Splunk Fundamentals 1

Question 1

Each splunk event has:

Answer 1

1) timestamp
2) host
3) source
4) sourcetype
5) index

Question 2

Options to display search results:

Answer 2

1. Raw
2. List
3. Table

Question 3

@

Answer 3

rounds down to the nearest specified time unit

Question 4

Lifetime of a search job

Answer 4

1. Default is 10 minutes
2. Can be extended to 7 days
3. Schedule a report to keep search results longer

Question 5

Share link to Job

Answer 5

1. Gives everyone read permissions
2. Extends result retention to 7 days
3. More efficient than each running search separately

Question 6

Export search results formats

Answer 6

1. Raw events (text file)
2. CSV
3. XML
4. JSON

Question 7

Phases of Index Time Process

Answer 7

1. Input phase
2. Parsing phase
3. Indexing phase

Question 8

Input phase

Answer 8

1. handled at the source (usually forwarder)
2. the data sources are being opened and read
3. data is handled as streams and any configuration settings are applied to the entire stream

Question 9

Parsing phase

Answer 9

1. handled by indexers (or heavy forwarders)

2. data is broken up into events and advanced processing can be performed

Question 10

Indexing phase

Answer 10

1. License meter runs as data and is initially written to disk, prior to compression
2. After data is written to disk, it cannot be changed

Question 11

How to add data inputs

Answer 11

1. Apps and add-ons from Splunkbase
2. Splunk Web
3. CLI
4. Directly editing inputs.conf

Question 12

Metadata setting

Answer 12

1. metadata is applied to the entire source
2. applies default if not specified
3. can be overwritten at input time

Question 13

Upload file from my computer

Answer 13

1. local files only get indexed once

2. does not create inputs.conf

Question 14

Monitor (add data option)

Answer 14

1. one-time or continuous monitoring of files, directories, http events, network ports of data gathering scripts located on Splunk Enterprese instances
2. useful for testing inputs

Question 15

Forward option (add data)

Answer 15

1. Main source of input in prod

2. Remote machine gather and forward data to indexes over a receiving port

Question 16

Index once

Answer 16

does not create a stanza in inputs.conf

Question 17

Set source type

Answer 17

1. splunk automatically determines the source type for major data types when there is enough data
2. you can choose a different source type form the dropdown list
3. you can create a new type name for specific source

Question 18

Input configurations is saved in:

Answer 18

SPLUNK_HOME/etc/apps/search/local

Question 19

When are indexes events are available?

Answer 19

1. immediately after search

2. might take a minute for Splunk to start indexing the data

Question 20

Splunk Enterprise Install Package

Answer 20

1. Indexer (search peer)
2. Search Head
3. Deployment Server
4. License Master
5. Heavy Forwarder
6. Cluster Master
7. Search Head Cluster

Question 21

Required Splunk Ports

Answer 21

1. splunkweb: 8000
2. splunkd
3. forwarder

Question 22

Splunk Deployments

Answer 22

1. Splunk Enterprise
2. Splunk Cloud
3. Splunk Light

Question 23

Splunk Apps

Answer 23

1. Collections of files containing data inputs, UI elements, and/or knowledge objects
2. Allows multiple workspaces for different use cases/user roles to co-exist on a single Splunk instance

Question 24

Splunk Enhanced Solutions

Answer 24

1. Splunk IT Service Intelligence (ITSI)
2. Splunk Enterprise Security (ES)
3. Splunk User Behavior Analytics (UBA)

Question 25

Host

Answer 25

Unique identifier of where the events originated (host name, IP address, etc. )

Question 26

Source

Answer 26

Name of the file, stream or other input

Question 27

Sourcetype

Answer 27

Specific data type or data format

Question 28

Splunk Compotents

Answer 28

1. Indexer
2. Search Head
3. Forwarder

Question 29

Splunk Deployments

Answer 29

1. Standalone
2. Basic
3. Multi-Instance
4. Increasing Capacity
5. Index Cluster

Question 30

Additional Splunk Components

Answer 30

1. Deployment Server
2. Cluster Master
3. License Master

Question 31

Indexer

Answer 31

1. processes machine data
2. store the results in indexes as events
3. enable fast search and analysis
4. contains raw data (compressed) and indexes (uncompressed)

Question 32

Forwarders

Answer 32

1. Consume and send data to indexes
2. Require minimal resources and have little impact on performance
3. Typically reside on the machines where the data originates
4. Primary way data is supplied for indexing

Question 33

Search Heads

Answer 33

1. Allows users to use the search language to search indexed data
2. Distributes user search requests to indexers
3. Consolidates the results and extracts field value pairs from the events to the user
4. KO on search heads can be created to extract additional fields and transform the data without changing the underlying index data
5. Also provides tools for reports, dashboards and visualizations

Question 34

Use search results to modify search

Answer 34

1. Add the item to the search
2. Exclude the item from the search
3. Open a new search including only that item

Question 35

Fields extracted during the index time:

Answer 35

1. meta fields - host, source, sourcetype, index

2. internal fields: _time and _raw

Question 36

Selected fields

Answer 36

1. Set of configurable fields displayed for each event

2. Default: host, source, sourcetype

Question 37

Interesting fields

Answer 37

occur in at least 20% of resulting events

Question 38

Case sensitivity

Answer 38

1. Field names ARE case sensitive

2. Field values ARE NOT

Question 39

!= vs. NOT

Answer 39

1. Status != 200: returns events where status field exists and its value != 200
2. NOT status = 200: returns (1) and all events where status field does not exist

Question 40

Best practices

Answer 40

1. time is the most efficient filter
2. specify index values at the beginning of search string
3. include as many search terms as possible
4. make search terms as specific as possible
5. inclusion is better than exclusion
6. filter (i.e. remove duplicates) as early as possible
7. when possible use OR instead of wildcards
8. avoid wildcards at the beginning of string

Question 41

Wildcards location

Answer 41

1. at the beginning of the string - scan all events within timeframe
2. in the middle, may return inconsistent results

Question 42

Working with indexes

Answer 42

1. its possible to specify multiple indexes
2. its possible to use wildcard in index values
3. possible to search without an index - but not recommended

Question 43

Search Language Syntax Components

Answer 43

1. Search terms
2. Commands
3. Functions
4. Arguments
5. Clauses

Question 44

Syntax coloring

Answer 44

1. ORANGE: Boolean and command modifiers
2. BLUE: commands
3. GREEN: command arguments
4. PURPLE: functions

Question 45

fields command

Answer 45

1. field extraction is one of the most costly parts of search
2. fields+: occurs before field extraction => improves performance
3. fields-: occurs after field extraction => no performance benefit

Question 46

Sort command

Answer 46

1. sort +/-: sort results in the sign’s order

2. sort +/- : applies sort order to all following fields

Question 47

Top command

Answer 47

1. by default limit=10. limit=0 - unlimited results
2. automatically returns count and percent
3. common constraints: limit, countfield, showperc

Question 48

Count command

Answer 48

1. count: returns the number of matching events based on the current search criteria
2. count(field): the number of events where a value is present for specified field

Question 49

Avg function, does not include event if it

Answer 49

1. does not have the field

2. has an invalid value for the field

Question 50

What are reports?

Answer 50

1. saved searches
2. show events, statistics (tables) or visualizations (charts)
3. running a report returns fresh results every time you run it
4. allow drill downs to see underlying events
5. can be shared and added to dashboards

Question 51

Three main methods to create visualizations in Splunk

Answer 51

1. Select a field from the fields sidebar and choose a report to run
2. Pivot interface (dataset vs instant pivot)
3. Use Splunk search language transforming commands

Question 52

Reports for alphanumeric values

Answer 52

1. Top values
2. Top values by time
3. Rare values
4. Events with this field

Question 53

Reports for numeric fields

Answer 53

1. Average over time
2. Max / Min over time
3. • 6. Same as alphanumeric

Question 54

Why create panels from reports?

Answer 54

1. it is efficient
   a. single report can be used across different dashboards
   b. this links the report definition to the dashboard
2. any change to underlying report affects every panel that utilizes this report

Question 55

Drilldown options

Answer 55

1. None
2. Link to search
3. Link to report
4. Link to dashboard
5. Link to custom URL
6. Manage tokens on this dashboard

Question 56

Lookups

Answer 56

1. Allow you to add more fields to your events
2. After lookup is configured, can use lookup fields in searches
3. Lookup fields appear in the Fields sidebar
4. Lookup field values are case sensitive

Question 57

Creating a lookup

Answer 57

1. Upload the file for the lookup
2. Define the lookup type
3. Optionally: configure to run automatically

Question 58

Scheduled reports

Answer 58

1. time range picker cannot be used with scheduled reports

Question 59

Scheduled reports actions

Answer 59

1. Log event
2. Output results to lookup
3. Output results to telemetry endpoint
4. Run a script
5. Send email
6. Webhook

Question 60

Report permissions

Answer 60

Run as

1. Owner: all data accessible by the owner appears in the report
2. User: only data allowed to be accessed by the user role appears

Question 61

Alert Actions

Answer 61

1. Log event
2. Output results to lookup
3. Output results to telemetry endpoint
4. Run a script
5. Send email
6. Webhook

Question 62

Time selection Options

Answer 62

1. Presets
2. Relative (i.e. Earliest x seconds ago)
3. Real-time (NO)
4. Date Range (Between? dd x and dd y)
5. Date & Time Range
6. Advanced

Question 63

Top/Rare command options

Answer 63

1. countfield=
2. limit=
3. otherstr=
4. percentfield=
5. showcount=
6. showperc=
7. useother=

Question 64

Dashboard panel based on report

Answer 64

1. you cannot modify the search string in the panel
2. you can change and configure the visualization

Source: https://docs.splunk.com/Documentation/Splunk/7.2.6/Viz/WorkingWithDashboardPanels

Question 65

Dashboard panels

Answer 65

1. Inline panel (search directly in source code)

2. Report panel

Question 66

Primary function of scheduled report

Answer 66

Triggering an alert in your Splunk instance when certain conditions are met.

Question 67

Alerts are based on the searches that can be run:

Answer 67

1. in real time

2. in a scheduled interval

Question 68

When a Splunk search generates calculated data that appears in the Statistics tab, in what formats can the results be exported?

Answer 68

1. CSV
2. XML
3. JSON

Question 69

Triggered alert listing

Answer 69

1. Time
2. App
3. Type
4. Severity
5. Mode

Source: https://docs.splunk.com/Documentation/Splunk/7.2.6/Alert/Reviewtriggeredalerts

Question 70

Alert permissions

Answer 70

1. Private - only you can access
2. Shared in App
   
   • all users can view triggered alerts
   • power users have write access

Question 71

What type of search can be saved as a report?

Answer 71

Any search can be saved as a report.

Question 72

We should use heavy forwarder for sending event-based data to Indexers.

Answer 72

Source: http://karunsubramanian.com/splunk/what-is-the-difference-between-splunk-universal-forwarder-and-heavy-forwarder/

Question 73

You can view the search result in following format

Answer 73

1. Table
2. Raw
3. List

Question 74

You cannot accelerate a report if:

Answer 74

1. You created it though Pivot.
2. Your permissions do not enable you to accelerate searches.
3. Your role does not have write permissions for the report.
4. The search that the report is based upon is disqualified for acceleration.

Source: https://docs.splunk.com/Documentation/Splunk/latest/Report/Acceleratereports

Question 75

Dashboards can be exported as

Answer 75

1. pdf

2. printed

Question 76

Report time range

Answer 76

1. runs using the time range that was specified when it was saved
2. use time range picker to change if available