Splunk Core Certified User Flashcards
what are considered hosts by splunk ?
computers, sensors, virtual machines, web servers, network devices, databases
hosts usually generate a variety of data including
fault
configuration
accounting
performance
security
system logs
application logs
metrics
tickets
where can splunk index data from ?
- can index from any source
what are the processing components of splunk ?
indexers
forwarders
search heads
what are the management components of splunk ?
- Deployment servers
- indexer cluster manager
- search head cluster deployment
- license manager
- monitoring console
what can a search head do once connected ?
- search
- analyze
- visualize
- reports
- alerts
- dashboard
- knowledge
what are some details about splunk forwarders ?
forwarders are generally installed on host machines to collect source data and send to splunk
forwarders are the primary way to send data to splunk for indexing
what are the two types of splunk forwarders ?
-Universal forwarder
Heavy forwarders
- configured from full splunk enterprise installation
- can parse and filter before forwarding
what is a splunk component that resides on machines originating data ?
forwarder
what is the difference between universal and heavy forwarders
heavy forwarders can parse data
how does splunk data flow initially ?
data from hosts —> Indexer —-> indexes on disk
what is an indexer in splunk ?
An indexer or search peer is a Splunk enterprise instance that processes and writes data into repositories as events
what is processing in regards to splunk?
- transform data into events
- assign metadata
- identify or create timestamps
- data repositories are known as indexes
- repositories containing files with index data are called buckets
what is thawed data in splunk ?
thawed data in splunk is when you are bringing data out of the archive
what is an Indexer cluster ?
- an indexer cluster is when you group indexers together to provide data replication
- cluster manager - coordinates replication activities and manages the cluster
what is a splunk component that transforms raw data into events?
indexer and heavy forwarders are the splunk components that transform raw data into events
what are some of the details regarding search heads
- allows users to write search queries SPL to search the indexed data
- distributes search requests to the indexers and merges the result back to the user
Can create fields and other knowledge objects such as
- reports
- alerts
- visualizations
- dashboards
what are some details regarding the search head cluster ?
- groups of search heads with identical configuration
- search requests from users are balanced across the SH groups
- Managed by a cluster captain
- cluster deployer, distributes apps and other configuration to cluster members
what are some details of the configuration deployment server?
- distributes content, configuration, apps to other groups of splunk instances
- distributed content is known as deployment apps
- used mostly to distribute apps to splunk forwarders
what is the forwarder manager for Splunk ?
provides a way to configure deployment servers and monitor updates
what is the license manager in Splunk ?
Hosts licenses and assigns license volume to other splunk components in a distributed deployment
License meter runs during indexing
License types
- Volume based
- Infrastructure based
- Access to splunk features
what is the monitoring console in Splunk ?
Used to view topology and performance information.
what are the three main out of the box roles in Splunk ?
User
Power
Admin
what are some of the default app examples ?
home app
search app
what is the default port for Splunk web ?
port 8000
what are some splunk default app examples ?
home app
search and reporting app
what are splunk apps ?
splunk apps are custom solutions that allow you to extend the functionality of the splunk platform
what can splunk apps do for us ?
What can Splunk Apps do for us ?
Separate workspaces for different use cases to co exist on a single instance.
- Alerts
- Reports
- Dashboards
Custom configurations to ingest data
Collections of
- Data inputs
- UI Elements
- Knowledge Objects
how do we access splunk apps ?
you can access Splunk apps on Splunk-base
what is SPL ?
SPL is Splunk processing language
what can be changed using the account settings and preferences ?
preferences - time zone
Full name
Email
Password
change the theme
what is the splunk search and reporting app ?
default app that provides an interface to search, analyze and visualize data in splunk
what is the search bar used for in splunk ?
the search bar is where you specify search criteria
what is the app navigation bar in Splunk?
shows views in the current applicationand the different apps avaliable
what is the time range picker in splunk ?
allows us to specify the time period to search
Default value is 24 hours
what are the three different types of search modes in splunk ?
Fast (better performance less info)
Smart (less performance but more info then fast mode)
Verbose (slowest performance but the most information)
what is search history in splunk ?
See a history of your searches
You can select to re-run a search
what are the different ways you can view counts of events in Splunk ?
Hosts
Sources
Source types
what is a quick way to understand data in your deployment?
the data summary type
what are the fields presented under the data summary tab ?
host
source
source type
what are the three out of the box users in splunk ?
user
power
admin
what is the user role in splunk ?
Limited access to Settings
Create private knowledge objects
Assign to basic users
what is the power role in splunk ?
Limited access to settings
Create and publish share knowledge objects
Assign to power users
what is the admin role in splunk ?
Access to all settings
Has the most capabilities
Assign to splunk admins
which roles have minimum and maximum permissions
minimum permissions is the user role
Maximum permissions is the admin role
Which Splunk component transforms raw data into events and distributes the result to an index?
Indexer
Which component of splunk is primarily responsible for saving data ?
Indexer
The three basic components of splunk are ?
Forwarder, indexer, Search head
What is Splunk ?
Splunk is a software platform to search, analyze and visualize the machine generated data
Which component of Splunk let us write SPL query to find the required data?
Search head
What Splunk Components can perform log filtering/parsing ?
Heavy forwarders
What is true about user account settings and preferences?
Full name, time zone, and default app can be defined by clicking the login name in the Splunk bar
A collection of items contains things such as data inputs, UI elements and knowledge objects is known as what ?
An app
explain what Splunk apps are ?
It is a collection of different Splunk config files like data inputs, UI and Knowledge objects
What is the default app for Splunk Enterprise ?
Search and reporting
How many main roles do you have in Splunk ?
3
What is the default web port used by Splunk?
8000
what are some of the ways we get data in Splunk ?
Get data from Files and Directories
Get data from network sources
Get data from Windows sources
Get data from other sources
what are some of the ways we can get data from files and directories in splunk ?
Monitor files and directories
Upload static files
what are some of the ways we can get data from network sources ?
Data that comes over a network port
Both TCP and UDP protocols supported
what are some of the ways we can get data from windows sources in splunk ?
Windows Event logs
Windows registry
Windows Management Instrumentation
Active Directory
Performance monitoring
what are some of the other sources we can get data from in Splunk ?
APIs
Databases
Metrics
FIFO queues
what are some of the ways we can ingest data into Splunk ?
Use existing Apps and Add-ons
Use forwarders to get data
use HTTP event collector HEC
for custom data use
what are some of the ways we can ingest data into Splunk using existing apps and Add ons
- Splunk add-on for windows
- Splunk add-ons for AWS
- Splunk DB connect
- Splunk stream
what is the way we can use forwarders to get data ?
Install forwarders on the sources generating data
Use heavy forwarder when more processing is required before ingestion
what are ways we can use the splunk HEC to ingest data into splunk?
Use HEC to get data from the HTTP or HTTPS protocol
what is the splunk index time process ?
data is handled at the splunk data source and forwarded using the universal forwarder or heavy forwarder
then the data sources are open and read
configurations are applied to entire streams
data is sent out for indexing
what are the three phases of the splunk index time process ?
The first phase of the Splunk index time process is the input phase
The second phase of this process is the parsing phase
The third phase of this is the indexing phase
explain the parsing phase of the splunk index time process ?
Handled at
- Indexer
- Heavy forwarder
Data broken into events
Extract default metadata fields
- Host
- Source
- Sourcetype
- Index
Identify or create timestamps
Identify line termination
explain the indexing phase of the splunk index time process ?
Handled at
- Indexer
- Run License meter
- Build index data structures
- Write data to disk
what are the different ways of configuring data inputs in splunk ?
Splunk web
CLI
Configuration files edit inputs.conf
Apps and add-ons from Splunkbase
what are the three ways we can add data inputs using splunk web ?
uploads
monitor
forward
explain the upload function in splunk web
Upload local files from your computer
Only gets indexed once
what is the monitor function in splunk web
Monitor files and directories, network ports
Data located on splunk enterprise instance
Useful for testing
explain the forward function in Splunk web
Frequently used in production environments
Get data from remote machines over receiving port
Remote machines have the forwarder installed to forward data
what is the default splunk installation directory in windows ?
C:\Program Files\Splunk
what is the default splunk installation directory for linux ?
/opt/splunk/
what is the default MAC os splunk installation directory ?
/Applications/Splunk
Data source being open and read applies to?
The input phase
Select the correct option that applies to index time processing
Input, parsing, indexing
The splunk index time process can be broken down into how many phases
3
Where does licensing meter happen ?
Indexer
Which statement is true about heavy forwarders ?
Parsing, masking, forwarding
We use keywords and phrases to retrieve matched events from the index:
When searching for keywords splunk is searching the keyword against raw events in the _raw filed
The _raw field contains the entire events
To search matching phrases, use double-quotes example “user ubuntu”
what do we use wildcards for in Splunk ?
Use wildcards to match characters in string values for events in your index
what is best practice for using wildcards ?
As best practice, use wildcards at the end of the term.
in which situations do we want to avoid using wildcards ?
Avoid using at the beginning of a string example *fail
If you put a wildcard at the front it will scan every event
Can cause performance issues
should we use wildcards in the middle of a string ?
Don’t use in the middle of a string
Might cause inconsistent results especially in string containing punctuation
where should wildcards be used when searching in Splunk ?
To have better searches we should always place our wildcards at the end
The * character can be used as a wildcard
what do we use Boolean operators for ?
Use boolean operators AND, OR, NOT to combine search terms
Boolean operators must be in uppercase
The AND operator is implied between terms
Example search for failed password is the same as failed AND password
Example user NOT administrator – search events that contain the word user and does not contain the word administrator
what is the point of boolean operators ?
they are used to combine search terms
what do we have to remember when using boolean operators ?
boolean operators are always in upper case
what does the search assistant help us with in Splunk ?
The search assistant helps with writing searches by providing selections to complete strings
It helps matching searches based on recent search history
Shows list of commands after first pipe
what are the three modes in search assistant ?
- compact (default)
- full
- none (used to disable search assistant)
what is the difference between full mode and compact mode with the search assistant ?
Full mode shows more information than compact mode
Additionally, it displays count of how many times a term appears in indexed data
what are some things to remember when identifying content of search results ?
- Each event contains a timestamp extracted at index time
- The newest events are going to be displayed at the top and the oldest are going to be displayed at the bottom
- Splunk also extracts metadata fields at index time . The metadata fields are the following
- Host
- Source
- Sourcetpye
- Index
Selected fields host,source,sourcetype are shown at the bottom of each event
Terms that match the search are highlighted in search results
what are the three display options with the event viewer
- list
- raw
-table
what is the order of search results in splunk
reverse chronological order
what are the metadata fields in the search results ?
- host
- source
- sourcetype
- index
what do time unit abbreviations include ?
S = seconds
M = minutes
H = hours
D = days
W = weeks
Mon = months
Y= years
what does the events timeline include ?
The events timeline shows distribution of events over time for a selected time range.
Exam: what does using click and drag on the timeline do for us?
We are able to select specific times and timelines without having to re-execute the search
what are the three different timeout controls ?
We are able to Format the timeline
Zoom out zoom in to edit the selection
We are able to deselect a section
what are some of the search actions we can perform in Splunk ?
Every search you run is a job and generates a job id
Under the job menu you can do the following
- Change job settings
- Send a job to the background
- Can associate an email with this so it emails you when the job is done
- You can inspect a job
- You can use this to find out why a job is taking a long time
- Delete a job
- Pause/resume a job
-Stop job
- Will generate partial results
- Share job
- Provides a link to bookmark or copy /share job
- Can give read permissions to the people you have shared with
Export a job
- Export search results as Raw Events (text file)
- CSV
- XML
- JSON
- Print a job
How do we access saved jobs in splunk ?
We have to go to the activity menu to access saved jobs
What is the default time to retain a search job
10 minutes
How do we keep search results longer then 7 days ?
To save the job longer then 7 days you have to save the job as a report
When writing searches in Splunk, which of the following is true about Booleans?
They must be in uppercase
How are events displayed after a search is executed?
In reverse chronological order
Which time range picker option configuration would return real-time events for the past 30 seconds?
Real time – Earliest: 30-seconds ago, latest: Now
Which Boolean operator is always implied between two search terms, unless otherwise specified?
AND
What user interface component allows for time selection ?
Time Range Picker
Which of the following searches will return results where fail, 400, and error exist in every event?
Error AND (fail AND 400)
In a deployment with multiple indexes, what will happen when a search is run and an index is not specified in the search string?
Events from every index searched by default to which the user has access will be returned
Which of the following is an option after clicking an item in search results ?
Adding the item to the search
What does the following specified time range do?
earliest=-72h@h latest=@d
Look back from 3 days ago, up to the beginning of today
What is the primary function of the timeline located under the search bar ?
To show peaks and or valleys in the timeline, which can indicate spikes in activity or downtime.
According to splunk best practices which placement of the wildcard results in the most efficient search ?
Fail*
Which of the following can be used as a wildcard in splunk
*
What is search assistant in Splunk ?
Shows options to complete the search string
You can use the following options to specify start and end time for the query range:
Earliest=, latest=
Which of the following file types is an option for exporting splunk search results ?
Not pdf, not xls, not RTF, but JSON yes
By default how long does splunk retain a search job ?
10 minutes
what are indexers in splunk ?
In Splunk, indexers are the components responsible for ingesting, parsing, and storing data into indexes.
Indexers are a critical part of the Splunk architecture, as they handle the initial processing and storage of data before it can be searched and analyzed by search heads or other Splunk components.
what are the main tasks with indexers in splunk ?
Data ingestion: They ingest data from various sources like log files, network data, APIs, etc.
Data parsing: They parse the incoming data to extract relevant information and structure it into events.
Data indexing: They index the parsed events by storing them in the appropriate indexes based on configured rules or settings.
Data distribution: In a distributed Splunk environment, indexers can forward data to other indexers for load balancing or data replication purposes.
what is the main job of the splunk universal forwarder ?
The Splunk universal forwarder sends data to the splunk indexer
what do the splunk search heads provide ?
The search heads provide an interface for the splunk users and allow searches to be made on the data
what is a Splunk Indexer ?
Receives data from clients
Converts raw data into searchable events
Executes searches
what is a splunk search head ?
Web interface for the user
Manages the searches
Dispatches searches to the indexers
Maintains access control
what is a Splunk Universal forwarder ?
Collects data from the machine it is installed on
Keeps track of data ingestion
Very lightweight and production ready
what is a splunk index cluster ?
Multiple copies of data replicated across the cluster members
Helps protect against hardware failure on one or more indexers
Cluster mater manages the cluster-level operations
what is inside of an indexer ?
Splunk stores data in indexes
Indexes contain buckets
Data buckets contain raw data and index files
Data retention policies are configured at index level
what are data buckets in Splunk ?
Data buckets are categorized as hot, warm, cold and frozen
As data ages the data buckets roll from hot to warm to cold to frozen
Data buckets expire when all events in it become older than the configured duration
what are hot buckets in splunk ?
Contains the newest bucket
Open for both read and write
Splunk administrator can configure when data rolls to warm bucket
what are warm buckets in splunk ?
Open for read only (no writes)
Hot and warm buckets are usually kept in faster storage
When data ages, they roll from warm to cold
what are cold buckets in splunk ?
Open for read only (no writes)
Cold buckets can be kept in cheaper and hence slower storage
what are frozen buckets in Splunk ?
Not searchable
what does splunk implement for security?
Splunk implements role based access control
Three primary roles: user, power, admin
Only power users can share knowledge objects
what are knowledge objects ?
Knowledge objects are tools you create and utilize for analyzing your data
what are some examples of knowledge objects ?
Filed extractions
Lookups
Data models
Tags
what are fields in splunk ?
Fields are searchable name/value pairs in your event data
Searches using fields are more efficient than searches using keywords or quoted phrases
Fields can be extracted from data at index time and at search time
what is field discovery in splunk ?
Automatically discover fields based on sourcetype and name/value pairs in your data
how would you describe field discovery in Splunk ?
In Splunk, Field Discovery is a feature that automatically identifies and extracts fields (key-value pairs) from events or log messages as they are ingested into Splunk. This process helps structure the data and makes it easier to search, analyze, and report on the information contained within the events.
what are the metadata fields in splunk ?
Host
Source
Sourcetype
Index
what is the fields sidebar in splunk ?
Fields sidebar displays fields discovered in your events
what are selected fields under the fields sidebar ?
By default these are
Host
Source
Sourcetype
Can be configured to add/remove fields
what are interesting fields under the field sidebar ?
Fields that appear in at least 20% of your events
Can always make an interesting field a selected field and vice versa
what is the all fields option under the field sidebar for ?
Use this to see all fields in events
Will also include fields that appear in less than 20% of your events
how do we make any fields a selected field in Splunk ?
Click on all fields
Click the checkboxes next to them to make them selected fields
what are some of the different reports when you click on a field under the interesting fields tab ?
Top values / stats and visualizations of top 20 values
Top values by time – timechart for top values
Rare values – stats and visualizations of bottom 20 values
Events with this field – all events containing the field
how do we add fields to the field sidebar ?
Have to click on all fields and select the check box next to the field you want to be added
What are the field characteristics you need to know for the exam ?
- Numeric Fields
A – Alphanumeric field
Count of unique events
What are the default selected fields
Host
Source
Sourcetype
What are the reports that show up in the field window ?
Top values / stats and visualizations of top 20 values
Top values by time – timechart for top values
Rare values – stats and visualizations of bottom 20 values
Events with this field – all events containing the field
what is the synatx for using fields in searches ?
<field_name>=<field_value>
</field_value></field_name>
what is the most efficient way to search, using keywords, quoted strings, or field searches
Field searches
what are some things to keep in mind when using fields in searches ?
Use quotation marks for field names with spaces
Field names are case sensitive
Field values are not case sensitive
You can use wildcards with fields
You can use Boolean operators AND, OR, NOT with fields
are filed names case sensitive when searching ?
Field names are case sensitive field values are not
can you use boolean operators with field searches ?
You can also use the boolean operators AND, OR, NOT with field searches
what do boolean operators help us with when using searches ?
Narrow down searches specifically to what you want
Improves performance
which boolean operator is usually implied ?
AND
what is true about boolean operators ?
they always have to be uppercase
what are some of the comparison operators
!= | not equal
> | Greater than
< | Less than
> = | greater than or equal to
<= | less than or equal to
!=
not equal
>
Greater than
<
less than
> =
greater than or equal to
<=
less than or equal to
what is the difference between the != and NOT operators ?
“NOT action=remove”
- All events where the action field exists, and value is different from remove
- All events where the action field does not exist
“action!=remove”
- All events where the action field exists and the value is different from remove
- The NOT and != operator will produce the same results when a field exists in all your events
what are some features of the fast mode search in Splunk ?
Best performance, speed over completeness
Field discovery is disabled
what are some features of the smart mode in Splunk ?
Balances speed and completeness
Field discovery is enabled
what are some features of verbose mode in Splunk ?
More data, least performance, completeness over speed
Field discovery is enabled
Shows event when using transforming commands
what are the three different search modes in Splunk ?
Fast mode
Smart mode
Verbose mode
what are some common search best practices ?
Specify indexes at the beginning of a search string
Use OR instead of wildcards when possible
It is better to use inclusion than exclusion
Inclusion action=addtocart
Exclusion NOT action=addtocart
Include as many search terms as possible to narrow down your results
Specify time to narrow down the results of your search.
Which search string only returns events from host WWW3?
Host=WWW3
Which of the following searches would return events with failure in index netfw or warn or critical in index netops?
(index=netfw failure) OR (index=netops(warn OR critical))
Which of the following is a Splunk search best practice?
Filter as early as possible
by default which of the following fields would be listed in the fields sidebar under interesting fields?
Index
Which of the following statements about case sensitivity is true?
Field names ARE case sensitive, field values are NOT
A field exists in search results, but isn’t being displayed in the fields sidebar.
How can it be added to the fields sidebar?
Click All fields and select the field to add it to selected fields
In the fields sidebar, which character denotes alphanumeric field values?
@
What syntax is used to link key/value pairs in search strings?
action=purchase
Which of the following is the most efficient filter for running searches in Splunk?
Time
How does Splunk determine which fields to extract from data?
Splunk automatically discovers many fields based on sourcetype and key/value pairs found in the data
What syntax is used to link key/value pairs in search strings?
Relational operators such as =,<, or >
Which search would return events from the access_combined sourcetype?
sourcetype=Access_Combined
Which of the following index searches would provide the most efficient search performance?
(index=web OR index=sales)
In the fields sidebar, what indicates that a field is numeric?
A # symbol to the left of the field name.
At index time, in which field does Splunk store the timestamp value?
_time
Which events will be returned by the following search string? host=www3 status=503
All events with a host of www3, that also have a status of 503
what are some specific commands we can apply to Splunk searches ?
Commands
- Specifies what to do with results retrieved
- Calculate Statistics, generate chart, evaluate new fields
what are functions in regards to splunk search ?
Functions define how to perform a task required by the command
Function arguments provide the variables needed for the function to do the work
what are arguments in regards to Splunk search ?
Variables needed for the command to work
what character can sperate commands ?
|
what are some common command examples in splunk ?
-eval
-top
-rename
what color are functions in search splunk and what are some function examples ?
Functions are always in purple, function examples:
- If
- Count
what color are boolean operators in splunk search and what are some examples ?
Boolean operators and clauses are in orange, examples
- AND
- OR
- NOT
what color are command line arguments in splunk and what are some examples ?
Command arguments are in green
- Limit
- Span
what does the fields command do in Splunk ?
Use the fields command to filter a list of fields returned in the search results
Note that internal fields _raw and _time are returned by default
To include fields
- Use the “fields” or “fields+” command
To exclude fields
- Use fields -
what are some details about the table command ?
The table command creates a statistics table of the specified fields
Each row of the created table represents an event, and the columns represent field names
Columns are displayed in the order given in the command when using the table command
what are some details regarding the rename command ?
Use the rename command to change the name of a field
Useful when you want to provide meaningful names
Use double-quotes when renaming field names with names that include spaces or special characters
what is an example of the rename command ?
Rename command example:
Rename method as “HTTP Method”, status as “HTTP Status”, clientip as ClientIP_Address
what are some details about the sort command ?
the sort command allows us to sort search results by specified fields
To sort in ascending order use the following command:
- Sort +<fieldname>
- Sort <filedname></filedname></fieldname>
To sort in descending order
Use sort - <fieldname></fieldname>
Use the limit argument to limit the number of results
what does the dedup command do in splunk ?
the dedup command removes duplicates from your results
When running searches, command modifiers in the search string are displayed in what color?
Orange
When sorting on multiple fields with the sort command, what delimiter can be used between the field names in the search?
comma character ,
How do you add or remove fields from search results?
Use Field + to add and field – to remove
When placed early in a search, which command is most effective at reducing search execution time?
Fields +
Search Language Syntax in Splunk can be broken down into the following components:
Search Term, Pipe, Command, Functions, Arguments, Clause
Which command will rename action to customer action?
rename action as Customer Action
When is the pipe character | used in search strings?
Before command, For example: | stats sum(bytes) by host
Which search will return only events containing the word error and display the results as a table that includes the fields named action, src, and dest?
Error | table action,src,dest
Which search string only returns events from hostWWW3?
A. host=* B. host=WWW3 C. host=WWW* D. Host=WWW3
B
by default how long does splunk retain a search job ?
A. 10 Minutes B. 15 Minutes C. 1 Day D. 7 Days
A. 10 Minutes
What must be done before an automatic lookup can be created? (Choose all that apply.)
A. The lookup command must be used.
B. The lookup definition must be created.
C. The lookup file must be uploaded to Splunk.
D. The lookup file must be verified using the inputlookup command.
B the lookup definition must be created
Which of the following Splunk components typically resides on the machines where data originates?
A. Indexer B. Forwarder C. Search head D. Deployment server
B. Forwarder
When writing searches in Splunk, which of the following is true about Booleans?
A. They must be lowercase.
B. They must be uppercase.
C. They must be in quotations.
D. They must be in parentheses.
B. They must be uppercase.
Which of the following searches would return events with failure in index netfw or warn or critical in index netops?
A. (index=netfw failure) AND index=netops warn OR critical
B. (index=netfw failure) OR (index=netops (warn OR critical))
C. (index=netfw failure) AND (index=netops (warn OR critical))
D. (index=netfw failure) OR index=netops OR (warn OR critical)
B. (index=netfw failure) OR (index=netops (warn OR critical))
Select the answer that displays the accurate placing of the pipe in the following search string: index=security sourcetype=access_* status=200 stats count by price
A. index=security sourcetype=access_* status=200 stats | count by price
B. index=security sourcetype=access_* status=200 | stats count by price
C. index=security sourcetype=access_* status=200 | stats count | by price
D. index=security sourcetype=access_* | status=200 | stats count by price
B. index=security sourcetype=access_* status=200 | stats count by price
Which of the following constraints can be used with the top command?
A. limit B. useperc C. addtotals D. fieldcount
A limit
what are examples of keyword modifiers in splunk and what color are they ?
- Boolean operators (AND, OR, NOT) to combine or exclude terms
- Wildcard characters (*, ?) to match partial words or unknown characters
- Field qualifiers (fieldname:value) to search within specific fields
Keyword modifiers are orange
When running searches, command modifiers in the search string are displayed in what color?
A. Red B. Blue C. Orange D. Highlighted
B. Blue
what is the recommended naming conventions for dashboards ?
Group_Object_Description
What is a primary function of a scheduled report?
A. Auto-detect changes in performance.
B. Auto-generated PDF reports of overall data trends.
C. Regularly scheduled archiving to keep disk space use low.
D. Triggering an alert in your Splunk instance when certain conditions are met.
D. Triggering an alert in your Splunk instance when certain conditions are met.
Which command is used to review the contents of a specified static lookup file?
A. lookup B. csvlookup C. inputlookup D. outputlookup
C. inputlookup
When sorting on multiple fields with the sort command, what delimiter can be used between the field names in the search?
A. | B. $ C. ! D. ,
D. ,
Which time range picker configuration would return real-time events for the past 30 seconds?
A. Preset - Relative: 30-seconds ago
B. Relative - Earliest: 30-seconds ago, Latest: Now
C. Real-time - Earliest: 30-seconds ago, Latest: Now
D. Advanced - Earliest: 30-seconds ago, Latest: Now
C. Real-time - Earliest: 30-seconds ago, Latest: Now
What is the correct syntax to count the number of events containing a vendor_action field?
A. count stats vendor_action
B. count stats (vendor_action)
C. stats count (vendor_action)
D. stats vendor_action (count)
C. stats count (vendor_action)
By default, which of the following fields would be listed in the fields sidebar under interesting Fields?
A. host B. index C. source D. sourcetype
B index
Which of the following statements about case sensitivity is true?
A. Both field names and field values ARE case sensitive.
B. Field names ARE case sensitive; field values are NOT.
C. Field values ARE case sensitive; field names ARE NOT.
D. Both field names and field values ARE NOT case sensitive.
B. Field names ARE case sensitive; field values are NOT.
What does the rare command do?
A. Returns the least common field values of a given field in the results.
B. Returns the most common field values of a given field in the results.
C. Returns the top 10 field values of a given field in the results.
D. Returns the lowest 10 field values of a given field in the results.
A. Returns the least common field values of a given field in the results.
When an alert action is configured to run a script, Splunk must be able to locate the script.
Which is one of the directories Splunk will look in to find the script?
A. $SPLUNK_HOME/bin/scripts
B. $SPLUNK_HOME/etc/scripts
C. $SPLUNK_HOME/bin/etc/scripts
D. $SPLUNK_HOME/etc/scripts/bin
A. $SPLUNK_HOME/bin/scripts
Which Boolean operator is always implied between two search terms, unless otherwise specified?
A. OR B. NOT C. AND D. XOR
C. AND
Which statement is true about Splunk alerts?
A. Alerts are based on searches that are either run on a scheduled interval or in real-time.
B. Alerts are based on searches and when triggered will only send an email notification.
C. Alerts are based on searches and require cron to run on scheduled interval.
D. Alerts are based on searches that are run exclusively as real-time.
A. Alerts are based on searches that are either run on a scheduled interval or in real-time.
