Splunk Fundamentals 1 Flashcards
Machine data makes up for more than __% of data accumulated by organizations
90%
Index Data
Collects events and normalizes it with discrete time stamps into different sourcetypes
Describe functions of indexers, search heads, and forwarders
The Indexer processes machine data from the Forwarders, and the search heads distributes searches to the indexers and extracts field value pairs.
In most Splunk deployments, ________ serve as the primary way data is supplied for indexing.
Forwarders
What are the three main processing components of Splunk?
Indexers, Forwarders, Search Heads
Search strings are sent from the _________.
Search Head
Which of these is not a main component of Splunk?
- Add knowledge
- Compress and archive
- Search and investigate
- Collect and index data
Compress and archive
This role will only see their own knowledge objects and those that have been shared with them.
User
What are the 3 roles in Splunk, from most to least powerful?
Admin, Power, User
Which apps ship with Splunk Enterprise?
Home App, Search & Reporting
You can launch and manage apps from the home app.
True
_________ define what users can do in Splunk.
Roles
The monitor input option will allow you to continuously monitor files.
True
Splunk knows where to break the event, where the time stamp is located and how to automatically create field value pairs using these.
Source Types
Splunk uses ________ to categorize the type of data being indexed.
Source Types
In most production environments, _______ will be used as the source of data input.
Forwarders
Files indexed using the the upload input option get indexed _____.
Once
What are commands that create statistics and visualizations called?
Transforming Commands
What booleans are used to tie events together in search?
AND OR NOT
What is the order of operations for boolean evaluation?
- Parenthesis() 1. NOT 2. OR 3. AND
How do you search exact phrases?
place terms in quotes “”
How do you escape quotes from being interpreted in a search?
Use a backslash character, eg info=”user "chrisv4" not in db”
This searches for the exact phrase user “chrisv4 not in db
A search job will remain active for ___ minutes after it is run.
10 Minutes
Shared search jobs remain active for _______ by default.
7 Days
How is the asterisk used in splunk search?
As a wildcard
What is the time stamp seen in events based on?
Your user account time zone
Field names are ______ while values are not
Case sensitive
What is the difference between != field operator and NOT
!= returns events where the contents of the field is not equal to the specified value
eg status !=200 shows all the events where the status field is not 200
NOT returns all events where there is no field status=200
NOT is more inclusing than !=, and will return events that don’t include the specified field
What does the field operator IN do?
Alternative to chaining together operators inside parenthesis, Searches field for results inside parenthesis eg
index = web status IN(“500, “503”, “505”)
is the same as
index = web (status=500 AND status =503 AND status=505)
Field Values are Case sensitive. T/F?
False, only field names are case sensitive
Which is not a comparison operator in Splunk?
<= ?= > != =
?= is not a comparison operator
Can wildcards be used in field searches?
Yes
What are the 5 main components of Splunk ES
Index Data, Search & investigate, Add knowledge, Monitor & Alert, Report & Analyze.
What attributes describe this field?
a dest 4
It contains 4 values, and it contains string values
What is the most efficient way to filter events in a search?
Time
Search best practices
- Index host sourcetype
- Inclusion better than exclusion
- Apply filtering commands as early as possible in search to limit events
- Only search index containing events you need
- Can also limit access with indexes, possible to search multiple indexes at the same time
What 4 default fields are extracted at index time, and are the most powerful to search to limit events (disregarding time)?
index, source, host, sourcetype
These fields do not need to be extracted during search
Which is better in a search, inclusion or exclusion?
Inclusion
What is -30mon?
time modifier for 30 months in search
How do you specify a time range in search?
By using earliest= latest=
eg: earliest=-2h latest=-1h
What privileges does an admin user have?
Install apps, create knowledge objects for all users
What privileges does a power user have?
Real time searches, create and share knowledge objects for users
What app(s) does splunk come with by default?
Search and reporting
What does the search and reporting app do?
Create knowledge objects, reports, and dashboards
What is a knowledge object in splunk?
Everything outside the basic data – A user creation that enriches existing data, such as a saved search, event types, tags, field extractions, lookups, reports, alerts, data models, transactions, workflow actions, and fields
The seven main components in splunk searching and reporting?
- Splunk bar
- App bar
- Search bar
- Time range picker
- How to search panel
- What to search panel
- Search History
The time range picker is set to ___ by default
All time
What are the three main search modes?
Fast, smart, verbose
_______ mode has discovery off for event searches. No event or field data for stats searches.
Fast
______ mode has all events and field data; switches to this mode after visualization
Verbose
______ mode (default-based on search string data) has field discovery ON for event searches. No event or field data for stats searches.
Smart
What does the “Job V” action button do
Edits job settings, sends jobs to the background, inspects and deletes job.
Saved searches are set to ___ by default
private
Exact phrases use
quotes
What boolean is implied if none is used?
AND
_______ fields have values in at least 20% of the events
Interesting
Clicking on a field shows a list of _______, ________, and ________.
Values, count, percentage
These fields can launch a quick report by clicking on them (4)
top values, top values by time, rare values, events with this field
What five components are the splunk search language made of?
Search terms commands functions arguments clauses
What is the Fields command?
Allows you to include or exclude specific fields from results
Would the ip column be removed in the results of this search? Why or why not?
sourcetype=a* | rename ip as “User” | fields - ip
No, because the name was changed
Finish the rename command to change the name of the status field to HTTP Status.
status as “HTTP Status”
What is missing from this search?
sourcetype=a* | rename ip as “User IP” | table User IP
Quotation marks around User IP
What command would you use to remove the status field from the returned events?
sourcetype=a* status=404 | ________ status
fields -
Which symbols are only used with numerical values?
> > = < <= –>
Top command returns top ____ results with a count and percentage
10
________ is an action that a saved search triggers based on the results of the search
Alert
________ designs reports into a simple interface without having to craft a search string
Pivot
The default time value for pivot is ______
All time
_______ object is the main source of data
Root
_______ object acts like an AND boolean
Child
An instant pivot allows instant access to data without having a data model (T/F)
True
alerts use a _______ search to check for events.
saved
Use ________ alerts to check for events on a regular basis
Scheduled
_______ alerts monitor for events continuously
Real-Time
What is the difference between traditional Index Clusters and Non-Replicating Index Clusters?
Non-replicating does not provide HA but offers simplified management
In addition to the three main splunk components, (Indexer, Forwarder, Search Head), what are the three other splunk components?
Deployment Server, Cluster Master, License Master
Where are forwarders normally installed?
At the data source or server
What is a search head cluster and what are its minimum requirements?
An aggregation of at least three search heads that allows users to share resources and searches
What are the three phases of the splunk indexing process?
Input, parsing, indexing
What five components does each event have?
Timestamp, Index, Sourcetype, Host, Source
What are the abbreviations for time search?
@ - rounds down to the nearest specified unit
s - seconds m - minutes h - hours d - days w - week mon - months y - year
eg -30m@h searches back to the beginning of the closest hour and searches 30 minutes of data
What are best practices for using wildcards?
Avoid using them at the beginning or middle of a string, only at the end.
When possible use OR instead of wildcards
How do you use the sort command?
can add limit=# to limit results
sort fieldname1, +ascendingfieldname2, -descendingfieldname3
How do you create a table in search?
table fieldnamecolumnone, fieldnamecolumntwo, column additionalfieldnames
How do you use the rename command?
Note: further pipes need to reference the new field name
rename FieldName “New Name For Field”
What does the fields command do?
Improves efficiency by specifying which fields to extract
eg | fields fieldname1, fieldname2, FieldName3
Can also remove fields to make table or results easier to read
eg | fields -NotNeededField
How does the dedup command work?
Removes duplicate field value results
eg | dedup fieldname1, fieldname2 | table fieldname1, fieldname2
What is a sourcetype in Splunk?
A default field used to identify the data structure of an incoming event so Splunk can format the data properly during indexing
What do transforming commands do?
Visualize data, etc
Top Command
automatically returns count and percent columns in a table and returns top 10 results
Can also use by clause
top fieldname
What is the rare command?
Opposite of top command, uses same clauses
What is the stats command, and what are the functions??
Allows you to calculate statistics on data returned in search
Functions: count distinct count (dc) sum avg min max list
Describe the count function
Part of the stats command, counts the number of events that match search criteria or field
Describe the dc function
Part of the stats command, returns count of unique (distinct) values for a given field. Distinct Count
Describe the sum function
part of the stats command, sums up all events of a given search
stats sum(fieldName) as “New Field Name” by AnotherField
Describe the average function
part of the stats command, averages value of events for a given search
How many results are shown by default with a top or rare command?
10
Which stats command would you use to find the average value of a field?
AVG
To display the most common values of a specific field, which command would you use?
Top
Which clause would you use to rename the count field?
sourcetype=vendor* | stats count ___ “Units Sold”
As
How do you limit the top command?
use limit=# clause
How do you remove the percent column from a top search?
showperc=f
Describe the list function
part of the stats command, lists all the values returned for a given field
What’s the best way to share search results?
Generate a report
What is a dashboard?
A collection of reports combined into a single pane
How do you create a dashboard or a report?
Click the save as button top right
How do you save or edit dashboards?
Save as dashboard, click existing tab. Can edit searches in the dashboard as well
If a search returns _____, you can view the results as a chart
Statistical Values
______ are reports gathered together under a single pane of glass
Dashboards
T/F – Charts can be based on numbers, time, or location
True
In a dashboard, a time range picker will only work on panels that include a(n) __________ search.
inline
Which role(s) can create reports?
All - user, power, admin
Why would you create panels from reports?
It’s efficient because any changes made to the reports update the dashboards, and a single report can be shared between dashboards
What is pivot?
Ability for users to design reports from data models created by admins and power roles. Essentially GUIed splunk language
What are child data sets in Pivots?
Child data sets are an AND boolean in splunk language
What are Datasets in data models?
Allows users to create reports with pre-defined datasets without knowing splunk query action
T/F Pivots cannot be saved as reports panels
False - pivots can be saved as report panels
The instant pivot button is displayed in the statistics and visualization tabs when a ______ search is run
non-transforming
Adding child data model objects is like the _____ Boolean in the Splunk search language
And
T/F Pivots can be saved as dashboard panels
True
Which role(s) can create data models?
Admin and Power
What is a lookup?
A dataset imported into splunk which appears in the sidebar as fields to add additional context to events, such as a .csv file with status code information or geospatial data
What is a lookup table?
a .csv or similar uploaded lookup table file available in a particular app context, eg search
How is lookup used in search?
lookup specifyinputtedTableLookupSource SourceFieldName OUTPUT fieldname1 fieldname2
How do automatic lookups function?
You create knowledge object in settings where you tell splunk how fields are mapped and defined
When using a .csv file for lookups, the first row in the file represents this.
Field Names
External data used by a lookup can come from sources like:
scripts, CSV files, Geospatial Data
To keep from overwriting existing fields with your Lookup you can use the ____ clause
OUTPUTNEW
Finish this search command so that it displays data from the http_status.csv lookup file
inputlookup http_status.csv
T/F A lookup is categorized as a dataset
True
What all can alert actions do?
Send an email Run a script Run webhook Log event Output results to lookup Output results to telemetry endpoint
T/F Real Time alerts will run the search continuously in the background
True
An alert is an action triggered by a ____
Saved Search
These are knowledge objects that provide the data structure for pivot
Data Models
Describe the inputlookup command
ingests inputlookup from a .csv or other source
T/F A lookup is categorized as a dataset
True
To keep from overwriting existing fields with your Lookup you can use the ____________ clause.
OUTPUTNEW
Before a report can be embedded, it must be _____
Scheduled
Search terms include:
Keywords, booleans, phrases, fields, wildcards, and comparisons
______ tell Splunk what we want to do with results (ex. stats)
(components of search language)
Commands
______ are how we deal with results (ex. list)
components of search language
Functions
______ are variables to apply to function (ex. Product name)
components of search language
Arguments
_______ are how we want results defined.
components of search language
Clauses
Field_____happens after field______only affecting displayed results.
Exclusion, Extraction
This command combines fields from external sources to searched events, based on event field
Lookup
This command shows the number of events matching search criteria
Stats count
This command is the sum of numerical value
Stats sum
This command preforms stats aggregation against time
timechart
___ splits data by an additional field
by
Uses Splunk search language, distributes search requests to indexers. Contains reports, dashboards, and visualizations
Search Heads
Forwarder
Consumes and sends data to the indexer
Can set read permissions, lifetime, and link to a job
Job settings
Each search is a job
Searchable key/value pairs in your event data. They are case sensitive
Fields
A location where Splunk stores and searches for event data
Indexer
Search component that defines how you want to chart, compute, or evaluate results - get sum, get an average, transform the values, etc
Functions
Search component that define what you are looking for - keywords, phrases Booleans, etc. These are case insensitive.
Search terms
Are variables that you can apply to functions – can calculate average value for a specific field, convert milliseconds to seconds, etc
Argument
Determines how you want to group or name the fields in the results, can give the field another name or group values by or over
Clauses
The command that controls the number of returned results
Limit
Three main methods to create tables and visualizations in Splunk are:
1) Select a field from the fields sidebar
2) Use the Pivot interface
3) Use a transforming command in the search ba
Used when static or unchanging data is required for searches but isn’t available in the index
Lookups
The command that loads results from a specified static lookup
inputlookup
Which of the following are default roles in Splunk?
System
Admin
Power
User
Admin, Power and User
Splunk is comprised of three main processing components, which ones?
License Master, Indexer & Forwarder
Indexer, Search head & Forwarder
Indexer, Cluster Master & Search head
Deployment Server, Indexer & Cluster Master
Indexer, Search head & Forwarder
What is the minimum amount of search head(s) required to establish a search head cluster?
4
1
2
3
3, in case one fails there’s still a Captain and at least one member
What is a deployer used for?
Management and distribution of apps to a cluster
Management and distribution of apps to a search head cluster
Management and distribution of apps to a indexer cluster
Management and distribution of apps to a forwarder cluster
Management and distribution of apps to a search head cluster
Which of the following Splunk components can be installed from the Splunk Enterprise package?
Search head
Heavy Forwarder
Universal Forwarder
Indexer
Universal Forwarder
What are the default metadata values that Splunk applies?
Punct
Source
Sourcetype
Host
Source, Sourcetype, Host
Splunk allows users to search with different search modes, which ones?
Quick
Fast
Smart
Verbose
Fast, Smart, Verbose
What are some search best practices?
Specify one or more index values in the end of your search string
Include as many search terms as possible
Exclusion is generally better than inclusion
Make your search terms as specific as possible
Make your search terms as specific as possible
Include as many search terms as possible
avg,sum,tostring are examples of what?
Clauses
Commands
Arguments
Functions
Functions
When using sort command, you can specify the number of results to return from the sorted results with limit argument. But what is the effect if you write | sort 0 .field.?
0 is an invalid argument counter
0 means that all results are returned
0 means that no results are returned
The correct argument is limit=0
0 means that all results are returned
Which command is used to load the results from a specific static lookup file?
import
inputlookup
lookup
outputlookup
inputlookup
Knowledge objects can be shared with different permissions(s), which one(s)?
Hidden
Owner(Private)
App
All apps(Global)
Owner(Private), App, All apps(Global)
What is the default timerange for Pivots?
Past 7 Days
All Time
Past 1 Hour
Past 24 Hours
Past 7 Days
Splunk fields are searchable key/value pairs in your data. In the picture shown below, which is the key and which is the value? (Select 1 option for key and 1 for value, minimum 2 options)
value: www1
key: host
key: www1
value: host
key: host, value: www1
Splunk fields are searchable key/value pairs in your data. In the picture shown below, which is the key and which is the value? (Select 1 option for key and 1 for value, minimum 2 options)
value: www1
key: host
key: www1
value: host
key: host, value: www1
