Splunk Fundamentals 1 Flashcards
1
Q
Each splunk event has:
A
1) timestamp
2) host
3) source
4) sourcetype
5) index
2
Q
Options to display search results:
A
- Raw
- List
- Table
3
Q
@
A
rounds down to the nearest specified time unit
4
Q
Lifetime of a search job
A
- Default is 10 minutes
- Can be extended to 7 days
- Schedule a report to keep search results longer
5
Q
Share link to Job
A
- Gives everyone read permissions
- Extends result retention to 7 days
- More efficient than each running search separately
6
Q
Export search results formats
A
- Raw events (text file)
- CSV
- XML
- JSON
7
Q
Phases of Index Time Process
A
- Input phase
- Parsing phase
- Indexing phase
8
Q
Input phase
A
- handled at the source (usually forwarder)
- the data sources are being opened and read
- data is handled as streams and any configuration settings are applied to the entire stream
9
Q
Parsing phase
A
- handled by indexers (or heavy forwarders)
2. data is broken up into events and advanced processing can be performed
10
Q
Indexing phase
A
- License meter runs as data and is initially written to disk, prior to compression
- After data is written to disk, it cannot be changed
11
Q
How to add data inputs
A
- Apps and add-ons from Splunkbase
- Splunk Web
- CLI
- Directly editing inputs.conf
12
Q
Metadata setting
A
- metadata is applied to the entire source
- applies default if not specified
- can be overwritten at input time
13
Q
Upload file from my computer
A
- local files only get indexed once
2. does not create inputs.conf
14
Q
Monitor (add data option)
A
- one-time or continuous monitoring of files, directories, http events, network ports of data gathering scripts located on Splunk Enterprese instances
- useful for testing inputs
15
Q
Forward option (add data)
A
- Main source of input in prod
2. Remote machine gather and forward data to indexes over a receiving port
16
Q
Index once
A
does not create a stanza in inputs.conf
17
Q
Set source type
A
- splunk automatically determines the source type for major data types when there is enough data
- you can choose a different source type form the dropdown list
- you can create a new type name for specific source
18
Q
Input configurations is saved in:
A
SPLUNK_HOME/etc/apps/search/local
19
Q
When are indexes events are available?
A
- immediately after search
2. might take a minute for Splunk to start indexing the data
20
Q
Splunk Enterprise Install Package
A
- Indexer (search peer)
- Search Head
- Deployment Server
- License Master
- Heavy Forwarder
- Cluster Master
- Search Head Cluster
21
Q
Required Splunk Ports
A
- splunkweb: 8000
- splunkd
- forwarder
22
Q
Splunk Deployments
A
- Splunk Enterprise
- Splunk Cloud
- Splunk Light
23
Q
Splunk Apps
A
- Collections of files containing data inputs, UI elements, and/or knowledge objects
- Allows multiple workspaces for different use cases/user roles to co-exist on a single Splunk instance
24
Q
Splunk Enhanced Solutions
A
- Splunk IT Service Intelligence (ITSI)
- Splunk Enterprise Security (ES)
- Splunk User Behavior Analytics (UBA)
25
Host
Unique identifier of where the events originated (host name, IP address, etc. )
26
Source
Name of the file, stream or other input
27
Sourcetype
Specific data type or data format
28
Splunk Compotents
1. Indexer
2. Search Head
3. Forwarder
29
Splunk Deployments
1. Standalone
2. Basic
3. Multi-Instance
4. Increasing Capacity
5. Index Cluster
30
Additional Splunk Components
1. Deployment Server
2. Cluster Master
3. License Master
31
Indexer
1. processes machine data
2. store the results in indexes as events
3. enable fast search and analysis
4. contains raw data (compressed) and indexes (uncompressed)
32
Forwarders
1. Consume and send data to indexes
2. Require minimal resources and have little impact on performance
3. Typically reside on the machines where the data originates
4. Primary way data is supplied for indexing
33
Search Heads
1. Allows users to use the search language to search indexed data
2. Distributes user search requests to indexers
3. Consolidates the results and extracts field value pairs from the events to the user
4. KO on search heads can be created to extract additional fields and transform the data without changing the underlying index data
5. Also provides tools for reports, dashboards and visualizations
34
Use search results to modify search
1. Add the item to the search
2. Exclude the item from the search
3. Open a new search including only that item
35
Fields extracted during the index time:
1. meta fields - host, source, sourcetype, index
| 2. internal fields: _time and _raw
36
Selected fields
1. Set of configurable fields displayed for each event
| 2. Default: host, source, sourcetype
37
Interesting fields
occur in at least 20% of resulting events
38
Case sensitivity
1. Field names ARE case sensitive
| 2. Field values ARE NOT
39
!= vs. NOT
1. Status != 200: returns events where status field exists and its value != 200
2. NOT status = 200: returns (1) and all events where status field does not exist
40
Best practices
1. time is the most efficient filter
2. specify index values at the beginning of search string
3. include as many search terms as possible
4. make search terms as specific as possible
5. inclusion is better than exclusion
6. filter (i.e. remove duplicates) as early as possible
7. when possible use OR instead of wildcards
8. avoid wildcards at the beginning of string
41
Wildcards location
1. at the beginning of the string - scan all events within timeframe
2. in the middle, may return inconsistent results
42
Working with indexes
1. its possible to specify multiple indexes
2. its possible to use wildcard in index values
3. possible to search without an index - but not recommended
43
Search Language Syntax Components
1. Search terms
2. Commands
3. Functions
4. Arguments
5. Clauses
44
Syntax coloring
1. ORANGE: Boolean and command modifiers
2. BLUE: commands
3. GREEN: command arguments
4. PURPLE: functions
45
fields command
1. field extraction is one of the most costly parts of search
2. fields+: occurs before field extraction => improves performance
3. fields-: occurs after field extraction => no performance benefit
46
Sort command
1. sort +/-: sort results in the sign's order
| 2. sort +/- : applies sort order to all following fields
47
Top command
1. by default limit=10. limit=0 - unlimited results
2. automatically returns count and percent
3. common constraints: limit, countfield, showperc
48
Count command
1. count: returns the number of matching events based on the current search criteria
2. count(field): the number of events where a value is present for specified field
49
Avg function, does not include event if it
1. does not have the field
| 2. has an invalid value for the field
50
What are reports?
1. saved searches
2. show events, statistics (tables) or visualizations (charts)
3. running a report returns fresh results every time you run it
4. allow drill downs to see underlying events
5. can be shared and added to dashboards
51
Three main methods to create visualizations in Splunk
1. Select a field from the fields sidebar and choose a report to run
2. Pivot interface (dataset vs instant pivot)
3. Use Splunk search language transforming commands
52
Reports for alphanumeric values
1. Top values
2. Top values by time
3. Rare values
4. Events with this field
53
Reports for numeric fields
1. Average over time
2. Max / Min over time
3. - 6. Same as alphanumeric
54
Why create panels from reports?
1. it is efficient
a. single report can be used across different dashboards
b. this links the report definition to the dashboard
2. any change to underlying report affects every panel that utilizes this report
55
Drilldown options
1. None
2. Link to search
3. Link to report
4. Link to dashboard
5. Link to custom URL
6. Manage tokens on this dashboard
56
Lookups
1. Allow you to add more fields to your events
2. After lookup is configured, can use lookup fields in searches
3. Lookup fields appear in the Fields sidebar
4. Lookup field values are case sensitive
57
Creating a lookup
1. Upload the file for the lookup
2. Define the lookup type
3. Optionally: configure to run automatically
58
Scheduled reports
1. time range picker cannot be used with scheduled reports
59
Scheduled reports actions
1. Log event
2. Output results to lookup
3. Output results to telemetry endpoint
4. Run a script
5. Send email
6. Webhook
60
Report permissions
Run as
1. Owner: all data accessible by the owner appears in the report
2. User: only data allowed to be accessed by the user role appears
61
Alert Actions
1. Log event
2. Output results to lookup
3. Output results to telemetry endpoint
4. Run a script
5. Send email
6. Webhook
62
Time selection Options
1. Presets
2. Relative (i.e. Earliest x seconds ago)
3. Real-time (NO)
4. Date Range (Between? dd x and dd y)
5. Date & Time Range
6. Advanced
63
Top/Rare command options
1. countfield=
2. limit=
3. otherstr=
4. percentfield=
5. showcount=
6. showperc=
7. useother=
64
Dashboard panel based on report
1. you cannot modify the search string in the panel
2. you can change and configure the visualization
Source: https://docs.splunk.com/Documentation/Splunk/7.2.6/Viz/WorkingWithDashboardPanels
65
Dashboard panels
1. Inline panel (search directly in source code)
| 2. Report panel
66
Primary function of scheduled report
Triggering an alert in your Splunk instance when certain conditions are met.
67
Alerts are based on the searches that can be run:
1. in real time
| 2. in a scheduled interval
68
When a Splunk search generates calculated data that appears in the Statistics tab, in what formats can the results be exported?
1. CSV
2. XML
3. JSON
69
Triggered alert listing
1. Time
2. App
3. Type
4. Severity
5. Mode
Source: https://docs.splunk.com/Documentation/Splunk/7.2.6/Alert/Reviewtriggeredalerts
70
Alert permissions
1. Private - only you can access
2. Shared in App
* all users can view triggered alerts
* power users have write access
71
What type of search can be saved as a report?
Any search can be saved as a report.
72
We should use heavy forwarder for sending event-based data to Indexers.
Source: http://karunsubramanian.com/splunk/what-is-the-difference-between-splunk-universal-forwarder-and-heavy-forwarder/
73
You can view the search result in following format
1. Table
2. Raw
3. List
74
You cannot accelerate a report if:
1. You created it though Pivot.
2. Your permissions do not enable you to accelerate searches.
3. Your role does not have write permissions for the report.
4. The search that the report is based upon is disqualified for acceleration.
Source: https://docs.splunk.com/Documentation/Splunk/latest/Report/Acceleratereports
75
Dashboards can be exported as
1. pdf
| 2. printed
76
Report time range
1. runs using the time range that was specified when it was saved
2. use time range picker to change if available
