Splunk Fundamentals 1

Question 1

Machine data makes up for more than __% of data accumulated by organizations

Answer 1

90%

Question 2

Index Data

Answer 2

Collects events and normalizes it with discrete time stamps into different sourcetypes

Question 3

Describe functions of indexers, search heads, and forwarders

Answer 3

The Indexer processes machine data from the Forwarders, and the search heads distributes searches to the indexers and extracts field value pairs.

Question 4

In most Splunk deployments, ________ serve as the primary way data is supplied for indexing.

Answer 4

Forwarders

Question 5

What are the three main processing components of Splunk?

Answer 5

Indexers, Forwarders, Search Heads

Question 6

Search strings are sent from the _________.

Answer 6

Search Head

Question 7

Which of these is not a main component of Splunk?

• Add knowledge
• Compress and archive
• Search and investigate
• Collect and index data

Answer 7

Compress and archive

Question 8

This role will only see their own knowledge objects and those that have been shared with them.

Answer 8

User

Question 9

What are the 3 roles in Splunk, from most to least powerful?

Answer 9

Admin, Power, User

Question 10

Which apps ship with Splunk Enterprise?

Answer 10

Home App, Search & Reporting

Question 11

You can launch and manage apps from the home app.

Answer 11

True

Question 12

_________ define what users can do in Splunk.

Answer 12

Roles

Question 13

The monitor input option will allow you to continuously monitor files.

Answer 13

True

Question 14

Splunk knows where to break the event, where the time stamp is located and how to automatically create field value pairs using these.

Answer 14

Source Types

Question 15

Splunk uses ________ to categorize the type of data being indexed.

Answer 15

Source Types

Question 16

In most production environments, _______ will be used as the source of data input.

Answer 16

Forwarders

Question 17

Files indexed using the the upload input option get indexed _____.

Answer 17

Once

Question 18

What are commands that create statistics and visualizations called?

Answer 18

Transforming Commands

Question 19

What booleans are used to tie events together in search?

Answer 19

AND OR NOT

Question 20

What is the order of operations for boolean evaluation?

Answer 20

0. Parenthesis() 1. NOT 2. OR 3. AND

Question 21

How do you search exact phrases?

Answer 21

place terms in quotes “”

Question 22

How do you escape quotes from being interpreted in a search?

Answer 22

Use a backslash character, eg info=”user "chrisv4" not in db”

This searches for the exact phrase user “chrisv4 not in db

Question 23

A search job will remain active for ___ minutes after it is run.

Answer 23

10 Minutes

Question 24

Shared search jobs remain active for _______ by default.

Answer 24

7 Days

Question 25

How is the asterisk used in splunk search?

Answer 25

As a wildcard

Question 26

What is the time stamp seen in events based on?

Answer 26

Your user account time zone

Question 27

Field names are ______ while values are not

Answer 27

Case sensitive

Question 28

What is the difference between != field operator and NOT

Answer 28

!= returns events where the contents of the field is not equal to the specified value

eg status !=200 shows all the events where the status field is not 200

NOT returns all events where there is no field status=200

NOT is more inclusing than !=, and will return events that don’t include the specified field

Question 29

What does the field operator IN do?

Answer 29

Alternative to chaining together operators inside parenthesis, Searches field for results inside parenthesis eg

index = web status IN(“500, “503”, “505”)

is the same as

index = web (status=500 AND status =503 AND status=505)

Question 30

Field Values are Case sensitive. T/F?

Answer 30

False, only field names are case sensitive

Question 31

Which is not a comparison operator in Splunk?

<=
?=
>
!=
=

Answer 31

?= is not a comparison operator

Question 32

Can wildcards be used in field searches?

Answer 32

Yes

Question 33

What are the 5 main components of Splunk ES

Answer 33

Index Data, Search & investigate, Add knowledge, Monitor & Alert, Report & Analyze.

Question 34

What attributes describe this field?

a dest 4

Answer 34

It contains 4 values, and it contains string values

Question 35

What is the most efficient way to filter events in a search?

Answer 35

Time

Question 36

Search best practices

Answer 36

• Index host sourcetype
• Inclusion better than exclusion
• Apply filtering commands as early as possible in search to limit events
• Only search index containing events you need
• Can also limit access with indexes, possible to search multiple indexes at the same time

Question 37

What 4 default fields are extracted at index time, and are the most powerful to search to limit events (disregarding time)?

Answer 37

index, source, host, sourcetype

These fields do not need to be extracted during search

Question 38

Which is better in a search, inclusion or exclusion?

Answer 38

Inclusion

Question 39

What is -30mon?

Answer 39

time modifier for 30 months in search

Question 40

How do you specify a time range in search?

Answer 40

By using earliest= latest=

eg: earliest=-2h latest=-1h

Question 41

What privileges does an admin user have?

Answer 41

Install apps, create knowledge objects for all users

Question 42

What privileges does a power user have?

Answer 42

Real time searches, create and share knowledge objects for users

Question 43

What app(s) does splunk come with by default?

Answer 43

Search and reporting

Question 44

What does the search and reporting app do?

Answer 44

Create knowledge objects, reports, and dashboards

Question 45

What is a knowledge object in splunk?

Answer 45

Everything outside the basic data – A user creation that enriches existing data, such as a saved search, event types, tags, field extractions, lookups, reports, alerts, data models, transactions, workflow actions, and fields

Question 46

The seven main components in splunk searching and reporting?

Answer 46

1. Splunk bar
2. App bar
3. Search bar
4. Time range picker
5. How to search panel
6. What to search panel
7. Search History

Question 47

The time range picker is set to ___ by default

Answer 47

All time

Question 48

What are the three main search modes?

Answer 48

Fast, smart, verbose

Question 49

_______ mode has discovery off for event searches. No event or field data for stats searches.

Answer 49

Fast

Question 50

______ mode has all events and field data; switches to this mode after visualization

Answer 50

Verbose

Question 51

______ mode (default-based on search string data) has field discovery ON for event searches. No event or field data for stats searches.

Answer 51

Smart

Question 52

What does the “Job V” action button do

Answer 52

Edits job settings, sends jobs to the background, inspects and deletes job.

Question 53

Saved searches are set to ___ by default

Answer 53

private

Question 54

Exact phrases use

Answer 54

quotes

Question 55

What boolean is implied if none is used?

Answer 55

AND

Question 56

_______ fields have values in at least 20% of the events

Answer 56

Interesting

Question 57

Clicking on a field shows a list of _______, ________, and ________.

Answer 57

Values, count, percentage

Question 58

These fields can launch a quick report by clicking on them (4)

Answer 58

top values, top values by time, rare values, events with this field

Question 59

What five components are the splunk search language made of?

Answer 59

Search terms
commands
functions
arguments
clauses

Question 60

What is the Fields command?

Answer 60

Allows you to include or exclude specific fields from results

Question 61

Would the ip column be removed in the results of this search? Why or why not?

sourcetype=a* | rename ip as “User” | fields - ip

Answer 61

No, because the name was changed

Question 62

Finish the rename command to change the name of the status field to HTTP Status.

Answer 62

status as “HTTP Status”

Question 63

What is missing from this search?

sourcetype=a* | rename ip as “User IP” | table User IP

Answer 63

Quotation marks around User IP

Question 64

What command would you use to remove the status field from the returned events?

sourcetype=a* status=404 | ________ status

Answer 64

fields -

Question 65

Which symbols are only used with numerical values?

Answer 65

> > = < <= –>

Question 66

Top command returns top ____ results with a count and percentage

Answer 66

10

Question 67

________ is an action that a saved search triggers based on the results of the search

Answer 67

Alert

Question 68

________ designs reports into a simple interface without having to craft a search string

Answer 68

Pivot

Question 69

The default time value for pivot is ______

Answer 69

All time

Question 70

_______ object is the main source of data

Answer 70

Root

Question 71

_______ object acts like an AND boolean

Answer 71

Child

Question 72

An instant pivot allows instant access to data without having a data model (T/F)

Answer 72

True

Question 73

alerts use a _______ search to check for events.

Answer 73

saved

Question 74

Use ________ alerts to check for events on a regular basis

Answer 74

Scheduled

Question 75

_______ alerts monitor for events continuously

Answer 75

Real-Time

Question 76

What is the difference between traditional Index Clusters and Non-Replicating Index Clusters?

Answer 76

Non-replicating does not provide HA but offers simplified management

Question 77

In addition to the three main splunk components, (Indexer, Forwarder, Search Head), what are the three other splunk components?

Answer 77

Deployment Server, Cluster Master, License Master

Question 78

Where are forwarders normally installed?

Answer 78

At the data source or server

Question 79

What is a search head cluster and what are its minimum requirements?

Answer 79

An aggregation of at least three search heads that allows users to share resources and searches

Question 80

What are the three phases of the splunk indexing process?

Answer 80

Input, parsing, indexing

Question 81

What five components does each event have?

Answer 81

Timestamp, Index, Sourcetype, Host, Source

Question 82

What are the abbreviations for time search?

Answer 82

@ - rounds down to the nearest specified unit

s - seconds
m - minutes
h - hours
d - days
w - week
mon - months
y - year

eg -30m@h searches back to the beginning of the closest hour and searches 30 minutes of data

Question 83

What are best practices for using wildcards?

Answer 83

Avoid using them at the beginning or middle of a string, only at the end.

When possible use OR instead of wildcards

Question 84

How do you use the sort command?

Answer 84

can add limit=# to limit results

sort fieldname1, +ascendingfieldname2, -descendingfieldname3

Question 85

How do you create a table in search?

Answer 85

table fieldnamecolumnone, fieldnamecolumntwo, column additionalfieldnames

Question 86

How do you use the rename command?

Answer 86

Note: further pipes need to reference the new field name

rename FieldName “New Name For Field”

Question 87

What does the fields command do?

Answer 87

Improves efficiency by specifying which fields to extract

eg | fields fieldname1, fieldname2, FieldName3

Can also remove fields to make table or results easier to read

eg | fields -NotNeededField

Question 88

How does the dedup command work?

Answer 88

Removes duplicate field value results

eg | dedup fieldname1, fieldname2 | table fieldname1, fieldname2

Question 89

What is a sourcetype in Splunk?

Answer 89

A default field used to identify the data structure of an incoming event so Splunk can format the data properly during indexing

Question 90

What do transforming commands do?

Answer 90

Visualize data, etc

Question 91

Top Command

Answer 91

automatically returns count and percent columns in a table and returns top 10 results

Can also use by clause

top fieldname

Question 92

What is the rare command?

Answer 92

Opposite of top command, uses same clauses

Question 93

What is the stats command, and what are the functions??

Answer 93

Allows you to calculate statistics on data returned in search

Functions:
count
distinct count (dc)
sum
avg
min
max
list

Question 94

Describe the count function

Answer 94

Part of the stats command, counts the number of events that match search criteria or field

Question 95

Describe the dc function

Answer 95

Part of the stats command, returns count of unique (distinct) values for a given field. Distinct Count

Question 96

Describe the sum function

Answer 96

part of the stats command, sums up all events of a given search

stats sum(fieldName) as “New Field Name” by AnotherField

Question 97

Describe the average function

Answer 97

part of the stats command, averages value of events for a given search

Question 98

How many results are shown by default with a top or rare command?

Answer 98

10

Question 99

Which stats command would you use to find the average value of a field?

Answer 99

AVG

Question 100

To display the most common values of a specific field, which command would you use?

Answer 100

Top

Question 101

Which clause would you use to rename the count field?

sourcetype=vendor* | stats count ___ “Units Sold”

Answer 101

As

Question 102

How do you limit the top command?

Answer 102

use limit=# clause

Question 103

How do you remove the percent column from a top search?

Answer 103

showperc=f

Question 104

Describe the list function

Answer 104

part of the stats command, lists all the values returned for a given field

Question 105

What’s the best way to share search results?

Answer 105

Generate a report

Question 106

What is a dashboard?

Answer 106

A collection of reports combined into a single pane

Question 107

How do you create a dashboard or a report?

Answer 107

Click the save as button top right

Question 108

How do you save or edit dashboards?

Answer 108

Save as dashboard, click existing tab. Can edit searches in the dashboard as well

Question 109

If a search returns _____, you can view the results as a chart

Answer 109

Statistical Values

Question 110

______ are reports gathered together under a single pane of glass

Answer 110

Dashboards

Question 111

T/F – Charts can be based on numbers, time, or location

Answer 111

True

Question 112

In a dashboard, a time range picker will only work on panels that include a(n) __________ search.

Answer 112

inline

Question 113

Which role(s) can create reports?

Answer 113

All - user, power, admin

Question 114

Why would you create panels from reports?

Answer 114

It’s efficient because any changes made to the reports update the dashboards, and a single report can be shared between dashboards

Question 115

What is pivot?

Answer 115

Ability for users to design reports from data models created by admins and power roles. Essentially GUIed splunk language

Question 116

What are child data sets in Pivots?

Answer 116

Child data sets are an AND boolean in splunk language

Question 117

What are Datasets in data models?

Answer 117

Allows users to create reports with pre-defined datasets without knowing splunk query action

Question 118

T/F Pivots cannot be saved as reports panels

Answer 118

False - pivots can be saved as report panels

Question 119

The instant pivot button is displayed in the statistics and visualization tabs when a ______ search is run

Answer 119

non-transforming

Question 120

Adding child data model objects is like the _____ Boolean in the Splunk search language

Answer 120

And

Question 121

T/F Pivots can be saved as dashboard panels

Answer 121

True

Question 122

Which role(s) can create data models?

Answer 122

Admin and Power

Question 123

What is a lookup?

Answer 123

A dataset imported into splunk which appears in the sidebar as fields to add additional context to events, such as a .csv file with status code information or geospatial data

Question 124

What is a lookup table?

Answer 124

a .csv or similar uploaded lookup table file available in a particular app context, eg search

Question 125

How is lookup used in search?

Answer 125

lookup specifyinputtedTableLookupSource SourceFieldName OUTPUT fieldname1 fieldname2

Question 126

How do automatic lookups function?

Answer 126

You create knowledge object in settings where you tell splunk how fields are mapped and defined

Question 127

When using a .csv file for lookups, the first row in the file represents this.

Answer 127

Field Names

Question 128

External data used by a lookup can come from sources like:

Answer 128

scripts, CSV files, Geospatial Data

Question 129

To keep from overwriting existing fields with your Lookup you can use the ____ clause

Answer 129

OUTPUTNEW

Question 130

Finish this search command so that it displays data from the http_status.csv lookup file

Answer 130

inputlookup http_status.csv

Question 131

T/F A lookup is categorized as a dataset

Answer 131

True

Question 132

What all can alert actions do?

Answer 132

Send an email
Run a script
Run webhook
Log event
Output results to lookup
Output results to telemetry endpoint

Question 133

T/F Real Time alerts will run the search continuously in the background

Answer 133

True

Question 134

An alert is an action triggered by a ____

Answer 134

Saved Search

Question 135

These are knowledge objects that provide the data structure for pivot

Answer 135

Data Models

Question 136

Describe the inputlookup command

Answer 136

ingests inputlookup from a .csv or other source

Question 137

T/F A lookup is categorized as a dataset

Answer 137

True

Question 138

To keep from overwriting existing fields with your Lookup you can use the ____________ clause.

Answer 138

OUTPUTNEW

Question 139

Before a report can be embedded, it must be _____

Answer 139

Scheduled

Question 140

Search terms include:

Answer 140

Keywords, booleans, phrases, fields, wildcards, and comparisons

Question 141

______ tell Splunk what we want to do with results (ex. stats)

(components of search language)

Answer 141

Commands

Question 142

______ are how we deal with results (ex. list)

components of search language

Answer 142

Functions

Question 143

______ are variables to apply to function (ex. Product name)

components of search language

Answer 143

Arguments

Question 144

_______ are how we want results defined.

components of search language

Answer 144

Clauses

Question 145

Field_____happens after field______only affecting displayed results.

Answer 145

Exclusion, Extraction

Question 146

This command combines fields from external sources to searched events, based on event field

Answer 146

Lookup

Question 147

This command shows the number of events matching search criteria

Answer 147

Stats count

Question 148

This command is the sum of numerical value

Answer 148

Stats sum

Question 149

This command preforms stats aggregation against time

Answer 149

timechart

Question 150

___ splits data by an additional field

Answer 150

by

Question 151

Uses Splunk search language, distributes search requests to indexers. Contains reports, dashboards, and visualizations

Answer 151

Search Heads

Question 152

Forwarder

Answer 152

Consumes and sends data to the indexer

Question 153

Can set read permissions, lifetime, and link to a job

Answer 153

Job settings

Each search is a job

Question 154

Searchable key/value pairs in your event data. They are case sensitive

Answer 154

Fields

Question 155

A location where Splunk stores and searches for event data

Answer 155

Indexer

Question 156

Search component that defines how you want to chart, compute, or evaluate results - get sum, get an average, transform the values, etc

Answer 156

Functions

Question 157

Search component that define what you are looking for - keywords, phrases Booleans, etc. These are case insensitive.

Answer 157

Search terms

Question 158

Are variables that you can apply to functions – can calculate average value for a specific field, convert milliseconds to seconds, etc

Answer 158

Argument

Question 159

Determines how you want to group or name the fields in the results, can give the field another name or group values by or over

Answer 159

Clauses

Question 160

The command that controls the number of returned results

Answer 160

Limit

Question 161

Three main methods to create tables and visualizations in Splunk are:

Answer 161

1) Select a field from the fields sidebar
2) Use the Pivot interface
3) Use a transforming command in the search ba

Question 162

Used when static or unchanging data is required for searches but isn’t available in the index

Answer 162

Lookups

Question 163

The command that loads results from a specified static lookup

Answer 163

inputlookup

Question 164

Which of the following are default roles in Splunk?

System
Admin
Power
User

Answer 164

Admin, Power and User

Question 165

Splunk is comprised of three main processing components, which ones?

License Master, Indexer & Forwarder
Indexer, Search head & Forwarder
Indexer, Cluster Master & Search head
Deployment Server, Indexer & Cluster Master

Answer 165

Indexer, Search head & Forwarder

Question 166

What is the minimum amount of search head(s) required to establish a search head cluster?

4
1
2
3

Answer 166

3, in case one fails there’s still a Captain and at least one member

Question 167

What is a deployer used for?

Management and distribution of apps to a cluster
Management and distribution of apps to a search head cluster
Management and distribution of apps to a indexer cluster
Management and distribution of apps to a forwarder cluster

Answer 167

Management and distribution of apps to a search head cluster

Question 168

Which of the following Splunk components can be installed from the Splunk Enterprise package?

Search head
Heavy Forwarder
Universal Forwarder
Indexer

Answer 168

Universal Forwarder

Question 169

What are the default metadata values that Splunk applies?

Punct
Source
Sourcetype
Host

Answer 169

Source, Sourcetype, Host

Question 170

Splunk allows users to search with different search modes, which ones?

Quick
Fast
Smart
Verbose

Answer 170

Fast, Smart, Verbose

Question 171

What are some search best practices?

Specify one or more index values in the end of your search string
Include as many search terms as possible
Exclusion is generally better than inclusion
Make your search terms as specific as possible

Answer 171

Make your search terms as specific as possible

Include as many search terms as possible

Question 172

avg,sum,tostring are examples of what?

Clauses
Commands
Arguments
Functions

Answer 172

Functions

Question 173

When using sort command, you can specify the number of results to return from the sorted results with limit argument. But what is the effect if you write | sort 0 .field.?

0 is an invalid argument counter
0 means that all results are returned
0 means that no results are returned
The correct argument is limit=0

Answer 173

0 means that all results are returned

Question 174

Which command is used to load the results from a specific static lookup file?

import
inputlookup
lookup
outputlookup

Answer 174

inputlookup

Question 175

Knowledge objects can be shared with different permissions(s), which one(s)?

Hidden
Owner(Private)
App
All apps(Global)

Answer 175

Owner(Private), App, All apps(Global)

Question 176

What is the default timerange for Pivots?

Past 7 Days
All Time
Past 1 Hour
Past 24 Hours

Answer 176

Past 7 Days

Question 177

Splunk fields are searchable key/value pairs in your data. In the picture shown below, which is the key and which is the value? (Select 1 option for key and 1 for value, minimum 2 options)

value: www1
key: host
key: www1
value: host

Answer 177

key: host, value: www1

Question 178

Splunk fields are searchable key/value pairs in your data. In the picture shown below, which is the key and which is the value? (Select 1 option for key and 1 for value, minimum 2 options)

value: www1
key: host
key: www1
value: host

Answer 178

key: host, value: www1