Splunk Core Certified User

Question 1

what are considered hosts by splunk ?

Answer 1

computers, sensors, virtual machines, web servers, network devices, databases

Question 2

hosts usually generate a variety of data including

Answer 2

fault
configuration
accounting
performance
security
system logs
application logs
metrics
tickets

Question 3

where can splunk index data from ?

Answer 3

• can index from any source

Question 4

what are the processing components of splunk ?

Answer 4

indexers
forwarders
search heads

Question 5

what are the management components of splunk ?

Answer 5

• Deployment servers
• indexer cluster manager
• search head cluster deployment
• license manager
• monitoring console

Question 6

what can a search head do once connected ?

Answer 6

• search
• analyze
• visualize
• reports
• alerts
• dashboard
• knowledge

Question 7

what are some details about splunk forwarders ?

Answer 7

forwarders are generally installed on host machines to collect source data and send to splunk

forwarders are the primary way to send data to splunk for indexing

Question 8

what are the two types of splunk forwarders ?

Answer 8

-Universal forwarder

Heavy forwarders
- configured from full splunk enterprise installation
- can parse and filter before forwarding

Question 9

what is a splunk component that resides on machines originating data ?

Answer 9

forwarder

Question 10

what is the difference between universal and heavy forwarders

Answer 10

heavy forwarders can parse data

Question 11

how does splunk data flow initially ?

Answer 11

data from hosts —> Indexer —-> indexes on disk

Question 12

what is an indexer in splunk ?

Answer 12

An indexer or search peer is a Splunk enterprise instance that processes and writes data into repositories as events

Question 13

what is processing in regards to splunk?

Answer 13

• transform data into events
• assign metadata
• identify or create timestamps
• data repositories are known as indexes
• repositories containing files with index data are called buckets

Question 14

what is thawed data in splunk ?

Answer 14

thawed data in splunk is when you are bringing data out of the archive

Question 15

what is an Indexer cluster ?

Answer 15

• an indexer cluster is when you group indexers together to provide data replication
• cluster manager - coordinates replication activities and manages the cluster

Question 16

what is a splunk component that transforms raw data into events?

Answer 16

indexer and heavy forwarders are the splunk components that transform raw data into events

Question 17

what are some of the details regarding search heads

Answer 17

• allows users to write search queries SPL to search the indexed data
• distributes search requests to the indexers and merges the result back to the user

Can create fields and other knowledge objects such as
- reports
- alerts
- visualizations
- dashboards

Question 18

what are some details regarding the search head cluster ?

Answer 18

• groups of search heads with identical configuration
• search requests from users are balanced across the SH groups
• Managed by a cluster captain
• cluster deployer, distributes apps and other configuration to cluster members

Question 19

what are some details of the configuration deployment server?

Answer 19

• distributes content, configuration, apps to other groups of splunk instances
• distributed content is known as deployment apps
• used mostly to distribute apps to splunk forwarders

Question 20

what is the forwarder manager for Splunk ?

Answer 20

provides a way to configure deployment servers and monitor updates

Question 21

what is the license manager in Splunk ?

Answer 21

Hosts licenses and assigns license volume to other splunk components in a distributed deployment

License meter runs during indexing

License types
- Volume based
- Infrastructure based
- Access to splunk features

Question 22

what is the monitoring console in Splunk ?

Answer 22

Used to view topology and performance information.

Question 23

what are the three main out of the box roles in Splunk ?

Answer 23

User
Power
Admin

Question 24

what are some of the default app examples ?

Answer 24

home app
search app

Question 25

what is the default port for Splunk web ?

Answer 25

port 8000

Question 26

what are some splunk default app examples ?

Answer 26

home app
search and reporting app

Question 27

what are splunk apps ?

Answer 27

splunk apps are custom solutions that allow you to extend the functionality of the splunk platform

Question 28

what can splunk apps do for us ?

Answer 28

What can Splunk Apps do for us ?

Separate workspaces for different use cases to co exist on a single instance.
- Alerts
- Reports
- Dashboards

Custom configurations to ingest data

Collections of
- Data inputs
- UI Elements
- Knowledge Objects

Question 29

how do we access splunk apps ?

Answer 29

you can access Splunk apps on Splunk-base

Question 30

what is SPL ?

Answer 30

SPL is Splunk processing language

Question 31

what can be changed using the account settings and preferences ?

Answer 31

preferences - time zone
Full name
Email
Password
change the theme

Question 32

what is the splunk search and reporting app ?

Answer 32

default app that provides an interface to search, analyze and visualize data in splunk

Question 33

what is the search bar used for in splunk ?

Answer 33

the search bar is where you specify search criteria

Question 34

what is the app navigation bar in Splunk?

Answer 34

shows views in the current applicationand the different apps avaliable

Question 35

what is the time range picker in splunk ?

Answer 35

allows us to specify the time period to search

Default value is 24 hours

Question 36

what are the three different types of search modes in splunk ?

Answer 36

Fast (better performance less info)

Smart (less performance but more info then fast mode)

Verbose (slowest performance but the most information)

Question 37

what is search history in splunk ?

Answer 37

See a history of your searches

You can select to re-run a search

Question 38

what are the different ways you can view counts of events in Splunk ?

Answer 38

Hosts

Sources

Source types

Question 39

what is a quick way to understand data in your deployment?

Answer 39

the data summary type

Question 40

what are the fields presented under the data summary tab ?

Answer 40

host
source
source type

Question 41

what are the three out of the box users in splunk ?

Answer 41

user
power
admin

Question 42

what is the user role in splunk ?

Answer 42

Limited access to Settings

Create private knowledge objects

Assign to basic users

Question 43

what is the power role in splunk ?

Answer 43

Limited access to settings

Create and publish share knowledge objects

Assign to power users

Question 44

what is the admin role in splunk ?

Answer 44

Access to all settings

Has the most capabilities

Assign to splunk admins

Question 45

which roles have minimum and maximum permissions

Answer 45

minimum permissions is the user role

Maximum permissions is the admin role

Question 46

Which Splunk component transforms raw data into events and distributes the result to an index?

Answer 46

Indexer

Question 47

Which component of splunk is primarily responsible for saving data ?

Answer 47

Indexer

Question 48

The three basic components of splunk are ?

Answer 48

Forwarder, indexer, Search head

Question 49

What is Splunk ?

Answer 49

Splunk is a software platform to search, analyze and visualize the machine generated data

Question 50

Which component of Splunk let us write SPL query to find the required data?

Answer 50

Search head

Question 51

What Splunk Components can perform log filtering/parsing ?

Answer 51

Heavy forwarders

Question 52

What is true about user account settings and preferences?

Answer 52

Full name, time zone, and default app can be defined by clicking the login name in the Splunk bar

Question 53

A collection of items contains things such as data inputs, UI elements and knowledge objects is known as what ?

Answer 53

An app

Question 54

explain what Splunk apps are ?

Answer 54

It is a collection of different Splunk config files like data inputs, UI and Knowledge objects

Question 55

What is the default app for Splunk Enterprise ?

Answer 55

Search and reporting

Question 56

How many main roles do you have in Splunk ?

Answer 56

3

Question 57

What is the default web port used by Splunk?

Answer 57

8000

Question 58

what are some of the ways we get data in Splunk ?

Answer 58

Get data from Files and Directories

Get data from network sources

Get data from Windows sources

Get data from other sources

Question 59

what are some of the ways we can get data from files and directories in splunk ?

Answer 59

Monitor files and directories

Upload static files

Question 60

what are some of the ways we can get data from network sources ?

Answer 60

Data that comes over a network port

Both TCP and UDP protocols supported

Question 61

what are some of the ways we can get data from windows sources in splunk ?

Answer 61

Windows Event logs

Windows registry

Windows Management Instrumentation

Active Directory

Performance monitoring

Question 62

what are some of the other sources we can get data from in Splunk ?

Answer 62

APIs

Databases

Metrics

FIFO queues

Question 63

what are some of the ways we can ingest data into Splunk ?

Answer 63

Use existing Apps and Add-ons

Use forwarders to get data

use HTTP event collector HEC

for custom data use

Question 64

what are some of the ways we can ingest data into Splunk using existing apps and Add ons

Answer 64

• Splunk add-on for windows
• Splunk add-ons for AWS
• Splunk DB connect
• Splunk stream

Question 65

what is the way we can use forwarders to get data ?

Answer 65

Install forwarders on the sources generating data

Use heavy forwarder when more processing is required before ingestion

Question 66

what are ways we can use the splunk HEC to ingest data into splunk?

Answer 66

Use HEC to get data from the HTTP or HTTPS protocol

Question 67

what is the splunk index time process ?

Answer 67

data is handled at the splunk data source and forwarded using the universal forwarder or heavy forwarder

then the data sources are open and read

configurations are applied to entire streams

data is sent out for indexing

Question 68

what are the three phases of the splunk index time process ?

Answer 68

The first phase of the Splunk index time process is the input phase

The second phase of this process is the parsing phase

The third phase of this is the indexing phase

Question 69

explain the parsing phase of the splunk index time process ?

Answer 69

Handled at
- Indexer
- Heavy forwarder

Data broken into events

Extract default metadata fields
- Host
- Source
- Sourcetype
- Index

Identify or create timestamps

Identify line termination

Question 70

explain the indexing phase of the splunk index time process ?

Answer 70

Handled at
- Indexer

• Run License meter
• Build index data structures
• Write data to disk

Question 71

what are the different ways of configuring data inputs in splunk ?

Answer 71

Splunk web

CLI

Configuration files edit inputs.conf

Apps and add-ons from Splunkbase

Question 72

what are the three ways we can add data inputs using splunk web ?

Answer 72

uploads

monitor

forward

Question 73

explain the upload function in splunk web

Answer 73

Upload local files from your computer

Only gets indexed once

Question 74

what is the monitor function in splunk web

Answer 74

Monitor files and directories, network ports

Data located on splunk enterprise instance

Useful for testing

Question 75

explain the forward function in Splunk web

Answer 75

Frequently used in production environments

Get data from remote machines over receiving port

Remote machines have the forwarder installed to forward data

Question 76

what is the default splunk installation directory in windows ?

Answer 76

C:\Program Files\Splunk

Question 77

what is the default splunk installation directory for linux ?

Answer 77

/opt/splunk/

Question 78

what is the default MAC os splunk installation directory ?

Answer 78

/Applications/Splunk

Question 79

Data source being open and read applies to?

Answer 79

The input phase

Question 80

Select the correct option that applies to index time processing

Answer 80

Input, parsing, indexing

Question 81

The splunk index time process can be broken down into how many phases

Answer 81

3

Question 82

Where does licensing meter happen ?

Answer 82

Indexer

Question 83

Which statement is true about heavy forwarders ?

Answer 83

Parsing, masking, forwarding

Question 84

We use keywords and phrases to retrieve matched events from the index:

Answer 84

When searching for keywords splunk is searching the keyword against raw events in the _raw filed

The _raw field contains the entire events

To search matching phrases, use double-quotes example “user ubuntu”

Question 85

what do we use wildcards for in Splunk ?

Answer 85

Use wildcards to match characters in string values for events in your index

Question 86

what is best practice for using wildcards ?

Answer 86

As best practice, use wildcards at the end of the term.

Question 87

in which situations do we want to avoid using wildcards ?

Answer 87

Avoid using at the beginning of a string example *fail

If you put a wildcard at the front it will scan every event

Can cause performance issues

Question 88

should we use wildcards in the middle of a string ?

Answer 88

Don’t use in the middle of a string

Might cause inconsistent results especially in string containing punctuation

Question 89

where should wildcards be used when searching in Splunk ?

Answer 89

To have better searches we should always place our wildcards at the end

The * character can be used as a wildcard

Question 90

what do we use Boolean operators for ?

Answer 90

Use boolean operators AND, OR, NOT to combine search terms

Boolean operators must be in uppercase

The AND operator is implied between terms

Example search for failed password is the same as failed AND password

Example user NOT administrator – search events that contain the word user and does not contain the word administrator

Question 91

what is the point of boolean operators ?

Answer 91

they are used to combine search terms

Question 92

what do we have to remember when using boolean operators ?

Answer 92

boolean operators are always in upper case

Question 93

what does the search assistant help us with in Splunk ?

Answer 93

The search assistant helps with writing searches by providing selections to complete strings

It helps matching searches based on recent search history

Shows list of commands after first pipe

Question 94

what are the three modes in search assistant ?

Answer 94

• compact (default)
• full
• none (used to disable search assistant)

Question 95

what is the difference between full mode and compact mode with the search assistant ?

Answer 95

Full mode shows more information than compact mode

Additionally, it displays count of how many times a term appears in indexed data

Question 96

what are some things to remember when identifying content of search results ?

Answer 96

• Each event contains a timestamp extracted at index time
• The newest events are going to be displayed at the top and the oldest are going to be displayed at the bottom
• Splunk also extracts metadata fields at index time . The metadata fields are the following
• Host
• Source
• Sourcetpye
• Index

Selected fields host,source,sourcetype are shown at the bottom of each event

Terms that match the search are highlighted in search results

Question 97

what are the three display options with the event viewer

Answer 97

• list
• raw
  -table

Question 98

what is the order of search results in splunk

Answer 98

reverse chronological order

Question 99

what are the metadata fields in the search results ?

Answer 99

• host
• source
• sourcetype
• index

Question 100

what do time unit abbreviations include ?

Answer 100

S = seconds

M = minutes

H = hours

D = days

W = weeks

Mon = months

Y= years

Question 101

what does the events timeline include ?

Answer 101

The events timeline shows distribution of events over time for a selected time range.

Question 102

Exam: what does using click and drag on the timeline do for us?

Answer 102

We are able to select specific times and timelines without having to re-execute the search

Question 103

what are the three different timeout controls ?

Answer 103

We are able to Format the timeline

Zoom out zoom in to edit the selection

We are able to deselect a section

Question 104

what are some of the search actions we can perform in Splunk ?

Answer 104

Every search you run is a job and generates a job id

Under the job menu you can do the following
- Change job settings
- Send a job to the background
- Can associate an email with this so it emails you when the job is done

• You can inspect a job
  
  • You can use this to find out why a job is taking a long time
  • Delete a job
• Pause/resume a job

-Stop job
- Will generate partial results

• Share job
  
  • Provides a link to bookmark or copy /share job
  • Can give read permissions to the people you have shared with

Export a job
- Export search results as Raw Events (text file)
- CSV
- XML
- JSON

• Print a job

Question 105

How do we access saved jobs in splunk ?

Answer 105

We have to go to the activity menu to access saved jobs

Question 106

What is the default time to retain a search job

Answer 106

10 minutes

Question 107

How do we keep search results longer then 7 days ?

Answer 107

To save the job longer then 7 days you have to save the job as a report

Question 108

When writing searches in Splunk, which of the following is true about Booleans?

Answer 108

They must be in uppercase

Question 109

How are events displayed after a search is executed?

Answer 109

In reverse chronological order

Question 110

Which time range picker option configuration would return real-time events for the past 30 seconds?

Answer 110

Real time – Earliest: 30-seconds ago, latest: Now

Question 111

Which Boolean operator is always implied between two search terms, unless otherwise specified?

Answer 111

AND

Question 112

What user interface component allows for time selection ?

Answer 112

Time Range Picker

Question 113

Which of the following searches will return results where fail, 400, and error exist in every event?

Answer 113

Error AND (fail AND 400)

Question 114

In a deployment with multiple indexes, what will happen when a search is run and an index is not specified in the search string?

Answer 114

Events from every index searched by default to which the user has access will be returned

Question 115

Which of the following is an option after clicking an item in search results ?

Answer 115

Adding the item to the search

Question 116

What does the following specified time range do?

earliest=-72h@h latest=@d

Answer 116

Look back from 3 days ago, up to the beginning of today

Question 117

What is the primary function of the timeline located under the search bar ?

Answer 117

To show peaks and or valleys in the timeline, which can indicate spikes in activity or downtime.

Question 118

According to splunk best practices which placement of the wildcard results in the most efficient search ?

Answer 118

Fail*

Question 119

Which of the following can be used as a wildcard in splunk

Answer 119

*

Question 120

What is search assistant in Splunk ?

Answer 120

Shows options to complete the search string

Question 121

You can use the following options to specify start and end time for the query range:

Answer 121

Earliest=, latest=

Question 122

Which of the following file types is an option for exporting splunk search results ?

Answer 122

Not pdf, not xls, not RTF, but JSON yes

Question 123

By default how long does splunk retain a search job ?

Answer 123

10 minutes

Question 124

what are indexers in splunk ?

Answer 124

In Splunk, indexers are the components responsible for ingesting, parsing, and storing data into indexes.

Indexers are a critical part of the Splunk architecture, as they handle the initial processing and storage of data before it can be searched and analyzed by search heads or other Splunk components.

Question 125

what are the main tasks with indexers in splunk ?

Answer 125

Data ingestion: They ingest data from various sources like log files, network data, APIs, etc.

Data parsing: They parse the incoming data to extract relevant information and structure it into events.

Data indexing: They index the parsed events by storing them in the appropriate indexes based on configured rules or settings.

Data distribution: In a distributed Splunk environment, indexers can forward data to other indexers for load balancing or data replication purposes.

Question 126

what is the main job of the splunk universal forwarder ?

Answer 126

The Splunk universal forwarder sends data to the splunk indexer

Question 127

what do the splunk search heads provide ?

Answer 127

The search heads provide an interface for the splunk users and allow searches to be made on the data

Question 128

what is a Splunk Indexer ?

Answer 128

Receives data from clients

Converts raw data into searchable events

Executes searches

Question 129

what is a splunk search head ?

Answer 129

Web interface for the user

Manages the searches

Dispatches searches to the indexers

Maintains access control

Question 130

what is a Splunk Universal forwarder ?

Answer 130

Collects data from the machine it is installed on

Keeps track of data ingestion

Very lightweight and production ready

Question 131

what is a splunk index cluster ?

Answer 131

Multiple copies of data replicated across the cluster members

Helps protect against hardware failure on one or more indexers

Cluster mater manages the cluster-level operations

Question 132

what is inside of an indexer ?

Answer 132

Splunk stores data in indexes

Indexes contain buckets

Data buckets contain raw data and index files

Data retention policies are configured at index level

Question 133

what are data buckets in Splunk ?

Answer 133

Data buckets are categorized as hot, warm, cold and frozen

As data ages the data buckets roll from hot to warm to cold to frozen

Data buckets expire when all events in it become older than the configured duration

Question 134

what are hot buckets in splunk ?

Answer 134

Contains the newest bucket

Open for both read and write

Splunk administrator can configure when data rolls to warm bucket

Question 135

what are warm buckets in splunk ?

Answer 135

Open for read only (no writes)

Hot and warm buckets are usually kept in faster storage

When data ages, they roll from warm to cold

Question 136

what are cold buckets in splunk ?

Answer 136

Open for read only (no writes)

Cold buckets can be kept in cheaper and hence slower storage

Question 137

what are frozen buckets in Splunk ?

Answer 137

Not searchable

Question 138

what does splunk implement for security?

Answer 138

Splunk implements role based access control

Three primary roles: user, power, admin

Only power users can share knowledge objects

Question 139

what are knowledge objects ?

Answer 139

Knowledge objects are tools you create and utilize for analyzing your data

Question 140

what are some examples of knowledge objects ?

Answer 140

Filed extractions

Lookups

Data models

Tags

Question 141

what are fields in splunk ?

Answer 141

Fields are searchable name/value pairs in your event data

Searches using fields are more efficient than searches using keywords or quoted phrases

Fields can be extracted from data at index time and at search time

Question 142

what is field discovery in splunk ?

Answer 142

Automatically discover fields based on sourcetype and name/value pairs in your data

Question 143

how would you describe field discovery in Splunk ?

Answer 143

In Splunk, Field Discovery is a feature that automatically identifies and extracts fields (key-value pairs) from events or log messages as they are ingested into Splunk. This process helps structure the data and makes it easier to search, analyze, and report on the information contained within the events.

Question 144

what are the metadata fields in splunk ?

Answer 144

Host

Source

Sourcetype

Index

Question 145

what is the fields sidebar in splunk ?

Answer 145

Fields sidebar displays fields discovered in your events

Question 146

what are selected fields under the fields sidebar ?

Answer 146

By default these are

Host

Source

Sourcetype

Can be configured to add/remove fields

Question 147

what are interesting fields under the field sidebar ?

Answer 147

Fields that appear in at least 20% of your events

Can always make an interesting field a selected field and vice versa

Question 148

what is the all fields option under the field sidebar for ?

Answer 148

Use this to see all fields in events

Will also include fields that appear in less than 20% of your events

Question 149

how do we make any fields a selected field in Splunk ?

Answer 149

Click on all fields

Click the checkboxes next to them to make them selected fields

Question 150

what are some of the different reports when you click on a field under the interesting fields tab ?

Answer 150

Top values / stats and visualizations of top 20 values

Top values by time – timechart for top values

Rare values – stats and visualizations of bottom 20 values

Events with this field – all events containing the field

Question 151

how do we add fields to the field sidebar ?

Answer 151

Have to click on all fields and select the check box next to the field you want to be added

Question 152

What are the field characteristics you need to know for the exam ?

Answer 152

• Numeric Fields

A – Alphanumeric field

Count of unique events

Question 153

What are the default selected fields

Answer 153

Host

Source

Sourcetype

Question 154

What are the reports that show up in the field window ?

Answer 154

Top values / stats and visualizations of top 20 values

Top values by time – timechart for top values

Rare values – stats and visualizations of bottom 20 values

Events with this field – all events containing the field

Question 155

what is the synatx for using fields in searches ?

Answer 155

<field_name>=<field_value>
</field_value></field_name>

Question 156

what is the most efficient way to search, using keywords, quoted strings, or field searches

Answer 156

Field searches

Question 157

what are some things to keep in mind when using fields in searches ?

Answer 157

Use quotation marks for field names with spaces

Field names are case sensitive

Field values are not case sensitive

You can use wildcards with fields

You can use Boolean operators AND, OR, NOT with fields

Question 158

are filed names case sensitive when searching ?

Answer 158

Field names are case sensitive field values are not

Question 159

can you use boolean operators with field searches ?

Answer 159

You can also use the boolean operators AND, OR, NOT with field searches

Question 160

what do boolean operators help us with when using searches ?

Answer 160

Narrow down searches specifically to what you want

Improves performance

Question 161

which boolean operator is usually implied ?

Answer 161

AND

Question 162

what is true about boolean operators ?

Answer 162

they always have to be uppercase

Question 163

what are some of the comparison operators

Answer 163

!= | not equal

> | Greater than

< | Less than

> = | greater than or equal to

<= | less than or equal to

Question 164

!=

Answer 164

not equal

Question 165

>

Answer 165

Greater than

Question 166

<

Answer 166

less than

Question 167

> =

Answer 167

greater than or equal to

Question 168

<=

Answer 168

less than or equal to

Question 169

what is the difference between the != and NOT operators ?

Answer 169

“NOT action=remove”
- All events where the action field exists, and value is different from remove
- All events where the action field does not exist

“action!=remove”
- All events where the action field exists and the value is different from remove
- The NOT and != operator will produce the same results when a field exists in all your events

Question 170

what are some features of the fast mode search in Splunk ?

Answer 170

Best performance, speed over completeness

Field discovery is disabled

Question 171

what are some features of the smart mode in Splunk ?

Answer 171

Balances speed and completeness

Field discovery is enabled

Question 172

what are some features of verbose mode in Splunk ?

Answer 172

More data, least performance, completeness over speed

Field discovery is enabled

Shows event when using transforming commands

Question 173

what are the three different search modes in Splunk ?

Answer 173

Fast mode

Smart mode

Verbose mode

Question 174

what are some common search best practices ?

Answer 174

Specify indexes at the beginning of a search string

Use OR instead of wildcards when possible

It is better to use inclusion than exclusion

Inclusion action=addtocart

Exclusion NOT action=addtocart

Include as many search terms as possible to narrow down your results

Specify time to narrow down the results of your search.

Question 175

Which search string only returns events from host WWW3?

Answer 175

Host=WWW3

Question 176

Which of the following searches would return events with failure in index netfw or warn or critical in index netops?

Answer 176

(index=netfw failure) OR (index=netops(warn OR critical))

Question 177

Which of the following is a Splunk search best practice?

Answer 177

Filter as early as possible

Question 178

by default which of the following fields would be listed in the fields sidebar under interesting fields?

Answer 178

Index

Question 179

Which of the following statements about case sensitivity is true?

Answer 179

Field names ARE case sensitive, field values are NOT

Question 180

A field exists in search results, but isn’t being displayed in the fields sidebar.

How can it be added to the fields sidebar?

Answer 180

Click All fields and select the field to add it to selected fields

Question 181

In the fields sidebar, which character denotes alphanumeric field values?

Answer 181

@

Question 182

What syntax is used to link key/value pairs in search strings?

Answer 182

action=purchase

Question 183

Which of the following is the most efficient filter for running searches in Splunk?

Answer 183

Time

Question 184

How does Splunk determine which fields to extract from data?

Answer 184

Splunk automatically discovers many fields based on sourcetype and key/value pairs found in the data

Question 185

What syntax is used to link key/value pairs in search strings?

Answer 185

Relational operators such as =,<, or >

Question 186

Which search would return events from the access_combined sourcetype?

Answer 186

sourcetype=Access_Combined

Question 187

Which of the following index searches would provide the most efficient search performance?

Answer 187

(index=web OR index=sales)

Question 188

In the fields sidebar, what indicates that a field is numeric?

Answer 188

A # symbol to the left of the field name.

Question 189

At index time, in which field does Splunk store the timestamp value?

Answer 189

_time

Question 190

Which events will be returned by the following search string? host=www3 status=503

Answer 190

All events with a host of www3, that also have a status of 503

Question 191

what are some specific commands we can apply to Splunk searches ?

Answer 191

Commands
- Specifies what to do with results retrieved
- Calculate Statistics, generate chart, evaluate new fields

Question 192

what are functions in regards to splunk search ?

Answer 192

Functions define how to perform a task required by the command

Function arguments provide the variables needed for the function to do the work

Question 193

what are arguments in regards to Splunk search ?

Answer 193

Variables needed for the command to work

Question 194

what character can sperate commands ?

Answer 194

|

Question 195

what are some common command examples in splunk ?

Answer 195

-eval

-top

-rename

Question 196

what color are functions in search splunk and what are some function examples ?

Answer 196

Functions are always in purple, function examples:
- If
- Count

Question 197

what color are boolean operators in splunk search and what are some examples ?

Answer 197

Boolean operators and clauses are in orange, examples
- AND
- OR
- NOT

Question 198

what color are command line arguments in splunk and what are some examples ?

Answer 198

Command arguments are in green
- Limit
- Span

Question 199

what does the fields command do in Splunk ?

Answer 199

Use the fields command to filter a list of fields returned in the search results

Note that internal fields _raw and _time are returned by default

To include fields
- Use the “fields” or “fields+” command

To exclude fields
- Use fields -

Question 200

what are some details about the table command ?

Answer 200

The table command creates a statistics table of the specified fields

Each row of the created table represents an event, and the columns represent field names

Columns are displayed in the order given in the command when using the table command

Question 201

what are some details regarding the rename command ?

Answer 201

Use the rename command to change the name of a field

Useful when you want to provide meaningful names

Use double-quotes when renaming field names with names that include spaces or special characters

Question 202

what is an example of the rename command ?

Answer 202

Rename command example:

Rename method as “HTTP Method”, status as “HTTP Status”, clientip as ClientIP_Address

Question 203

what are some details about the sort command ?

Answer 203

the sort command allows us to sort search results by specified fields

To sort in ascending order use the following command:
- Sort +<fieldname>
- Sort <filedname></filedname></fieldname>

To sort in descending order

Use sort - <fieldname></fieldname>

Use the limit argument to limit the number of results

Question 204

what does the dedup command do in splunk ?

Answer 204

the dedup command removes duplicates from your results

Question 205

When running searches, command modifiers in the search string are displayed in what color?

Answer 205

Orange

Question 206

When sorting on multiple fields with the sort command, what delimiter can be used between the field names in the search?

Answer 206

comma character ,

Question 207

How do you add or remove fields from search results?

Answer 207

Use Field + to add and field – to remove

Question 208

When placed early in a search, which command is most effective at reducing search execution time?

Answer 208

Fields +

Question 209

Search Language Syntax in Splunk can be broken down into the following components:

Answer 209

Search Term, Pipe, Command, Functions, Arguments, Clause

Question 210

Which command will rename action to customer action?

Answer 210

rename action as Customer Action

Question 211

When is the pipe character | used in search strings?

Answer 211

Before command, For example: | stats sum(bytes) by host

Question 212

Which search will return only events containing the word error and display the results as a table that includes the fields named action, src, and dest?

Answer 212

Error | table action,src,dest

Question 213

Which search string only returns events from hostWWW3?

A. host=*
B. host=WWW3
C. host=WWW*
D. Host=WWW3

Answer 213

B

Question 214

by default how long does splunk retain a search job ?

A. 10 Minutes
B. 15 Minutes
C. 1 Day
D. 7 Days

Answer 214

A. 10 Minutes

Question 215

What must be done before an automatic lookup can be created? (Choose all that apply.)

A. The lookup command must be used.

B. The lookup definition must be created.

C. The lookup file must be uploaded to Splunk.

D. The lookup file must be verified using the inputlookup command.

Answer 215

B the lookup definition must be created

Question 216

Which of the following Splunk components typically resides on the machines where data originates?

A. Indexer
B. Forwarder
C. Search head
D. Deployment server

Answer 216

B. Forwarder

Question 217

When writing searches in Splunk, which of the following is true about Booleans?

A. They must be lowercase.

B. They must be uppercase.

C. They must be in quotations.

D. They must be in parentheses.

Answer 217

B. They must be uppercase.

Question 218

Which of the following searches would return events with failure in index netfw or warn or critical in index netops?

A. (index=netfw failure) AND index=netops warn OR critical

B. (index=netfw failure) OR (index=netops (warn OR critical))

C. (index=netfw failure) AND (index=netops (warn OR critical))

D. (index=netfw failure) OR index=netops OR (warn OR critical)

Answer 218

B. (index=netfw failure) OR (index=netops (warn OR critical))

Question 219

Select the answer that displays the accurate placing of the pipe in the following search string: index=security sourcetype=access_* status=200 stats count by price

A. index=security sourcetype=access_* status=200 stats | count by price

B. index=security sourcetype=access_* status=200 | stats count by price

C. index=security sourcetype=access_* status=200 | stats count | by price

D. index=security sourcetype=access_* | status=200 | stats count by price

Answer 219

B. index=security sourcetype=access_* status=200 | stats count by price

Question 220

Which of the following constraints can be used with the top command?

A. limit
B. useperc
C. addtotals
D. fieldcount

Answer 220

A limit

Question 221

what are examples of keyword modifiers in splunk and what color are they ?

Answer 221

• Boolean operators (AND, OR, NOT) to combine or exclude terms
• Wildcard characters (*, ?) to match partial words or unknown characters
• Field qualifiers (fieldname:value) to search within specific fields

Keyword modifiers are orange

Question 222

When running searches, command modifiers in the search string are displayed in what color?

A. Red
B. Blue
C. Orange
D. Highlighted

Answer 222

B. Blue

Question 223

what is the recommended naming conventions for dashboards ?

Answer 223

Group_Object_Description

Question 224

What is a primary function of a scheduled report?

A. Auto-detect changes in performance.

B. Auto-generated PDF reports of overall data trends.

C. Regularly scheduled archiving to keep disk space use low.

D. Triggering an alert in your Splunk instance when certain conditions are met.

Answer 224

D. Triggering an alert in your Splunk instance when certain conditions are met.

Question 225

Which command is used to review the contents of a specified static lookup file?

A. lookup
B. csvlookup
C. inputlookup
D. outputlookup

Answer 225

C. inputlookup

Question 226

When sorting on multiple fields with the sort command, what delimiter can be used between the field names in the search?

A. |
B. $
C. !
D. ,

Answer 226

D. ,

Question 227

Which time range picker configuration would return real-time events for the past 30 seconds?

A. Preset - Relative: 30-seconds ago

B. Relative - Earliest: 30-seconds ago, Latest: Now

C. Real-time - Earliest: 30-seconds ago, Latest: Now

D. Advanced - Earliest: 30-seconds ago, Latest: Now

Answer 227

C. Real-time - Earliest: 30-seconds ago, Latest: Now

Question 228

What is the correct syntax to count the number of events containing a vendor_action field?

A. count stats vendor_action

B. count stats (vendor_action)

C. stats count (vendor_action)

D. stats vendor_action (count)

Answer 228

C. stats count (vendor_action)

Question 229

By default, which of the following fields would be listed in the fields sidebar under interesting Fields?

A. host
B. index 
C. source
D. sourcetype

Answer 229

B index

Question 230

Which of the following statements about case sensitivity is true?

A. Both field names and field values ARE case sensitive.

B. Field names ARE case sensitive; field values are NOT.

C. Field values ARE case sensitive; field names ARE NOT.

D. Both field names and field values ARE NOT case sensitive.

Answer 230

B. Field names ARE case sensitive; field values are NOT.

Question 231

What does the rare command do?

A. Returns the least common field values of a given field in the results.

B. Returns the most common field values of a given field in the results.

C. Returns the top 10 field values of a given field in the results.

D. Returns the lowest 10 field values of a given field in the results.

Answer 231

A. Returns the least common field values of a given field in the results.

Question 232

When an alert action is configured to run a script, Splunk must be able to locate the script.
Which is one of the directories Splunk will look in to find the script?

A. $SPLUNK_HOME/bin/scripts

B. $SPLUNK_HOME/etc/scripts

C. $SPLUNK_HOME/bin/etc/scripts

D. $SPLUNK_HOME/etc/scripts/bin

Answer 232

A. $SPLUNK_HOME/bin/scripts

Question 233

Which Boolean operator is always implied between two search terms, unless otherwise specified?

A. OR
B. NOT
C. AND
D. XOR

Answer 233

C. AND

Question 234

Which statement is true about Splunk alerts?

A. Alerts are based on searches that are either run on a scheduled interval or in real-time.

B. Alerts are based on searches and when triggered will only send an email notification.

C. Alerts are based on searches and require cron to run on scheduled interval.

D. Alerts are based on searches that are run exclusively as real-time.

Answer 234

A. Alerts are based on searches that are either run on a scheduled interval or in real-time.