Splunk Fundamentals 1 Flashcards

1
Q

Each Splunk event has:

A

1) timestamp
2) host
3) source
4) sourcetype
5) index

2
Q

Options to display search results:

A
  1. Raw
  2. List
  3. Table
3
Q

@ (snap-to time modifier)

A

rounds down to the nearest specified time unit, e.g. -7d@d snaps to the start of the day seven days ago and @h snaps to the start of the current hour

4
Q

Lifetime of a search job

A
  1. Default is 10 minutes
  2. Can be extended to 7 days
  3. Schedule a report to keep search results longer
5
Q

Share link to Job

A
  1. Gives everyone read permissions
  2. Extends result retention to 7 days
  3. More efficient than each running search separately
6
Q

Export search results formats

A
  1. Raw events (text file)
  2. CSV
  3. XML
  4. JSON
7
Q

Phases of Index Time Process

A
  1. Input phase
  2. Parsing phase
  3. Indexing phase
8
Q

Input phase

A
  1. handled at the source (usually forwarder)
  2. the data sources are being opened and read
  3. data is handled as streams and any configuration settings are applied to the entire stream
9
Q

Parsing phase

A
  1. handled by indexers (or heavy forwarders)
  2. data is broken up into events and advanced processing can be performed

10
Q

Indexing phase

A
  1. License meter runs as data is initially written to disk, prior to compression
  2. After data is written to disk, it cannot be changed
11
Q

How to add data inputs

A
  1. Apps and add-ons from Splunkbase
  2. Splunk Web
  3. CLI
  4. Directly editing inputs.conf
12
Q

Metadata setting

A
  1. metadata is applied to the entire source
  2. applies default if not specified
  3. can be overwritten at input time
13
Q

Upload file from my computer

A
  1. local files only get indexed once
  2. does not create an inputs.conf stanza

14
Q

Monitor (add data option)

A
  1. one-time or continuous monitoring of files, directories, HTTP events, network ports or data-gathering scripts located on Splunk Enterprise instances
  2. useful for testing inputs
15
Q

Forward option (add data)

A
  1. Main source of input in production
  2. Remote machines gather data and forward it to indexers over a receiving port

16
Q

Index once

A

does not create a stanza in inputs.conf

17
Q

Set source type

A
  1. Splunk automatically determines the source type for major data types when there is enough data
  2. you can choose a different source type from the dropdown list
  3. you can create a new source type name for a specific source
18
Q

Input configurations is saved in:

A

SPLUNK_HOME/etc/apps/search/local

19
Q

When are indexed events available?

A
  1. events are searchable immediately after they are indexed
  2. it might take a minute for Splunk to start indexing the data

20
Q

Splunk Enterprise Install Package

A
  1. Indexer (search peer)
  2. Search Head
  3. Deployment Server
  4. License Master
  5. Heavy Forwarder
  6. Cluster Master
  7. Search Head Cluster
21
Q

Required Splunk Ports

A
  1. splunkweb: 8000 (default)
  2. splunkd management port: 8089 (default)
  3. forwarder receiving port: 9997 (conventional default, configured on the receiving indexer)
22
Q

Splunk Deployments

A
  1. Splunk Enterprise
  2. Splunk Cloud
  3. Splunk Light
23
Q

Splunk Apps

A
  1. Collections of files containing data inputs, UI elements, and/or knowledge objects
  2. Allows multiple workspaces for different use cases/user roles to co-exist on a single Splunk instance
24
Q

Splunk Enhanced Solutions

A
  1. Splunk IT Service Intelligence (ITSI)
  2. Splunk Enterprise Security (ES)
  3. Splunk User Behavior Analytics (UBA)
25
Q

Host

A

Unique identifier of where the events originated (host name, IP address, etc. )

26
Q

Source

A

Name of the file, stream or other input

27
Q

Sourcetype

A

Specific data type or data format

28
Q

Splunk Components

A
  1. Indexer
  2. Search Head
  3. Forwarder
29
Q

Splunk Deployments

A
  1. Standalone
  2. Basic
  3. Multi-Instance
  4. Increasing Capacity
  5. Index Cluster
30
Q

Additional Splunk Components

A
  1. Deployment Server
  2. Cluster Master
  3. License Master
31
Q

Indexer

A
  1. processes machine data
  2. store the results in indexes as events
  3. enable fast search and analysis
  4. contains raw data (compressed) and indexes (uncompressed)
32
Q

Forwarders

A
  1. Consume data and send it to indexers
  2. Require minimal resources and have little impact on performance
  3. Typically reside on the machines where the data originates
  4. Primary way data is supplied for indexing
33
Q

Search Heads

A
  1. Allow users to use the search language to search indexed data
  2. Distribute user search requests to indexers
  3. Consolidate the results, extract field-value pairs from the events and return them to the user
  4. Knowledge objects on search heads can be created to extract additional fields and transform the data without changing the underlying index data
  5. Also provide tools for reports, dashboards and visualizations
34
Q

Use search results to modify search

A
  1. Add the item to the search
  2. Exclude the item from the search
  3. Open a new search including only that item
35
Q

Fields extracted during the index time:

A
  1. meta fields: host, source, sourcetype, index
  2. internal fields: _time and _raw

36
Q

Selected fields

A
  1. Set of configurable fields displayed for each event
  2. Default: host, source, sourcetype

37
Q

Interesting fields

A

occur in at least 20% of resulting events

38
Q

Case sensitivity

A
  1. Field names ARE case sensitive
  2. Field values ARE NOT

39
Q

!= vs. NOT

A
  1. status!=200: returns events where the status field exists and its value is not 200
  2. NOT status=200: returns (1) plus all events where the status field does not exist
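As an added example (not part of the original deck), the two pipelines below show the difference on a small constructed dataset built with makeresults, so they run on any Splunk instance with no indexed data. Four rows are created: status 200, 404, 500, and one row with no status field at all. The field name is lowercase status because field names are case sensitive. The first pipeline returns neq_count=2 (the 404 and 500 rows); the second returns not_count=3, because the row without a status field also matches NOT status=200.

```spl
| makeresults count=4
| streamstats count AS n
| eval status=case(n=1, "200", n=2, "404", n=3, "500", true(), null())
| search status!=200
| stats count AS neq_count

| makeresults count=4
| streamstats count AS n
| eval status=case(n=1, "200", n=2, "404", n=3, "500", true(), null())
| search NOT status=200
| stats count AS not_count
```

The difference matters for detection content: a search written as status!=200 silently drops events where the field failed to extract, which is exactly the population an analyst usually wants to see, so prefer NOT field=value (or an explicit isnull() check) when missing fields are themselves suspicious.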
40
Q

Best practices

A
  1. time is the most efficient filter
  2. specify index values at the beginning of search string
  3. include as many search terms as possible
  4. make search terms as specific as possible
  5. inclusion is better than exclusion
  6. filter (i.e. remove duplicates) as early as possible
  7. when possible use OR instead of wildcards
  8. avoid wildcards at the beginning of string
41
Q

Wildcards location

A
  1. at the beginning of the string - scan all events within timeframe
  2. in the middle, may return inconsistent results
42
Q

Working with indexes

A
  1. it is possible to specify multiple indexes
  2. it is possible to use a wildcard in index values
  3. it is possible to search without an index, but not recommended
43
Q

Search Language Syntax Components

A
  1. Search terms
  2. Commands
  3. Functions
  4. Arguments
  5. Clauses
44
Q

Syntax coloring

A
  1. ORANGE: Boolean and command modifiers
  2. BLUE: commands
  3. GREEN: command arguments
  4. PURPLE: functions
45
Q

fields command

A
  1. field extraction is one of the most costly parts of search
  2. fields + (include): applied before field extraction, so it improves performance
  3. fields - (exclude): applied after field extraction, so there is no performance benefit
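As an added example, not from the original deck, here is a search that breaks several of the practices in the Best practices, Wildcards location, Working with indexes and fields command cards, followed by two rewrites that apply them. The index name web, the sourcetype access_combined and the field names host, status and uri_path are assumptions. The first rewrite puts the index and a time range first (@h snaps the boundaries to the hour), replaces the leading wildcard with an explicit OR of terms, and keeps only the needed fields with fields + so extraction is limited before the transforming command runs. The second shows several indexes at once with the index filter still at the front.

```spl
sourcetype=access* *error
| stats count BY host

index=web sourcetype=access_combined earliest=-24h@h latest=@h (error OR fail OR timeout)
| fields + host, status, uri_path
| stats count BY host, status

(index=web OR index=app) sourcetype=access_combined earliest=-24h@h latest=@h status>=500
| fields + index, host
| stats count BY index, host
```

The first search forces a scan of every event in every index for the time range and a substring match on each one; the rewrites let the indexer use the index and term lookups to discard most events before field extraction.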
46
Q

Sort command

A
  1. sort +field / sort -field: sorts that one field in the sign's order (+ ascending, - descending)
  2. sort + field / sort - field (sign followed by a space): applies the sort order to all following fields

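As an added example (not from the original deck), the three searches below differ only in the sort clause; index=web, sourcetype=access_combined and the host and status fields are assumptions. In the first, -count applies to count only, so status is sorted ascending. In the second the space after the minus sign makes both count and status descending. The third adds a row limit: sort <N> returns only the first N rows (the default limit is 10000; sort 0 returns all rows).

```spl
index=web sourcetype=access_combined earliest=-24h
| stats count BY host, status
| sort -count, status

index=web sourcetype=access_combined earliest=-24h
| stats count BY host, status
| sort - count, status

index=web sourcetype=access_combined earliest=-24h
| stats count BY host, status
| sort 10 -count, status
```

The one-character difference between sort -count, status and sort - count, status is easy to miss in a saved search, so check the secondary ordering in the results table rather than trusting the clause by eye.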
47
Q

Top command

A
  1. by default limit=10. limit=0 - unlimited results
  2. automatically returns count and percent
  3. common constraints: limit, countfield, showperc
48
Q

Count command

A
  1. count: returns the number of matching events based on the current search criteria
  2. count(field): the number of events where a value is present for specified field
49
Q

Avg function, does not include event if it

A
  1. does not have the field
  2. has an invalid (non-numeric) value for the field

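As an added example, not part of the original deck, this single pipeline demonstrates the Count command and Avg function cards together on a constructed dataset, so it runs with no indexed data. Five rows are built with makeresults: three for host web-01 (bytes 1024, 2048 and the non-numeric value abc) and two for web-02 (bytes 512 and one row with no bytes field). The host and bytes names are assumptions.

```spl
| makeresults count=5
| streamstats count AS n
| eval host=if(n<=3, "web-01", "web-02")
| eval bytes=case(n=1, "1024", n=2, "2048", n=3, "abc", n=4, "512", true(), null())
| stats count AS events, count(bytes) AS events_with_bytes, avg(bytes) AS avg_bytes BY host
```

Expected result: web-01 has events=3, events_with_bytes=3 (abc is present, so count(bytes) includes it) and avg_bytes=1536 (abc is non-numeric, so avg skips it and averages 1024 and 2048 only); web-02 has events=2, events_with_bytes=1 and avg_bytes=512. Comparing count with count(field) is a quick way to find how many events failed field extraction before trusting an average.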
50
Q

What are reports?

A
  1. saved searches
  2. show events, statistics (tables) or visualizations (charts)
  3. running a report returns fresh results every time you run it
  4. allow drill downs to see underlying events
  5. can be shared and added to dashboards
51
Q

Three main methods to create visualizations in Splunk

A
  1. Select a field from the fields sidebar and choose a report to run
  2. Pivot interface (dataset vs instant pivot)
  3. Use Splunk search language transforming commands
52
Q

Reports for alphanumeric values

A
  1. Top values
  2. Top values by time
  3. Rare values
  4. Events with this field
53
Q

Reports for numeric fields

A
  1. Average over time
  2. Max / Min over time
  3. plus the same reports as for alphanumeric fields
54
Q

Why create panels from reports?

A
  1. it is efficient
    a. single report can be used across different dashboards
    b. this links the report definition to the dashboard
  2. any change to underlying report affects every panel that utilizes this report
55
Q

Drilldown options

A
  1. None
  2. Link to search
  3. Link to report
  4. Link to dashboard
  5. Link to custom URL
  6. Manage tokens on this dashboard
56
Q

Lookups

A
  1. Allow you to add more fields to your events
  2. After lookup is configured, can use lookup fields in searches
  3. Lookup fields appear in the Fields sidebar
  4. Lookup field values are case sensitive
57
Q

Creating a lookup

A
  1. Upload the file for the lookup
  2. Define the lookup type
  3. Optionally: configure to run automatically
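As an added example, not from the original deck, the pipelines below walk through the Lookups and Creating a lookup cards entirely in SPL: the first writes a small constructed lookup file with outputlookup (this stands in for uploading a CSV and needs write permission in the current app), the second verifies its contents with inputlookup, and the third enriches search results with the lookup command. The file name http_status_example.csv, index=web, sourcetype=access_combined and the field names are assumptions.

```spl
| makeresults count=3
| streamstats count AS n
| eval status=case(n=1, "200", n=2, "404", true(), "500")
| eval status_description=case(n=1, "OK", n=2, "Not Found", true(), "Internal Server Error")
| table status, status_description
| outputlookup http_status_example.csv

| inputlookup http_status_example.csv

index=web sourcetype=access_combined earliest=-24h
| lookup http_status_example.csv status OUTPUT status_description
| stats count BY status, status_description
```

Lookup matching is case sensitive by default, so a lookup keyed on values such as user names or hostnames should either normalize the key with lower() on both sides or set case_sensitive_match to false in the lookup definition; otherwise events whose field value differs only in case get no status_description and disappear from the stats output.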
58
Q

Scheduled reports

A
  1. time range picker cannot be used with scheduled reports
59
Q

Scheduled reports actions

A
  1. Log event
  2. Output results to lookup
  3. Output results to telemetry endpoint
  4. Run a script
  5. Send email
  6. Webhook
60
Q

Report permissions

A

Run as

  1. Owner: all data accessible by the owner appears in the report
  2. User: only data allowed to be accessed by the user role appears
61
Q

Alert Actions

A
  1. Log event
  2. Output results to lookup
  3. Output results to telemetry endpoint
  4. Run a script
  5. Send email
  6. Webhook
62
Q

Time selection Options

A
  1. Presets
  2. Relative (e.g. earliest: x seconds ago)
  3. Real-time (NO)
  4. Date Range (between date x and date y)
  5. Date & Time Range
  6. Advanced
63
Q

Top/Rare command options

A
  1. countfield=
  2. limit=
  3. otherstr=
  4. percentfield=
  5. showcount=
  6. showperc=
  7. useother=
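As an added example (not from the original deck) covering the Top command and Top/Rare command options cards, the three searches below exercise the listed options; index=web, sourcetype=access_combined and the status, host and uri_path fields are assumptions. The first keeps the five most common status values, rolls everything else into one row labelled "everything else", and renames the count and percent columns. The second removes the limit entirely and drops the percent column while splitting by host. The third uses rare to find the three least common paths, which is often more interesting for hunting than the top ones.

```spl
index=web sourcetype=access_combined earliest=-24h
| top limit=5 useother=t otherstr="everything else" countfield=hits percentfield=share status

index=web sourcetype=access_combined earliest=-24h
| top limit=0 showperc=f status BY host

index=web sourcetype=access_combined earliest=-24h
| rare limit=3 showcount=f uri_path
```

Without useother=t the percentages in the first search still sum to the share of all events, not of the displayed rows, so the other row is the simplest way to make the table add up to 100%.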
64
Q

Dashboard panel based on report

A
  1. you cannot modify the search string in the panel
  2. you can change and configure the visualization

Source: https://docs.splunk.com/Documentation/Splunk/7.2.6/Viz/WorkingWithDashboardPanels

65
Q

Dashboard panels

A
  1. Inline panel (search written directly in the dashboard source code)
  2. Report panel

66
Q

Primary function of scheduled report

A

Running a saved search on a schedule and delivering its results (for example by email, to a lookup, or to a dashboard panel). Triggering an action when certain conditions are met is the function of an alert, not of a scheduled report.

67
Q

Alerts are based on the searches that can be run:

A
  1. in real time
  2. on a scheduled interval

68
Q

When a Splunk search generates calculated data that appears in the Statistics tab, in what formats can the results be exported?

A
  1. CSV
  2. XML
  3. JSON
69
Q

Triggered alert listing

A
  1. Time
  2. App
  3. Type
  4. Severity
  5. Mode

Source: https://docs.splunk.com/Documentation/Splunk/7.2.6/Alert/Reviewtriggeredalerts

70
Q

Alert permissions

A
  1. Private - only you can access
  2. Shared in App
    • all users can view triggered alerts
    • power users have write access
71
Q

What type of search can be saved as a report?

A

Any search can be saved as a report.

72
Q

When should a heavy forwarder be used instead of a universal forwarder?

A
  1. Use a heavy forwarder when data must be parsed at the source before it reaches the indexers, e.g. event-level filtering, routing or transformation
  2. The universal forwarder streams unparsed data and is the usual choice because of its small footprint

Source: http://karunsubramanian.com/splunk/what-is-the-difference-between-splunk-universal-forwarder-and-heavy-forwarder/

73
Q

You can view the search result in following format

A
  1. Table
  2. Raw
  3. List
74
Q

You cannot accelerate a report if:

A
  1. You created it through Pivot.
  2. Your permissions do not enable you to accelerate searches.
  3. Your role does not have write permissions for the report.
  4. The search that the report is based upon is disqualified for acceleration.

Source: https://docs.splunk.com/Documentation/Splunk/latest/Report/Acceleratereports

75
Q

Dashboards can be exported as

A
  1. PDF
  2. printed

76
Q

Report time range

A
  1. runs using the time range that was specified when it was saved
  2. use time range picker to change if available