Splunk Fundamentals 1 Flashcards

1
Q

Machine data makes up more than __% of the data accumulated by organizations.

A

90%

2
Q

Index Data

A

Collects events and normalizes them, with discrete time stamps, into different sourcetypes.

3
Q

Describe functions of indexers, search heads, and forwarders

A

The Indexer processes machine data received from the Forwarders; the Search Heads distribute searches to the Indexers and extract field-value pairs.

4
Q

In most Splunk deployments, ________ serve as the primary way data is supplied for indexing.

A

Forwarders

5
Q

What are the three main processing components of Splunk?

A

Indexers, Forwarders, Search Heads

6
Q

Search strings are sent from the _________.

A

Search Head

7
Q

Which of these is not a main component of Splunk?

  • Add knowledge
  • Compress and archive
  • Search and investigate
  • Collect and index data

A

Compress and archive

8
Q

This role will only see their own knowledge objects and those that have been shared with them.

A

User

9
Q

What are the 3 roles in Splunk, from most to least powerful?

A

Admin, Power, User

10
Q

Which apps ship with Splunk Enterprise?

A

Home App, Search & Reporting

11
Q

You can launch and manage apps from the home app.

A

True

12
Q

_________ define what users can do in Splunk.

A

Roles

13
Q

The monitor input option will allow you to continuously monitor files.

A

True

14
Q

Splunk knows where to break the event, where the time stamp is located, and how to automatically create field-value pairs using these.

A

Source Types

15
Q

Splunk uses ________ to categorize the type of data being indexed.

A

Source Types

16
Q

In most production environments, _______ will be used as the source of data input.

A

Forwarders

17
Q

Files indexed using the upload input option get indexed _____.

A

Once

18
Q

What are commands that create statistics and visualizations called?

A

Transforming Commands

19
Q

What Booleans are used to tie search terms together in a search?

A

AND OR NOT

20
Q

What is the order of operations for boolean evaluation?

A

  1. Parentheses ()
  2. NOT
  3. OR
  4. AND

21
Q

How do you search exact phrases?

A

Place the terms in quotes ""

22
Q

How do you escape quotes from being interpreted in a search?

A

Use a backslash character, eg info="user \"chrisv4\" not in db"

This searches for the exact phrase user "chrisv4" not in db

23
Q

A search job will remain active for ___ minutes after it is run.

A

10 Minutes

24
Q

Shared search jobs remain active for _______ by default.

A

7 Days

25
How is the asterisk used in a Splunk search?
As a wildcard
26
What is the time stamp seen in events based on?
Your user account time zone
27
Field names are ______ while values are not.
Case sensitive
28
What is the difference between the != field operator and NOT?
!= returns events where the field is present and its value is not equal to the specified value, eg status!=200 shows all events in which the status field exists and is not 200. NOT returns all events where there is no status=200 at all. NOT is more inclusive than !=, and will also return events that don't include the specified field.
29
What does the field operator IN do?
An alternative to chaining together operators inside parentheses; it searches the field for the values listed inside the parentheses, eg index=web status IN("500", "503", "505") is the same as index=web (status=500 OR status=503 OR status=505)
30
Field values are case sensitive. T/F?
False, only field names are case sensitive
31
Which is not a comparison operator in Splunk? <= ?= > != =
?= is not a comparison operator
32
Can wildcards be used in field searches?
Yes
33
What are the 5 main components of Splunk ES?
Index Data, Search & Investigate, Add Knowledge, Monitor & Alert, Report & Analyze.
34
What attributes describe this field? a dest 4
It contains 4 values, and it contains string values
35
What is the most efficient way to filter events in a search?
Time
36
Search best practices
  • Specify index, host and sourcetype
  • Inclusion is better than exclusion
  • Apply filtering commands as early as possible in the search to limit events
  • Only search the index containing the events you need
  • Access can also be limited by index; it is possible to search multiple indexes at the same time
37
What 4 default fields are extracted at index time, and are the most powerful to search to limit events (disregarding time)?
index, source, host, sourcetype. These fields do not need to be extracted during search.
38
Which is better in a search, inclusion or exclusion?
Inclusion
39
What is -30mon?
A time modifier meaning 30 months ago in a search
40
How do you specify a time range in search?
By using earliest= and latest=, eg earliest=-2h latest=-1h
41
What privileges does an admin user have?
Install apps, create knowledge objects for all users
42
What privileges does a power user have?
Real time searches, create and share knowledge objects for users
43
What app(s) does Splunk come with by default?
Search and reporting
44
What does the search and reporting app do?
Create knowledge objects, reports, and dashboards
45
What is a knowledge object in Splunk?
Everything outside the basic data: something a user creates that enriches existing data, such as a saved search, event types, tags, field extractions, lookups, reports, alerts, data models, transactions, workflow actions, and fields
46
What are the seven main components of the Splunk Search & Reporting interface?
  1. Splunk bar
  2. App bar
  3. Search bar
  4. Time range picker
  5. How to Search panel
  6. What to Search panel
  7. Search History
47
The time range picker is set to ___ by default
All time
48
What are the three main search modes?
Fast, smart, verbose
49
_______ mode has discovery off for event searches. No event or field data for stats searches.
Fast
50
______ mode has all events and field data; switches to this mode after visualization
Verbose
51
______ mode (the default; behaviour is based on the search string) has field discovery ON for event searches. No event or field data for stats searches.
Smart
52
What does the "Job" action dropdown do?
Edits job settings, sends jobs to the background, inspects and deletes job.
53
Saved searches are set to ___ by default
private
54
Exact phrases use
quotes
55
What boolean is implied if none is used?
AND
56
_______ fields have values in at least 20% of the events
Interesting
57
Clicking on a field shows a list of _______, ________, and ________.
Values, count, percentage
58
These fields can launch a quick report by clicking on them (4)
top values, top values by time, rare values, events with this field
59
What five components is the Splunk search language made of?
Search terms, commands, functions, arguments, clauses
60
What is the fields command?
Allows you to include or exclude specific fields from results
61
Would the ip column be removed in the results of this search? Why or why not? sourcetype=a* | rename ip as "User" | fields - ip
No, because the name was changed
62
Finish the rename command to change the name of the status field to HTTP Status.
status as "HTTP Status"
63
What is missing from this search? sourcetype=a* | rename ip as "User IP" | table User IP
Quotation marks around User IP
64
What command would you use to remove the status field from the returned events? sourcetype=a* status=404 | ________ status
fields -
65
Which symbols are only used with numerical values?
> >= < <=
66
The top command returns the top ____ results with a count and percentage
10
67
________ is an action that a saved search triggers based on the results of the search
Alert
68
________ designs reports into a simple interface without having to craft a search string
Pivot
69
The default time value for pivot is ______
All time
70
_______ object is the main source of data
Root
71
_______ object acts like an AND boolean
Child
72
An instant pivot allows instant access to data without having a data model (T/F)
True
73
Alerts use a _______ search to check for events.
saved
74
Use ________ alerts to check for events on a regular basis
Scheduled
75
_______ alerts monitor for events continuously
Real-Time
76
What is the difference between traditional Index Clusters and Non-Replicating Index Clusters?
Non-replicating does not provide HA but offers simplified management
77
In addition to the three main Splunk components (Indexer, Forwarder, Search Head), what are the three other Splunk components?
Deployment Server, Cluster Master, License Master
78
Where are forwarders normally installed?
At the data source or server
79
What is a search head cluster and what are its minimum requirements?
An aggregation of at least three search heads that allows users to share resources and searches
80
What are the three phases of the Splunk indexing process?
Input, parsing, indexing
81
What five components does each event have?
Timestamp, Index, Sourcetype, Host, Source
82
What are the abbreviations used in time modifiers for search?
@ rounds down to the nearest specified unit
  • s - seconds
  • m - minutes
  • h - hours
  • d - days
  • w - week
  • mon - months
  • y - year
eg -30m@h searches back to the beginning of the closest hour and searches 30 minutes of data
83
What are best practices for using wildcards?
Avoid using them at the beginning or middle of a string, only at the end. When possible use OR instead of wildcards
84
How do you use the sort command?
| sort fieldname1, +ascendingfieldname2, -descendingfieldname3 (a + prefix sorts ascending, a - prefix sorts descending). You can add limit=# to limit the results.
85
How do you create a table in search?
| table fieldnamecolumnone, fieldnamecolumntwo, column additionalfieldnames
86
How do you use the rename command?
| rename FieldName as "New Name For Field" Note: further pipes need to reference the new field name
87
What does the fields command do?
Improves efficiency by specifying which fields to extract, eg | fields fieldname1, fieldname2, FieldName3. Can also remove fields to make the table or results easier to read, eg | fields - NotNeededField
88
How does the dedup command work?
Removes results with duplicate field values, eg | dedup fieldname1, fieldname2 | table fieldname1, fieldname2
89
What is a sourcetype in Splunk?
A default field used to identify the data structure of an incoming event so Splunk can format the data properly during indexing
90
What do transforming commands do?
Transform event data into statistical tables and visualizations
91
How is the top command used?
| top fieldname automatically returns count and percent columns in a table and returns the top 10 results. Can also use a by clause.
92
What is the rare command?
The opposite of the top command; it uses the same clauses
93
What is the stats command, and what are its functions?
Allows you to calculate statistics on the data returned in a search. Functions:
  • count
  • distinct count (dc)
  • sum
  • avg
  • min
  • max
  • list
94
Describe the count function
Part of the stats command, counts the number of events that match search criteria or field
95
Describe the dc function
Part of the stats command, returns count of unique (distinct) values for a given field. Distinct Count
96
Describe the sum function
Part of the stats command, sums the values of a field across all events of a given search, eg | stats sum(fieldName) as "New Field Name" by AnotherField
97
Describe the average function
Part of the stats command, averages the values of a field across the events of a given search
98
How many results are shown by default with a top or rare command?
10
99
Which stats command would you use to find the average value of a field?
AVG
100
To display the most common values of a specific field, which command would you use?
Top
101
Which clause would you use to rename the count field? sourcetype=vendor* | stats count ___ "Units Sold"
As
102
How do you limit the top command?
Use the limit=# clause
103
How do you remove the percent column from a top search?
showperc=f
104
Describe the list function
Part of the stats command, lists all the values returned for a given field
105
What's the best way to share search results?
Generate a report
106
What is a dashboard?
A collection of reports combined into a single pane
107
How do you create a dashboard or a report?
Click the Save As button at the top right
108
How do you save or edit dashboards?
Save as a dashboard panel and click the Existing tab to add it to an existing dashboard. Searches in the dashboard can be edited as well.
109
If a search returns _____, you can view the results as a chart
Statistical Values
110
______ are reports gathered together under a single pane of glass
Dashboards
111
T/F -- Charts can be based on numbers, time, or location
True
112
In a dashboard, a time range picker will only work on panels that include a(n) __________ search.
inline
113
Which role(s) can create reports?
All - user, power, admin
114
Why would you create panels from reports?
It's efficient because any changes made to the reports update the dashboards, and a single report can be shared between dashboards
115
What is pivot?
The ability for users to design reports from data models created by the admin and power roles. Essentially a GUI over the Splunk search language.
116
What are child data sets in Pivots?
Child data sets act like an AND Boolean in the Splunk search language
117
What are Datasets in data models?
Pre-defined sets of data that allow users to create reports without knowing the Splunk search language
118
T/F Pivots cannot be saved as reports panels
False - pivots can be saved as report panels
119
The instant pivot button is displayed in the statistics and visualization tabs when a ______ search is run
non-transforming
120
Adding child data model objects is like the _____ Boolean in the Splunk search language
And
121
T/F Pivots can be saved as dashboard panels
True
122
Which role(s) can create data models?
Admin and Power
123
What is a lookup?
A dataset imported into Splunk which appears in the sidebar as fields, to add additional context to events, such as a .csv file with status code information or geospatial data
124
What is a lookup table?
A .csv or similar uploaded lookup table file available in a particular app context, eg search
125
How is lookup used in search?
| lookup LookupTableName SourceFieldName OUTPUT fieldname1 fieldname2
126
How do automatic lookups function?
You create a knowledge object in Settings where you tell Splunk how the fields are mapped and defined
127
When using a .csv file for lookups, the first row in the file represents this.
Field Names
128
External data used by a lookup can come from sources like:
scripts, CSV files, Geospatial Data
129
To keep from overwriting existing fields with your Lookup you can use the ____ clause
OUTPUTNEW
130
Finish this search command so that it displays data from the http_status.csv lookup file
| inputlookup http_status.csv
131
T/F A lookup is categorized as a dataset
True
132
What can alert actions do?
  • Send an email
  • Run a script
  • Run a webhook
  • Log an event
  • Output results to a lookup
  • Output results to a telemetry endpoint
133
T/F Real Time alerts will run the search continuously in the background
True
134
An alert is an action triggered by a ____
Saved Search
135
These are knowledge objects that provide the data structure for pivot
Data Models
136
Describe the inputlookup command
Loads a lookup table from a .csv or other source into the search results
138
To keep from overwriting existing fields with your Lookup you can use the ____________ clause.
OUTPUTNEW
139
Before a report can be embedded, it must be _____
Scheduled
140
Search terms include:
Keywords, booleans, phrases, fields, wildcards, and comparisons
141
______ tell Splunk what we want to do with results (ex. stats) (components of search language)
Commands
142
______ are how we deal with results (ex. list) | components of search language
Functions
143
______ are variables to apply to function (ex. Product name) | components of search language
Arguments
144
_______ are how we want results defined. | components of search language
Clauses
145
Field _____ happens after field ______, only affecting displayed results.
Exclusion, Extraction
146
This command combines fields from external sources to searched events, based on event field
Lookup
147
This command shows the number of events matching search criteria
Stats count
148
This command sums numerical values
Stats sum
149
This command performs stats aggregation against time
timechart
150
___ splits data by an additional field
by
151
Uses Splunk search language, distributes search requests to indexers. Contains reports, dashboards, and visualizations
Search Heads
152
Forwarder
Consumes and sends data to the indexer
153
Can set read permissions, lifetime, and link to a job
Job settings. Each search is a job.
154
Searchable key/value pairs in your event data. They are case sensitive
Fields
155
A location where Splunk stores and searches for event data
Indexer
156
Search component that defines how you want to chart, compute, or evaluate results - get sum, get an average, transform the values, etc
Functions
157
Search component that defines what you are looking for: keywords, phrases, Booleans, etc. These are case insensitive.
Search terms
158
Variables that you can apply to functions; can calculate the average value for a specific field, convert milliseconds to seconds, etc
Argument
159
Determine how you want to group or name the fields in the results; can give a field another name, or group values by or over another field
Clauses
160
The command that controls the number of returned results
Limit
161
The three main methods to create tables and visualizations in Splunk are:
  1. Select a field from the fields sidebar
  2. Use the Pivot interface
  3. Use a transforming command in the search bar
162
Used when static or unchanging data is required for searches but isn't available in the index
Lookups
163
The command that loads results from a specified static lookup
inputlookup
164
Which of the following are default roles in Splunk?
  • System
  • Admin
  • Power
  • User
Admin, Power and User
165
Splunk comprises three main processing components. Which ones?
  • License Master, Indexer & Forwarder
  • Indexer, Search head & Forwarder
  • Indexer, Cluster Master & Search head
  • Deployment Server, Indexer & Cluster Master
Indexer, Search head & Forwarder
166
What is the minimum number of search heads required to establish a search head cluster?
  • 4
  • 1
  • 2
  • 3
3, in case one fails there's still a Captain and at least one member
167
What is a deployer used for?
  • Management and distribution of apps to a cluster
  • Management and distribution of apps to a search head cluster
  • Management and distribution of apps to an indexer cluster
  • Management and distribution of apps to a forwarder cluster
Management and distribution of apps to a search head cluster
168
Which of the following Splunk components can be installed from the Splunk Enterprise package?
  • Search head
  • Heavy Forwarder
  • Universal Forwarder
  • Indexer
Universal Forwarder
169
What are the default metadata values that Splunk applies?
  • Punct
  • Source
  • Sourcetype
  • Host
Source, Sourcetype, Host
170
Splunk allows users to search with different search modes. Which ones?
  • Quick
  • Fast
  • Smart
  • Verbose
Fast, Smart, Verbose
171
What are some search best practices?
  • Specify one or more index values at the end of your search string
  • Include as many search terms as possible
  • Exclusion is generally better than inclusion
  • Make your search terms as specific as possible
Make your search terms as specific as possible | Include as many search terms as possible
172
avg, sum and tostring are examples of what?
  • Clauses
  • Commands
  • Arguments
  • Functions
Functions
173
When using the sort command, you can specify the number of results to return from the sorted results with the limit argument. But what is the effect if you write | sort 0 field?
  • 0 is an invalid argument counter
  • 0 means that all results are returned
  • 0 means that no results are returned
  • The correct argument is limit=0
0 means that all results are returned
174
Which command is used to load the results from a specific static lookup file?
  • import
  • inputlookup
  • lookup
  • outputlookup
inputlookup
175
Knowledge objects can be shared with different permission(s). Which one(s)?
  • Hidden
  • Owner (Private)
  • App
  • All apps (Global)
Owner(Private), App, All apps(Global)
176
What is the default time range for Pivots?
  • Past 7 Days
  • All Time
  • Past 1 Hour
  • Past 24 Hours
Past 7 Days
177
Splunk fields are searchable key/value pairs in your data. In the picture shown below, which is the key and which is the value? (Select 1 option for key and 1 for value, minimum 2 options)
  • value: www1
  • key: host
  • key: www1
  • value: host
key: host, value: www1