… | stats sum(sc_bytes) as Bandwidth by s_hostname | sort -Bandwidth

Question 352

How would you show the number of units sold by a vendor for each specific product as well as the average selling price?

Answer 352

… | stats count as “Units Sold” avg(sale_price) as “Average Selling Price” by product_name

Question 353

How would you show each unique website a user has visited?

Answer 353

… | stats value(s_hostname) by cs_username

Question 354

Which stats function would you use to find the average value of a field?

Answer 354

avg

Question 355

To display the most common values in a specific field, what command would you use?

Answer 355

top

Question 356

True/False. A time range picker can be included in a report.

Answer 356

True

Question 357

True/False. Charts can be based on numbers, time, or location.

Answer 357

True

Question 358

If a search returns this, you can view the results as a chart.

Answer 358

Statistical Values

Question 359

The instant pivot button is displayed in the statistics and visualization tabs when a _______ search is run.

Answer 359

non-transforming

Question 360

True/False. A lookup is categorized as a dataset.

Answer 360

True

Question 361

To keep from overwriting exiting fields with your Lookup you can use the ____________ clause.

Answer 361

outputnew

Question 362

In a dashboard, a time range picker will only work on panels that include a(n) __________ search.

Answer 362

inline

Question 363

True/False. Pivots can be saved as dashboards panels.

Answer 363

True

Question 364

These are knowledge objects that provide the data structure for pivot.

Answer 364

Data models

Question 365

External data used by a Lookup can come from sources like:

Answer 365

CSV, scripts, geospatial data

Question 366

True/False. When zooming on the event timeline, a new search is run.

Answer 366

False

Question 367

Search strings are sent from the _________.

Answer 367

search head

Question 368

True/False. Events are always returned in chronological order.

Answer 368

False

Question 369

These roles can create reports:

Answer 369

Admin, Power, User

Question 370

Which role(s) can create data models?

Answer 370

Admin, power

Question 371

Adding child data model objects is like the ______ Boolean in the Splunk search language.

Answer 371

AND

Question 372

When using a .csv file for Lookups, the first row in the file represents this.

Answer 372

field names

Question 373

True/False. Alerts can be shared to all apps.

Answer 373

True

Question 374

True/False. Alerts can send an email.

Answer 374

True

Question 375

The default username and password for a newly installed Splunk instance is:

Answer 375

admin and changeme

Question 376

When a search is sent to splunk, it becomes a _____.

Answer 376

search job

Question 377

True/False. Field values are case sensitive.

Answer 377

False

Question 378

Which clause would you use to rename the count field?

Answer 378

as

Question 379

True/False. Real-time alerts will run the search continuously in the background.

Answer 379

True

Question 380

True/False. Alerts can run uploaded scripts.

Answer 380

True

Question 381

A search job will remain active for ___ minutes after it is run.

Answer 381

10

Question 382

True/False. You can launch and manage apps from the home app.

Answer 382

True

Question 383

The User role cannot create reports.

Answer 383

False

Question 384

Shared search jobs remain active for _______ by default.

Answer 384

7 days

Question 385

Pivots cannot be saved as reports panels. T/F

Answer 385

False

Question 386

Once an alert is created, you can no longer edit its defining search. T/F

Answer 386

False

Question 387

Returns a multivalued field that contains a list of the commands used in X

Basic example
The following example returns a multivalued field X, that contains ‘search’, ‘stats’, and ‘sort’.

… | eval x=commands(“search foo | stats count | sort count”)

Answer 387

commands(x)

Question 388

Returns a multivalue result based on all of values specified.

Basic example
… | eval fullName=mvappend(initial_values, “middle value”, last_values)

Answer 388

mvcount(MVFIELD)

Question 389

Removes all of the duplicate values from a multivalue field.

Basic example
… | eval s=mvdedup(mvfield)

Answer 389

mvdedup(X)

Question 390

Filters a multivalue field based on an arbitrary Boolean expression X.

Basic examples
The following example returns all of the values in field email that end in .net or .org.

… | eval n=mvfilter(match(email, “.net$”) OR match(email, “.org$”))

Answer 390

mvfilter(X)

Question 391

Finds the index of a value in a multivalue field that matches the REGEX.

Basic example
… | eval n=mvfind(mymvfield, “err\d+”)

Answer 391

mvfind(MVFIELD,”REGEX”)

Question 392

Returns a set of values from a multivalue field described by STARTINDEX and ENDINDEX.

Basic examples
Because indexes start at zero, the following example returns the third value in “multifield”, if the value exists.

… | eval n=mvindex(multifield, 2)

Answer 392

mvindex(MVFIELD,STARTINDEX,ENDINDEX)

Question 393

Takes all of the values in a multivalue field and appends them together delimited by STR.

The following search creates the base field with the values. The search then creates the joined field by using the result of the mvjoin function.

… | eval base=mvrange(1,6), joined=mvjoin(‘base’,” OR “)

Answer 393

mvjoin(MVFIELD,STR)

Question 394

Creates a multivalue field with a range of numbers between X and Y, incrementing by Z.

Basic examples
The following example returns a multivalue field with the values 1, 3, 5, 7, 9.

… | eval mv=mvrange(1,11,2)

Answer 394

mvrange(X,Y,Z)

Question 395

Returns the values of a multivalue field sorted lexicographically.

Basic example
… | eval s=mvsort(mvfield)

Answer 395

mvsort(X)

Question 396

Takes two multivalue fields, X and Y, and combines them by stitching together the first value of X with the first value of field Y, then the second with the second, and so on. The third argument, Z, is optional and is used to specify a delimiting character to join the two values. The default delimiter is a comma.

Basic example
… | eval nserver=mvzip(hosts,ports)

Answer 396

mvzip(X,Y,”Z”)

Question 397

Returns an mvfield spitting X by the delimited character Y

Basic example
… | eval n=split(foo, “;”)

Answer 397

split(X,”Y”)

Question 398

In most production environments, _______ will be used as your the source of data input.

Answer 398

Forwarders

Question 399

Splunk knows where to break the event, where the time stamp is located and how to automatically create field value pairs using these.

Answer 399

Source types

Question 400

Splunk uses ________ to categorize the type of data being indexed.

Answer 400

Sourcetypes

Question 401

The monitor input option will allow you to continuously monitor files.

Answer 401

True

Question 402

When zooming in on the event time line, a new search is run.

Answer 402

False

Question 403

When a search is sent to splunk, it becomes a _____.

Answer 403

Search job

Question 404

The time stamp you see in the events is based on the time zone in your user account.

Answer 404

True

Question 405

These are booleans in the Splunk Search Language.

Answer 405

And
Not
Or

Question 406

Having separate indexes allows:

Answer 406

Multiple retention policies
Ability to limit access
Faster Searches

Question 407

Which command removes results with duplicate field values?

Answer 407

Dedup

Question 408

Which one of these is not a stats function?

Answer 408

addtotals

Question 409

Data models are made up of ___________.

Answer 409

Datasets

Question 410

Which role(s) can create data models?

Answer 410

Power

Admin

Question 411

A lookup is categorized as a dataset.

Answer 411

True

Question 412

When using a .csv file for Lookups, the first row in the file represents this.

Answer 412

Field names

Question 413

Finish this search command so that it displays data from the http_status.csv Lookup file.

Answer 413

inputlookup

Question 414

External data used by a Lookup can come from sources like:

Answer 414

Geospatial data
CSV files
Scripts

Question 415

To keep from overwriting existing fields with your Lookup you can use the ____________ clause.

Answer 415

outputnew

Question 416

Real-time alerts will run the search continuously in the background.

Answer 416

True

Question 417

Once an alert is created, you can no longer edit its defining search.

Answer 417

False

Question 418

Alerts can be shared to all apps.

Answer 418

True

Question 419

Alerts can send an email.

Answer 419

True

Question 420

How do you use exact phrases?

Answer 420

Double quotes around the exact word or phrase (CS)

Question 421

What are the properties of Fields?

Answer 421

Field value pairs are used to search an extracted field (Field name CS, Field value CI)

Question 422

What are the comparison operators available to use in Splunk search language and what a…….

Answer 422

=, !=, , >=

Question 423

What are Splunk Search Terms

Answer 423

• Keywords
• Booleans
• Phrases
• Fields
• Wildcards
• Comparison Operators
• time
• specificity - the more you tell the search engine, the better your results
• inclusion is better than exclusion

Question 424

What are Commands?

Answer 424

Commands tell Splunk what we want to do with the search results such as:

• creating charts
• computing statistics
• formatting

Question 425

True/False. Machine data is always structured.

Answer 425

False

Question 426

True/False. Machine data is only generated by web servers.

Answer 426

False

Question 427

What are search requests processed by?

Answer 427

Indexer

Question 428

In most Splunk deployments, ________ serve as the primary way data is supplied for indexing.

Answer 428

Forwarders

Question 429

What does a single-instance deployment of Splunk Enterprise handle?

Answer 429

Input, Parsing, Indexing, and Searching

Question 430

True/False. The monitor input option will allow you to continuously monitor files.

Answer 430

True

Question 431

How would you show the top five vendors without showing the percentage field?

Answer 431

… | top Vendor limit=5 showperc=f

Question 432

How would you show the top five vendors, rename the count field to “Number of Sales”, and add a row for the number of sales of vendors not listed in the top five?

Answer 432

.. | top Vendor limit=5 countfield=”Number of Sales” userother=t

Question 433

How would you search for the top three products sold by each vendor?

Answer 433

… | top product_name by Vendor limit=3 countfield=”Number of Sales” showperc=f

Question 434

How would you show the top five vendors that sold the least amount of product?

Answer 434

… | rare Vendor limit=5 showcount”Number of Sales” showperc=f useother=t

Question 435

How would you show the five games that sold the least by each of the vendors?

Answer 435

… | rare product_name by Vendor limit=5 showcount=”Number of Sales” showperc=f useother=t

Question 436

How would you count the number of failed logins? Change the column name to “Potential Issues”.

Answer 436

… | stats count as “Potential Issues”

Question 437

How would you count the number of events that contain a vendor action field? Also count the total number of events.

Answer 437

… | stats count(vendor_action) as ActionEvents, count as TotalEvents

Question 438

How would you count the number of events by user, app, and vendor?

Answer 438

… | stats count by user, app, vendor_action

Question 439

How many unique websites have your employees visited, displayed as “Websites visited”?

Answer 439

… | stats dc(s_hostname) as “Websites visited:”

Question 440

How much bandwidth did employees spend at each website? This needs to be sorted in descending order.

Answer 440

… | stats sum(sc_bytes) as Bandwidth by s_hostname | sort -Bandwidth

Question 441

How would you show the number of units sold by a vendor for each specific product as well as the average selling price?

Answer 441

… | stats sum(sc_bytes) as Bandwidth by s_hostname | sort -Bandwidth

Question 442

How would you show each unique website a user has visited?

Answer 442

… | stats value(s_hostname) by cs_username

Question 443

What attributes describe the field: a dest 4

Answer 443

String value, contains 4 values

Question 444

True/False. You can launch and manage apps from the home app.

Answer 444

True

Question 445

The User role cannot create reports.

Answer 445

False

Question 446

A Splunk Enterprise term that describes any Unix or Linux-based system.

Answer 446

nix

Question 447

A type of custom alert action that conforms to the common action model.

Answer 447

adaptive response action

Question 448

A type of app that runs on the Splunk platform and provides specific capabilities to other apps, such as getting data in, mapping data, or providing saved searches and macros. An add-on is not typically run as a standalone app. Instead, an add-on is a reusable component that supports other apps across a number of different use cases.

Answer 448

add-on

Question 449

An unscheduled search

Answer 449

ad hoc search

Question 450

Uses a saved search to look for events in real time or on a schedule.

Answer 450

alerts

Question 451

A response, such as an email notification or webhook, to alert triggering or report completion.

Answer 451

alert action

Question 452

An alternate name that you assign to a field, allowing you to use that name to search for events that contain that field.

Answer 452

alias

Question 453

An application that runs on Splunk Enterprise and typically addresses several use cases.

Answer 453

app

Question 454

Provides a way to save and retrieve data within your Splunk apps as collections of key-value pairs, letting you manage and maintain the state of your apps and store additional information.

Answer 454

App Key Value Store

Question 455

a file generated by the Packaging Toolkit to describe a Splunk app, including dependencies and input groups.

Answer 455

app manifest

Question 456

The action of adding to and maintaining a collection of historical data.

Answer 456

archiving

Question 457

An event generated when an audited activity is performed in Splunk Enterprise.

Answer 457

audit event

Question 458

A type of field extraction that uses the KV_MODE attribute in props.conf to automatically extract fields for events associated with a specific host, source, or source type.

Answer 458

Automatic key value field

Question 459

A search on which you can base multiple similar searches.

Answer 459

base search

Question 460

A filtering rule that excludes one or more members from a set.

Answer 460

blacklist

Question 461

A data structure that you use to test whether an element is a member of a set.

Answer 461

bloom filter

Question 462

A file system directory containing a portion of a Splunk Enterprise index.

Answer 462

bucket

Question 463

is the remedial activity that occurs when a peer node goes offline.

Answer 463

bucket fixing

Question 464

A tool which dynamically creates event types based on the analysis of a selected event.

Answer 464

Build Event Type utility

Question 465

A field that represents the output of an eval expression.

Answer 465

calculated field

Question 466

A user action within Splunk Enterprise.

Answer 466

capability

Question 467

A method for displaying and working with language characters on computer systems.

Answer 467

character set encoding

Question 468

The container for a set of data in an App Key Value Store, similar to a database table where each record has a unique key. Collections exist within the context of a given app.

Answer 468

collection

Question 469

The Splunk Enterprise command-line interface (CLI) is a text interface that you use to enter system commands, edit configuration files, and run searches.

Answer 469

command-line interface

Question 470

A Splunk utility that can be run from the command-line interface (CLI) to troubleshoot a Splunk Enterprise deployment.

Answer 470

command-line tool

Question 471

A set of preconfigured data models that you can apply to your data at search time.

Answer 471

Common Information Model (CIM)

Question 472

A support service level that entitles the user to public information sources for questions about Splunk Enterprise.

Answer 472

Community support

Question 473

A data routing scenario where a forwarder selectively sends event data to receivers based on patterns in the event data.

Answer 473

conditional routing

Question 474

How does Splunk help with Machine Data?

Answer 474

Index Data, Search and Investigate, Add Knowledge, Monitor and Alert, and Report & Analyze

Question 475

Index

Answer 475

Collects data from any source. As data enters, inspectors go to work. Determines how to process the data. When it is matched it is labeled with a source type. Data is then broken into single events. Time stamps are identified and normalized to a consistent format. Events then stored in Splunk index where they can be searched.

Question 476

Search

Answer 476

Find values across multiple sources allowing to analyze and run statistics.

Question 477

Knowledge

Answer 477

Add knowledge objects to data. Effects how data is interpreted. Classified and enriched, and normalized for future use.

Question 478

Monitor & Alert

Answer 478

Can Monitor infrastructure in real time to identify issues, problems, and attacks before they impact customers and services. Create alerts and automatically respond with a variety of actions.

Question 479

Reports

Answer 479

Provides reports and the ability to do dashboards empowering groups in the organization by giving them the information they need organized into a single pane.

Question 480

Forwarder Characteristics

Answer 480

(1) Require minimal resources, (2)little impact on performance, (3) Reside on the machine where the data originates.

Question 481

Splunk Deployment Scalibility

Answer 481

Single Instance to a full distributed infrastructure.

Question 482

Single Instance Deployment Splunk Instance

Answer 482

Input, Parsing, Indexing and Searching

Question 483

When would you use a single-instance deployment

Answer 483

Perfect environment for proof of concept, personal use, learning, and night serve the need of small department-sized environments.

Question 484

What would we have to do in a Full Scale Infrastructure Deployment?

Answer 484

Split the functionality across multiple specialized instances of Splunk enterprise. Add forwarders to send data to our indexers and eventually add multiple search heads and indexers to increase our indexing and search capacity. Search heads and indexes can also be clustered making sure data is always available and searchable.

Question 485

Search requests are processed by?

Answer 485

Indexers

Question 486

In most Splunk Deployments, this servers as the primary way data is supplied for indexing.

Answer 486

Forwarder

Question 487

Reasons to Split Indexes

Answer 487

Separate indexes can make searches faster. Limits data amount Splunk searches. Returns events only from that index.Multiple indexes allow limiting access by user role in order to control who sees what data. Also helps with retention policies

Question 488

Search

Answer 488

Limiting a search to time frame is a best practice.

Question 489

Commands that Create Statistics and Visualizations

Answer 489

Called Transforming Commands which transform data into data tables.

Question 490

Time for Search Job

Answer 490

By default will remain active for 10 minutes

Question 491

Time for Shared Search Job

Answer 491

Remain active for 7 days

Question 492

Escaping characters in Search

Answer 492

add backslash info=”keyword1"keyword2"not in db”

Question 493

Best Practices

Answer 493

Search by Time, inclusion is better than exclusion,filter command as early as possible in search,

Question 494

Splunk Search Language Sytnax

Answer 494

1. Search Terms. 2. Commands. 3. Functions 4. Arguments 5. Clauses

Question 495

Commands

Answer 495

Tells Splunk what we want to do with Search Results such as creating charts, computing statisitcs, and formatting

Question 496

Functins

Answer 496

Explain how we want to chart, compute, and evaluate the results.

Question 497

Arguments

Answer 497

Variables we want to apply to the functions

Question 498

Clauses

Answer 498

Explain how we want the results grouped or defined.

Question 499

Search Language Example

Answer 499

Search Term, Commands, Functions

Question 500

Splunk has four important components, what are they?

Answer 500

Indexer - It indexes the machine data
Forwarder - Refers to Splunk instances that forward data to the remote indexers
Search Head - Provides GUI for searching
Deployment Server -Manages the Splunk components like indexer, forwarder, and search head in computing environment

Question 501

What are the types of Splunk forwarder?

Answer 501

Universal Forwarders - It performs processing on the incoming data before forwarding it to the indexer.
Heavy Forwarders - It parses the data before forwarding them to the indexer works as an intermediate forwarder, remote collector.

Question 502

What are the categories of SPL commands?

Answer 502

Sorting Results
Filtering Results
Grouping Results.
Filtering, Modifying and Adding Fields
Reporting Results

Question 503

What are common port numbers used by Splunk?

Answer 503

Splunk Management Port 8089
Splunk Index Replication Port 8080
KV store 8191
Splunk Web Port 8000
Splunk Indexing Port 9997
Splunk network port 514

Question 504

What are Splunk buckets?

Answer 504

A directory that contains indexed data is known as a Splunk bucket. It also contains events of a certain period.

Question 505

Explain the bucket lifecycle ?

Answer 505

Bucket lifecycle includes following stages:
Hot - It contains newly indexed data and is open for writing. For each index, there are one or more hot buckets available
Warm - Data rolled from hot
Cold - Data rolled from warm
Frozen - Data rolled from cold. The indexer deletes frozen data by default but users can also archive it.
Thawed - Data restored from an archive. If you archive frozen data , you can later return it to the index by thawing (defrosting) it.

Question 506

Define a Sample Failed password query

Answer 506

fail* password | stats count by src, dest, user, sourcetype | sort - count | where count > 2

Question 507

In Linux, how do you start Splunk from a command line?

Answer 507

bin Directory, ./splunk start

Question 508

Which command is used to create chart for map?

Answer 508

geostats

Question 509

Which chart is not used for single value?

Answer 509

bar

Question 510

Which tag is not the part to implement drilldown?

Answer 510

lable

Question 511

Which tag is used to create input in form in simple xml?

Answer 511

fieldset

Question 512

Which tag is used for search string in simplexml for dashboard?

Answer 512

query

Question 513

What are the 3 main Splunk Bucket Types and their read/write and Backup abilities?

Answer 513

Hot -R/W-NoBackups | Warm-ROnly-YesBackups | Cold-ROnly-YesBackups

Question 514

Storage Bucket locations?

Answer 514

Host & Warm: $SPLUNK_HOME/var/lib/splunk/defaultdb/db/*
Cold ~defaultdb/colddb/*
Thawed ~ defualtdb/thaweddb/*

Question 515

Where does frozen bucket get stored?

Answer 515

N/A Frozen data gets deleted or archived into a directory location you specify.

Question 516

The location where Splunk log files are stored?

Answer 516

$SPLUNK_HOME/var/log/splunk

Question 517

True/False: Splunk stores log file in splunkd.log under $SPLUNK_HOME/var/log/splunk/

Answer 517

True - Splunk stores log file in splunkd.log under $SPLUNK_HOME/var/log/splunk/

Question 518

Parsing can be done in which conf file? Inputs, Props Only? Transforms only? Props & transforms?

Answer 518

Parsing can be done in Props & transforms.

Question 519

If I want to change the default Splunk data store location, I need to modify which file?

Answer 519

Modify the splunk-launch.conf to change the defualt splunk data store location.

Question 520

Which conf file is used to create index in splunk? [Index.conf, indexes.conf, indexes, index]

Answer 520

indexes.conf is used to create index in splunk

Question 521

In which file we need to add LDAP group details for authentication? Authorize.conf or Authentication.conf?

Answer 521

Authentication.conf is used to add LDAP groups.

Question 522

In which files are role mappings done?

Answer 522

authorize.conf

Question 523

What are macros in Splunk?

Answer 523

Search macros are reusable chunks of Search Processing Language (SPL) that you can insert into other searches. Macros you define, are stored in macros.conf

Question 524

How much disk space is required to store data in Splunk?

Answer 524

Splunk stores data in 2 type of files/directories 1) actual data in zip files takes ~15% of file size 2) index files takes ~35% of file size So around 50% of files size require to store that file and other than this space is required to store search results.

Question 525

what is summary index in splunk?

Answer 525

Summary index is used to give fast result of report/dashboard. You can store any cron/save search result in summary index so that you can reduce the data in summary index.

Question 526

What kind of information can we pull in via inputs.conf?

Answer 526

BATCH ("Upload a file" in Splunk Web):
TCP:
Data distribution:
UDP:
FIFO (First In, First Out queue):
Scripted Input:
File system change monitor (fschange monitor)
File system monitoring filters:
http: (HTTP Event Collector)
HTTP Event Collector (HEC) - Local stanza for each token
WINDOWS INPUTS:
Performance Monitor
Windows Event Log Monitor
Event Log whitelist and blacklist formats
Active Directory Monitor
Remote Queue Monitor
SQS specific settings
Windows Registry Monitor
Windows Host Monitoring

Question 527

Command to setup splunk heavy forwarder?

Answer 527

splunk enable app SplunkForwarder -auth :

Question 528

What is the Splunk precedence order Globally?

Answer 528

System local, App local, App default, System default.

Question 529

What is the Splunk precedence order within app or user context?

Answer 529

User Directories for current user, App Directories for current running app, App Dirs for all other apps, System Dirs.

Question 530

Migration: After moving Splunk index db, what would you edit to reflect this new location?

Answer 530

Edit $SPLUNK_HOME/etc/splunk-launch.conf

Question 531

What file sets limits on disk usage?

Answer 531

server.conf
[diskUsage]
minFreeSpace =

Question 532

What is the minimum free space in splunk?

Answer 532

5000MB or 5GB

Question 533

What is TSIDX file and how is it used?

Answer 533

A time-series index file; A tsidx file associates each unique keyword in your data with location references to events, which are stored in a companion rawdata file. Together, the rawdata file and its related tsidx files make up the contents of an index bucket.

Each search you run scans tsidx files for the search keywords and uses their location references to retrieve from the rawdata file the events to which those keywords refer. To speed up searches, bloom filters narrow the set of tsidx files that Splunk Enterprise must search to get accurate results.

Question 534

What Splunk file would be used to reduce TSIDX disk usage?

Answer 534

indexes.conf
[indexname]
enableTsidxreduction=True
timePeriodInSecBeforeTsidxReduction=86400

Question 535

What is a Bloom Filter?

Answer 535

A data structure that you use to test whether an element is a member of a set. Splunk Enterprise uses bloom filters to decrease the time it requires to retrieve events from the index. This strategy is effective when you search for rare terms.

In Splunk Enterprise, bloom filters work at the index bucket level. The filters rule out buckets that do not contain keywords from the search being run. Splunk Enterprise saves time searching by focusing on the tsidx files within the bucket where the search keywords exist.

Question 536

What Splunk files are used to manage Bloom filter retention and set Bloom Filter for specific index?

Answer 536

Retention is managed via limits.conf

Create bloom filter for specific index via indexes.conf

Question 537

Which file is used for role and mapping ?

Answer 537

Authorize.conf

Question 538

[True or False]You can not search the data in frozen stage of bucket?

Answer 538

True

Question 539

Attributes in indexes.conf to freeze data when it grows too old?

Answer 539

frozenTimePeriodInSecs

Question 540

Which splunk License does not exist?

Search head, forwarder, free, Splunk Enterprise?

Answer 540

Search head

Question 541

Which command is used only to delete index web data ?

Answer 541

splunk clean eventdata -index web

Question 542

What is the use of Add-on in splunk?

Answer 542

To Extract fields, parsing etc but do not provide dashboards.

Question 543

What rights does power role have?

Answer 543

Can Edit all saved searches, alerts, objects, ect

Question 544

What does can_delete role do?

Answer 544

Delete search or keyword

Question 545

Which function is not a part of a single instance deployment?

Answer 545

Clustering

Question 546

What does a single-instance deployment of Splunk Enterprise handle?

Answer 546

Input, Parsing, Indexing, and Searching

Question 547

What are the three main default roles in Splunk Enterprise?

Answer 547

User, Power, Admin

Question 548

_________ define what users can do in Splunk.

Answer 548

Roles

Question 549

Splunk uses ________ to categorize the type of data being indexed.

Answer 549

Source Type

Question 550

True/False. The monitor input option will allow you to continuously monitor files.

Answer 550

True

Question 551

Which following search mode toggles behavior based on the type of search being run?

Answer 551

Smart

Question 552

What is the order of evaluation for Boolean operations in Splunk?

Answer 552

NOT, OR, AND

Question 553

What file needs to be configured on Indexer to start receiving data and what port?

Answer 553

inputs.conf for port 9997

Question 554

Where is the servercalss.conf file stored and what does it do?

Answer 554

$SPLUNK_HOME/etc/system/local
Server classes are essentially categories. They use filters to control what clients they apply to, contain a set of applications, and may define deployment server behavior for the management of those applications.

Question 555

What is a fishbucket?

Answer 555

Used to decipher file input issues.
A subdirectory where Splunk software tracks how far into a file indexing has progressed, to enable the software to detect when data has been added to the file and resume indexing. The fishbucket subdirectory contains seek pointers and CRCs for indexed files.
default location /opt/splunk/var/lib/splunk

Question 556

How does the indexer store indexes?

Answer 556

As the indexer indexes your data, it creates a number of files. These files contain two types of data: The raw data in compressed form (rawdata) Indexes that point to the raw data, plus some metadata files (index files) Together, these files constitute the Splunk Enterprise index.

Question 557

[True/False]Deployment server push configuration files to deployment client

Answer 557

False

Question 558

Deployment client uses which configuration files to connect deployment server ?
serverclass.conf, deploymentclient.conf, inputs.conf, outputs.conf

Answer 558

deploymentclient.conf

Question 559

[True/False]The deployment server does not automatically deploy apps in response to direct edits of serverclass.conf

Answer 559

True

Question 560

A dedicated deployment server can handle how many clients ?

Answer 560

500 - 1000 Clients, even more than this and it depends of the periodicity, and the size of the bundles to deploy.

Question 561

What is Splunk DMC?

Answer 561

Distributed Management Console;
Dashboard providing insight to your deployment. Install on Search head(not rec for prod), License master, or Deployment server.

Question 562

Which stanza can be used to destroy a file after reading the file?[ fschange, monitor, batch, destroy ]

Answer 562

Batch - Use batch to set up a one time, destructive input of data from a source. For continuous, non-destructive inputs, use monitor. Remember, after the batch input is indexed, Splunk Enterprise deletes the file.

Question 563

To receive data from forwarder in indexer in inputs.conf file, which is used in stanza ? [ tcp, splunktcp, udp, forwardertcp ]

Answer 563

splunktcp

Question 564

What is splunk?

Answer 564

An application that ingests machine data, indexes it, and visualizes it for users to

Question 565

Why would I want to learn splunk?

Answer 565

The money in the field is great, the amount of data that can be analyzed is incredible, 70% of companies are transitioning into splunk, allows you to gain new insight, there is a community called ninjas that allows you to be interactive with, and its fun!

Question 566

What are the different flavors of spunk?

Answer 566

Enterprise, Cloud, Light

Question 567

What is a forwarder

Answer 567

A script that sends data from a device to the splunk device

Question 568

What is an event

Answer 568

A single entity such as an row in a table.

Or if you have an alert that comes into splunk which will be timestamped

Question 569

What is SPL

Answer 569

Splunk Processing Language

Question 570

and

Answer 570

a space is an implied ____ in a search string

Question 571

by default, search results are NOT returned in ____ order.

Answer 571

chronological, alphabetical, ascii

Question 572

Search controls that will NOT re-run a search

Answer 572

1. selecting a range of bars on the timeline
2. selecting a bar on the timeline
3. deselect

Question 573

Using the export function, you can export a maximum of 2000 results

Answer 573

false

Question 574

default fields are NOT added to every event in Splunk at INDEX time

Answer 574

false

Question 575

these kinds of fields are identified in your data at INDEX time.

Answer 575

default fields

Question 576

field discovery occurs at _____ time

Answer 576

search

Question 577

the fields sidebar does NOT show________

Answer 577

all extracted fields

Question 578

fast, optimized, verbose are all selectable search modes

Answer 578

false (fast, smart, verbose)

Question 579

only splunk admninistrators can assign selected fields

Answer 579

false

Question 580

which search mode automatically decides how to return fields based on your search?

Answer 580

smart

Question 581

splunk alerts are based on historical searches only

Answer 581

false

Question 582

splunk alerts can be based on searches that run ______

Answer 582

1. on a regular schedule

2. in real-time

Question 583

A real-time alert is __________

Answer 583

constantly running in the background

Question 584

dashboards are

Answer 584

views

Question 585

Running a scheduled saved report ___________

Answer 585

returns a fresh result set

Question 586

Once you create a report you can

Answer 586

1. add the report to a dashboard
2. open the report and edit it
3. accelerate slow running reports

Question 587

the stats command will create a _______ by default

Answer 587

table

Question 588

A pivot table is a _______

Answer 588

table, chart or visualization based on a datamodel set

Question 589

after you create a pivot you can save it as a ___________

Answer 589

1. dashboard panel

2. report

Question 590

which of the following would match this search? SEARCH: “accounting response”

Answer 590

accounting response for TradeID

Question 591

true about Splunk search language

Answer 591

1. treats field values in a case-INsensitive manner

2. allows searching on a keyword

Question 592

the following searches will NOT return the same results: search 1 purchase ==== search 2 action=purchase

Answer 592

true

Question 593

use this command to control which fields are extracted at search time and to (typically) improve search

Answer 593

fields -

Question 594

this command displays the least common values in a specific field

Answer 594

rare

Question 595

this command returns an unlimited number of results. search: error | top host limit =9999

Answer 595

false

Question 596

this list clause is used to group the output of a stats command by a specific name

Answer 596

rex

Question 597

which of the following will show the maximum bytes?

Answer 597

sourcetype=access_* | stats max(bytes)

Question 598

when a search returns _________, you can view the results as a list

Answer 598

statistical values

Question 599

clicking a segment on a chart ________________

Answer 599

adds the highlighted value to the search criteria

Question 600

lookups can be private for a user

Answer 600

true

Question 601

use this command to use lookup fields in a search and see the lookup fields in the field sidebar

Answer 601

inputlookup

Question 602

what is the correct order of steps for creating a new lookup?

Answer 602

1. create the lookup table
2. define the lookup
3. configure the lookup to run automatically

Question 603

in automatic lookup definitions, you can only have 3 output fields maximum

Answer 603

false

Question 604

lookups allow you to overwrite your raw event

Answer 604

true

Question 605

which of the following are responsible for collecting data and sending it for further processing?

Answer 605

forwarders

Question 606

which of the following are responsible for parsing incoming data and storing data on disc?

Answer 606

indexers

Question 607

which of the following are responsible for dispatching a search request?

Answer 607

search head

Question 608

it is not possible for a single instance of Splunk to manage the input, parsing, and indexing of machine data.

Answer 608

false

Question 609

two types of splunk indexes

Answer 609

raw data (full log files) 
index files (key keywords from logs)

Question 610

raw data

Answer 610

full log files

Question 611

index files

Answer 611

key keywords from logs

Question 612

splunk preconfigured indexes

Answer 612

main
_internal
_audit:

Question 613

_internal

Answer 613

Stores Splunk Enterprise internal logs and processing metrics.

Question 614

_audit

Answer 614

Contains events related to the file system change monitor, auditing, and all user search history

Question 615

main

Answer 615

This is the default Splunk Enterprise index. All processed data is stored here unless otherwise specified.

Question 616

Splunk indexer working can be divided in two stages:

Answer 616

parsing phase and indexing phase

Question 617

Parsing stage

Answer 617

While parsing splunk performs and extracts a set of default for each event like host, source, and sourcetype.

Question 618

Source

Answer 618

The source of an event is the name of the file, stream, or other input from which the event originates

Question 619

Sourcetype

Answer 619

The source type of an event is the format of the data input from which it originates like for windows .evt files from event viewer

Question 620

Host

Answer 620

An event’s host value is typically the hostname, IP address, or fully qualified domain name of the network host from which the event originated

Question 621

Configuring character set encoding

Answer 621

Its nothing but way of storing character/words in memory

Question 622

Identifying line termination using linebreaking rules

Answer 622

if your logs are very long or messy then it will break them in small parts easy to understand

Question 623

Identifying timestamps or creating them if they don’t exis

Answer 623

sort logs as per time or as they occurred.

Question 624

Indexing stage

Answer 624

Splunk indexing process:

a) Breaking all events into segments called buckets that can then be searched upon. You can determine the level of segmentation, which affects indexing and searching speed, search capability, and efficiency of disk compression.
b) Building the index data structures.

c) Writing the raw data and index files to disk, where post-indexing compression occurs
Splunk parsing and indexing phases

Question 625

How splunk stores Data?

Answer 625

Splunk stores all its data in directories on server called buckets. Buckets are nothing but directories on servers. A bucket moves through several stages as it ages - hot,warm,cold,frozen

Question 626

Hot

Answer 626

this is the directory where all data is written and the most recent data is kept here.
Warm - the next tier down, read only and likely still searched

Question 627

Cold

Answer 627

• rarely searched data as it has aged or been archived (rolled) to this bucket. While read only and still searchable, this is considered the archive tier.

Question 628

Frozen

Answer 628

this is data that is pushed to a dead media like tape or deleted. There is a thawing process possible if not deleted completely to allow data to be pushed back into higher tier buckets

Question 629

Freeze data when an index grows too large

Answer 629

Set maxTotalDataSizeMB

Question 630

How to create new index in splunk?

Answer 630

There are multiple ways to create new index in splunk indexer. You can achieve it t through GUI/CLI or simply editing index.conf at
$splunk home/etc/system/local.

Simplest way is through GUI (front-end). If number of index are more then simply edit inputs.conf and add all index name to it. Below are steps for the same.

Question 631

How to create a new index using index.conf?

Answer 631

To add a new index, add a stanza to indexes.conf in $SPLUNK_HOME/etc/system/local, identified by the name of the new index.

For example:
[newindex] homePath= coldPath= thawedPath= …

Question 632

Props.conf is used to define following configurations

Answer 632

Configuring timestamp recognition
Convertig timeformat to our default timeformat
Configuring linebreaking for multiline events.
Setting up character set encoding
Defining manual filed extarction regex
Allowing processing of binary files.
Configuring event segmentation.
Overriding Splunk’s automated host and source type matching
Defining where to lookup for lookup table etc

Question 633

Location of props.conf:

Answer 633

/opt/splunk/etc/system/default/props.conf —>never edit this file as its conatians default configuration

/opt/splunk/etc/system/local/props.conf —–>We can edit this file for configurations

Question 634

How to configure props.conf in splunk?

Answer 634

There happens to be seven attributes you want to set in props.conf every time you bring data into Splunk

Question 635

TIME_PREFIX

Answer 635

This is the first attribute is used to tell Splunk where to start to look for the timestamp in your event.

Question 636

MAX_TIMESTAMP_LOOKAHEAD

Answer 636

Setting this attribute makes Splunk happy and run more efficiently because it will not have to spend any extra time and resources to find the time stamp. You can tell Splunk that your timestamp is 20 characters into your event so Splunk will not waste any time looking through the entire event.

Question 637

TIME_FORMAT

Answer 637

Many people “sleep” on this attribute and shouldn’t. It is very important to help Splunk interpret your data. With this attribute you are telling Splunk the format your time stamp is in using strptime Splunk will not have to try to figure out if 10/2/12 is October 2, 2012, February 10, 2012, or even something weird like December 2, 2010.

Question 638

SHOULD_LINEMERGE

Answer 638

this attribute is the leader and decision maker of the group. Depending on the value of this attribute, other attributes are required. This setting should be set to “false” and used along with the LINE_BREAKER attribute, which can greatly increase processing speed.

Question 639

LINE_BREAKER

Answer 639

This attribute looks the toughest and most intimidating. It identifies how your events should be broken apart. This is important because if this is not set correctly you can have data that is spread across multiple events. Using regular expressions, Splunk will look for that specific pattern and break up your events accordingly, and as mentioned before, this should be used in conjunction with SHOULD_LINEMERGE = false.

Question 640

TRUNCATE

Answer 640

• This attribute is nothing to sneeze at. Measured in bytes, this attribute limits the length of an event (line of data), and will break when the limit is met. The default value is 10000 so set this to 999999 bytes or more depending on the size of your event. Because your data is not being broken up into multiline events (given SHOULD_LINEMERGE = false) you will want to ensure your events do not get broken up incorrectly.

Question 641

TZ

Answer 641

the time zone attribute is probably the most forgotten of the group. You will want to set the time zone for each host in your Splunk environment. This will ensure the time is displayed correctly on your search head.

Question 642

what is a bucket in splunk?

Answer 642

• a bucket are directories on servers in splunk: hot, warm, cold, frozen, thawed.
• events within splunk are broken down into
  segments called buckets
• inside indexes, files, collection of databases, subdirectories

Question 643

9997

Answer 643

port open for indexing

Question 644

metadata

Answer 644

host, source, source type, time stamp

Question 645

case(X,”Y”,…)

Answer 645

Works like a case statement in shell scripting. This function takes pairs of arguments X and Y. The X arguments are Boolean expressions that will be evaluated from first to last. When the first X expression is encountered that evaluates to TRUE, the corresponding Y argument will be returned. The function defaults to NULL if none are true.

Question 646

An admin does what?

Answer 646

Install apps, create knowledge objects for all users (what apps a user will see by default)

Question 647

A power user does what?

Answer 647

Creates and shares knowledge objects for users of app, real-time searches

Question 648

A Splunk user does what?

Answer 648

Only see own knowledge objects and those shared to them.

Question 649

The seven main components in splunk searching and reporting?

Answer 649

1. Splunk bar
2. App bar
3. Search bar
4. Time range picker
5. How to search panel
6. What to search panel
7. Search History

Question 650

The time range picker is set to _________ by default.

Answer 650

All-time

Question 651

________ tab is default tab for searches

Answer 651

Event

Question 652

_______ mode discovery off for event searches. No event or field data for stats searches.

Answer 652

Fast

Question 653

______ mode all events and field data; switches to this mode after visualization

Answer 653

Verbose

Question 654

______ mode (default-based on search string data). Field discovery ON for event searches. No event or field data for stats searches.

Answer 654

Smart

Question 655

This search action button “Job V” does what?

Answer 655

Edit job settings, send job to background, inspect and delete job.

Question 656

Saved searches are set to ______ by default.

Answer 656

private

Question 657

________boolean is used if none is implied.

Answer 657

AND

Question 658

Exact phrases use______

Answer 658

quotes

Question 659

Use a _______ for searching a string with quotes in the string.

Answer 659

Backslash

Example: info=”user “chrisV4” not in database” info=”user"chrisV4" not in database “

Question 660

Three default search fields automatically selected?

Answer 660

Source, Host, Sourcetype

Question 661

_______ sidebar shows all field extracted at search time.

Answer 661

Fields

Question 662

_______ Fields appear in event, default-host, sourcetype, source

Answer 662

Selected

Question 663

Clicking on a field shows a list of _______, ________, and ________.

Answer 663

values, count, and percentage

Question 664

These fields can launch a quick report by clicking on them (4)

Answer 664

top values, top values by time, rare values, events with this field

Question 665

Use ______ to limit search to only one sourcetype

Answer 665

sourcetype=

Question 666

Field names _____ case sensitive- Values _______ case sensitive

Answer 666

are, are not

Question 667

The field operators are used with numerical string values (symbols)

Answer 667

= != –>

Question 668

These symbols are only used with numerical values?

Answer 668

> > = < <= –>

Question 669

Using _____ and ____ (symbols) would return the same results.

Answer 669

NOT, !=

Question 670

Use _______ to nest boolean searches

Answer 670

parenthesis

Question 671

When creating reports you can edit, clone, embed, and delete under the ______ tab

Answer 671

report

Question 672

What are the three ways to create visualizations?

Answer 672

1. Select a field from the fields sidebar
2. Use the pivot interface
3. Use the Splunk search language commands in the search bar with statistics and visualization tabs

Question 673

Save visual reports as _______ or _______

Answer 673

report or dashboard pannel

Question 674

Dashboards are searches gathered together and can use _______input or ________ visualization

Answer 674

form or custom

Question 675

Default time for pivot is ______

Answer 675

all the time

Question 676

_______ object is the main source of data

Answer 676

Root

Question 677

_______ object acts like an AND boolean

Answer 677

Child

Question 678

_________ pivot allows instant access to data without having a data model

Answer 678

Instant

Question 679

Search terms include (6)

Answer 679

Keywords, booleans, phrases, fields, wildcards, and comparisons.

Question 680

Comparison symbols

Answer 680

=, !=, <=, >, >=

Question 681

Best practices to use while searching in Splunk (4)

Answer 681

1. Time is the most efficient filter
2. More you tell search the better your results
3. Inclusion is better than exclusion
4. Filter as early as possible

Question 682

_____ are case insensitive.

components of search language

Answer 682

Search terms

Question 683

______ tell Splunk what we want to do with results (ex. stats)
(components of search language)

Answer 683

Commands

Question 684

______how we want to deal with results (ex. list)

components of search language

Answer 684

Functions

Question 685

______ variables to apply to function (ex. Product name)

components of search language

Answer 685

Arguments

Question 686

_______ how we want results defined.

components of search language

Answer 686

Clauses

Question 687

_____ is used to pass current results to the next component

Answer 687

Pipe

Question 688

_________ command works from left to right

Answer 688

Search

Question 689

Once and item is filtered _____ it is no longer available in the search string

Answer 689

Out

Question 690

_____ command include or exclude fields from search results.

Answer 690

Fields

Question 691

Exclude a field by using ______ symbol

Answer 691

minus (-)

Question 692

Primary fields _______ and _______ will always be extracted, but can also be removed by using the minus symbol

Answer 692

_time & _raw

Question 693

Field_____happens after field______only affecting displayed results.

Answer 693

exclusion, extraction

Question 694

________ command retains searched data in a tabulated format

Answer 694

table

Question 695

In regards to a rename command, once a field is renamed the ______ name is not available to later search commands

Answer 695

original

Question 696

This command removes events with duplicate values

Answer 696

Dedup

Question 697

This command displays results in ascending or descending order.

Answer 697

Sort

Question 698

This command combine fields from external sources to searched events, based on event field

Answer 698

Lookup

Question 699

This command produces statistics of a search result

Answer 699

Stats command

Question 700

This command shows number of events matching search criteria

Answer 700

Stats count

Question 701

This command is the sum of numerical value

Answer 701

Stats Sum command

Question 702

This is a command that preforms stats aggregation against time

Answer 702

Timechart command

Question 703

___ split data by an additional field

Answer 703

by

Question 704

Usenull = _____ will remove NULL values

Answer 704

f

Question 705

5 Main components of Splunk ES

Answer 705

Index Data, Search & investigate, Add knowledge, Monitor & Alert, Report & Analyze.

Question 706

len(x)

Answer 706

Description: This function returns the character length of a string X.

Basic example
… | eval n=len(field)

Question 707

lower(x)

Answer 707

Description: This function takes one string argument and returns the string in lowercase.

Basic example
The following example returns the value provided by the field username in lowercase.

… | eval username=lower(username)

Question 708

ltrim(x,y)

Answer 708

Description: This function takes one or two arguments X and Y, and returns X with the characters in Y trimmed from the left side. If Y is not specified, spaces and tabs are removed.

Basic example
The following example trims the leading spaces and all of the occurrences of the letter Z from the left side of the string. The value that is returned is x=”abcZZ “.

… | eval x=ltrim(“ ZZZZabcZZ “, “ Z”)

Question 709

replace(x,y,z)

Answer 709

Description: This function returns a string formed by substituting string Z for every occurrence of regex string Y in string X. The third argument Z can also reference groups that are matched in the regex.

Basic example: The following example returns date, with the month and day numbers switched. If the input is 1/14/2017 the return value would be 14/1/2017.

… | eval n=replace(date, “^(\d{1,2})/(\d{1,2})/”, “\2/\1/”)

Question 710

rtrim(x,y)

Answer 710

Description: This function takes one or two arguments X and Y, and returns X with the characters in Y trimmed from the right side. If Y is not specified, spaces and tabs are removed.

Basic example: The following example returns n=”ZZZZabc”.
… | eval n=rtrim(“ ZZZZabcZZ “, “ Z”)

Question 711

spath(x,y)

Answer 711

Description: This function takes two arguments, an input source field X and an spath expression Y, that is the XML or JSON formatted location path to the value that you want to extract from X.

Basic example: The following example returns the hashtags from a twitter event.

index=twitter | eval output=spath(_raw, “entities.hashtags”)

Question 712

substr(x,y,z)

Answer 712

Description: This function returns a substring of X, starting at the index specified by Y with the number of characters specified by Z. If Z is not provided, the function returns the rest of the string

Basic example: The following example concatenates “str” and “ing” together, returning “string”:

… | eval n=substr(“string”, 1, 3) + substr(“string”, -3)

Question 713

trim(x,y)

Answer 713

Description: This function takes one or two arguments X and Y and returns X with the characters in Y trimmed from both sides. If Y is not specified, spaces and tabs are removed.

Basic example: The following example returns “abc”.

… | eval n=trim(“ ZZZZabcZZ “, “ Z”)

Question 714

upper(x)

Answer 714

Description: This function takes one string argument and returns the string in uppercase.

Basic example: The following example returns the value provided by the field username in uppercase.

… | eval n=upper(username)

Question 715

urldecode(x)

Answer 715

Description: This function takes one URL string argument X and returns the unescaped or decoded URL string.

Basic example
The following example returns “http://www.splunk.com/download?r=header”.

… | eval n=urldecode(“http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fr%3Dheader”)

Question 716

A group of indexers configured to replicate each other’s data is called a ________.

Answer 716

Index Cluster

Question 717

__________ is often the biggest bottle neck in the Splunk indexing pipeline.

Answer 717

Disk I/O

Question 718

Search heads do not require as much ______ as indexers but require more _________.

Answer 718

1. disk space

2. CPU power

Question 719

Adding more machines no matter the hardware will make your deployment perform better.

Answer 719

False

Question 720

Splunk indexers and Search Heads on virtual machines should have ____ of the vCPU reserved to them.

Answer 720

100%

Question 721

Keeping ____ synchronized across your deployment, makes sure events are returned in the proper order.

Answer 721

time

Question 722

What command is used to start the Splunk Enterprise server?

Answer 722

./splunk start

Question 723

This command can be used to make Splunk start each time the server is booted.

Answer 723

./splunk enable boot-start

Question 724

When logging into Splunk Enterprise for the first time, a username of ______ and a password of are used.

Answer 724

1. admin

2. changeme

Question 725

The functions of the data pipeline vary drastically depending on the deployment.

Answer 725

False

Question 726

Splunk Enterprise licenses specify how much data you can index per __________.

Answer 726

day

Question 727

Any editing done to .conf files should be done in the ________ directory.

Answer 727

local

Question 728

The ________ index is used when an index is not specified at input time.

Answer 728

main

Question 729

Having multiple indexes allows:

Answer 729

Faster searches
Access limiting
Multiple retention policies

Question 730

As data is input into Splunk Enterprise, it is first placed into a ________ bucket.

Answer 730

hot

Question 731

Some differences between hot and warm buckets are:

Answer 731

Hot buckets are writable, warm buckets are not.
Hot buckets are searched first.
The naming convention.

Question 732

When a bucket is frozen, by default it is moved to a different location before deleting.

Answer 732

False

Question 733

The timezone setting in a user’s account will effect the timestamp shown in events.

Answer 733

True

Question 734

Only the ________ role can use the Delete Command by default.

Answer 734

can_delete

Question 735

When mixing authentication sources, scripted authentication will always take precedence.

Answer 735

False

Question 736

In most production environments, _______ will be used as your main source of data input.

Answer 736

forwarders

Question 737

Splunk uses ____________ to categorize the type of data being indexed.

Answer 737

sourcetypes

Question 738

The server that data is forwarded to is called the ______________.

Answer 738

receiver

Question 739

Indexing on a Heavy Forwarder does not affect your license.

Answer 739

False

Question 740

The following can be used to build apps for Splunk:

Answer 740

Simple XML
Splunk JavaScript
SDKs

Question 741

When migrating from a single instance deployment to a distributed environment, you will want to use the existing instance as an _______.

Answer 741

indexer

Question 742

An indexer in a distributed search environment is called a __________.

Answer 742

search peer

Question 743

It is a best practice to ____________ forwarders across all indexers in a search peer group.

Answer 743

load balance

Question 744

The management port is required when adding a search peer to a search head.

Answer 744

True

Question 745

Splunk Enterprise can be installed virtual environments.

Answer 745

True

Question 746

____________ is the system process that handles indexing, searching, forwarding and the web interface for Splunk Enterprise.

Answer 746

Splunkd

Question 747

Splunk Enterprise should always be run as root in a *NIX environment.

Answer 747

False

Question 748

It is suggested that you have a single deployment instance available for _________.

Answer 748

testing and development

Question 749

A total of ____ cores are recommended per search head.

Answer 749

16

Question 750

Forwarders should never be installed on Windows servers.

Answer 750

False

Question 751

SplunkWeb is accessed on port _______ by default.

Answer 751

8000

Question 752

Properties in the _______ file allow you to configure how data is transformed as it is processed.

Answer 752

not later

Question 753

The segment of the data pipeline that stores user’s knowledge objects is the __________ segment.

Answer 753

not indexing
not data ainput
not parsing

Question 754

This component is NOT installed from the Splunk Enterprise Package.

Answer 754

Universal Forwarder

Question 755

Splunk Enterprise deployment typically has ___ processing tiers.

Answer 755

3

Question 756

The segment of the data pipeline that stores user’s knowledge objects is the _______ segment.

Answer 756

not parsing not data input

Question 757

The default management port for Splunkd is:

Answer 757

8089

Question 758

Search Heads require more _____ than indexers.

Answer 758

CPU Power

Question 759

Splunk uses the ________ index when indexing it’s own logs and metrics.

Answer 759

_internal

Question 760

Event separation happens during the __________ segment of the data pipeline.

Answer 760

parsing

Question 761

A license violation causes all data to stop being indexed.

Answer 761

False

Question 762

The functions of the data pipeline vary drastically depending on the deployment.

Answer 762

False

Question 763

properties in the _______ file allow you to configure how data is transformed as it is processed.

Answer 763

not alter.conf

Question 764

Which Splunk search command allows you to perform mathematical functions on field values?

Answer 764

Eval

Question 765

If you want to format values without changing their characteristics, which would you use?

Answer 765

The Fieldformat Command.

Question 766

By default, the Fillnull Command replaces null values with this:

Answer 766

0

Question 767

You can only use one Eval Command per search.

Answer 767

False

Question 768

Knowledge objects can be used to normalize data?

Answer 768

True

Question 769

A Common Information Model (CIM) is supported by Splunk.

Answer 769

True

Question 770

What are the predefined ways knowledge objects can be shared?

Answer 770

All apps
Private
Specifiic App

Question 771

Field aliases are used to __________ data.

Answer 771

normalize

Question 772

You can only have one field alias per field.

Answer 772

False

Question 773

Field Aliases ___________________

Answer 773

Can be referenced by lookup tables.
Are applicable to a specified app context.
Make correlation easier.

Question 774

Calculated fields are shortcuts for _______________.

Answer 774

Eval Commands

Question 775

Calculated fields can use lookup tables.

Answer 775

False

Question 776

The easiest way to extract a field is from ____________, allowing you to skip a few steps.

Answer 776

The event actions menu

Question 777

When editing a field extraction, you will be working with _________________.

Answer 777

The regular expression.

Question 778

You can extract multiple fields with the field extractor.

Answer 778

True

Question 779

______________ is a field extraction method for events that contain fields separated by a character.

Answer 779

delimiter

Question 780

Fields extracted with the field extractor

Answer 780

Are persistent
Are specific to a host, source or sourcetype.
Are reusable in multiple searches.

Question 781

You can only add one tag per field value pair.

Answer 781

False

Question 782

Which search would limit an “alert” tag to the “host” field?

Answer 782

tag::host=alert

Question 783

__________ allow you to categorize events based on search terms.

Answer 783

Event Types

Question 784

Tags can be added to event types.

Answer 784

True

Question 785

Event types do NOT show up in the field list.

Answer 785

False

Question 786

Splunk suggests naming your Knowledge Objects using _______ segmented keys.

Answer 786

6

Question 787

A workflow action can _________________.

Answer 787

Send field values to external resources.
Pass variables to a URL.
Execute a secondary search.

Question 788

To escape the “fieldname” value which command would you use? $_________fieldname$

Answer 788

!

Question 789

Which actions can be triggered by an alert?

Answer 789

List in triggered alerts
Send Email
Run a script

Question 790

What is the correct way to name a macro with two arguments?

Answer 790

dostuff(2)

Question 791

Validating macro arguments can be done with which type of command?

Answer 791

boolean expressions

eval expressions

Question 792

After creating your data model, the next step is to ___________

Answer 792

Add a root object

Question 793

Root search objects benefit from acceleration.

Answer 793

False

Question 794

_________ objects can be added to a root event object to narrow down the search.

Answer 794

Child

Question 795

What attributes can be added to an object?

Answer 795

Auto-Extracted
Eval Expression
Lookup
Regular Expression
Geo IP

Question 796

You can add additional child objects to either existing objects or the root object.

Answer 796

True

Question 797

After you configure a lookup, its fields can be found in the fields sidebar and you can use them in a search.

Answer 797

True

Question 798

No matter what user role creates the field alias, it is always set to Private by default.

Answer 798

True

Question 799

Running concurrent reports and the searches behind them puts very low demand on your system hardware.

Answer 799

False

Question 800

Search macros can only be used once in a given search.

Answer 800

False

Question 801

The results of a macro can not be piped to other commands.

Answer 801

False

Question 802

When building your data model, Splunk suggests you use root search objects whenever possible.

Answer 802

False

Question 803

Some differences between hot and warm buckets are:

Answer 803

Hot buckets are writable, warm buckets are not.
Hot buckets are searched first.
The naming convention.

Question 804

When a bucket is frozen, by default it is moved to a different location before deleting.

Answer 804

False

Question 805

The timezone setting in a user’s account will effect the timestamp shown in events.

Answer 805

True

Question 806

Only the ________ role can use the Delete Command by default.

Answer 806

can_delete

Question 807

The ______ role has the most capabilities of the predefined splunk roles.

Answer 807

admin`

Question 808

When mixing authentication sources, scripted authentication will always take precedence.

Answer 808

False

Question 809

An indexer in a distributed search environment is called a __________.

Answer 809

search peer

Question 810

It is a best practice to ____________ forwarders across all indexers in a search peer group.

Answer 810

load balance

Question 811

The management port is required when adding a search peer to a search head.

Answer 811

True

Question 812

DMC stands for

Answer 812

Distributed Management Console

Question 813

The segment of the data pipeline that stores user’s knowledge objects is the __________ segment.

Answer 813

not indexing
not data ainput
not parsing

Question 814

The default management port for Splunkd is:

Answer 814

8089

Question 815

The following searches will return the same results: SEARCH 1: web AND error SEARCH 2: web and error

Answer 815

False

Question 816

Time stamp are stored ____

Answer 816

in a consistent format

Question 817

Max events displayed by transaction command

Answer 817

1,000

Question 818

5 Main components of Splunk ES

Answer 818

Index Data, Search & investigate, Add knowledge, Monitor & Alert, Report & Analyze.

Question 819

What does index data do? (3)

Answer 819

1. Collects data
2. Label data with source type
3. Stored in splunk index

Question 820

Usenull = _____ will remove NULL values

Answer 820

f

Question 821

append

Answer 821

Appends subsearch results to current results.

Question 822

appendcols

Answer 822

Appends the fields of the subsearch results to current results. first results to first result. second to second etc.

Question 823

appendpipe

Answer 823

Appends the result of the subpipeline applied to the current result set to results.

Question 824

arules

Answer 824

Finds association rules between field values.

Question 825

associate

Answer 825

Identifies correlations between fields.

Question 826

contingency

Answer 826

Builds a contingency table for two fields.

Question 827

counttable

Answer 827

Builds a contingency table for two fields.

Question 828

ctable

Answer 828

Builds a contingency table for two fields.

Question 829

correlate

Answer 829

Calculates the correlation between different fields.

Question 830

diff

Answer 830

Returns the difference between two search results.

Question 831

join

Answer 831

SQL-like joining of results from the main results pipeline with the results from the subpipeline.

Question 832

selfjoin

Answer 832

Joins results with itself.

Question 833

set

Answer 833

Performs set operations (union diff intersect) on subsearches.

Question 834

stats

Answer 834

Provides statistics grouped optionally by fields. See Functions for stats chart and timechart in the Splunk Enterprise Search Reference.

Question 835

transaction

Answer 835

Groups search results into transactions.

Question 836

audit

Answer 836

Returns audit trail information that is stored in the local audit index.

Question 837

dbinspect

Answer 837

Returns information about the specified index.

Question 838

eventcount

Answer 838

Returns the number of events in an index.

Question 839

metadata

Answer 839

Returns a list of source sourcetypes or hosts from a specified index or distributed search peer.

Question 840

typeahead

Answer 840

Returns typeahead information on a specified prefix.

Question 841

crawl

Answer 841

Crawls the filesystem for new sources to add to an index.

Question 842

delete

Answer 842

Delete specific events or search results.

Question 843

input

Answer 843

Adds sources to Splunk or disables sources from being processed by Splunk.

Question 844

accum

Answer 844

Keeps a running total of the specified numeric field.

Question 845

addinfo

Answer 845

Add fields that contain common information about the current search.

Question 846

addtotals

Answer 846

Computes the sum of all numeric fields for each result.

Question 847

delta

Answer 847

Computes the difference in field value between nearby results.

Question 848

eval

Answer 848

Calculates an expression and puts the value into a field. See Functions for eval and where in the Splunk Enterprise Search Reference.

Question 849

iplocation

Answer 849

Adds location information such as city country latitude longitude and so on based on IP addresses.

Question 850

multikv

Answer 850

Extracts field-values from table-formatted events.

Question 851

rangemap

Answer 851

Sets RANGE field to the name of the ranges that match.

Question 852

relevancy

Answer 852

Adds a relevancy field which indicates how well the event matches the query.

Question 853

strcat

Answer 853

Concatenates string values and saves the result to a specified field.

Question 854

erex

Answer 854

Allows you to specify example or counter example values to automatically extract fields that have similar values.

Question 855

extract and kv

Answer 855

Extracts field-value pairs from search results.

Question 856

kvform

Answer 856

Extracts values from search results using a form template.

Question 857

rex

Answer 857

Specify a Perl regular expression named groups to extract fields while you search.

Question 858

spath

Answer 858

Provides a straightforward means for extracting fields from structured data formats XML and JSON.

Question 859

xmlkv

Answer 859

Extracts XML key-value pairs.

Question 860

convert

Answer 860

Converts field values into numerical values.

Question 861

filldown

Answer 861

Replaces NULL values with the last non-NULL value.

Question 862

fillnull

Answer 862

Replaces null values with a specified value.

Question 863

makemv

Answer 863

Change a specified field into a multivalued field during a search.

Question 864

nomv

Answer 864

Changes a specified multivalued field into a single-value field at search time.

Question 865

reltime

Answer 865

Converts the difference between ‘now’ and ‘_time’ to a human-readable value and adds adds this value to the field ‘reltime’ in your search results.

Question 866

rename

Answer 866

Renames a specified field; wildcards can be used to specify multiple fields.

Question 867

replace

Answer 867

Replaces values of specified fields with a specified new value.

Question 868

analyzefields and af

Answer 868

Analyze numerical fields for their ability to predict another discrete field.

Question 869

anomalies

Answer 869

Computes an “unexpectedness” score for an event.

Question 870

anomalousvalue

Answer 870

Finds and summarizes irregular or uncommon search results.

Question 871

cluster

Answer 871

Clusters similar events together.

Question 872

kmeans

Answer 872

Performs k-means clustering on selected fields.

Question 873

outlier

Answer 873

Removes outlying numerical values.

Question 874

rare

Answer 874

Displays the least common values of a field.

Question 875

iplocation

Answer 875

returns location information such as city country latitude longitude and so on based on IP addresses.

Question 876

geostats

Answer 876

Generate statistics which are clustered into geographical bins to be rendered on a world map.

Question 877

predict

Answer 877

Enables you to use time series algorithms to predict future values of fields.

Question 878

trendline

Answer 878

Computes moving averages of fields.

Question 879

x11

Answer 879

Enables you to determine the trend in your data by removing the seasonal pattern.

Question 880

addtotals

Answer 880

Computes the sum of all numeric fields for each result.

Question 881

bin and discretize

Answer 881

Puts continuous numerical values into discrete sets.

Question 882

chart

Answer 882

Returns results in a tabular output for charting. See Statistical and charting functions in the Splunk Enterprise Search Reference.

Question 883

contingency and counttable and ctable

Answer 883

Builds a contingency table for two fields.

Question 884

correlate

Answer 884

Calculates the correlation between different fields.

Question 885

eventcount

Answer 885

Returns the number of events in an index.

Question 886

eventstats

Answer 886

Adds summary statistics to all search results.

Question 887

gauge

Answer 887

Transforms results into a format suitable for display by the Gauge chart types.

Question 888

makecontinuous

Answer 888

Makes a field that is supposed to be the x-axis continuous (invoked by chart/timechart)

Question 889

outlier

Answer 889

Removes outlying numerical values.

Question 890

rare

Answer 890

Displays the least common values of a field.

Question 891

stats

Answer 891

Provides statistics grouped optionally by fields. See Statistical and charting functions in the Splunk Enterprise Search Reference.

Question 892

streamstats

Answer 892

Adds summary statistics to all search results in a streaming manner.

Question 893

timechart

Answer 893

Create a time series chart and corresponding table of statistics. See Statistical and charting functions in the Splunk Enterprise Search Reference.

Question 894

top

Answer 894

Displays the most common values of a field.

Question 895

trendline

Answer 895

Computes moving averages of fields.

Question 896

untable

Answer 896

Converts results from a tabular format to a format similar to stats output. Inverse of xyseries and maketable.

Question 897

xyseries

Answer 897

Converts results into a format suitable for graphing.

Question 898

sendemail

Answer 898

Emails search results, either inline or as an attachment, to

one or more specified email addresses

Question 899

mvcombine

Answer 899

Combines events in search results that have a single differing field value into one result with a multivalue field of the differing field.

Question 900

regex

Answer 900

Removes results that do not match the specified regular expression.

Question 901

searchtxn

Answer 901

Finds transaction events within specified search constraints.

Question 902

table

Answer 902

Creates a table using the specified fields.

Question 903

uniq

Answer 903

Removes any search that is an exact duplicate with a previous result.

Question 904

where

Answer 904

Performs arbitrary filtering on your data. See Evaluation functions in the Splunk Enterprise Search Reference.

Question 905

untable

Answer 905

Converts results from a tabular format to a format similar to stats output. Inverse of xyseries and maketable.

Question 906

gentimes

Answer 906

Returns results that match a time-range.

Question 907

mvexpand

Answer 907

Expands the values of a multivalue field into separate events for each value of the multivalue field.

Question 908

savedsearch

Answer 908

Returns the search results of a saved search.

Question 909

search

Answer 909

Searches Splunk indexes for matching events. This command is implicit at the start of every search pipeline that does not begin with another generating command.

Question 910

loadjob

Answer 910

Loads events or results of a previously completed search job.

Question 911

typer

Answer 911

Calculates the eventtypes for the search results.

Question 912

head

Answer 912

Returns the first number n of specified results.

Question 913

reverse

Answer 913

Reverses the order of the results.

Question 914

sort

Answer 914

Sorts search results by the specified fields.

Question 915

tail

Answer 915

Returns the last number N of specified results

Question 916

inputcsv

Answer 916

Loads search results from the specified CSV file.

Question 917

loadjob

Answer 917

Loads events or results of a previously completed search job.

Question 918

outputcsv

Answer 918

Outputs search results to a specified CSV file.

Question 919

outputtext

Answer 919

Ouputs the raw text field (_raw) of results into the _xml field.

Question 920

sendemail

Answer 920

Emails search results either inline or as an attachment to one or more specified email addresses.

Question 921

map

Answer 921

A looping operator, performs a search over each search result.

Question 922

search

Answer 922

Searches Splunk indexes for matching events. This command is implicit at the start of every search pipeline that does not begin with another generating command.

Question 923

format

Answer 923

Takes the results of a subsearch and formats them into a single result.

Question 924

join

Answer 924

SQL-like joining of results from the main results pipeline with the results from the subpipeline.

Question 925

return

Answer 925

Specify the values to return from a subsearch.

Question 926

set

Answer 926

Performs set operations (union diff intersect) on subsearches.

Question 927

localize

Answer 927

Returns a list of the time ranges in which the search results were found.

Question 928

reltime

Answer 928

Converts the difference between ‘now’ and ‘_time’ to a human-readable value and adds adds this value to the field ‘reltime’ in your search results.

Question 929

analyzefields

Answer 929

Analyze numerical fields for their ability to predict another discrete field. See Also anomalousvalue.

Question 930

anomalies

Answer 930

Computes an “unexpectedness” score for an event. See Also anomalousvalue & cluster & kmeans & outlier.

Question 931

anomalousvalue

Answer 931

Finds and summarizes irregular or uncommon search results. See Also analyzefields & anomalies & cluster & kmeans & outlier.

Question 932

append

Answer 932

Appends subsearch results to current results. See Also appendcols & appendcsv & join & set.

Question 933

appendcols

Answer 933

Appends the fields of the subsearch results to current results first results to first result second to second etc. See Also append & appendcsv & join & set.

Question 934

appendpipe

Answer 934

Appends the result of the subpipeline applied to the current result set to results. See Also append & appendcols & join & set.

Question 935

arules

Answer 935

Finds association rules between field values. See Also associate & correlate.

Question 936

associate

Answer 936

Identifies correlations between fields. See Also correlate and contingency.

Question 937

audit

Answer 937

Returns audit trail information that is stored in the local audit index.

Question 938

autoregress

Answer 938

Sets up data for calculating the moving average. See Also accum & autoregress & delta & trendline & streamstats.

Question 939

bin and discretize

Answer 939

Puts continuous numerical values into discrete sets. See Also chart and timechart.

Question 940

bucketdir

Answer 940

Replaces a field value with higher-level grouping such as replacing filenames with directories. See Also cluster and dedup.

Question 941

chart

Answer 941

Returns results in a tabular output for charting. See Functions for stats chart and timechart in the Splunk Enterprise Search Reference. See Also timechart

Question 942

cluster

Answer 942

Clusters similar events together. See Also anomalies anomalousvalue cluster kmeans outlier

Question 943

concurrency

Answer 943

Uses a duration field to find the number of “concurrent” events for each event. See Also timechart

Question 944

contingency and counttable and ctable

Answer 944

Builds a contingency table for two fields. See Also associate correlate

Question 945

convert

Answer 945

Converts field values into numerical values. See Also eval

Question 946

correlate

Answer 946

Calculates the correlation between different fields. See Also associate & contingency

Question 947

dbinspect

Answer 947

Returns information about the specified index.

Question 948

delta

Answer 948

Computes the difference in field value between nearby results. See Also accum & autoregress & trendline & streamstats

Question 949

diff

Answer 949

Returns the difference between two search results.

Question 950

erex

Answer 950

Allows you to specify example or counter example values to automatically extract fields that have similar values. See Also extract & kvform & multikv & regex & rex & xmlkv

Question 951

eventcount

Answer 951

Returns the number of events in an index. See Also dbinspect

Question 952

eventstats

Answer 952

Adds summary statistics to all search results. See Also stats

Question 953

extract and kv

Answer 953

Extracts field-value pairs from search results. See Also kvform & multikv & xmlkv & rex

Question 954

fieldformat

Answer 954

Expresses how to render a field at output time without changing the underlying value. See Also eval & where

Question 955

fields

Answer 955

Removes fields from search results.

Question 956

fieldsummary

Answer 956

Generates summary information for all or a subset of the fields. See Also af & anomalies & anomalousvalue & stats

Question 957

filldown

Answer 957

Replaces NULL values with the last non-NULL value. See Also fillnull

Question 958

fillnull

Answer 958

Replaces null values with a specified value.

Question 959

findtypes

Answer 959

Generates a list of suggested event types. See Also typer

Question 960

foreach

Answer 960

Run a templatized streaming subsearch for each field in a wildcarded field list. See Also eval

Question 961

format

Answer 961

Takes the results of a subsearch and formats them into a single result.

Question 962

from

Answer 962

Retrieves data from a dataset such as a data model dataset a CSV lookup a KV Store lookup a saved search or a table dataset.

Question 963

gauge

Answer 963

Transforms results into a format suitable for display by the Gauge chart types.

Question 964

gentimes

Answer 964

Generates time-range results.

Question 965

geostats

Answer 965

Generate statistics which are clustered into geographical bins to be rendered on a world map. See Also stats & xyseries

Question 966

head

Answer 966

Returns the first number n of specified results. See Also reverse & tail

Question 967

highlight

Answer 967

Causes Splunk Web to highlight specified terms.

Question 968

history

Answer 968

Returns a history of searches formatted as an events list or as a table. See Also search

Question 969

input

Answer 969

Adds sources to Splunk or disables sources from being processed by Splunk.

Question 970

inputcsv

Answer 970

Loads search results from the specified CSV file. See Also loadjob & outputcsv

Question 971

iplocation

Answer 971

Extracts location information from IP addresses.

Question 972

join

Answer 972

SQL-like joining of results from the main results pipeline with the results from the subpipeline. See Also selfjoin & appendcols

Question 973

kmeans

Answer 973

Performs k-means clustering on selected fields. See Also anomalies & anomalousvalue & cluster & outlier

Question 974

kvform

Answer 974

Extracts values from search results using a form template. See Also extract & kvform & multikv & xmlkv & rex

Question 975

loadjob

Answer 975

Loads events or results of a previously completed search job. See Also inputcsv

Question 976

localize

Answer 976

Returns a list of the time ranges in which the search results were found. See Also map & transaction

Question 977

makecontinuous

Answer 977

Makes a field that is supposed to be the x-axis continuous (invoked by chart/timechart) See Also chart & timechart

Question 978

makemv

Answer 978

Change a specified field into a multivalued field during a search. See Also mvcombine & mvexpand & nomv

Question 979

map

Answer 979

A looping operator performs a search over each search result.

Question 980

metadata

Answer 980

Returns a list of source sourcetypes or hosts from a specified index or distributed search peer. See Also dbinspect

Question 981

metasearch

Answer 981

Retrieves event metadata from indexes based on terms in the logical expression. See Also metadata & search

Question 982

mstats

Answer 982

Calculates statistics for the measurement metric_name and dimension fields in metric indexes. See Also stats

Question 983

multikv

Answer 983

Extracts field-values from table-formatted events.

Question 984

multisearch

Answer 984

Run multiple streaming searches at the same time. See Also append & join

Question 985

mvcombine

Answer 985

Combines events in search results that have a single differing field value into one result with a multivalue field of the differing field. See Also mvexpand & makemv & nomv

Question 986

mvexpand

Answer 986

Expands the values of a multivalue field into separate events for each value of the multivalue field. See Also mvcombine & makemv & nomv

Question 987

nomv

Answer 987

Changes a specified multivalued field into a single-value field at search time. See Also makemv & mvcombine & mvexpand

Question 988

outlier

Answer 988

Removes outlying numerical values. See Also anomalies & anomalousvalue & cluster & kmeans

Question 989

outputcsv

Answer 989

Outputs search results to a specified CSV file. See Also inputcsv & outputtext

Question 990

outputtext

Answer 990

Ouputs the raw text field (_raw) of results into the _xml field. See Also outputtext

Question 991

predict

Answer 991

Enables you to use time series algorithms to predict future values of fields. See Also x11

Question 992

rangemap

Answer 992

Sets RANGE field to the name of the ranges that match.

Question 993

rare

Answer 993

Displays the least common values of a field. See Also stats & top

Question 994

regex

Answer 994

Removes results that do not match the specified regular expression. See Also rex & search

Question 995

relevancy

Answer 995

Calculates how well the event matches the query.

Question 996

reltime

Answer 996

Converts the difference between ‘now’ and ‘_time’ to a human-readable value and adds adds this value to the field ‘reltime’ in your search results. See Also convert

Question 997

rename

Answer 997

Renames a specified field; wildcards can be used to specify multiple fields.

Question 998

replace

Answer 998

Replaces values of specified fields with a specified new value.

Question 999

rest

Answer 999

Access a REST endpoint and display the returned entities as search results.

Question 1000

return

Answer 1000

Specify the values to return from a subsearch. See Also format & search

Question 1001

reverse

Answer 1001

Reverses the order of the results. See Also head & sort & tail

Question 1002

rex

Answer 1002

Specify a Perl regular expression named groups to extract fields while you search. See Also extract & kvform & multikv & xmlkv & regex

Question 1003

rtorder

Answer 1003

Buffers events from real-time search to emit them in ascending time order when possible.

Question 1004

savedsearch

Answer 1004

Returns the search results of a saved search.

Question 1005

script and run

Answer 1005

Runs an external Perl or Python script as part of your search.

Question 1006

scrub

Answer 1006

Anonymizes the search results.

Question 1007

search

Answer 1007

Searches Splunk indexes for matching events.

Question 1008

searchtxn

Answer 1008

Finds transaction events within specified search constraints. See Also transaction

Question 1009

selfjoin

Answer 1009

Joins results with itself. See Also join

Question 1010

sendemail

Answer 1010

Emails search results to a specified email address.

Question 1011

set

Answer 1011

Performs set operations (union, diff, intersect) on subsearches. See Also append & appendcols & join & diff

Question 1012

setfields

Answer 1012

Sets the field values for all results to a common value. See Also eval & fillnull & rename

Question 1013

sort

Answer 1013

Sorts search results by the specified fields. See Also reverse

Question 1014

spath

Answer 1014

Provides a straightforward means for extracting fields from structured data formats, XML and JSON. See Also xpath

Question 1015

stats

Answer 1015

Provides statistics, grouped optionally by fields. See Functions for stats, chart, and timechart in the Splunk Enterprise Search Reference. See Also eventstats & top & rare

Question 1016

strcat

Answer 1016

Concatenates string values.

Question 1017

streamstats

Answer 1017

Adds summary statistics to all search results in a streaming manner. See Also eventstats & stats

Question 1018

table

Answer 1018

Creates a table using the specified fields. See Also fields

Question 1019

tags

Answer 1019

Annotates specified fields in your search results with tags. See Also eval

Question 1020

tail

Answer 1020

Returns the last number n of specified results. See Also head & reverse

Question 1021

timechart

Answer 1021

Create a time series chart and corresponding table of statistics. See Functions for stats, chart, and timechart in the Splunk Enterprise Search Reference. See Also chart & bucket

Question 1022

top

Answer 1022

Displays the most common values of a field. See Also rare & stats

Question 1023

transaction

Answer 1023

Groups search results into transactions.

Question 1024

transpose

Answer 1024

Reformats rows of search results as columns.

Question 1025

trendline

Answer 1025

Computes moving averages of fields. See Also timechart

Question 1026

typeahead

Answer 1026

Returns typeahead information on a specified prefix.

Question 1027

typer

Answer 1027

Calculates the eventtypes for the search results. See Also typelearner

Question 1028

uniq

Answer 1028

Removes any search that is an exact duplicate with a previous result. See Also dedup

Question 1029

untable

Answer 1029

Converts results from a tabular format to a format similar to stats output. Inverse of xyseries and maketable.

Question 1030

where

Answer 1030

Performs arbitrary filtering on your data. See Functions for eval and where in the Splunk Enterprise Search Reference. See Also eval

Question 1031

x11

Answer 1031

Extracts XML key-value pairs. See Also extract & kvform & multikv & rex

Question 1032

xmlkv

Answer 1032

Unescapes XML.

Question 1033

xpath

Answer 1033

Redefines the XML path.

Question 1034

xyseries

Answer 1034

Converts results into a format suitable for graphing.

Question 1035

What is the Difference between NOT and !=

Answer 1035

Suppose you have the following fields: fieldA, FieldB, fieldC – If you search for fieldB!=value3
You will get Results fieldB=value1, fieldB=value2

If fieldB does not exist, nothing is returned.

Searching with NOT:

If you search for NOT fieldB=value3, the search returns everything except fieldB=value3:

fieldA=value1, fieldA=value2, fieldA=value3
fieldB=value1, fieldB=value2
fieldC=value1, fieldC=value2, fieldC=value3

If fieldB does not exist, NOT fieldB=value3 returns:
fieldA=value1, fieldA=value2, fieldA=value3
fieldC=value1, fieldC=value2, fieldC=value3

Question 1036

seconds

Answer 1036

s, sec, secs, second, seconds

Question 1037

minutes

Answer 1037

m, min, minute, minutes

Question 1038

hours

Answer 1038

h, hr, hrs, hour, hours

Question 1039

days

Answer 1039

d, day, days

Question 1040

weeks

Answer 1040

w, week, weeks

Question 1041

months

Answer 1041

mon, month, months

Question 1042

quarters

Answer 1042

q, qtr, qtrs, quarter, quarters

Question 1043

years

Answer 1043

y, yr, yrs, year, years

Question 1044

For exact time ranges, the syntax for the time modifiers is %m/%d/%Y:%H:%M:%S. For example, the following search specifies a time range from 12 A.M. October 19, 2016 to 12 A.M. October 27, 2016.

Answer 1044

earliest=10/19/2016:0:0:0 latest=10/27/2016:0:0:0

Question 1045

The syntax for the snap to time unit is

Answer 1045

[+|-]@.

Question 1046

When snapping to the nearest or latest time

Answer 1046

Splunk software always snaps backwards or rounds down to the latest time that is not after the specified time. For example, the current time is 15:45:00 and the snap to time is earliest=-h@h. The time modifier snaps to 14:00.

Question 1047

You can also define the relative time modifier using only the snap to time unit.

Answer 1047

to snap to a specific day of the week, use @w0 for Sunday, @w1 for Monday, and so forth. For Sunday, you can specify either w0 or w7.

Question 1048

if you want to search for events in the previous month

Answer 1048

specify earliest=-mon@mon latest=@mon. This example begins at the start of the previous month and ends at the start of the current month.

Question 1049

Difference between relative time and relative snap to time

Answer 1049

On April 28th, you decide to run a search at 14:05.

If you specify earliest=-2d, the search goes back exactly two days, starting at 14:05 on April 26th.

If you specify earliest=-2d@d, the search goes back to two days and snaps to the beginning of the day. The search looks for events starting from 00:00 on April 26th.

Question 1050

earliest=1

Answer 1050

If you want to search events from the start of UTC epoch time, use earliest=1. (earliest=0 in the search string indicates that time is not used in the search.)
When earliest=1 and latest=now or latest=<a>, the search will run over all time. The difference is that:</a>

Specifying latest=now (which is the default) does not return future events.
Specifying latest=</a><a> returns future events, which are events that contain timestamps later than the current time, now.</a>

</a>

Question 1051

latest=now

Answer 1051

Specify that the search starts or ends at the current time.

Question 1052

@q, @qtr, or @quarter

Answer 1052

Specify a snap to the beginning of the most recent quarter: Jan 1, Apr 1, July 1, or Oct 1.

Question 1053

w0, w1, w2, w3, w4, w5, w6, and w7

Answer 1053

Specify “snap to” days of the week; where w0 is Sunday, w1 is Monday, etc. When you snap to a week, @w or @week, it is equivalent to snapping to Sunday or @w0. You can use either w0 or w7 for Sunday.

Question 1054

now

Answer 1054

Now, the current time

Wednesday, 05 February 2017, 01:37:05 P.M. now

Question 1055

-60m

Answer 1055

60 minutes ago
Wednesday, 05 February 2017, 12:37:05 P.M.
Equivalent modifiers -60m@s

Question 1056

-1h@h

Answer 1056

1 hour ago, to the hour

Wednesday, 05 February 2017, 12:00:00 P.M.

Question 1057

-1d@d

Answer 1057

Yesterday

Tuesday, 04 February 2017, 12:00:00 A.M.

Question 1058

-24h

Answer 1058

24 hours ago (yesterday)

Tuesday, 04 February 2017, 01:37:05 P.M. Equivalent modifiers -24h@s

Question 1059

-7d@d

Answer 1059

7 days ago, 1 week ago today

Wednesday, 28 January 2017, 12:00:00 A.M.

Question 1060

-7d@m

Answer 1060

7 days ago, snap to minute boundary Wednesday, 28 January 2017, 01:37:00 P.M.

Question 1061

@w0

Answer 1061

Beginning of the current week

Sunday, 02 February 2017, 12:00:00 A.M.

Question 1062

+1d@d

Answer 1062

Tomorrow

Thursday, 06 February 2017, 12:00:00 A.M.

Question 1063

+24h

Answer 1063

24 hours from now, tomorrow

Thursday, 06 February 2017, 01:37:05 P.M. Equivalent modifiers +24h@s

Question 1064

chained relative time offsets

Answer 1064

You can also specify offsets from the snap-to-time or “chain” together the time modifiers for more specific relative time definitions.

Question 1065

@d-2h

Answer 1065

Snap to the beginning of today (12 A.M.) and subtract 2 hours from that time.
Resulting Time 10 P.M. last night.

Question 1066

-mon@mon+7d

Answer 1066

One month ago, snapped to the first of the month at midnight, and add 7 days.
Resulting Time The 8th of last month at 12 A.M.

Question 1067

searches with relative time modifiers.

Answer 1067

Example 1: Web access errors from the beginning of the week to the current time of your search (now).

eventtype=webaccess error earliest=@w0

Example 2: Web access errors from the current business week (Monday to Friday).

eventtype=webaccess error earliest=@w1 latest=+7d@w6

This search returns matching events starting from 12:00 A.M. of the Monday of the current week and ending at 11:59 P.M. of the Friday of the current week.

If you run this search on Monday at noon, you will only see events for 12 hours of data. Whereas, if you run this search on Friday, you will see events from the beginning of the week to the current time on Friday. The timeline however, will display for the full business week.

Example 3: Web access errors from the last full business week.

eventtype=webaccess error earliest=-7d@w1 latest=@w6

This search returns matching events starting from 12:00 A.M. of last Monday and ending at 11:59 P.M. of last Friday

Question 1068

access_combined

Answer 1068

NCSA combined format http web server logs (can be generated by apache or other web servers)

Example:
10.1.1.43 - webdev [08/Aug/2005:13:18:16 -0700] “GET / HTTP/1.0” 200 0442 “-“ “check_http/1.10 (nagios-plugins 1.4)”

Question 1069

access_combined_wcookie

Answer 1069

NCSA combined format http web server logs (can be generated by apache or other web servers), with cookie field added at end

Example:
“66.249.66.102.1124471045570513” 59.92.110.121 - - [19/Aug/2005:10:04:07 -0700] “GET /themes/splunk_com/images/logo_splunk.png HTTP/1.1” 200 994 “http://www.splunk.org/index.php/docs” “Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.8) Gecko/20050524 Fedora/1.0.4-4 Firefox/1.0.4” “61.3.110.148.1124404439914689”

Question 1070

access_common

Answer 1070

NCSA common format http web server logs (can be generated by apache or other web servers)

Examples:
10.1.1.140 - - [16/May/2005:15:01:52 -0700] “GET /themes/ComBeta/images/bullet.png HTTP/1.1” 404 304

Question 1071

apache_error

Answer 1071

Standard Apache web server error log

Example:
[Sun Aug 7 12:17:35 2005] [error] [client 10.1.1.015] File does not exist: /home/reba/public_html/images/bullet_image.gif

Question 1072

access_combined

Answer 1072

NCSA combined format http web server logs (can be generated by apache or other web servers)

Question 1073

access_combined_wcookie

Answer 1073

NCSA combined format http web server logs (can be generated by apache or other web servers) with cookie field added at end

Question 1074

access_common

Answer 1074

NCSA common format http web server logs (can be generated by apache or other web servers)

Question 1075

asterisk_cdr

Answer 1075

Standard Asterisk IP PBX call detail record

Question 1076

asterisk_event

Answer 1076

Standard Asterisk event log (management events)

Question 1077

asterisk_messages

Answer 1077

Standard Asterisk messages log (errors and warnings)

Question 1078

asterisk_queue

Answer 1078

Standard Asterisk queue log

Question 1079

cisco_syslog

Answer 1079

Standard Cisco syslog produced by all Cisco network devices including PIX firewalls routers ACS etc. usually via remote syslog to a central log host

Question 1080

db2_diag

Answer 1080

Standard IBM DB2 database administrative and error log

Question 1081

exim_main

Answer 1081

Exim MTA mainlog

Question 1082

exim_reject

Answer 1082

Exim reject log

Question 1083

linux_messages_syslog

Answer 1083

Standard linux syslog (/var/log/messages on most platforms)

Question 1084

linux_secure

Answer 1084

Linux securelog

Question 1085

log4j

Answer 1085

Log4j standard output produced by any J2EE server using log4j

Question 1086

mysqld_error

Answer 1086

Standard mysql error log

Question 1087

mysqld

Answer 1087

Standard MySQL query log; also matches the MySQL binary log following conversion to text

Question 1088

postfix_syslog

Answer 1088

Standard Postfix MTA log reported via the Unix/Linux syslog facility

Question 1089

sendmail_syslog

Answer 1089

Standard Sendmail MTA log reported via the Unix/Linux syslog facility

Question 1090

sugarcrm_log4php

Answer 1090

Standard Sugarcrm activity log reported using the log4php utility

Question 1091

weblogic_stdout

Answer 1091

Weblogic server log in the standard native BEA format

Question 1092

websphere_activity

Answer 1092

Websphere activity log also often referred to as the service log

Question 1093

websphere_core

Answer 1093

Corefile export from Websphere

Question 1094

websphere_trlog_syserr

Answer 1094

Standard Websphere system error log in the IBM native trlog format

Question 1095

websphere_trlog_sysout

Answer 1095

Standard Websphere system out log in the IBM native trlog format; similar to the log4j server log for Resin and Jboss sample format as the system error log but containing lower severity and informational events

Question 1096

windows_snare_syslog

Answer 1096

Standard windows event log reported through a 3rd party Intersect Alliance Snare agent to remote syslog on a Unix or Linuxserver

Question 1097

Differentiators

Answer 1097

Real Time Architecture
Universal Machine Data Platform
Schema on the Fly
Agile Reporting and Analytics 
Scales from Desktop to Enterprise 
Fast Time to Value 
Passionate and Vibrant Community

Question 1098

Splunk Offerings (core products)

Answer 1098

Splunk Enterprise
Splunk Cloud
Splunk Light

Question 1099

Real Time Architecture

Answer 1099

Real-time collection, search, monitoring and analysis across massive streams of machine data in a single solution

Question 1100

Universal Machine Data Platform

Answer 1100

Open, extensible platform delivering integrated, end-to-end data collection, management and analysis

Question 1101

Schema on the Fly

Answer 1101

Search-time schema delivers flexibility to interact with the data and change perspective on the fly at search time

Question 1102

Agile Reporting and Analytics

Answer 1102

Interactive search and reporting, enabling rapid, interactive analysis and visualization of data.

Question 1103

Market Segments

Answer 1103

IT Operations
Application Delivery
Security and Compliance

Question 1104

Splunk Premium Products

Answer 1104

Splunk Enterprise Security
Splunk IT Service Intelligence
Splunk User Behavior Analytics (UBA)
Premium Apps

Question 1105

Splunk Enterprise Security

Answer 1105

Analytics driven SIEM: user to monitor, detect, analyze, investigate and repond to threats and attacks
Complimentary product. Customers must have an equivalent license of Core Splunk (same GB Volume)

Question 1106

Splunk IT Service Intelligence

Answer 1106

Data Driven service insight for root cause isolation and improved service operations
Complimentary Product. Customers must have an equivalent license of Core Splunk (same GB Volume)

Question 1107

Splunk User Behavior Analytics (UBA)

Answer 1107

Detect cyber-attacks and insider threats using data science, machine learning, behavior baseline, peer group analytics, and advanced correlation

Licensing: Number of authorized users(the number of users or system accounts in Microsoft AD, lightweight directory access protocol (LDAP) or an similar service that is used to authenticate users inside the network.
needs to be sold with content subscription packs

Question 1108

Splunk Services

Answer 1108

Community
Standard
Enterprise and Global Support
PS and CSM

Question 1109

Splunk Sale Stages

Answer 1109

Business Qualification 
Technical Interlock 
Champion Tested
Proof Completed
Mutually Agreed Closed Plan

Question 1110

Splunk Value Stack

Answer 1110

Corporate Objectives
Business Strategy 
Initiatives
Risks and Critical Capabilities 
C Level Commercial Insights

Question 1111

4 Key Assets in Every Sales Play

Answer 1111

Prospecting Guide
Meeting Guide
Differentiation Pitch
Champion Guide

Question 1112

Splunks Core Selling Tools

Answer 1112

Value Stack
Whiteboard
Differentiators
best used together

Question 1113

Splunk Market

Answer 1113

Vertical and Segments

Question 1114

Splunk Light

Answer 1114

Delivers a light version of Splunk for Small IT environment
5 users
Cheaper
20GB of daily data indexing

Question 1115

What is Machine Data

Answer 1115

Machine data is one of the fastest, growing, most complex and most valuable segments of big data

Question 1116

Splunk Cloud

Answer 1116

All the power of Splunk Enterprise, delivered as a service. Runs in an Amazon Web Service
AWS GovCloud-Splunk Cloud solution hosted in secure enviornment for public sector
1.33X more expensive but its in the cloud and support is included

Question 1117

Passionate and Vibrant Community

Answer 1117

Splunk online communities include splunk base, splunk answers, and spunk dev
Active communities including Facebook and Linkedin; regional customer events, user group meetings and annual user conference.

Question 1118

Scales from Desktop to Enterprise

Answer 1118

Flexible data engine that scales to index terabytes of data per day and permits thousands of users to concurrently search petabytes of data