Splunk Fundamentals 1 Flashcards

1
Q

Splunk allows you to _____, analyze, and get _____ from your machine data.

A

aggregate, answers

2
Q

What are the 3 main components of Splunk?

A

search head, indexer, forwarder

3
Q

What are the 2 different types of Splunk deployment?

A

Splunk Enterprise and Splunk Cloud

4
Q

Splunk components are installed and administered on premises with this type of Splunk deployment.

A

Splunk Enterprise

5
Q

Splunk Enterprise is used as a scalable service and requires minimal infrastructure with this type of deployment.

A

Splunk Cloud

6
Q

A ____ ___ is designed to address a wide variety of use cases and to extend the power of Splunk.

A

Splunk app

7
Q

What do you use to download Splunk apps?

A

Splunkbase

8
Q

True or False. There are 1,000+ ready-made apps available on Splunkbase.

A

True

9
Q

Out of the box, what are the 3 main roles used in Splunk?

A

admin, power, user

10
Q

What is the default app that comes with Splunk?

A

Search & Reporting

11
Q

The ______ app provides a default interface for searching and analyzing data.

A

Search & Reporting

12
Q

A _____ is a unique identifier of where Splunk events originated (whether from a laptop, phone, etc.). In other words, this is the actual device that is generating the data.

a. source
b. host
c. sourcetype

A

b. host

13
Q

The name of a file (e.g. a Word file named “Splunk Class”), stream, or other input (where the data is specifically coming from, e.g. the “picture” folder on a phone) is the ______.

a. source
b. host
c. sourcetype

A

a. source

14
Q

In the Search & Reporting app, the Data Summary contains three summary tabs. Select all that apply.

a. host
b. source
c. index
d. sourcetype

A

a. host
b. source
d. sourcetype

15
Q

True or false: Search term values are case sensitive.

A

False

16
Q

NOT, OR and AND are called ____ in Splunk.

A

booleans

17
Q

The Boolean ____ is implied between terms.

A

AND

18
Q

_____ are locations where Splunk stores and searches for event data.

A

Indexes

19
Q

Splunk admins _____ data into separate indexes in order to establish different retention policies on different types of data, improve search performance, and limit access by role.

A

segregate

20
Q

Improving search ____ is one reason why Splunk admins segregate data into separate indexes.

A

performance

21
Q

Limiting ____ by role is one reason why Splunk admins segregate data into separate indexes.

A

access

22
Q

Establishing ___ policies (how long data is kept) on different types of data is one reason why Splunk admins segregate data into separate indexes.

A

retention

23
Q

An ____ is a Splunk component that processes machine data. Information within ____ is stored in _____, enabling fast search and analysis. (Visual example: a file folder with separate files inside it.)

A

indexer, indexers, indexes

24
Q

What Boolean can you use to search against multiple indexes?

A

OR

25
____ ____ shows a list of commands that can be entered into the search string.
Search Assistant
26
When search results display in Splunk do they display in reverse chronological order (newest first), or chronological order (oldest first) by default?
reverse chronological order
27
True or False. Matching search terms are not highlighted in Splunk.
False
28
Each event in Splunk contains the following metadata: timestamp, _____, index, ____ and host.
source, sourcetype
29
The results that come up in a search of Splunk are called _____.
events
30
The 3 layout options for displaying search results (or 3 ways to view results) are ____, ____ and ____.
list, table, raw
31
The ___ symbol "snaps" to the time unit that you specify in Splunk, rounding down to the nearest specified unit. For example, if the current time is 09:37:12 on March 31st and you want to look back 30 minutes, you would type -30m___h.
@
32
After search results come up in Splunk, to select across a narrower time range on the timeline, what would you need to do?
click/drag across a series of bars
33
Every search in Splunk is called a ____. By default, how long is each ____ available for?
job, 10 minutes
34
The job bar in a search allows you to ___ a job (toggle to resume a search), or ____ (finalizes the search in progress).
pause, stop
35
What in Splunk shows the distribution of events in the time range?
timeline
36
The ____ tool allows you to examine the following: overall stats of the search (e.g., records processed/returned, processing time); how the search was processed; and where Splunk spent its time.
Search Job Inspector tool
37
There are 3 types of search modes that you can use in Splunk. Which search mode emphasizes speed over completeness?
fast
38
There are 3 types of search modes that you can use in Splunk. Which search mode balances speed and completeness, and is the default search mode?
smart
39
There are 3 types of search modes that you can use in Splunk. The ____ search mode emphasizes completeness over speed. It also allows access to underlying events when using transforming commands (in addition to totals and stats)
verbose
40
There are ___ types of read permissions. The default mode, which is ____, only allows the creator access. If the read permission is set to ____, all app users can access the search results.
private, everyone
41
___ is the most efficient factor to use as a filter in Splunk. ____ is the second most efficient item to use as a Splunk filter.
time, index
42
After time and index, what are the 3 next filters that are the most efficient?
host, source, sourcetype
43
Is inclusion or exclusion generally better when it comes to search practices? Meaning including or excluding information?
inclusion
44
You should avoid using ____ at the beginning or in the middle of a string. ____ at the beginning of a string scan all events within the timeframe, while ____ in the middle of a string may return inconsistent results. What should be used instead?
wildcards (all 3 blanks); use OR or IN instead
45
True or false: Search term values are case sensitive.
False
46
Current time when the search starts is 08:31:15. -30m@h looks back to:
a. 8:00:00
b. 8:01:15
c. 9:00:00
b. 8:01:15
47
When you specify the following time range: earliest=-2d@d latest=@d
a. Looks back from two days ago, up to the beginning of today
b. Looks back exactly 48 hours ago
c. Looks back two days ago up to now
a. Looks back from two days ago, up to the beginning of today
48
Select one of the following that uses Splunk search best practices as it relates to wildcards.
a. *fail
b. fa*l
c. fail*
c. fail*
49
Between search terms, ____ is implied unless otherwise specified
AND
50
Host, index, source, sourcetype, splunk_server, and timestamp are ___ fields that are already stored with the events in indexes.
default
51
____ fields that are listed within an index include _raw, and _time.
internal
52
The fields sidebar includes two types of fields. What are they?
selected, interesting
53
What type of fields occur in at least 20% of resulting events in Splunk?
interesting
54
By default, the selected fields are what 3 metadata fields?
host, source, sourcetype
55
What does the following mean? status=404
error message for a webpage
56
What does the following mean? area_code=404
for a specific area code
57
If a value contains a space, it must be enclosed in ____ ____. i.e. VendorCountry= "United States"
double quotes
58
Field ____ are case sensitive, while field ____ are not. Take a look at the following example. Would it return results? HOST=ww3
names, values | no
59
Search for multiple values for a given field by using the _____ operator, e.g. (VendorCountry="United States" ____ VendorCountry="Canada"). Alternatively, you can use the ___ operator, e.g. VendorCountry ___ ("United States", "Canada").
OR, IN
60
Both ! and NOT ____ events from your search, but they can produce different results.
exclude
61
NOT status=200 returns events where the status field exists and the value in the field doesn't equal 200. However, it ALSO returns events where the status field ___ exist.
doesn't
62
status!=200 returns events where the status field ___ and the value in the field ____ equal 200.
exists, doesn't
63
By default, which are the three selected fields?
a. host
b. source
c. sourcetype
d. action
a. host b. source c. sourcetype
64
True or false: Field names are case sensitive.
True
65
True or false: Field values are case sensitive.
False, field values are NOT case sensitive
66
Clicking ______ actually opens a report for editing, while clicking the report _____ simply runs the report.
Open in Search | Title
67
By default, all reports are _____ (meaning only the report’s creator/owner can access or edit it), and the report is run using the privileges of the report’s creator/owner.
private
68
The three main ways to either create a ___ or ____ include selecting a field from the fields sidebar and choosing a quick report to run, using the Pivot interface, OR using the Splunk search language transforming commands in the Search bar.
table, visualization
69
The statistics tab allows you to view your results in Splunk as a ____.
table
70
_____ assigns colors based on the range of values.
Heat map
71
_____ and ____ ____ highlight the max and min of non-zero values.
high and low values
72
What consists of one or more panels displaying data visually in a useful way – such as events, tables, or charts?
a dashboard
73
In Splunk Enterprise, reports are _______ searches.
a. grouped
b. saved
c. archived
b. saved
74
When editing a report, you can do the following to the report. Select all that apply.
a. clone
b. edit schedule
c. delete
d. like
a. clone b. edit schedule c. delete
75
There are three main methods to create tables and visualizations in Splunk. Select all that apply.
a. Use the fields sidebar
b. Use the Pivot interface
c. Use transforming commands
d. Click Splunk banner icon
a. Use the fields sidebar b. Use the Pivot interface c. Use transforming commands
76
True or false: The Dashboard ID is automatically populated with a unique value.
True
77
True or false: You must be a Splunk Admin user to choose the home dashboard (default dashboard).
True
78
____ ____ ____ is used in your search language to tell Splunk what you want it to search for.
search language syntax
79
There are 5 basic ____ ___ that someone using Splunk may use when doing a search in Splunk.
syntax components
80
This search language syntax component deals with what a Splunker is looking for. Examples include keywords, phrases and Booleans.
search terms
81
This syntax component is blue and tells Splunk what you want to do with your results. Examples include: creating a chart, computing statistics, evaluating and formatting, etc.
commands
82
This syntax component is pink and tells Splunk how you want to chart, compute, or evaluate results. Examples include: getting a sum, getting an average, transforming values, etc.
functions
83
What color is the "commands" syntax component? What about the "functions" syntax component? How about Boolean operators and Command modifiers? How about command arguments?
blue, pink, orange, black
84
What color are the following syntax components in search language? clauses, arguments and search terms
black
85
This syntax component deals with the variables that you want to apply to a function. Example: summing all the values in the price field.
arguments
86
____ (which are a syntax component in Splunk) deal with how you want to group or rename fields in your results.
clauses
87
What command changes the name of a field? (i.e. If you wanted to change "productId" to "ProductID")
rename
88
True or False. Once you rename a field, the new field name CANNOT be used in the rest of the search string.
False. Once you rename a field, the new field name must be used in the rest of the search string.
89
Collections of files containing data inputs, UI elements, and/or knowledge objects are called _____.
apps
90
How many Splunk products are there for IT Operations?
8
91
Splunk for ____ generates real-time and predictive insights from industrial operational data.
Splunk for IoT
92
What does "IoT" in Splunk for IoT stand for?
internet of things
93
The ___ is the specific data type or data format where the data comes from (e.g. Word doc, PDF, Excel file, etc.).
sourcetype
94
What are quotation marks used for in Splunk search strings?
phrases
95
_________ in Splunk search strings are used to force precedence (meaning whatever is in ______ will be executed first). (Note: same answer for both blanks.)
parentheses
96
____ process machine data. They then store the results in ____ as events, thereby enabling fast search and analysis.
indexers, indexes
97
You can search against multiple indexes by using the ___ operator.
OR
98
Search Assistant is enabled by default in the user preferences of the ___ Editor.
SPL
99
What control in the SPL Editor determines whether or not numbers show next to each line within the search syntax?
Line numbers control
100
The SPL Editor "Search ____ format" option allows for automatic formatting of search syntax (which improves readability).
auto
101
This type of field occurs in at least 20% of resulting events. ____ fields, on the other hand, are a set of fields that display for each event.
interesting fields | selected fields
102
There are two types of default fields that are already stored with the event in the index. ____ fields have underscores and automatically come up when you start a search string. Examples include: "_raw," and "_time." ____ fields are things like host, index, source, sourcetype, splunk_server, timestamp.
internal | default
103
The ____ command returns a table formed by only fields in the argument list. Column ____ consist of field names.
table | headers
104
True or False. Once you rename a field, the new field name does not have to be used in the rest of the search string.
False. The new field name DOES have to be used in the rest of the search string.
105
What character (on your keyboard) can be used to rename multiple fields that match a pattern? For example, if you want to change the word "date" to "DATE" in date_minute and date_second in your table, you can input the following search string: | rename date_<blank> as DATE_<blank> What character goes in each blank?
a wildcard
106
The ___ command allows you to include or exclude fields in your search or report. The command takes either a + or - sign. Entering a + sign is not required because it's the default. Entering the - sign after a field makes tables or display output easier to read. However, there are no performance benefits, since the excluded fields are processed after all fields are already extracted.
fields
107
The ____ command is used to remove duplicates from your results.
dedup
108
This command arranges events in ascending or descending order.
sort command
109
If you wanted Splunk to only give you a maximum of 20 events, you would use the ____ command.
limit
110
If you put a + or - sign right next to only one field name in a search string with many field names, it will only sort that one field name. What will happen if you add a space between the sign and the field names in a search string? Example: | sort - name, thread (space added here between "-" and "name") in comparison to: | sort -name, thread (NO space added before the field name "name")
It will sort ALL of the field names
111
____ is used as an alternate method to access data without using search language, but requires use of data models and/or lookups.
Pivot
112
____ creates visualizations based on datasets, time ranges and additional filters that you select.
Pivot
113
The table command returns:
a. A table formed by only the fields in the argument list
b. A data table with statistical results
c. A bulleted list of key events
a. A table formed by only the fields in the argument list
114
When renaming fields with spaces or special characters, use the rename command and include the new field name in _________.
a. single quotes
b. double quotes
c. parentheses
b. double quotes
115
Use the dedup command to _________.
a. rename fields using alias
b. remove duplicate results
c. sort your results in descending order
b. remove duplicate results
116
By default, the sort command lists results in __________ order.
a. ascending
b. descending
a. ascending
117
What do Pivots require to create visualizations in Splunk? Select all that apply.
a. data models
b. lookups
c. web filters
d. spreadsheets
a. data models | b. lookups
118
The ___ command finds the most common values of a given field in results. What format does the output for the same command display in? Events, table, or visualizations?
top | table
119
When you use the top command, how many results display in the table by default?
10
120
You can control the number of results that are displayed in the top command table by using the ____ command.
limit
121
If you type limit=5 after using the top command, it will display ___ results.
5
122
When using the top command, typing "limit=0" will return a(n) ____ number of results.
unlimited
123
True or False. A percent column (the "showperc=t" option) is displayed by default in a table when using the top command. If you want to remove the percent column, "showperc=t" needs to be added to the search string.
True
124
The top command "___" clause groups results.
by
125
By default, the name of the "count" column (or count field) is "count." countfield=string (or countfield= the name you create) does what?
renames the field for display purposes
126
The ____ command returns the least common field values of a given field in the results. How are the results sorted by default? In descending order, or ascending order?
rare | ascending order
127
The ____ command enables you to calculate statistics on data that matches your search criteria. The common functions for the command are count, dc, sum, avg, max, min, list and values.
stats
128
Which of the following stats commands returns only an average of numeric values?
a. avg
b. max
c. dc
d. count
e. sum
f. min
g. value
h. list
a. avg
129
Which of the following stats commands returns the number of matching events based on the current search criteria?
a. avg
b. max
c. dc
d. count
e. sum
f. min
g. value
h. list
d. count
130
Which of the following stats commands refers to the minimum numeric value?
a. avg
b. max
c. dc
d. count
e. sum
f. min
g. value
h. list
f. min
131
Which of the following stats commands returns a sum of numeric values only?
a. avg
b. max
c. dc
d. count
e. sum
f. min
g. value
h. list
e. sum
132
Which of the following stats commands lists all values of a given field?
a. avg
b. max
c. dc
d. count
e. sum
f. min
g. value
h. list
h. list
133
The ___ stats command provides a count of how many unique values there are for a given field in the result set.
a. avg
b. max
c. dc, distinct_count
d. count
e. sum
f. min
g. value
h. list
c. dc, distinct_count
134
Which of the following stats commands refers to the maximum numeric value?
a. avg
b. max
c. dc
d. count
e. sum
f. min
g. value
h. list
b. max
135
The ___ stats command lists unique values of a given field.
a. avg
b. max
c. dc
d. count
e. sum
f. min
g. value
h. list
g. value
136
What clause would you use to rename the "count" field in your results?
as
137
When using the top command, add the BY clause to _______.
a. return results grouped by the field you specify in the BY clause
b. specify how many results to return
c. return a percentage of events
a. return results grouped by the field you specify in the BY clause
138
To display the least common values of a field, use the _________ command.
a. top
b. rare
c. stats
b. rare
139
When you use the stats command with a BY clause, what is returned?
a. a statistical output for each value of the named field
b. one row
c. numerical statistics computed on each field if and only if all of the values of that field are numerical
a. a statistical output for each value of the named field
140
index=sales sourcetype=vendor_sales | stats count(price) as "Units Sold", sum(price) as "Total Sales" BY product_name
In this search using the stats command, the BY clause is applied to:
a. count ( ) function
b. sum ( ) function
c. both count ( ) and sum ( ) functions
c. both count ( ) and sum ( ) functions
141
Which UI (UI = user interface) formatting options can be applied to a data table on the Statistics tab? Select all that apply.
a. Add row numbers, highlight high/low values, and show totals and percentages
b. Color-code data in each column
c. Add number formatting, such as currency symbols and thousands separators
d. Rename a field for display purposes
a. Add row numbers, highlight high/low values, and show totals and percentages b. Color-code data in each column c. Add number formatting, such as, currency symbols and thousands separators
142
The four types of Splunk _____ out-of-the-box are file-based, external, KV store and Geospatial.
lookups
143
____ provide enrichment to your event data by appending fields from another data source, also called lookup output fields.
Lookups
144
____ ____ sometimes pull static (or relatively unchanging) data from standalone files at search time and add it to the search results.
file-based lookups
145
True or False. Lookup field values are NOT case sensitive by default.
False | Lookups are case sensitive by default
146
Which command is used to search the contents of a lookup table?
inputlookup command
147
True or False. If a lookup is not configured to run automatically, use the lookup command in your search to use the lookup fields.
True
148
_____ lookups populate your events with fields pulled from CSV files.
a. KV Store
b. File-based
c. Geospatial
d. External
b. File-based
149
____ lookups use Python scripts or binary executables to append fields.
a. KV Store
b. File-based
c. Geospatial
d. External
d. External
150
____ lookups are KMZ or KML.
a. KV Store
b. File-based
c. Geospatial
d. External
c. Geospatial
151
____ lookups are the KV Store collection.
a. KV Store
b. File-based
c. Geospatial
d. External
a. KV Store
152
File-based lookups populate your events with fields pulled from _________ files.
a. KMZ (Keyhole Markup Language Zipped)
b. Python script
c. CSV (comma-separated values)
d. KV Store collection
c. CSV (comma-separated values)
153
File-based lookups pull data from standalone files at ___________ and add it to search results.
a. index time
b. search time
c. _time
b. search time
154
In Splunk, there are up to 3 steps involved to create a lookup. Select all that apply.
a. List existing lookup tables or upload a new file
b. Edit existing lookup definitions or define a new file-based or external lookup
c. Edit existing automatic lookups or configure a new lookup to run automatically
d. Download from Lookup Library
a. List existing lookup tables or upload a new file b. Edit existing lookup definitions or define a new file-based or external lookup c. Edit existing automatic lookups or configure a new lookup to run automatically
155
_____ reports are useful for:
- Monthly, weekly, daily executive/managerial roll-up reports
- Dashboard performance
- Automatically sending reports via email
- Enriching event data, such as generating a statistical output of historical events to a CSV file
scheduled