Splunk Fundamentals 1

Question 1

Splunk allows you to _____, analyze, and get _____ from your machine data.

Answer 1

aggregate, answers

Question 2

What are the 3 main components of Splunk?

Answer 2

search head, indexer, forwarder

Question 3

What are the 2 different types of Splunk deployment?

Answer 3

Splunk Enterprise and Splunk Cloud

Question 4

Splunk components are installed and administered on premises with this type of Splunk deployment.

Answer 4

Splunk Enterprise

Question 5

Splunk Enterprise is used as a scalable service and requires minimal infrastructure with this type of deployment.

Answer 5

Splunk Cloud

Question 6

A ____ ___ is designed to address a wide variety of use cases and to extend the power of Splunk.

Answer 6

Splunk app

Question 7

What do you use to download Splunk apps?

Answer 7

Splunkbase

Question 8

True or False. There are 1,000 + ready-made apps available on Splunkbase.

Answer 8

True

Question 9

Out of the box, what are the 3 main roles used in Splunk?

Answer 9

admin, power, user

Question 10

What is the default app that comes with Splunk?

Answer 10

Search & Reporting

Question 11

The ______ app provides a default interface for searching and analyzing data.

Answer 11

Search & Reporting

Question 12

A _____ is unique identifier identifying where Splunk events originated (whether it’s from a laptop, phone, etc). In other words, this is the actual device that’s generating the data.

a. source
b. host
c. sourcetype

Answer 12

b. host

Question 13

The name of a file (ie. Word file named “Splunk Class”), stream, or other input (where data is specifically coming from – i.e. “picture” folder on a phone) is the ______.

a. source
b. host
c. sourcetype

Answer 13

a. source

Question 14

In the Search & Reporting app, the Data Summary contains three summary tabs. Select all that apply.

a. host
b. source
c. index
d. sourcetype

Answer 14

a. host
b. source
d. sourcetype

Question 15

True or false: Search term values are case sensitive.

Answer 15

False

Question 16

NOT, OR and AND are called ____ in Splunk.

Answer 16

booleans

Question 17

The Boolean ____ is implied between terms.

Answer 17

AND

Question 18

_____ are locations where Splunk stores and searches for event data

Answer 18

Indexes

Question 19

Splunk admins _____ data into separate indexes in order to establish different retention policies on different types of data, improve search performance, and limit access by role.

Answer 19

segregate

Question 20

Improving search ____ is one reason why Splunk admins segregate data into separate indexes.

Answer 20

performance

Question 21

Limiting ____ by role is one reason why Splunk admins segregate data into separate indexes.

Answer 21

access

Question 22

Establishing ___ policies (how long data is kept) on different types of data is one reason why Splunk admins segregate data into separate indexes.

Answer 22

retention

Question 23

An ____ is a Splunk component that processes machine data. Information within ____ are stored in _____, enabling fast search and analysis. (visual example: file folder with separate files within the file folder)

Answer 23

indexer, indexers, indexes

Question 24

What Boolean can you use to search against multiple indexes?

Answer 24

OR

Question 25

____ ____ shows a list of commands that can be entered into the search string

Answer 25

Search Assistant

Question 26

When search results display in Splunk do they display in reverse chronological order (newest first), or chronological order (oldest first) by default?

Answer 26

reverse chronological order

Question 27

True or False. Matching search terms are not highlighted in Splunk.

Answer 27

False

Question 28

Each event in Splunk contains the following metadata: timestamp, _____, index, ____ and host.

Answer 28

source, sourcetype

Question 29

The results that come up in a search of Splunk are called _____.

Answer 29

events

Question 30

The 3 layout options for displaying search results (or 3 ways to view results) are ____, ____ and ____.

Answer 30

list, table, raw

Question 31

The ___ symbol “snaps” to the time unit that you specify in Splunk, and rounds down to the nearest specified unit. For example, if the current time was 09:37:12 on March 31st, and you want to look back to 30 minutes ago, you would type -30m___h.

Answer 31

@

Question 32

After search results come up in Splunk, to select across a narrower time range on the timeline, what would you need to do?

Answer 32

click/drag across a series of bars

Question 33

Every search in Splunk is called a ____. By default, how long is each ____ available for?

Answer 33

job, 10 minutes

Question 34

The job bar in a search allows you to ___ a job (toggle to resume a search), or ____ (finalizes the search in progress).

Answer 34

pause, stop

Question 35

What in Splunk shows the distribution of events in the time range?

Answer 35

timeline

Question 36

The ____ tool allows you to examine the following:

Overall stats of the search (e.g., records processed/returned, processing time)

How the search was processed

Where Splunk spent its time

Answer 36

Search Job Inspector tool

Question 37

There are 3 types of search modes that you can use in Splunk. Which search mode emphasizes speed over completeness?

Answer 37

fast

Question 38

There are 3 types of search modes that you can use in Splunk. Which search mode balances speed and completeness, and is the default search mode?

Answer 38

smart

Question 39

There are 3 types of search modes that you can use in Splunk. The ____ search mode emphasizes completeness over speed. It also allows access to underlying events when using transforming commands (in addition to totals and stats)

Answer 39

verbose

Question 40

There are ___ types of read permissions. The default mode which is ____, only allows the creator access. If a read permission is set to ____, all app users can access search results.

Answer 40

private, everyone

Question 41

___ is the most efficient factor to use as a filter in Splunk. ____is the second most efficient item to use as a Splunk filter.

Answer 41

time, index

Question 42

After time and index, what are the 3 next filters that are the most efficient?

Answer 42

host, source, sourcetype

Question 43

Is inclusion or exclusion generally better when it comes to search practices? Meaning including or excluding information?

Answer 43

inclusion

Question 44

You should avoid using ____ at the beginning or middle of a string. ____ at the beginning of a string scan all events within timeframe, while ____ in the middle of string may return inconsistent results.

What should be used instead?

Answer 44

wildcards (all 3 blanks)

Use instead: OR, IN

Question 45

True or false: Search term values are case sensitive.

Answer 45

False

Question 46

Current time when the search starts is 08:31:15. -30m@h looks back to:

a. 8:00:00
b. 8:01:15
c. 9:00:00

Answer 46

b. 8:01:15

Question 47

When you specify the following time range:

earliest=-2d@d
latest=@d

a. Looks back from two days ago, up to the beginning of today
b. Looks back exactly 48 hours ago
c. Looks back two days ago up to now

Answer 47

a. Looks back from two days ago, up to the beginning of today

Question 48

Select one of the following that uses Splunk search best practices as it relates to wildcards.

a. fail
b. fal
c. fail*

Answer 48

c. fail*

Question 49

Between search terms, ____ is implied unless otherwise specified

Answer 49

AND

Question 50

Host, index, source, sourcetype, splunk_server, and timestamp are ___ fields that are already stored with the events in indexes.

Answer 50

default

Question 51

____ fields that are listed within an index include _raw, and _time.

Answer 51

internal

Question 52

The fields sidebar includes two types of fields. What are they?

Answer 52

selected, interesting

Question 53

What type of fields occur in at least 20% of resulting events in Splunk?

Answer 53

interesting

Question 54

By default, the selected fields are what 3 metadata fields?

Answer 54

host, source, sourcetype

Question 55

What does the following mean?

status=404

Answer 55

error message for a webpage

Question 56

What does the following mean?

area_code=404

Answer 56

for a specific area code

Question 57

If a value contains a space, it must be enclosed in ____ ____.

i.e. VendorCountry= “United States”

Answer 57

double quotes

Question 58

Field ____ are case sensitive, while field ____ are not.

Take a look at the following example? Would it return results?

HOST=ww3

Answer 58

names, values

no

Question 59

Search for multiple values for a given field
by using the _____ operator.

i.e.
VendorCountry=”United States” ____ VendorCountry=”Canada”)

Alternatively, you can use the ___ operator

i.e. 
VendorCountry \_\_\_ ("United States", "Canada")

Answer 59

OR, IN

Question 60

Both ! and NOT ____ events from your search, but can produced different results.

Answer 60

exclude

Question 61

NOT status=200 returns events where status field exists and value in field doesn’t equal 200. However it ALSO returns events where status field ___ exist.

Answer 61

doesn’t

Question 62

status!=200 returns events where status field ___ and value in field ____ equal 200.

Answer 62

exists, doesn’t

Question 63

By default, which are the three selected fields?

a. host
b. source
c. sourcetype
d. action

Answer 63

a. host
b. source
c. sourcetype

Question 64

True or false: Field names are case sensitive.

Answer 64

True

Question 65

True or false: Field values are case sensitive.

Answer 65

False, field values are NOT case sensitive

Question 66

Clicking ______ actually opens a report for editing, while clicking the report _____ simply runs the report.

Answer 66

Open in Search

Title

Question 67

By default, all reports are _____ (meaning only the report’s creator/owner can access or edit it), and the report is run using the privileges of the report’s creator/owner.

Answer 67

private

Question 68

The three main ways to either create a ___ or ____ include selecting a field from the fields sidebar and choosing a quick report to run, using the Pivot interface, OR using the Splunk search language transforming commands in the Search bar.

Answer 68

table, visualization

Question 69

The statistics tab allows you to view your results in Splunk as a ____.

Answer 69

table

Question 70

_____ assigns colors based on the range of values.

Answer 70

Heat map

Question 71

_____ and ____ ____ highlights max and min of non-zero values

Answer 71

high and low values

Question 72

What consists of one or more panels displaying data visually in a useful way – such as events, tables, or charts?

Answer 72

a dashboard

Question 73

In Splunk Enterprise, reports are _______ searches.

a. grouped
b. saved
c. archived

Answer 73

b. saved

Question 74

When editing a report, you can do the following to the report. Select all that apply.

a. clone
b. edit schedule
c. delete
d. like

Answer 74

a. clone
b. edit schedule
c. delete

Question 75

There are three main methods to create tables and visualizations in Splunk. Select all that apply.

a. Use the fields sidebar
b. Use the Pivot interface
c. Use transforming commands
d. Click Splunk banner icon

Answer 75

a. Use the fields sidebar
b. Use the Pivot interface
c. Use transforming commands

Question 76

True or false: The Dashboard ID is automatically populated with a unique value.

Answer 76

True

Question 77

True or false: You must be a Splunk Admin user to choose the home dashboard (default dashboard).

Answer 77

True

Question 78

____ ____ ____ is used in your search language that tell Splunk what you want it to search for.

Answer 78

search language syntax

Question 79

There are 5 basic ____ ___ that someone using Splunk may use when doing a search in Splunk.

Answer 79

syntax components

Question 80

This language syntax components deals with what a Splunker is looking for. Examples include keywords, phrases and Booleans

Answer 80

search terms

Question 81

This syntax component is blue and tells Splunk what you want to do with your results.

Examples include: creating a chart, computing statistics, evaluating and formatting, etc.

Answer 81

commands

Question 82

This syntax component is pink and tells Splunk how you want to chart, compute, or evaluate results.

Examples include: getting a sum, getting an average, transforming values, etc.

Answer 82

functions

Question 83

What color is the “commands” syntax component? What about the “functions” syntax component? How about Boolean operators and Command modifiers? How about command arguments?

Answer 83

blue
pink
orange
black

Question 84

What color are the following syntax components in search language?

clauses, arguments and search terms

Answer 84

black

Question 85

This syntax component deals with variables that you want to apply to a function.

Examples include: getting a sum of or sum up all the values in the price field.

Answer 85

arguments

Question 86

____ (which are a syntax component in Splunk) deal with how you want to group or rename fields in your results.

Answer 86

clauses

Question 87

What command changes the name of a field? (i.e. If you wanted to change “productId” to “ProductID”)

Answer 87

rename

Question 88

True or False. Once you rename a field, the new field name CANNOT be used in the rest of the search string.

Answer 88

False

Once you rename a field, the new field name must be used in the rest of the search string

Question 89

Collections of files containing data inputs, UI elements, and/or knowledge objects are called _____.

Answer 89

apps

Question 90

How many Splunk products are there for IT Operations?

Answer 90

8

Question 91

Splunk for ____ generates real-time and predictive insights from industrial operational data.

Answer 91

Splunk for IoT

Question 92

What does “IoT” in Splunk for IoT stand for?

Answer 92

internet of things

Question 93

The ___ is the specific data type or data format where data comes from (ie. Word doc, PDF, Excel file, etc.)

Answer 93

sourcetype

Question 94

What are quotation marks used for in Splunk search strings?

Answer 94

phrases

Question 95

_________ in Splunk search strings are used to force precedence (meaning whatever is in ______ will be executed first. (Note: Same answer for both)

Answer 95

parentheses

Question 96

____ process machine data. They then store the results in ____ as events, thereby enabling fast search and analysis.

Answer 96

indexers, indexes

Question 97

You can search against multiple indexes by using the ___ operator.

Answer 97

OR

Question 98

Search Assistant is enabled by default in the user preferences of the ___ Editor.

Answer 98

SPL

Question 99

What control in the SPL Editor determines whether or not numbers show next to each line within the search syntax?

Answer 99

Line numbers control

Question 100

The SPL Editor “Search ____ format” option allows for automatic formatting of search syntax (which improves readability).

Answer 100

auto

Question 101

These type of fields occur in at least 20% of resulting events. ____ fields on the other hand are a set of fields that display for each event.

Answer 101

interesting fields

selected fields

Question 102

There are two types of default fields that are already stored with the event in the index. ____ fields have underscores and automatically come up when you start a search string. Examples include: “_raw,” and “_time.” ____ fields are things like host, index, source, sourcetype, splunk_server, timestamp.

Answer 102

internal

default

Question 103

The ____ command returns a table formed by only fields in the argument list. Column ____ consist of field names.

Answer 103

table

headers

Question 104

True or False. Once you rename a field, the new field name does not have to be used in the rest of the search string.

Answer 104

False

The new field name DOES have to remain the rest of the search string.

Question 105

What character (on your keyboard) can be used to rename multiple fields that match a pattern? For example, if you want to change the word “date” to “DATE” in date_minute and date_second in your table, you can input the following search string:

What character goes in each blank?

rename date_ as DATE_

Answer 105

a wildcard

Question 106

The ___ command allows to include or exclude fields in your search or report. The command includes either a + or – sign. Entering a + sign is not required because it’s the default. Entering the – sign after a field makes tables or display output easier to read. However there are no performance benefits since the excluded fields are processed after all fields are already extracted.

Answer 106

fields

Question 107

The ____ command is used to remove duplicates from your results.

Answer 107

dedup

Question 108

This command arranges events in ascending or descending order.

Answer 108

sort command

Question 109

If you wanted Splunk to only give you a maximum of 20 events, you would use the ____ command.

Answer 109

limit

Question 110

If you put a + or – sign right next to only one field name in a search string with many field names, it will only sort that one field name. What will happen if you add a space in between sort and multiple field names in a search string?

Example:
| sort – name, thread
(space added here between “sort” and “name”)

in comparison to:

sort –name, thread
(NO space added before the field name “name”)

Answer 110

It will sort ALL of the field names

Question 111

____ is used as an alternate method to access data without using search language, but requires use of data models and/or lookups.

Answer 111

Pivot

Question 112

____ creates visualizations based on datasets, time ranges and additional filters that you select.

Answer 112

Pivot

Question 113

The table command returns:

a. A table formed by only the fields in the argument list
b. A data table with statistical results
c. A bulleted list of key events

Answer 113

a. A table formed by only the fields in the argument list

Question 114

When renaming fields with spaces or special characters, use the rename command and include the new field name in _________.

a. single quotes
b. double quotes
c. parentheses

Answer 114

b. double quotes

Question 115

Use the dedup command to _________.

a. rename fields using alias
b. remove duplicate results
c. sort your results in descending order

Answer 115

b. remove duplicate results

Question 116

By default, the sort command lists results in __________ order.

a. ascending
b. descending

Answer 116

a. ascending

Question 117

What do Pivots require to create visualizations in
Splunk? Select all that apply.

a. data models
b. lookups
c. web filters
d. spreadsheets

Answer 117

a. data models

b. lookups

Question 118

The ___ command finds the most common values of a given field in results. What format does the output for the same command display in? Events, table, or visualizations?

Answer 118

top

table

Question 119

When you use the top command, how many results display in the table by default?

Answer 119

10

Question 120

You can control the number of results that are displayed in the top command table by using the ____ command.

Answer 120

limit

Question 121

If you type limit=5 after using the top command, it will display ___ results.

Answer 121

5

Question 122

When using the top command, typing “limit=0” will return a(n) ____ number of results.

Answer 122

unlimited

Question 123

True or False

A percent column (“showperc=t” command) is displayed by default in a table when using the top command. If you want to remove the percent column, “showperc=t” needs to be added to the search string.

Answer 123

True

Question 124

The top command “___” clause groups results.

Answer 124

by

Question 125

By default, the name of the “count” column (or count field) is “count.”

countfield=string (or countfield= the name you create) does what?

Answer 125

renames the field for display purposes

Question 126

The ____ command returns the least common field values of a given field in the results. How are the results sorted by default? In descending order, or ascending order?

Answer 126

rare

ascending order

Question 127

The ____ command enables you to calculate statistics on data that matches your search criteria. The common functions for the command are count, dc, sum, avg, max, min, list and values.

Answer 127

stats

Question 128

Which of the following stats commands only return an average of numeric values?

a. avg
b. max
c. dc
d. count
e. sum
f. min
g. value
h. list

Answer 128

a. avg

Question 129

Which of the following stats commands returns the number of matching events based on the current search criteria?

a. avg
b. max
c. dc
d. count
e. sum
f. min
g. value
h. list

Answer 129

d. count

Question 130

Which of the following stats commands refers to the minimum numeric value?

a. avg
b. max
c. dc
d. count
e. sum
f. min
g. value
h. list

Answer 130

f. min

Question 131

Which of the following stats commands return a sum of numeric values only?

a. avg
b. max
c. dc
d. count
e. sum
f. min
g. value
h. list

Answer 131

e. sum

Question 132

Which of the following stats commands list all values of a given field?

a. avg
b. max
c. dc
d. count
e. sum
f. min
g. value
h. list

Answer 132

h. list

Question 133

The ___ stats command provides a count of how many unique values there are for a given field in the result set.

a. avg
b. max
c. dc, distinct_count
d. count
e. sum
f. min
g. value
h. list

Answer 133

c. dc, distinct_count

Question 134

Which of the following stats commands refers to the maximum numeric value?

a. avg
b. max
c. dc
d. count
e. sum
f. min
g. value
h. list

Answer 134

b. max

Question 135

The ___ stats command lists unique values of a given field.

a. avg
b. max
c. dc
d. count
e. sum
f. min
g. value
h. list

Answer 135

g. value

Question 136

What clause would you use to rename the “count” field in your results?

Answer 136

as

Question 137

When using the top command, add the BY clause to _______.

a. return results grouped by the field you specify in the BY clause

b. specify how many results to return
c. return a percentage of events

Answer 137

a. return results grouped by the field you specify in the BY clause

Question 138

To display the least common values of a field, use the _________ command.

a. top
b. rare
c. stats

Answer 138

b. rare

Question 139

When you use the stats command with a BY clause, what is returned?

a. a statistical output for each value of the named field
b. one row
c. computes numerical statistics on each field if and only if all of the values of that of that field are numerical

Answer 139

a. a statistical output for each value of the named field

Question 140

index=sales sourcetype=vendor_sales
| stats count(price) as “Units Sold”, sum(price) as “Total Sales” BY product_name

In this search using the stats command, the BY clause is applied to:

a. count ( ) function
b. sum ( ) function
c. both count ( ) and sum ( ) functions

Answer 140

c. both count ( ) and sum ( ) functions

Question 141

Which UI (UI = user interface) formatting options can be applied to a data table on the Statistics tab? Select all that apply.

a. Add row numbers, highlight high/low values, and show totals and percentages
b. Color-code data in each column
c. Add number formatting, such as, currency symbols and thousands separators
d. Rename a field for display purposes

Answer 141

a. Add row numbers, highlight high/low values, and show totals and percentages
b. Color-code data in each column
c. Add number formatting, such as, currency symbols and thousands separators

Question 142

The four types of Splunk _____ out-of-the-box are file-based, external, KV store and Geospatial.

Answer 142

lookups

Question 143

____ provide enrichment to your event data by appending fields from another data source, also called lookup output fields.

Answer 143

Lookups

Question 144

____ ____ sometimes pull static (or relatively unchanging) data from standalone files at search time and add it to the search results.

Answer 144

file-based lookups

Question 145

True or False. Lookup field values are NOT case sensitive by default.

Answer 145

False

Lookups are case sensitive by default

Question 146

Which command is used to search the contents of a lookup table?

Answer 146

inputlookup command

Question 147

True or False. If a lookup is not configured to run automatically, use the lookup command in your search to use the lookup fields.

Answer 147

True

Question 148

_____ lookups populate your events with fields pulled from CSV files.

a. KV Store
b. File-based
c. Geospatial
d. External

Answer 148

b. File-based

Question 149

____ lookups use Python scripts or binary executables to append.

a. KV Store
b. File-based
c. Geospatial
d. External

Answer 149

d. External

Question 150

____ lookups are KMZ or KML.

a. KV Store
b. File-based
c. Geospatial
d. External

Answer 150

c. Geospatial

Question 151

____ lookups are the KV Store collection.

a. KV Store
b. File-based
c. Geospatial
d. External

Answer 151

a. KV Store

Question 152

File-based lookups populate your events with fields pulled from _________ files.

a. KMZ (Keyhole Markup language Zipped)
b. Python script
c. CSV (comma-separated values)
d. KV Store collection

Answer 152

c. CSV (comma-separated values)

Question 153

File-based lookups pull data from standalone files at ___________ and add it to search results.

a. index time
b. search time
c. _time

Answer 153

b. search time

Question 154

3. In Splunk, there are up to 3 steps involved to create a lookup. Select all that apply.
   a. List existing lookup tables or upload a new file

b. Edit existing lookup definitions or define a
new file-based or external lookup

c. Edit existing automatic lookups or configure a new lookup to run automatically
d. Download from Lookup Library

Answer 154

a. List existing lookup tables or upload a new file
b. Edit existing lookup definitions or define a new file-based or external lookup
c. Edit existing automatic lookups or configure a new lookup to run automatically

Question 155

_____ reports are useful for:

–Monthly, weekly, daily executive/managerial roll up reports

–Dashboard performance

– Automatically sending reports via email

– Enriching event data, such as, generating a statistical output of historical events to a CSV file

Answer 155

scheduled