Splunk Fundamentals 1 Flashcards
Splunk allows you to _____, analyze, and get _____ from your machine data.
aggregate, answers
What are the 3 main components of Splunk?
search head, indexer, forwarder
What are the 2 different types of Splunk deployment?
Splunk Enterprise and Splunk Cloud
Splunk components are installed and administered on premises with this type of Splunk deployment.
Splunk Enterprise
Splunk Enterprise is used as a scalable service and requires minimal infrastructure with this type of deployment.
Splunk Cloud
A ____ ___ is designed to address a wide variety of use cases and to extend the power of Splunk.
Splunk app
What do you use to download Splunk apps?
Splunkbase
True or False. There are 1,000 + ready-made apps available on Splunkbase.
True
Out of the box, what are the 3 main roles used in Splunk?
admin, power, user
What is the default app that comes with Splunk?
Search & Reporting
The ______ app provides a default interface for searching and analyzing data.
Search & Reporting
A _____ is a unique identifier for where Splunk events originated (a laptop, a phone, a server, etc.). In other words, this is the actual device that is generating the data.
a. source
b. host
c. sourcetype
b. host
The name of a file (e.g. a Word file named “Splunk Class”), stream, or other input (where the data specifically comes from, e.g. the “pictures” folder on a phone) is the ______.
a. source
b. host
c. sourcetype
a. source
In the Search & Reporting app, the Data Summary contains three summary tabs. Select all that apply.
a. host
b. source
c. index
d. sourcetype
a. host
b. source
d. sourcetype
True or false: Search term values are case sensitive.
False
NOT, OR and AND are called ____ in Splunk.
booleans
The Boolean ____ is implied between terms.
AND
_____ are locations where Splunk stores and searches for event data
Indexes
Splunk admins _____ data into separate indexes in order to establish different retention policies on different types of data, improve search performance, and limit access by role.
segregate
Improving search ____ is one reason why Splunk admins segregate data into separate indexes.
performance
Limiting ____ by role is one reason why Splunk admins segregate data into separate indexes.
access
Establishing ___ policies (how long data is kept) on different types of data is one reason why Splunk admins segregate data into separate indexes.
retention
An ____ is a Splunk component that processes machine data. The data that ____ process is stored in _____, enabling fast search and analysis. (Visual example: a file folder with separate files inside it.)
indexer, indexers, indexes
What Boolean can you use to search against multiple indexes?
OR
____ ____ shows a list of commands that can be entered into the search string
Search Assistant
When search results display in Splunk do they display in reverse chronological order (newest first), or chronological order (oldest first) by default?
reverse chronological order
True or False. Matching search terms are not highlighted in Splunk.
False
Each event in Splunk contains the following metadata: timestamp, _____, index, ____ and host.
source, sourcetype
The results that come up in a search of Splunk are called _____.
events
The 3 layout options for displaying search results (or 3 ways to view results) are ____, ____ and ____.
list, table, raw
The ___ symbol “snaps” to the time unit that you specify in Splunk, and rounds down to the nearest specified unit. For example, if the current time was 09:37:12 on March 31st, and you want to look back to 30 minutes ago, you would type -30m___h.
@
After search results come up in Splunk, to select across a narrower time range on the timeline, what would you need to do?
click/drag across a series of bars
Every search in Splunk is called a ____. By default, how long is each ____ available for?
job, 10 minutes
The job bar in a search allows you to ___ a job (toggle to resume a search), or ____ (finalizes the search in progress).
pause, stop
What in Splunk shows the distribution of events in the time range?
timeline
The ____ tool allows you to examine the following:
Overall stats of the search (e.g., records processed/returned, processing time)
How the search was processed
Where Splunk spent its time
Search Job Inspector tool
There are 3 types of search modes that you can use in Splunk. Which search mode emphasizes speed over completeness?
fast
There are 3 types of search modes that you can use in Splunk. Which search mode balances speed and completeness, and is the default search mode?
smart
There are 3 types of search modes that you can use in Splunk. The ____ search mode emphasizes completeness over speed. It also allows access to underlying events when using transforming commands (in addition to totals and stats)
verbose
There are ___ types of read permissions for search results. The default, ____, only allows the creator access. If the read permission is set to ____, all users of the app can access the search results.
two, private, everyone
___ is the most efficient factor to use as a filter in Splunk. ____is the second most efficient item to use as a Splunk filter.
time, index
After time and index, what are the 3 next filters that are the most efficient?
host, source, sourcetype
Is inclusion or exclusion generally better when it comes to search practices? Meaning including or excluding information?
inclusion
You should avoid using ____ at the beginning or middle of a string. A ____ at the beginning of a string forces Splunk to scan every event in the time range, while a ____ in the middle of a string may return inconsistent results.
What should be used instead?
wildcards (all 3 blanks)
Use instead: the OR or IN operator (a trailing wildcard such as fail* is fine)
Current time when the search starts is 08:31:15. -30m@h looks back to:
a. 8:00:00
b. 8:01:15
c. 9:00:00
a. 8:00:00 (-30m gives 08:01:15, then @h snaps down to the start of that hour)
When you specify the following time range:
earliest=-2d@d
latest=@d
a. Looks back from the beginning of the day two days ago, up to the beginning of today
b. Looks back exactly 48 hours
c. Looks back from two days ago up to now
a. Looks back from the beginning of the day two days ago, up to the beginning of today (today's events are excluded)
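As an added, runnable illustration of how the @ snap-to modifier works with the cases on these cards (this is example code, not Splunk's own implementation), the following Python emulates relative time modifiers. It assumes wall-clock timestamps without time zones, supports only the s, m, h, d and w units, and the "now" values are constructed.

```python
"""Emulation of Splunk relative time modifiers (added example, not Splunk code).

Supports an optional offset such as -30m or -2d, followed by an optional
snap-to unit such as @h or @d. The offset is applied first, then the snap,
and the snap always rounds DOWN to the start of the unit.
"""
import re
from datetime import datetime, timedelta

_UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
_PATTERN = re.compile(r"^(?:([+-])(\d+)([smhdw]))?(?:@([smhdw]))?$")


def snap_down(ts, unit):
    """Round ts down to the start of the given unit (Splunk's '@' behaviour)."""
    if unit == "s":
        return ts.replace(microsecond=0)
    if unit == "m":
        return ts.replace(second=0, microsecond=0)
    if unit == "h":
        return ts.replace(minute=0, second=0, microsecond=0)
    if unit == "d":
        return ts.replace(hour=0, minute=0, second=0, microsecond=0)
    if unit == "w":  # Splunk snaps @w to the previous Sunday
        day = ts.replace(hour=0, minute=0, second=0, microsecond=0)
        return day - timedelta(days=(day.weekday() + 1) % 7)
    raise ValueError(f"unknown snap unit {unit!r}")


def resolve(modifier, now):
    """Resolve a modifier such as '-30m@h', '-2d@d' or '@d' against now."""
    if modifier == "now":
        return now
    m = _PATTERN.match(modifier)
    if not m:
        raise ValueError(f"unsupported modifier {modifier!r}")
    sign, amount, unit, snap = m.groups()
    ts = now
    if amount is not None:  # step 1: apply the relative offset
        delta = timedelta(seconds=int(amount) * _UNIT_SECONDS[unit])
        ts = ts - delta if sign == "-" else ts + delta
    if snap is not None:    # step 2: snap down to the unit boundary
        ts = snap_down(ts, snap)
    return ts


def resolve_iso(modifier, now_iso):
    """Convenience wrapper: ISO-8601 'now' in, 'YYYY-MM-DD HH:MM:SS' out."""
    return resolve(modifier, datetime.fromisoformat(now_iso)).strftime("%Y-%m-%d %H:%M:%S")


def time_range(earliest, latest, now_iso):
    """Resolve an earliest/latest pair the way a search time range does."""
    return resolve_iso(earliest, now_iso), resolve_iso(latest, now_iso)


if __name__ == "__main__":
    now = "2024-03-31T08:31:15"          # constructed 'current time'
    print(resolve_iso("-30m@h", now))   # 2024-03-31 08:00:00
    print(time_range("-2d@d", "@d", now))
```

Note the order of operations: the offset moves the clock back first, and only then does @ round down. That is why -30m@h at 08:31:15 gives 08:00:00 rather than 08:01:15, and why -1h@h at 00:10 crosses midnight into the previous day.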
Select one of the following that uses Splunk search best practices as it relates to wildcards.
a. fail
b. fal
c. fail*
c. fail*
Between search terms, ____ is implied unless otherwise specified
AND
Host, index, source, sourcetype, splunk_server, and timestamp are ___ fields that are already stored with the events in indexes.
default
____ fields that are listed within an index include _raw, and _time.
internal
The fields sidebar includes two types of fields. What are they?
selected, interesting
What type of fields occur in at least 20% of resulting events in Splunk?
interesting
By default, the selected fields are what 3 metadata fields?
host, source, sourcetype
What does the following mean?
status=404
error message for a webpage
What does the following mean?
area_code=404
for a specific area code
If a value contains a space, it must be enclosed in ____ ____.
e.g. VendorCountry="United States"
double quotes
Field ____ are case sensitive, while field ____ are not.
Take a look at the following example? Would it return results?
HOST=ww3
names, values
no
Search for multiple values for a given field by using the _____ operator.
e.g. VendorCountry="United States" ____ VendorCountry="Canada"
Alternatively, you can use the ___ operator:
e.g. VendorCountry ___ ("United States", "Canada")
OR, IN
Both != and NOT ____ events from your search, but they can produce different results.
exclude
NOT status=200 returns events where status field exists and value in field doesn’t equal 200. However it ALSO returns events where status field ___ exist.
doesn’t
status!=200 returns events where status field ___ and value in field ____ equal 200.
exists, doesn’t
By default, which are the three selected fields?
a. host
b. source
c. sourcetype
d. action
a. host
b. source
c. sourcetype
True or false: Field names are case sensitive.
True
True or false: Field values are case sensitive.
False, field values are NOT case sensitive
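The three rules on the preceding cards (field names are case-sensitive, field values are not, and NOT field=value differs from field!=value when the field is missing) are easy to get wrong in a detection search. As an added example, not Splunk's own matching code, the Python below reproduces those semantics over a handful of constructed events so the differences can be checked directly.

```python
"""Emulation of Splunk field-match semantics (added example, not Splunk code).

Rules demonstrated:
  * field NAMES are case-sensitive  (HOST=ww3 never matches the 'host' field)
  * field VALUES are not            (host=ww3 matches both 'ww3' and 'WW3')
  * NOT status=200 also returns events that have no status field at all,
    while status!=200 requires the field to exist and differ.
"""

# Constructed sample events; the last one deliberately has no status field.
EVENTS = [
    {"host": "ww1", "status": "200", "action": "purchase"},
    {"host": "ww2", "status": "404"},
    {"host": "WW3", "status": "500"},
    {"host": "ww3"},
]


def field_equals(event, name, value):
    """field=value: the name must match exactly; the value compares case-insensitively."""
    if name not in event:
        return False
    return str(event[name]).casefold() == str(value).casefold()


def search_eq(events, name, value):
    """`name=value`"""
    return [e for e in events if field_equals(e, name, value)]


def search_not(events, name, value):
    """`NOT name=value`: everything the positive match did not return,
    including events in which the field does not exist."""
    return [e for e in events if not field_equals(e, name, value)]


def search_neq(events, name, value):
    """`name!=value`: the field must exist AND its value must differ."""
    return [e for e in events if name in e and not field_equals(e, name, value)]


def hosts(results):
    """Project the host field so result sets are easy to compare."""
    return [e["host"] for e in results]


if __name__ == "__main__":
    print(hosts(search_eq(EVENTS, "host", "ww3")))        # ['WW3', 'ww3']
    print(hosts(search_eq(EVENTS, "HOST", "ww3")))        # []
    print(hosts(search_not(EVENTS, "status", "200")))     # ['ww2', 'WW3', 'ww3']
    print(hosts(search_neq(EVENTS, "status", "200")))     # ['ww2', 'WW3']
```

The practical consequence for alerting: a search meant to catch "every non-200 response" with status!=200 silently drops events where the status field failed to extract, whereas NOT status=200 keeps them. Pick the form that matches what you actually want to see.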
Clicking ______ actually opens a report for editing, while clicking the report _____ simply runs the report.
Open in Search
Title
By default, all reports are _____ (meaning only the report’s creator/owner can access or edit it), and the report is run using the privileges of the report’s creator/owner.
private
The three main ways to either create a ___ or ____ include selecting a field from the fields sidebar and choosing a quick report to run, using the Pivot interface, OR using the Splunk search language transforming commands in the Search bar.
table, visualization
The statistics tab allows you to view your results in Splunk as a ____.
table
_____ ___ assigns colors based on the range of values.
Heat map
____ ___ ___ ____ highlights the max and min (non-zero) values.
High and low values
What consists of one or more panels displaying data visually in a useful way – such as events, tables, or charts?
a dashboard
In Splunk Enterprise, reports are _______ searches.
a. grouped
b. saved
c. archived
b. saved
When editing a report, you can do the following to the report. Select all that apply.
a. clone
b. edit schedule
c. delete
d. like
a. clone
b. edit schedule
c. delete
There are three main methods to create tables and visualizations in Splunk. Select all that apply.
a. Use the fields sidebar
b. Use the Pivot interface
c. Use transforming commands
d. Click Splunk banner icon
a. Use the fields sidebar
b. Use the Pivot interface
c. Use transforming commands
True or false: The Dashboard ID is automatically populated with a unique value.
True
True or false: You must be a Splunk Admin user to choose the home dashboard (default dashboard).
True
____ ____ ____ is what you enter in the search bar to tell Splunk what you want it to search for.
search language syntax
There are 5 basic ____ ___ that someone using Splunk may use when doing a search in Splunk.
syntax components
This syntax component describes what a Splunker is looking for. Examples include keywords, phrases and Booleans.
search terms
This syntax component is blue and tells Splunk what you want to do with your results.
Examples include: creating a chart, computing statistics, evaluating and formatting, etc.
commands
This syntax component is pink and tells Splunk how you want to chart, compute, or evaluate results.
Examples include: getting a sum, getting an average, transforming values, etc.
functions
What color is the “commands” syntax component? What about the “functions” syntax component? How about Boolean operators and command modifiers? How about command arguments?
blue
pink
orange
green
What color are the following syntax components in the search language?
clauses (BY, AS), arguments, and plain search terms
orange, green, default text color (search terms are not highlighted)
This syntax component is the variable (usually a field) that you apply a function to.
Example: in sum(price), price is the argument that tells the sum function which field's values to add up.
arguments
____ (which are a syntax component in Splunk) deal with how you want to group or rename fields in your results.
clauses
What command changes the name of a field? (i.e. If you wanted to change “productId” to “ProductID”)
rename
True or False. Once you rename a field, the new field name CANNOT be used in the rest of the search string.
False
Once you rename a field, the new field name must be used in the rest of the search string
Collections of files containing data inputs, UI elements, and/or knowledge objects are called _____.
apps
How many Splunk products are there for IT Operations?
8
Splunk for ____ generates real-time and predictive insights from industrial operational data.
Splunk for IoT
What does “IoT” in Splunk for IoT stand for?
internet of things
The ___ identifies the format of the data (e.g. access_combined for Apache web access logs, or syslog), which tells Splunk how to parse the data into events.
sourcetype
What are quotation marks used for in Splunk search strings?
phrases
_________ in Splunk search strings are used to force precedence, meaning whatever is inside the ______ is evaluated first. (Note: same answer for both.)
parentheses
____ process machine data. They then store the results in ____ as events, thereby enabling fast search and analysis.
indexers, indexes
You can search against multiple indexes by using the ___ operator.
OR
Search Assistant is enabled by default in the user preferences of the ___ Editor.
SPL
What control in the SPL Editor determines whether or not numbers show next to each line within the search syntax?
Line numbers control
The SPL Editor “Search ____ format” option allows for automatic formatting of search syntax (which improves readability).
auto
These type of fields occur in at least 20% of resulting events. ____ fields on the other hand are a set of fields that display for each event.
interesting fields
selected fields
There are two types of default fields that are already stored with the event in the index. ____ fields have underscores and automatically come up when you start a search string. Examples include: “_raw,” and “_time.” ____ fields are things like host, index, source, sourcetype, splunk_server, timestamp.
internal
default
The ____ command returns a table formed by only fields in the argument list. Column ____ consist of field names.
table
headers
True or False. Once you rename a field, the new field name does not have to be used in the rest of the search string.
False
The new field name DOES have to remain the rest of the search string.
What character (on your keyboard) can be used to rename multiple fields that match a pattern? For example, if you want to change the word “date” to “DATE” in date_minute and date_second in your table, you can input the following search string:
What character goes in each blank?
| rename date___ as DATE___
a wildcard (*), i.e. | rename date_* as DATE_*
The ___ command lets you include or exclude fields in your search or report. It takes an optional + or - sign. + (include) is the default, so the sign is not required; including only the fields you need improves performance because fewer fields have to be extracted. - excludes the listed fields, which makes tables and output easier to read but gives no performance benefit, because the excluded fields are removed only after all fields have already been extracted.
fields
The ____ command is used to remove duplicates from your results.
dedup
This command arranges events in ascending or descending order.
sort command
If you wanted Splunk to return only the first 20 events, you would use the ____ command. (limit is not a command; it is an option of the top and rare commands.)
head (| head 20)
If you put a + or - sign directly in front of one field name in a sort with many field names, the sort direction applies to that one field only. What happens if you add a space between the sign and the field names?
Example:
| sort - name, thread
(space added between "-" and "name")
in comparison to:
| sort -name, thread
(no space between "-" and the field name "name")
With the space, the sort direction applies to ALL of the listed fields; without it, only "name" is sorted descending and the remaining fields are sorted ascending.
____ is used as an alternate method to access data without using search language, but requires use of data models and/or lookups.
Pivot
____ creates visualizations based on datasets, time ranges and additional filters that you select.
Pivot
The table command returns:
a. A table formed by only the fields in the argument list
b. A data table with statistical results
c. A bulleted list of key events
a. A table formed by only the fields in the argument list
When renaming fields with spaces or special characters, use the rename command and include the new field name in _________.
a. single quotes
b. double quotes
c. parentheses
b. double quotes
Use the dedup command to _________.
a. rename fields using alias
b. remove duplicate results
c. sort your results in descending order
b. remove duplicate results
By default, the sort command lists results in __________ order.
a. ascending
b. descending
a. ascending
What do Pivots require to create visualizations in
Splunk? Select all that apply.
a. data models
b. lookups
c. web filters
d. spreadsheets
a. data models
b. lookups
The ___ command finds the most common values of a given field in results. What format does the output for the same command display in? Events, table, or visualizations?
top
table
When you use the top command, how many results display in the table by default?
10
You can control the number of results that are displayed in the top command table by using the ____ option (argument).
limit
If you type limit=5 after using the top command, it will display ___ results.
5
When using the top command, typing “limit=0” will return a(n) ____ number of results.
unlimited
True or False
A percent column is displayed by default in the table produced by the top command (showperc=t). To remove the percent column, showperc=f must be added to the search string.
True
The top command “___” clause groups results.
by
By default, the name of the “count” column (or count field) is “count.”
countfield=string (or countfield= the name you create) does what?
renames the field for display purposes
The ____ command returns the least common field values of a given field in the results. How are the results sorted by default? In descending order, or ascending order?
rare
ascending order
The ____ command enables you to calculate statistics on data that matches your search criteria. The common functions for the command are count, dc, sum, avg, max, min, list and values.
stats
Which of the following stats functions returns the average of the numeric values only?
a. avg
b. max
c. dc
d. count
e. sum
f. min
g. values
h. list
a. avg
Which of the following stats functions returns the number of matching events based on the current search criteria?
a. avg
b. max
c. dc
d. count
e. sum
f. min
g. values
h. list
d. count
Which of the following stats functions returns the minimum numeric value?
a. avg
b. max
c. dc
d. count
e. sum
f. min
g. values
h. list
f. min
Which of the following stats functions returns a sum of the numeric values only?
a. avg
b. max
c. dc
d. count
e. sum
f. min
g. values
h. list
e. sum
Which of the following stats functions lists all values of a given field (duplicates included)?
a. avg
b. max
c. dc
d. count
e. sum
f. min
g. values
h. list
h. list
Which stats function provides a count of how many unique values there are for a given field in the result set?
a. avg
b. max
c. dc (distinct_count)
d. count
e. sum
f. min
g. values
h. list
c. dc (distinct_count)
Which of the following stats functions returns the maximum numeric value?
a. avg
b. max
c. dc
d. count
e. sum
f. min
g. values
h. list
b. max
Which stats function lists the unique values of a given field?
a. avg
b. max
c. dc
d. count
e. sum
f. min
g. values
h. list
g. values
What clause would you use to rename the “count” field in your results?
as
When using the top command, add the BY clause to _______.
a. return results grouped by the field you specify in the BY clause
b. specify how many results to return
c. return a percentage of events
a. return results grouped by the field you specify in the BY clause
To display the least common values of a field, use the _________ command.
a. top
b. rare
c. stats
b. rare
When you use the stats command with a BY clause, what is returned?
a. a statistical output for each value of the named field
b. one row
c. computes numerical statistics on each field if and only if all of the values of that of that field are numerical
a. a statistical output for each value of the named field
index=sales sourcetype=vendor_sales
| stats count(price) as “Units Sold”, sum(price) as “Total Sales” BY product_name
In this search using the stats command, the BY clause is applied to:
a. count ( ) function
b. sum ( ) function
c. both count ( ) and sum ( ) functions
c. both count ( ) and sum ( ) functions
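To make the top, rare and stats cards above concrete, here is an added Python emulation of those three commands (example code, not Splunk's own implementation). It runs the search from the previous card, stats count(price) ... sum(price) ... BY product_name, over constructed vendor_sales-style events, and also shows limit, showperc, countfield and by for top, the ascending order of rare, and the dc and values functions. The product and country values are made up.

```python
"""Emulation of the top, rare and stats commands (added example, not Splunk's
own code). EVENTS are constructed vendor_sales-style records; one of them
deliberately has no price field."""
from collections import Counter, defaultdict

EVENTS = [
    {"product_name": "Dream Crusher", "VendorCountry": "United States", "price": 39.99},
    {"product_name": "Dream Crusher", "VendorCountry": "Canada", "price": 39.99},
    {"product_name": "Mediocre Kingdoms", "VendorCountry": "United States", "price": 24.99},
    {"product_name": "Dream Crusher", "VendorCountry": "United States", "price": 39.99},
    {"product_name": "Final Sequel", "VendorCountry": "Germany", "price": 24.99},
    {"product_name": "Mediocre Kingdoms", "VendorCountry": "Canada"},
]


def _num(v):
    try:
        return float(v)
    except (TypeError, ValueError):
        return None


def _aggregate(func, vals):
    """Apply one stats function to the values a field has within one group."""
    nums = [n for n in map(_num, vals) if n is not None]
    if func == "count":
        return len(vals)
    if func == "dc":
        return len(set(vals))
    if func == "sum":
        return round(sum(nums), 2)
    if func == "avg":
        return round(sum(nums) / len(nums), 2) if nums else None
    if func == "max":
        return max(nums) if nums else None
    if func == "min":
        return min(nums) if nums else None
    if func == "list":
        return list(vals)
    if func == "values":
        return sorted(set(vals))
    raise ValueError(f"unknown stats function {func!r}")


def stats(events, specs, by=None):
    """`stats f(field) as alias, ... [by group]`; specs = [(func, field, alias)].
    Events missing the field are skipped by every function, so count(price)
    can be smaller than the raw event count. The by clause applies to every
    function in the list, one output row per value of the by field."""
    buckets = defaultdict(list)
    for e in events:
        if by is None or by in e:
            buckets[e.get(by)].append(e)
    rows = []
    for key in sorted(buckets, key=str):
        row = {} if by is None else {by: key}
        for func, field, alias in specs:
            row[alias] = _aggregate(func, [e[field] for e in buckets[key] if field in e])
        rows.append(row)
    return rows


def top(events, field, limit=10, showperc=True, countfield="count", by=None):
    """`top field [limit=N] [showperc=t|f] [countfield=name] [by group]`.
    Most common values first; limit=0 means unlimited; percent is relative
    to the group the value was counted in."""
    groups = defaultdict(Counter)
    for e in events:
        if field in e and (by is None or by in e):
            groups[e.get(by)][e[field]] += 1
    rows = []
    for g, counter in groups.items():
        total = sum(counter.values())
        for value, n in counter.most_common(None if limit == 0 else limit):
            row = {} if by is None else {by: g}
            row[field] = value
            row[countfield] = n
            if showperc:
                row["percent"] = round(100.0 * n / total, 6)
            rows.append(row)
    return rows


def rare(events, field, limit=10):
    """`rare field`: least common values first (count ascending)."""
    counter = Counter(e[field] for e in events if field in e)
    total = sum(counter.values())
    ranked = sorted(counter.items(), key=lambda kv: kv[1])
    if limit:
        ranked = ranked[:limit]
    return [{field: v, "count": n, "percent": round(100.0 * n / total, 6)}
            for v, n in ranked]


if __name__ == "__main__":
    print(stats(EVENTS, [("count", "price", "Units Sold"),
                         ("sum", "price", "Total Sales")], by="product_name"))
    print(top(EVENTS, "product_name", limit=2))
    print(rare(EVENTS, "VendorCountry"))
```

Note that "Mediocre Kingdoms" reports Units Sold = 1 although two events carry that product name: count(price) counts events that have a price, not events in the group. Use count (no argument) or count(product_name) if what you want is the number of events.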
Which UI (UI = user interface) formatting options can be applied to a data table on the Statistics tab? Select all that apply.
a. Add row numbers, highlight high/low values, and show totals and percentages
b. Color-code data in each column
c. Add number formatting, such as, currency symbols and thousands separators
d. Rename a field for display purposes
a. Add row numbers, highlight high/low values, and show totals and percentages
b. Color-code data in each column
c. Add number formatting, such as, currency symbols and thousands separators
The four types of Splunk _____ out-of-the-box are file-based, external, KV store and Geospatial.
lookups
____ provide enrichment to your event data by appending fields from another data source, also called lookup output fields.
Lookups
____ ____ sometimes pull static (or relatively unchanging) data from standalone files at search time and add it to the search results.
file-based lookups
True or False. Lookup field values are NOT case sensitive by default.
False
Lookups are case sensitive by default
Which command is used to search the contents of a lookup table?
inputlookup command
True or False. If a lookup is not configured to run automatically, use the lookup command in your search to use the lookup fields.
True
_____ lookups populate your events with fields pulled from CSV files.
a. KV Store
b. File-based
c. Geospatial
d. External
b. File-based
____ lookups use Python scripts or binary executables to populate events with fields.
a. KV Store
b. File-based
c. Geospatial
d. External
d. External
____ lookups use KMZ or KML files.
a. KV Store
b. File-based
c. Geospatial
d. External
c. Geospatial
____ lookups pull fields from a KV Store collection.
a. KV Store
b. File-based
c. Geospatial
d. External
a. KV Store
File-based lookups populate your events with fields pulled from _________ files.
a. KMZ (Keyhole Markup language Zipped)
b. Python script
c. CSV (comma-separated values)
d. KV Store collection
c. CSV (comma-separated values)
File-based lookups pull data from standalone files at ___________ and add it to search results.
a. index time
b. search time
c. _time
b. search time
In Splunk, there are up to 3 steps involved to create a lookup. Select all that apply.
a. List existing lookup tables or upload a new file
b. Edit existing lookup definitions or define a new file-based or external lookup
c. Edit existing automatic lookups or configure a new lookup to run automatically
d. Download from Lookup Library
a. List existing lookup tables or upload a new file
b. Edit existing lookup definitions or define a new file-based or external lookup
c. Edit existing automatic lookups or configure a new lookup to run automatically
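The lookup cards above describe search-time enrichment from a CSV file, the inputlookup and lookup commands, and the default case-sensitive matching of lookup values. As an added example (not Splunk's own lookup code), the Python below emulates a file-based lookup end to end over a constructed CSV table and constructed events, so the case-sensitivity caveat can be observed on an event whose host differs from the table only in letter case.

```python
"""Emulation of a file-based (CSV) lookup (added example, not Splunk's own
code). Shows search-time enrichment with lookup output fields, and the
default case_sensitive_match=true behaviour. The CSV text and the events
are constructed sample data."""
import csv
import io

# Constructed lookup table, as uploaded under Settings > Lookups > Lookup table files.
HOST_CSV = """\
host,owner,environment
ww1,web-team,prod
ww2,web-team,staging
db1,dba,prod
"""

# Constructed sample events.
EVENTS = [
    {"host": "ww1", "status": "200"},
    {"host": "WW2", "status": "500"},   # differs from the table only in case
    {"host": "ww9", "status": "404"},   # not in the table at all
]


def inputlookup(csv_text):
    """`| inputlookup table.csv`: return the table's own rows."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def lookup(events, table, input_field, lookup_field=None, output_fields=None,
           case_sensitive_match=True):
    """`| lookup <definition> lookup_field AS input_field OUTPUT fields...`.
    Appends the matching row's output fields to each event. Events with no
    match pass through unchanged: lookup enriches, it never filters."""
    lookup_field = lookup_field or input_field
    if output_fields is None:
        # Default: every column except the one being matched on.
        output_fields = [f for f in table[0] if f != lookup_field]
    norm = (lambda v: v) if case_sensitive_match else (lambda v: v.casefold())
    index = {norm(row[lookup_field]): row for row in table}
    enriched = []
    for event in events:
        out = dict(event)
        row = index.get(norm(str(event[input_field]))) if input_field in event else None
        if row is not None:
            for f in output_fields:
                out[f] = row[f]
        enriched.append(out)
    return enriched


if __name__ == "__main__":
    table = inputlookup(HOST_CSV)
    for e in lookup(EVENTS, table, "host"):
        print(e)          # WW2 gets no owner/environment under the default
    for e in lookup(EVENTS, table, "host", case_sensitive_match=False):
        print(e)          # WW2 now matches ww2
```

In a real deployment, hostnames arriving with mixed case from different forwarders is exactly the situation that makes an asset-enrichment lookup silently miss; set case_sensitive_match to false in the lookup definition when the key is not guaranteed to be normalised, or normalise it with lower() before the lookup.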
_____ reports are useful for:
–Monthly, weekly, daily executive/managerial roll up reports
–Improving dashboard performance (panels load the saved results instead of re-running the search)
– Automatically sending reports via email
– Enriching event data, such as, generating a statistical output of historical events to a CSV file
scheduled