Splunk Core Certified User Flashcards

Question

what is the default port for Splunk web ?

Answer 1

home app search and reporting app

Answer 2

splunk apps are custom solutions that allow you to extend the functionality of the splunk platform

Answer 3

What can Splunk Apps do for us ? Separate workspaces for different use cases to co exist on a single instance. - Alerts - Reports - Dashboards Custom configurations to ingest data Collections of - Data inputs - UI Elements - Knowledge Objects

Answer 4

you can access Splunk apps on Splunk-base

Answer 5

SPL is Splunk processing language

Answer 6

preferences - time zone Full name Email Password change the theme

Answer 7

default app that provides an interface to search, analyze and visualize data in splunk

Answer 8

the search bar is where you specify search criteria

Answer 9

shows views in the current applicationand the different apps avaliable

Answer 10

allows us to specify the time period to search Default value is 24 hours

Answer 11

Fast (better performance less info) Smart (less performance but more info then fast mode) Verbose (slowest performance but the most information)

Answer 12

See a history of your searches You can select to re-run a search

Answer 13

Hosts Sources Source types

Answer 14

the data summary type

Answer 15

host source source type

Answer 16

user power admin

Answer 17

Limited access to Settings Create private knowledge objects Assign to basic users

Answer 18

Limited access to settings Create and publish share knowledge objects Assign to power users

Answer 19

Access to all settings Has the most capabilities Assign to splunk admins

Answer 20

minimum permissions is the user role Maximum permissions is the admin role

Answer 21

Forwarder, indexer, Search head

Answer 22

Splunk is a software platform to search, analyze and visualize the machine generated data

Answer 23

Search head

Answer 24

Heavy forwarders

Answer 25

Full name, time zone, and default app can be defined by clicking the login name in the Splunk bar

Answer 26

It is a collection of different Splunk config files like data inputs, UI and Knowledge objects

Answer 27

Search and reporting

Answer 28

Get data from Files and Directories Get data from network sources Get data from Windows sources Get data from other sources

Answer 29

Monitor files and directories Upload static files

Answer 30

Data that comes over a network port Both TCP and UDP protocols supported

Answer 31

Windows Event logs Windows registry Windows Management Instrumentation Active Directory Performance monitoring

Answer 32

APIs Databases Metrics FIFO queues

Answer 33

Use existing Apps and Add-ons Use forwarders to get data use HTTP event collector HEC for custom data use

Answer 34

- Splunk add-on for windows - Splunk add-ons for AWS - Splunk DB connect - Splunk stream

Answer 35

Install forwarders on the sources generating data Use heavy forwarder when more processing is required before ingestion

Answer 36

Use HEC to get data from the HTTP or HTTPS protocol

Answer 37

data is handled at the splunk data source and forwarded using the universal forwarder or heavy forwarder then the data sources are open and read configurations are applied to entire streams data is sent out for indexing

Answer 38

The first phase of the Splunk index time process is the input phase The second phase of this process is the parsing phase The third phase of this is the indexing phase

Answer 39

Handled at - Indexer - Heavy forwarder Data broken into events Extract default metadata fields - Host - Source - Sourcetype - Index Identify or create timestamps Identify line termination

Answer 40

Handled at - Indexer - Run License meter - Build index data structures - Write data to disk

Answer 41

Splunk web CLI Configuration files edit inputs.conf Apps and add-ons from Splunkbase

Answer 42

uploads monitor forward

Answer 43

Upload local files from your computer Only gets indexed once

Answer 44

Monitor files and directories, network ports Data located on splunk enterprise instance Useful for testing

Answer 45

Frequently used in production environments Get data from remote machines over receiving port Remote machines have the forwarder installed to forward data

Answer 46

C:\Program Files\Splunk

Answer 47

/opt/splunk/

Answer 48

/Applications/Splunk

Answer 49

The input phase

Answer 50

Input, parsing, indexing

Answer 51

Parsing, masking, forwarding

Answer 52

When searching for keywords splunk is searching the keyword against raw events in the _raw filed The _raw field contains the entire events To search matching phrases, use double-quotes example "user ubuntu"

Answer 53

Use wildcards to match characters in string values for events in your index

Answer 54

As best practice, use wildcards at the end of the term.

Answer 55

Avoid using at the beginning of a string example *fail If you put a wildcard at the front it will scan every event Can cause performance issues

Answer 56

Don’t use in the middle of a string Might cause inconsistent results especially in string containing punctuation

Answer 57

To have better searches we should always place our wildcards at the end The * character can be used as a wildcard

Answer 58

Use boolean operators AND, OR, NOT to combine search terms Boolean operators must be in uppercase The AND operator is implied between terms Example search for failed password is the same as failed AND password Example user NOT administrator – search events that contain the word user and does not contain the word administrator

Answer 59

they are used to combine search terms

Answer 60

boolean operators are always in upper case

Answer 61

The search assistant helps with writing searches by providing selections to complete strings It helps matching searches based on recent search history Shows list of commands after first pipe

Answer 62

- compact (default) - full - none (used to disable search assistant)

Answer 63

Full mode shows more information than compact mode Additionally, it displays count of how many times a term appears in indexed data

Answer 64

- Each event contains a timestamp extracted at index time - The newest events are going to be displayed at the top and the oldest are going to be displayed at the bottom - Splunk also extracts metadata fields at index time . The metadata fields are the following - Host - Source - Sourcetpye - Index Selected fields host,source,sourcetype are shown at the bottom of each event Terms that match the search are highlighted in search results

Answer 65

- list - raw -table

Answer 66

reverse chronological order

Answer 67

- host - source - sourcetype - index

Answer 68

S = seconds M = minutes H = hours D = days W = weeks Mon = months Y= years

Answer 69

The events timeline shows distribution of events over time for a selected time range.

Answer 70

We are able to select specific times and timelines without having to re-execute the search

Answer 71

We are able to Format the timeline Zoom out zoom in to edit the selection We are able to deselect a section

Answer 72

Every search you run is a job and generates a job id Under the job menu you can do the following - Change job settings - Send a job to the background - Can associate an email with this so it emails you when the job is done - You can inspect a job - You can use this to find out why a job is taking a long time - Delete a job - Pause/resume a job -Stop job - Will generate partial results - Share job - Provides a link to bookmark or copy /share job - Can give read permissions to the people you have shared with Export a job - Export search results as Raw Events (text file) - CSV - XML - JSON - Print a job

Answer 73

We have to go to the activity menu to access saved jobs

Answer 74

10 minutes

Answer 75

To save the job longer then 7 days you have to save the job as a report

Answer 76

They must be in uppercase

Answer 77

In reverse chronological order

Answer 78

Real time – Earliest: 30-seconds ago, latest: Now

Answer 79

Time Range Picker

Answer 80

Error AND (fail AND 400)

Answer 81

Events from every index searched by default to which the user has access will be returned

Answer 82

Adding the item to the search

Answer 83

Look back from 3 days ago, up to the beginning of today

Answer 84

To show peaks and or valleys in the timeline, which can indicate spikes in activity or downtime.

Answer 85

Shows options to complete the search string

Answer 86

Earliest=, latest=

Answer 87

Not pdf, not xls, not RTF, but JSON yes

Answer 88

10 minutes

Answer 89

In Splunk, indexers are the components responsible for ingesting, parsing, and storing data into indexes. Indexers are a critical part of the Splunk architecture, as they handle the initial processing and storage of data before it can be searched and analyzed by search heads or other Splunk components.

Answer 90

Data ingestion: They ingest data from various sources like log files, network data, APIs, etc. Data parsing: They parse the incoming data to extract relevant information and structure it into events. Data indexing: They index the parsed events by storing them in the appropriate indexes based on configured rules or settings. Data distribution: In a distributed Splunk environment, indexers can forward data to other indexers for load balancing or data replication purposes.

Answer 91

The Splunk universal forwarder sends data to the splunk indexer

Answer 92

The search heads provide an interface for the splunk users and allow searches to be made on the data

Answer 93

Receives data from clients Converts raw data into searchable events Executes searches

Answer 94

Web interface for the user Manages the searches Dispatches searches to the indexers Maintains access control

Answer 95

Collects data from the machine it is installed on Keeps track of data ingestion Very lightweight and production ready

Answer 96

Multiple copies of data replicated across the cluster members Helps protect against hardware failure on one or more indexers Cluster mater manages the cluster-level operations

Answer 97

Splunk stores data in indexes Indexes contain buckets Data buckets contain raw data and index files Data retention policies are configured at index level

Answer 98

Data buckets are categorized as hot, warm, cold and frozen As data ages the data buckets roll from hot to warm to cold to frozen Data buckets expire when all events in it become older than the configured duration

Answer 99

Contains the newest bucket Open for both read and write Splunk administrator can configure when data rolls to warm bucket

Answer 100

Open for read only (no writes) Hot and warm buckets are usually kept in faster storage When data ages, they roll from warm to cold

Answer 101

Open for read only (no writes) Cold buckets can be kept in cheaper and hence slower storage

Answer 102

Not searchable

Answer 103

Splunk implements role based access control Three primary roles: user, power, admin Only power users can share knowledge objects

Answer 104

Knowledge objects are tools you create and utilize for analyzing your data

Answer 105

Filed extractions Lookups Data models Tags

Answer 106

Fields are searchable name/value pairs in your event data Searches using fields are more efficient than searches using keywords or quoted phrases Fields can be extracted from data at index time and at search time

Answer 107

Automatically discover fields based on sourcetype and name/value pairs in your data

Answer 108

In Splunk, Field Discovery is a feature that automatically identifies and extracts fields (key-value pairs) from events or log messages as they are ingested into Splunk. This process helps structure the data and makes it easier to search, analyze, and report on the information contained within the events.

Answer 109

Host Source Sourcetype Index

Answer 110

Fields sidebar displays fields discovered in your events

Answer 111

By default these are Host Source Sourcetype Can be configured to add/remove fields

Answer 112

Fields that appear in at least 20% of your events Can always make an interesting field a selected field and vice versa

Answer 113

Use this to see all fields in events Will also include fields that appear in less than 20% of your events

Answer 114

Click on all fields Click the checkboxes next to them to make them selected fields

Answer 115

Top values / stats and visualizations of top 20 values Top values by time – timechart for top values Rare values – stats and visualizations of bottom 20 values Events with this field – all events containing the field

Answer 116

Have to click on all fields and select the check box next to the field you want to be added

Answer 117

- Numeric Fields A – Alphanumeric field Count of unique events

Answer 118

Host Source Sourcetype

Answer 119

Top values / stats and visualizations of top 20 values Top values by time – timechart for top values Rare values – stats and visualizations of bottom 20 values Events with this field – all events containing the field

Answer 120

Field searches

Answer 121

Use quotation marks for field names with spaces Field names are case sensitive Field values are not case sensitive You can use wildcards with fields You can use Boolean operators AND, OR, NOT with fields

Answer 122

Field names are case sensitive field values are not

Answer 123

You can also use the boolean operators AND, OR, NOT with field searches

Answer 124

Narrow down searches specifically to what you want Improves performance

Answer 125

they always have to be uppercase

Answer 126

Answer 127

Greater than

Answer 128

greater than or equal to

Answer 129

less than or equal to

Answer 130

"NOT action=remove" - All events where the action field exists, and value is different from remove - All events where the action field does not exist "action!=remove" - All events where the action field exists and the value is different from remove - The NOT and != operator will produce the same results when a field exists in all your events

Answer 131

Best performance, speed over completeness Field discovery is disabled

Answer 132

Balances speed and completeness Field discovery is enabled

Answer 133

More data, least performance, completeness over speed Field discovery is enabled Shows event when using transforming commands

Answer 134

Fast mode Smart mode Verbose mode

Answer 135

Specify indexes at the beginning of a search string Use OR instead of wildcards when possible It is better to use inclusion than exclusion Inclusion action=addtocart Exclusion NOT action=addtocart Include as many search terms as possible to narrow down your results Specify time to narrow down the results of your search.

Answer 136

(index=netfw failure) OR (index=netops(warn OR critical))

Answer 137

Filter as early as possible

Answer 138

Field names ARE case sensitive, field values are NOT

Answer 139

Click All fields and select the field to add it to selected fields

Answer 140

action=purchase

Answer 141

Splunk automatically discovers many fields based on sourcetype and key/value pairs found in the data

Answer 142

Relational operators such as =,<, or >

Answer 143

sourcetype=Access_Combined

Answer 144

(index=web OR index=sales)

Answer 145

A # symbol to the left of the field name.

Answer 146

All events with a host of www3, that also have a status of 503

Answer 147

Commands - Specifies what to do with results retrieved - Calculate Statistics, generate chart, evaluate new fields

Answer 148

Functions define how to perform a task required by the command Function arguments provide the variables needed for the function to do the work

Answer 149

Variables needed for the command to work

Answer 150

-eval -top -rename

Answer 151

Functions are always in purple, function examples: - If - Count

Answer 152

Boolean operators and clauses are in orange, examples - AND - OR - NOT

Answer 153

Command arguments are in green - Limit - Span

Answer 154

Use the fields command to filter a list of fields returned in the search results Note that internal fields _raw and _time are returned by default To include fields - Use the "fields" or "fields+" command To exclude fields - Use fields -

Answer 155

The table command creates a statistics table of the specified fields Each row of the created table represents an event, and the columns represent field names Columns are displayed in the order given in the command when using the table command

Answer 156

Use the rename command to change the name of a field Useful when you want to provide meaningful names Use double-quotes when renaming field names with names that include spaces or special characters

Answer 157

Rename command example: Rename method as "HTTP Method", status as "HTTP Status", clientip as ClientIP_Address

Answer 158

the sort command allows us to sort search results by specified fields To sort in ascending order use the following command: - Sort + - Sort To sort in descending order Use sort - Use the limit argument to limit the number of results

Answer 159

the dedup command removes duplicates from your results

Answer 160

comma character ,

Answer 161

Use Field + to add and field – to remove

Answer 162

Search Term, Pipe, Command, Functions, Arguments, Clause

Answer 163

rename action as Customer Action

Answer 164

Before command, For example: | stats sum(bytes) by host

Answer 165

Error | table action,src,dest

Answer 166

A. 10 Minutes

Answer 167

B the lookup definition must be created

Answer 168

B. Forwarder

Answer 169

B. They must be uppercase.

Answer 170

B. (index=netfw failure) OR (index=netops (warn OR critical))

Answer 171

B. index=security sourcetype=access_* status=200 | stats count by price

Answer 172

- Boolean operators (AND, OR, NOT) to combine or exclude terms - Wildcard characters (*, ?) to match partial words or unknown characters - Field qualifiers (fieldname:value) to search within specific fields Keyword modifiers are orange

Answer 173

Group_Object_Description

Answer 174

D. Triggering an alert in your Splunk instance when certain conditions are met.

Answer 175

C. inputlookup

Answer 176

C. Real-time - Earliest: 30-seconds ago, Latest: Now

Answer 177

C. stats count (vendor_action)

Answer 178

B. Field names ARE case sensitive; field values are NOT.

Answer 179

A. Returns the least common field values of a given field in the results.

Answer 180

A. $SPLUNK_HOME/bin/scripts

Answer 181

A. Alerts are based on searches that are either run on a scheduled interval or in real-time.