Splunk Fundamentals 2

Question 1

True or False. Tags, field values with “eval” and “where,” and “field values from lookup” are case insensitive.

Answer 1

False. They are case sensitive.

Question 2

True or False. Field names, regular expressions and Boolean operators are case sensitive.

Answer 2

True

Question 3

As events come into Splunk, they are placed into an index’s ____ ___ (which is the only writable bucket).

Answer 3

hot bucket

Question 4

Which command returns tables containing only specified fields in a result set?

Answer 4

table

Question 5

Which command renames a field in results?

Answer 5

rename

Question 6

Which command includes or excludes specified fields?

Answer 6

fields

Question 7

Which command sorts results by specified field?

Answer 7

sort

Question 8

Which command adds field values from an external source (e.g., csv files)?

Answer 8

lookup

Question 9

Are Boolean operators case sensitive?

Answer 9

yes

Question 10

Are field names case sensitive?

Answer 10

yes

Question 11

Using a ____ ____ in Splunk is a way to search through text to find pattern matches in your data.

Are they case sensitive?

Answer 11

regular expression

yes

Question 12

True or False. Field values from lookup, tags, and field values with “eval” and “where” commands are not case sensitive.

Answer 12

False. They are case sensitive.

Question 13

Are command names (i.e. stats, STATS), command clauses (i.e. “as,” “by,” “with), statistical functions (i.e. avg, AVG, Avg), search terms (i.e. failed, FAILED) and field values (i.e. host=www1, host=WWW1) case sensitive or case insensitive?

Answer 13

case insensitive

Question 14

As events age in Splunk, they move from the ____ bucket, to the ____ bucket and finally to the ____ bucket.

Answer 14

hot, warm, cold

Question 15

Who can configure settings and add more to buckets? Users, admins or power users?

Answer 15

admins

Question 16

What is the most efficient filter to use when searching events? After time, the most powerful fields to filter are what?

Answer 16

time

index, host, source and sourcetype

Question 17

What command would you use in order to only extract (discover) the fields you need?

Answer 17

fields command

Question 18

____ mode in Splunk = performance over completeness.

____ mode in Splunk balances speed and completeness.

____ mode in Splunk focuses on completeness over performance

Answer 18

fast
smart
verbose

Question 19

Removing duplicates then sorting is ____ (faster or slower) than sorting then removing duplicates?

Answer 19

faster

Question 20

____ commands massage raw data in tables and transform specified cell values for each event into numerical values that you can use for statistical purposes.

Answer 20

transforming

Question 21

What commands are required to ‘transform’ search results into visualizations?

Answer 21

transforming

Question 22

What type of commands are the following?

top
rare
chart
timechart
stats
geostats

Answer 22

transforming

Question 23

In fast mode, verbose mode, and smart mode what is not available for non-transforming searches?

Answer 23

statistics and visualizations

Question 24

Only metadata fields (host, source and sourcetype) and fields specified in a search are available in ___ mode.

Answer 24

fast

Question 25

In fast mode transforming searches, ____ and ___ are not available. However, statistics and visualizations are.

Answer 25

events, patterns

Question 26

In ___ mode, events and patterns are available in non-transforming searches, but statistics and visualizations are not.

Are events, patterns, statistics and visualizations available for transforming searches?

Answer 26

verbose

yes

Question 27

In smart mode, events and patterns are NOT available. However ____ and ____ are.

Answer 27

statistics and visualizations

Question 28

What tool allows you to examine the:

Overall stats of search (e.g., records processed and returned, processing time)

How search was processed

Where Splunk spent its time

Answer 28

Search Job Inspector tool

Question 29

What is used to troubleshoot a search’s performance and understand the impact of knowledge objects on processing (e.g., event types, tags, lookups)?

Answer 29

Search Job Inspector tool

Question 30

Header, execution costs and search job properties are the 3 ____ of what tool?

Answer 30

components

Search Job Inspector tool

Question 31

Which component of the Search Job Inspector tool provides basic information, including time to run and # of events scanned?

Answer 31

header

Question 32

Which component of the Search Job Inspector tool provides details on the cost to retrieve results?

Answer 32

execution costs

Question 33

command.search.index, command.search.filter, and command.search.rawdata are all ____ ___ shown in the Search Job Inspector tool.

Answer 33

execution costs

Question 34

Which execution cost of the Search Job Inspector tool specifies the time that it took to filter out events that did not match?

a. command.search.rawdata
b. command.search.index
c. command.search.filter

Answer 34

c. command.search.filter

Question 35

Which execution cost of the Search Job Inspector tool specifies the time that it took to search the index for the location to read in rawdata files?

a. command.search.rawdata
b. command.search.index
c. command.search.filter

Answer 35

b. command.search.index

Question 36

Which execution cost of the Search Job Inspector tool specifies the time that it took to read events from the rawdata files?

a. command.search.rawdata
b. command.search.index
c. command.search.filter

Answer 36

a. command.search.rawdata

Question 37

As events are stored by time, ______ is the most efficient filter.

a. _time
b. _raw
c. _introspection

Answer 37

a. _time

Question 38

Select all that are considered case sensitive.

a. Boolean operators
b. tags
c. keywords
d. command functions

Answer 38

a. Boolean operators

b. tags

Question 39

The Search Job Inspector has three components. Select all that apply.

a. Header
b. Health check
c. Search job properties
d. Execution costs

Answer 39

a. Header
c. Search job properties
d. Execution costs

Question 40

For general search best practices, only use
________ wildcards to make efficient use of index.

a. trailing
b. beginning
c. middle-of-string

Answer 40

a. trailing

Question 41

When a search returns statistical values, results can be viewed in a table on the ___ tab or as a ____.

Answer 41

statistics

visualization

Question 42

Lines, column charts, pie charts, single values, gauges, maps and many more are all examples of what?

Answer 42

visualizations

Question 43

A ___ ____ is a sequence of related data points that are plotted in a visualization. They can generate various statistical or visualization results.

Answer 43

data series

Question 44

Most visualizations require a ____ ___ table. A ___ ___ table consists of search results structured as a table with at least two columns.

Answer 44

single series

Question 45

The leftmost column of a single series table provides x-axis values or y-axis values? What axis are subsequent columns on?

Answer 45

x-axis values

the y-axis

Question 46

To get ___ ____ tables, you need to set up the underlying search with transforming commands such as “chart” and “timechart.”

Answer 46

multi-series tables

Question 47

___ ___ tables display statistical trends over time. They can be single-series or multi-series.

Answer 47

time series

Question 48

What command do you have to use for a time series result?

Answer 48

timechart command

Question 49

What type of chart shows trends in the relationships between discrete data values?

Answer 49

scatter charts

Question 50

____ charts show discrete values that do not occur at regular intervals or belong to a series.

Answer 50

scatter

Question 51

The ____ command can display any data series plotted across one or two dimensions.

Answer 51

chart

Question 52

What chart command function is being used in the following search strings? (Note: The difference between the two are the “over” clause and the “by” clause in the second lines).

index=security sourcetype=linux_secure
| chart count over vendor_action

index=security sourcetype=linux_secure
| chart count by vendor_action

Answer 52

count function

Question 53

When you use the ___ function in Splunk, a table is created with a column that tallies the number of events for each value in the result set.

Answer 53

count

Question 54

With the ____ command, you can use the “by” clause with the “over” clause to split results (ie. over vendor_action by user).

Or you can just use two “by” clauses (i.e. by vendor_action, user).

Answer 54

chart

Question 55

You can only split chart results over a maximum

of how many dimensions using the chart command?

Answer 55

two

Question 56

Chart and timechart commands automatically filter results to include the ____ highest values. Surplus values are grouped in “OTHER.” Results can be skewed by “NULL” and “OTHER.”

a. five
b. ten
c. twenty
d. fifteen

Answer 56

b. ten

Question 57

What chart and timechart command values are shown by default?

Answer 57

NULL and OTHER

Question 58

“useother=f” and “usenull=f” can be used to remove empty ____ and ____ values from display in a visualization using the chart command.

Answer 58

NULL and OTHER

Question 59

What can be used to adjust the default number of plotted series (10) when using the chart command?

Answer 59

limit argument

Question 60

The ____ command performs statistical aggregations against time. It also plots and trends data over time.

Answer 60

timechart command

Question 61

“_time” using the timechart command is always on the x-axis or y-axis?

Answer 61

x-axis

Question 62

Line or area charts are the best representation of what type of chart?

Answer 62

timecharts

Question 63

With the timechart command,the default time intervals (or time ranges of a search) that can be used are span=1m which equals _____ minutes and span=30m which equals ____ hours.

Answer 63

60 minutes

24 hours

Question 64

You can adjust the time interval of a timechart by using what argument?

Answer 64

“span” argument

Question 65

The ____ layout allows you to display multiple charts based on one result set and allows visual comparison between different categories.

Answer 65

trellis layout

Question 66

Which command displays the output of the timechart command, so that each time period is a separate series?

a. timechart command
b. chart command
c. timewrap command

Answer 66

c. timewrap command

Question 67

Which command can compare data over a specific time period, such as day-over-day or month-over-month?

a. timechart command
b. timewrap command
c. chart command

Answer 67

b. timewrap command

Question 68

What command is being used here?

index=security sourcetype=linux_secure
| stats count by src_ip, user, vendor_action, app

Answer 68

stats command

Question 69

What clause would you use to calculate statistics for two or more non time-based fields?

Answer 69

“by” clause

Question 70

To get multi-series tables, you need to set up the underlying search with transforming commands. Select all that apply.

a. chart
b. abstract
c. timechart

Answer 70

a. chart

c. timechart

Question 71

When using the timechart command, what option is used to specify the _time interval?

a. group
b. trend
c. span

Answer 71

c. span

Question 72

Which of the three transforming commands below allows you to split results over a maximum of TWO dimensions?

a. stats
b. chart
c. timechart

Answer 72

b. chart

Question 73

Which of the three transforming commands below allows you to split results over a maximum of ONE dimension?

a. stats
b. chart
c. timechart

Answer 73

c. timechart

Question 74

Which of the three transforming commands below allows you to split results over MANY dimensions?

a. stats
b. chart
c. timechart

Answer 74

a. stats

Question 75

Which of the three transforming commands below does not allow you to limit the number of series shown, filter “other” and “null” series, and set value groups along the x-axis?

a. stats
b. chart
c. timechart

Answer 75

a. stats

Question 76

Which transforming commands allow you to use “span” in order to set value groups along the x-axis?

a. stats
b. chart
c. timechart

Answer 76

b. chart

c. timechart

Question 77

Which commands would you use to count the frequency of a field(s)?

a. stats
b. chart
c. top/rare
d. timechart

Answer 77

c. top/rare

Question 78

Which command is non time-based and would be used to calculate statistics for two or more “by” fields?

a. stats
b. chart
c. top/rare
d. timechart

Answer 78

a. stats

Question 79

Which command is used to calculate statistics using an arbitrary field as the x-axis? This command also allows you to use “over” or “by” to specify the x-axis, and WILL NOT allow you to use “_time” on the x-axis.

a. stats
b. chart
c. top/rare
d. timechart

Answer 79

b. chart

Question 80

You would use the ____ command to calculate
statistics with “_time” as the x-axis.

a. stats
b. chart
c. top/rare
d. timechart

Answer 80

d. timechart

Question 81

If a “by” field is used for the timechart command, the output is a ____.

Answer 81

table

Question 82

To get multi-series tables, you need to set up the underlying search with transforming commands. Select all that apply.

a. chart
b. abstract
c. timechart

Answer 82

a. chart

c. timechart

Question 83

When using the timechart command, what option is used to specify the _time interval?

a. group
b. trend
c. span

Answer 83

c. span

Question 84

____ are aliases to field values. For example, if two host names refer to the same computer, you could give both host values the same ___ (for example, hal9000). When you search for ___=hal9000, Splunk returns events involving both host name values.

Note: Answers for all blanks are the same

Answer 84

tags

Question 85

top, stats, chart, and timechart are all what type of commands?

a. Sorting Results
b. Filtering Results
c. Grouping Results
d. Reporting Results
e. Filtering, Modifying, and Adding Fields

Answer 85

d. Reporting Results

Question 86

Which transforming command returns the most frequently occurring typle of field values, along with their count and percent?

a. stats
b. chart
c. top
d. rare
e. timechart

Answer 86

c. top

Question 87

This command computes the moving averages of a field.

Answer 87

trendline

Question 88

There are 3 ____ that must be included when using the trendline command. ____ (acronym for simple moving average), _____ (acronym for exponential moving average), and ____ (acronym for weighted moving average).

Answer 88

trendtypes
sma
ema
wma

Question 89

The ___ over which to compute a trend (which can be between whole numbers of 2 and 10,000) must be included when using the trend line command.

Answer 89

period

Question 90

When displaying data on maps, there are two types that can be used:

A ____ map (which shades areas based on metrics).

A ____ map (which displays statistical grouping based on geo location).

Answer 90

Choropleth

Cluster

Question 91

Which command is used to look up and add location information to an event (including city, country, region, latitude and longitude)?

a. geostats
b. iplocation
c. stats
d. chart
e. timechart

Answer 91

b. iplocation

Question 92

True or False. The iplocation command DOES NOT automatically define default lat and lon fields required by geostats.

Answer 92

False

The iplocation command AUTOMATICALLY defines default lat and lon fields required by geostats.

Question 93

The ____ command is used to compute statistical functions and render a cluster map. Data must include latitude and longitude values.

a. chart
b. iplocation
c. stats
d. geostats
e. timechart

Answer 93

d. geostats

Question 94

When using the geostats command, you can control the column count, using the ______ argument.

Answer 94

globallimit

Question 95

____ maps use shading to show relative metrics, such as sales, network intruders, etc. for predefined geographic regions.

Answer 95

Choropleth

Question 96

To define regional boundaries for a choropleth map, you must have what type of files? Select all that apply.

a. CSV
b. KML (Keyhole Markup Language)
c. JSON
d. KMZ (compressed Keyhole Markup Language)
e. XML

Answer 96

b. KML (Keyhole Markup Language)

d. KMZ (compressed Keyhole Markup Language)

Question 97

The standard geo searches that Splunk ships with for the choropleth maps is:

1. geo_us_states (which for what country?)
2. geo_countries (which is for ____)

and

…| geom [featureCollection] [featureIdField=string]
(Note: No answer needed for this one)

Answer 97

United States

countries of the world

Question 98

With gauge visualizations, you can make adjustments to color by using UI or the ____ command.

Answer 98

gauge

Question 99

____ layout displays multiple gauges when using a by clause in the stats command.

Answer 99

trellis

Question 100

With the timechart command, you can add a _____ and a trend. A ____ is an inline chart and is designed to display time-based trends associated with the primary key.

(Note: Same answer for both)

Answer 100

sparkline

Question 101

The ____ command is used to compute the sum of all or selected columns, and place the total in the last row and last column.

a. top
b. stats
c. chart
d. addtotals
e. timechart
f. iplocation
g. geostats

Answer 101

d. addtotals

Question 102

When using the add totals command, ___=t counts the fields in each row under a column named, while ____=t counts the fields in each row in a row named.

Answer 102

row=t

column=t

Question 103

The trendline command provides three trend types. Select all that apply.

a. tma (time)
b. sma (simple)
c. ema (exponential)
d. wma (weighted)

Answer 103

b. sma (simple)
c. ema (exponential)
d. wma (weighted)

Question 104

By default, the iplocation command adds fields to the results. Select all that apply.

a. City
b. lon
c. pid
d. Region

Answer 104

b. lon

Question 105

When using the addtotals command, the labelfield argument is valid only when _______.

a. col=true
b. row=true
c. fieldname=f

Answer 105

a. col=true

Question 106

This command calculates an expression and puts the resulting value into a new field. For instance if a user creates the following search string:

… | eval velocity=distance/time

The resulting table would have the value for distance in one column, the value for time in another column and the eval velocity column would be the result of the # for distance divided by the number for time.

Answer 106

eval command

Question 107

When using the eval command, expressions must be separated by what character?

a. >=
b. ,
c. !=

Answer 107

b. ,

Question 108

The ____ command allows you to:

Calculate expressions
Place the results in a field
Use that field in searches or other expressions

Answer 108

eval

Question 109

When using the eval command, the ____ function sets the value of a field to the number of decimals you specify. (ie. one number after the decimal, two numbers after the decimal, etc.)

Answer 109

round

Question 110

Which type of eval command is represented by the following operators?

+ - * / %

a. Boolean
b. Comparison
c. Arithmetic
d. Concatenation

Answer 110

Arithmetic

Question 111

Which type of eval command is represented by the following operators?

NOT AND OR XOR

a. Boolean
b. Comparison
c. Arithmetic
d. Concatenation

Answer 111

a. Boolean

Question 112

Which type of eval command is represented by the following operators?

< > <= >= != = LIKE

a. Boolean
b. Comparison
c. Arithmetic
d. Concatenation

Answer 112

b. Comparison

Question 113

Which type of eval command is represented by the following operators?

+ .

a. Boolean
b. Comparison
c. Arithmetic
d. Concatenation

Answer 113

d. Concatenation

Question 114

When using the eval command, and the round function for results, If the number of decimals is unspecified, what is the result?

Answer 114

a whole number

Question 115

When using the eval command, the ____ function converts a numeric field value to a string.

Answer 115

tostring

Question 116

When using the eval command and tostring function, there are 3 options that you can use to format the numbers in the table that is created:

a. _____ which apply commas to the numbers
b. _____ which format the numbers as hh:mm:ss
c. _____ which formats the number in a hexadecimal

Place the following terms in the correct blank:
“duration,” “commas,” “hex”

Answer 116

a. commas
b. duration
c. hex

Question 117

Which eval command function is described below?

1. takes three arguments
2. the first argument, X, is a boolean expression
3. if argument X evaluates to TRUE, the result evaluates to the second argument, Y
4. if argument X evaluates to FALSE, the result evaluates to the third argument, Z

Answer 117

“if” function

Question 118

When using the eval command “if” function, non numeric values must be enclosed in _______.

Are field values case sensitive when using this function, or case insensitive?

Answer 118

double quotes

case sensitive

Question 119

The eval command ____ function works similar to that of the “if” function. However, rather than the first argument being X, it’s X1. The following arguments are Y1, X2, Y2, etc.

Also, if none of the boolean expressions are true, the result evaluates to NULL.

Answer 119

case

Question 120

If none of the boolean expressions were true using the eval command “case” function, what would the result be?

Answer 120

NULL

Question 121

Identify the functions used in both search strings:

Search string #1:

index=network sourcetype=cisco_wsa_squid
| eval Risk = case(x_wbrs_score >= 5,"1 Very Safe",
x_wbrs_score >= 3,"2 Safe",
x_wbrs_score >= 0,"3 Neutral",
x_wbrs_score >= -5,"4 Dangerous",
x_wbrs_score < -5, "5 Very Dangerous")

Search string #2

index=sales sourcetype=vendor_sales
| eval SalesTerritory =
if ((VendorID >= 7000 AND VendorID < 8000), “Asia”, “Rest of the World”)

Answer 121

1. case function

2. if function

Question 122

The _____ command calculates an expression and puts the resulting value into a search results field.

Answer 122

eval

Question 123

Unlike the eval “command” (which calculates an expression and puts the resulting value into a search results field), the eval “____” counts the number of events that have a specific field value.

What function must be used along with the eval “____”?

Note: Same answers for the blank spaces.

Answer 123

function
count

Question 124

True or False. Field values ARE case sensitive when using the eval “FUNCTION.”

Answer 124

True

Question 125

Which command is described below? The “search” command, or the “where” command?

1. Can be used at any point in the search pipeline
2. Allows searching on keywords
3. Treats field values in a “case insensitive” manner

Answer 125

search

Question 126

Is the “search” command, or the “where” command being described below?

1. Functions are available, such as isnotnull()
2. Can’t appear before first pipe in search pipeline
3. Can’t filter with keywords
4. Treats field values in a “case-sensitive” manner
5. Can compare values from two different fields

Answer 126

where

Question 127

Which command is used here? Also describe what is happening?

source=job_listings | where salary > industry_average

Answer 127

“where” command

retrieves jobs listings and discards those whose salary is not greater than the industry average

Question 128

When using the “like” operator with the “where” command, you must use (_) for __ character and
(%) for _____ characters.

Note: The blank spaces should be filled with quantities (i.e. one, a couple, multiple)

Answer 128

one

multiple

Question 129

What where command operator is being used in the following search string?

index=security sourcetype=linux_secure
| where like (user,”adm%”)
| dedup user
| table user

Answer 129

like

Question 130

When using the “where” command, use _____ to find events with an empty value for a specific field, and ____ to find events that contain a non-empty value for a particular field. On the other hand, _____ should be used to replace null values in fields.

a. fillnull
b. isnull
c. isnotnull

Answer 130

b. isnull
c. isnotnull
a. fillnull

Question 131

Create a new field called velocity in each event. Calculate the velocity by dividing the values in the distance field by the values in the time field.

a. |eval {velocity} = Value, distance OVER time
b. |eval velocity=distance/time
c. |eval velocity=split(distance,time)

Answer 131

b. |eval velocity=distance/time

Question 132

If you use the following eval command with the round() function, select a possible result:

|eval bandwidth
= round(Bytes/pow(1024,2), 2)

a. 28
b. 124.032
c. 273.02

Answer 132

c. 273.02

Question 133

The eval command supports comparison and conditional functions. Select all that apply.

a. case (X1,”Y1”,X2,”Y2”,…)
b. if (X,Y,Z)
c. like (TEXT,PATTERN)
d. tostring(X,Y)

Answer 133

a. case (X1,”Y1”,X2,”Y2”,…)

b. if (X,Y,Z)

Question 134

If you want to use the fillnull command and show a specific text, which syntax would be correct?

a. | fillnull value=”nada”
b. | fillnull NULL=nada
c. | fillnull 0 as nada

Answer 134

a. | fillnull value=”nada”

Question 135

The ____ command groups related events that meet various constraints. The events are grouped into ____, which are collections of events, possibly from multiple sources.

Note: Same answer for both blank spaces.

Answer 135

transaction

Question 136

The following are common ____ that are used when the transaction command is used:

maxspan
maxpause
startswith
endswith

Answer 136

constraints

Question 137

What command would you use at any point in the search pipeline to filter the transactions created by the transaction command?

Answer 137

search command

Question 138

The transaction command produces two fields:

1. ____: difference between the timestamps for the first and last events in the transaction.
2. ____: number of events in the transaction.

Answer 138

duration

eventcount

Question 139

When using the transaction command, you can define a max overall time span and max gap between events.

Which definition describes maxspan, and which describes maxpause?

_____ is the maximum total time between events

_____ is the maximum total time between the
earliest and latest events

Answer 139

maxpause

maxspan

Question 140

What would the following indicate in an event where the transaction command is used?

maxspan=5m

Answer 140

The maximum total time between the first and last event of all of the transactions combined should be no more than 5 minutes.

Question 141

To form transactions based on terms, field values, or evaluations, use ____ and ___ options. For example, if you were determining how long it took for customers to complete a purchase online over the last 24 hours you might want the FIRST event in your transactions to include “addtocart” and the LAST event to include “purchase.”

Answer 141

startswith

endswith

Question 142

_____ can be useful when a single event does not provide enough information.

Answer 142

transactions

Question 143

True or False. You can use statistics and transforming commands with transactions.

Answer 143

True

Question 144

When you have a choice, would you use the transaction or stats command? Why?

Answer 144

stats

it’s more efficient

Question 145

Which of the following definitions describe the stats command? Which definition describes the transaction command?

The ____ command when you:
• Need to see events correlated together
• Must define event grouping based on start/end values or segment on time

The ____ command when you:
• Want to see the results of a calculation
• Can group events based on a field value (e.g., by src_ip)

Answer 145

transaction

stats

Question 146

There is a limit of ____ events when using the ____ command. However there is no limit when using the ____ command.

Note:
first blank: #
second and third blanks: pick transaction or stats

Answer 146

1,000
transaction
stats

Question 147

What’s the maximum number of events that can be grouped per transaction?

a. 100 events
b. 1,000 events
c. 10,000 events

Answer 147

b. 1,000 events

Question 148

What are the options that can be used to constrain transactions? Select all that apply.

a. startswith
b. endswith
c. maxspan
d. maxpause

Answer 148

c. maxspan

d. maxpause

Question 149

Which fields are created by the transaction command? Select all that apply.

a. duration
b. memcontrol
c. eventcount
d. txn_definitions

Answer 149

a. duration

c. eventcount

Question 150

What are tools you use to discover and analyze various aspects of your data?

Answer 150

knowledge objects

Question 151

Data interpretation, data classification, data enrichment, normalization and data sets are all different types of what?

Answer 151

knowledge objects

Question 152

Which knowledge object deals with fields and field extractions?

a. data classification
b. data sets
c. data interpretation
d. data enrichment

Answer 152

c. data interpretation

Question 153

Which knowledge object deals with event types?

a. data classification
b. data sets
c. data interpretation
d. data enrichment

Answer 153

a. data classification

Question 154

This type of knowledge object consists of lookups and workflow actions.

a. data classification
b. data sets
c. data interpretation
d. data enrichment

Answer 154

d. data enrichment

Question 155

This type of knowledge object deals with tags and field aliases.

a. data classification
b. data sets
c. data interpretation
d. data enrichment
e. normalization

Answer 155

e. normalization

Question 156

This type of knowledge object contains data models.

a. data classification
b. data sets
c. data interpretation
d. data enrichment
e. normalization

Answer 156

b. data sets

Question 157

____ ___ are also persistent objects that can be used by multiple people or apps, such as macros and reports.

Answer 157

knowledge objects

Question 158

A Knowledge Object Manager could be any of the 3 Splunk roles, but a person usually has to at least be a ______.

a. user
b. admin
c. power user

Answer 158

c. power user

Question 159

Select all knowledge objects.

a. lookups
b. field aliases
c. users
d. workflow actions

Answer 159

a. lookups
b. field aliases
d. workflow actions

Question 160

Splunk knowledge objects are persistent objects that can be used by multiple ________. Select all that apply.

a. users
b. apps
c. searches

Answer 160

a. users

b. apps

Question 161

Search-time operations are always applied in the same order when generating knowledge objects. Use the following information to put search time operation in the correct order.

a. Lookups
b. Calculated fields
c. Tags
d. Extractions
e. Field aliases
f. Event types

Answer 161

d. Extractions
e. Field aliases
b. Calculated fields
a. Lookups
f. Event types
c. Tags

Question 162

Field aliases are applied after __________, before ___________. Select all that apply.

a. lookups, field extractions
b. field extractions, lookups
c. field extractions, tags

Answer 162

b. field extractions, lookups

c. field extractions, tags

Question 163

Prior to search time in Splunk, some fields are already stored with the event in the index. ____ fields, such as host, source, and sourcetype, and ____ fields such as _time and _raw are those fields. However at search time, ____ _____extracts fields from raw event data,
including those directly related to the search’s results. Use the following answers to fill in the blanks.

a. internal
b. field discovery
c. meta

Answer 163

c. meta
a. internal
b. field discovery

Question 164

In addition to the many fields Splunk auto-extracts, you can also extract your own fields with the ____ ____.(FX)

Answer 164

Field Extractor

Question 165

You can use ___ __ to extract fields that are static and that you use often in searches.

Answer 165

Field Extractor

Question 166

You can extract fields in FX from events using ____ and ____.

Answer 166

regex, delimiter

Question 167

The are two extraction methods in Splunk. The first, ____ is used when your event contains unstructured data like a system log file. The second, ____ is used when your event contains structured data like a .csv file.

Answer 167

regex, delimiter

Question 168

You would use _____ field extractions when a consistently structured log has values that are separated by spaces, commas, or characters.

Answer 168

delimited

Question 169

Use _________ field extractions when fields are separated by spaces, commas, or characters.

a. delimited
b. regex
c. rename

Answer 169

a. delimited

Question 170

There are three ways to get to the Field Extractor (FX). Select all that apply.

a. Event Actions menu
b. Fields sidebar
c. Settings menu
d. Auto-Extract Fields Workflow

Answer 170

a. Event Actions menu
b. Fields sidebar
c. Settings menu

Question 171

Use ___ ____ to extract fields that are static and that you use often in searches including:

• Graphical UI
• Extract fields from events using regex or delimiter
• Extracted fields persist as knowledge objects
• Can be shared and re-used in multiple searches

Answer 171

Field Extractor

Question 172

When using regex for field extraction, what’s the first thing you have to do in the Field Extractor?

a. Select a value to extract
b. Provide a Field Name
c. Edit the regular expression
d. Set the Extractions Name

Answer 172

a. Select a value to extract

Question 173

____ ___ are a way to associate an additional (new) name with an existing field name, like a nickname (possibly for normalization purposes), and are evaluated by the “search parser” after field extractions, before ____.

Answer 173

field aliases

lookups

Question 174

Many source types contain some type of user name. In order to make data correlation and searching easier, you can normalize the username field by using a ____ ____.

Answer 174

field alias

Question 175

Put the following steps for creating a field alias in Splunk in sequential order:

a. Fields
b. New Field Alias
c. Settings
d. Field Aliases

Answer 175

c. Settings
a. Fields
d. Field Aliases
b. New Field Alias

Question 176

True or False. A new field alias is required for each sourcetype.

Answer 176

True

Question 177

True or False. When you create a field alias, the original field IS affected.

Answer 177

False. The original field is not affected.

Question 178

True or False. When you create a field alias, both fields appear in the all fields and Interesting Fields lists, if they appear in at least 20% of events.

Answer 178

True

Question 179

When you create a field alias, both fields appear in the all fields and Interesting Fields lists, if they appear in at least ____% of events.

Answer 179

20%

Question 180

After you have defined your field aliases, you can reference them in a ____ table.

Answer 180

lookup

Question 181

____ fields are shortcuts for performing repetitive, long, or complex transformations using the eval command. ____ fields must be based on an extracted field.

Note: Answer for both blanks are the same.

Answer 181

calculated

Question 182

When you create a field alias, the default behavior is that the original field is:

a. overwritten
b. not affected
c. cached

Answer 182

b. not affected

Question 183

When you create a calculated field, the field in the expression must be __________.

a. an extracted field
b. a lookup table
c. field/column generated from within

Answer 183

a. an extracted field

Question 184

____ fields reference field aliases. ___ ____ are created to rename an existing field extraction.

Answer 184

calculated fields, field aliases

Question 185

Can you, or can’t you do the following?

1. Create a field alias that references a calculated field
2. Create a calculated field that references a field added through a lookup operation

Answer 185

you CAN’T

Question 186

A ___ is a knowledge object that enables you to search for events that contain specific field/value combinations. They are like labels that you create for field/value pairs, and make your data more understandable and less ambiguous.

Answer 186

tag

Question 187

Are tags case sensitive or case insensitive?

Answer 187

case sensitive

Question 188

To search for a tag associated with a value you would type:

a. =
b. Use (*) wildcard
c. tag=

Answer 188

c. tag=

Question 189

To search for a tag associated with a value on a specific field you would type:

a. tag::=
b. Use (*) wildcard
c. tag=

Answer 189

a. tag::=

Question 190

To search for a tag using a partial field value you would:

a. =
b. Use (*) wildcard
c. tag=

Answer 190

b. Use (*) wildcard

Question 191

In order to manage tags (such as edit permissions and disable all tags for pairs) you would use the _____ ___ ____ ___ ____ menu.

Note: Answer contains 5 words.

Answer 191

List by Field Value Pair

Question 192

How would you change a tag name?

a. by editing permissions
b. by first clicking on the field value pair
c. by typing “tag=”

Answer 192

b. by first clicking on the field value pair

Question 193

An ___ type is a method of categorizing events based on a search.

Answer 193

event

Question 194

Can event types be tagged?

Answer 194

Yes, to group similar type of events

Question 195

What do you use to create event types?

Answer 195

Event Type Builder

Question 196

These are the two ways that you can ____ event types:

1. Settings > Event types
2. Event details > Actions

Answer 196

tag

Question 197

___ ____categorize events based on a search string.

Answer 197

Event types

Question 198

If you tag the field value of your home office’s IP address as ‘homeoffice’, what events are returned when you search for tag=homeoffice?

a. events with that IP address
b. events from _internal
c. field lookup table

Answer 198

a. events with that IP address

Question 199

To search for a tag associated with a value on a specific field, select the correct search string.

a. tag::user=privileged
b. tag=user==privileged
c. tag=user::privileged

Answer 199

a. tag::user=privileged

Question 200

Which of the following are ways you can create an event type. Select all that apply.

a. Settings > Event types
b. Run a search, and save as Event Type
c. From event details, select Event Actions > Build Event Type

Answer 200

b. Run a search, and save as Event Type

Question 201

_____ are useful when you frequently run searches or reports with similar search syntax, and can be a full search string or a portion of a search that can be reused in multiple places.

Answer 201

macros

Question 202

In order to use a basic macro, you need to do the following:

1. Type the macro name into the search bar
2. Surround the macro name with the ______ (or grave accent) character… NOT single quotes

Answer 202

backtick

Question 203

monthly_sales(3)

The Splunker that typed the above is trying to add an argument to a macro. What have they done first in order to get the process started?

Answer 203

added the number of arguments in parentheses after the macro name

Question 204

Within a search, macro _____ should look like the following examples:

$currency$
(which would be the argument for currency)

$symbol$
(which would be the argument for symbol)

$rate$
(which would be the argument for rate)

Answer 204

arguments

Question 205

When using a macro with arguments, you have to include the argument(s) in _____ following the macro name and list them in the EXACT SAME order that you listed them when creating the macro.

Answer 205

parentheses

Question 206

When working with macros, the time range is _____________.

a. Always set to Last 24 hours
b. Selected at search time
c. Always set to All time

Answer 206

b. Selected at search time

Question 207

When adding arguments to a macro, include the number of arguments in _____________.

a. Parentheses after the macro name
b. Parentheses before the macro name
c. Dollar signs within the search definition

Answer 207

a. Parentheses after the macro name

Question 208

Surround the macro name with the _______ when executing a macro.

a. Dollar signs
b. Backtick character
c. Single quote character

Answer 208

b. Backtick character

Question 209

You can execute ____ ____ from an event or field in your search results to interact with external resources or run another search.

Answer 209

workflow actions

Question 210

______ workflow actions retrieve information from an external resource.

a. POST
b. GET
c. Search

Answer 210

a. GET

Question 211

______ workflow actions send field values to an external resource.

a. POST
b. GET
c. Search

Answer 211

a. POST

Question 212

______ workflow actions use field values to perform a secondary search.

a. POST
b. GET
c. Search

Answer 212

c. Search

Question 213

Do GET workflow actions have spaces or special characters?

Answer 213

No

Question 214

In order to create GET and POST workflow actions, you have to enter the _____ (this is an acronym) for where the user will be directed. What does the acronym stand for?

Answer 214

URI (Uniform Resource Identifier)

Question 215

To perform a secondary search, use a _______ workflow action.

a. Search
b. POST
c. GET

Answer 215

a. Search

Question 216

Which workflow actions require you to specify if the behavior should open in a new window or current window? Select all that apply.

a. Search
b. POST
c. GET

Answer 216

a. Search
b. POST
c. GET

Question 217

_____ is used for creating dashboards, and its reports are based on datasets.

Answer 217

Pivot

Question 218

Hierarchically structured datasets used in Pivot that contain searches and fields are called _____ _____ (two words). Each event, search, or transaction is saved as a separate ______ (one word).

Answer 218

data models

data set

Question 219

The following are the 3 types of ____ that a data model can consist of.

Events
Searches
Transactions

Answer 219

datasets

Question 220

Which type of dataset contains constraints and fields?

a. Events
b. Transactions
c. Searches

Answer 220

a. Events

Question 221

_____ in “event” datasets are essentially a search broken down into a hierarchy. ____ are associated with the events.

Answer 221

constraints

fields

Question 222

Dataset fields are inherited from ____ ____.

a. data models
b. parent objects
c. root events

Answer 222

a. parent objects

Question 223

The inherited attributes in the root event of a data model are called _____ fields.

Answer 223

default

Question 224

You can add fields to a dataset through the auto-extracted menu, eval expression, lookup, regular expression and Geo IP. Which of the following is described below?

can be default fields or manually extracted fields…

a. lookup
b. auto-extracted
c. Geo IP
d. regular expression
e. eval expression

Answer 224

b. auto-extracted

Question 225

Which method of adding fields to a data set is described below?

leverage an existing lookup table…

a. lookup
b. auto-extracted
c. Geo IP
d. regular expression
e. eval expression

Answer 225

a. lookup

Question 226

Which method of adding fields to a data set is described below?

add geographical fields such as latitude/longitude, country, etc. …

a. lookup
b. auto-extracted
c. Geo IP
d. regular expression
e. eval expression

Answer 226

c. Geo IP

Question 227

Which method of adding fields to a data set is described below?

a new field based on an expression that you define…

a. lookup
b. auto-extracted
c. Geo IP
d. regular expression
e. eval expression

Answer 227

e. eval expression

Question 228

Which method of adding fields to a data set is described below?

extract a new field based on regex…

a. lookup
b. auto-extracted
c. Geo IP
d. regular expression
e. eval expression

Answer 228

d. regular expression

Question 229

This tool in the Splunk platform allows you to examine the overall stats of your search, examine how your search was processed and see where Splunk spent its time. You can use this tool to troubleshoot a search’s performance and understand impact of knowledge objects on processing.

Answer 229

Search Job Inspector Tool

Question 230

The 3 components of the Search Job Inspector tool are (select all that apply):

a. Header
b. Field Name
c. Execution costs
d. Search job properties
e. Tags

Answer 230

a. Header
c. Execution cost
d. Search job properties

Question 231

This component of the Job Search Inspector tool in Splunk provides basic information, including time to run and # of events scanned.

Answer 231

Header

Question 232

This component of the Job Search Inspector tool provides details on cost to retrieve results, such as:

command. search.index
command. search.filter
command. search.rawdata

Answer 232

Execution Costs

Question 233

The chart and timechart commands automatically filter results to include how many of the highest values?

a. fifteen
b. ten
c. five

Answer 233

b. ten

Question 234

After the chart and timechart commands automatically filter results to include the ten highest values, surplus values are grouped into…

a. other
b. null
c. not

Answer 234

a. other

Question 235

A ____ allows you to overlay a computed moving average on a chart. An example of one of these are stock market visualizations.

Answer 235

trendline

Question 236

____ reports are used for creating reports and dashboards. They are also based on datasets.

Answer 236

Pivot

Question 237

___ ____ are hierarchically structured datasets containing searches and fields. Each event, search, or transaction is saved as a separate dataset.

Answer 237

data models

Question 238

A data model can consist of 3 types of datasets. Select answers from below.

a. events
b. field values
c. searches
d. field names
e. lookups
f. transactions

Answer 238

a. events
c. searches
f. transactions

Question 239

Which type of dataset that’s used in Pivot contain constraints and fields?

a. events
b. field values
c. searches
d. field names
e. lookups
f. transactions

Answer 239

a. events

Question 240

In data models events, ____ are search terms used to further narrow your search, while fields are associated with the events.

Answer 240

constraints

Question 241

You can add more fields when creating a data model. There are four types of fields that you can add. Read the descriptions below and match the fields below with the correct description.

1. a new field based on an expression that you define
2. geographical fields such as latitude/longitude, country, etc.
3. default fields or manually extracted fields
4. a new field based on regex
5. leverage an existing lookup table

a. Auto-Extracted
b. Eval Expression
c. Lookup
d. Regular Expression
e. Geo IP

Answer 241

b. Eval Expression
e. Geo IP
a. Auto-Extracted
d. Regular Expression
c. Lookup

Question 242

Which type of Pivot dataset defines a dataset based on a search that includes transforming commands?

a. event
b. field value
c. search
d. field name
e. lookup
f. transaction

Answer 242

c. search

Question 243

Which type of Pivot dataset defines a dataset based on a transaction?

a. event
b. field value
c. search
d. field name
e. lookup
f. transaction

Answer 243

f. transaction

Question 244

A ___ event dataset represents a set of data that is defined by a constraint: a simple search that filters out events that aren’t relevant to the dataset.

Answer 244

root

Question 245

____ views allows you to create table datasets without using SPL.

Answer 245

table

Question 246

The Splunk ______ _____ _____ (CIM) provides a methodology to normalize data

Answer 246

Common Information Model

Question 247

____ is leveraged when creating field extractions, field aliases, event types, and tags to ensure:

1. Multiple apps can co-exist on a single Splunk deployment
2. Object permissions can be set to global for the use of multiple apps
3. Easier and more efficient correlation of data from different sources and source types

Answer 247

CIM (Common Information Model)

Question 248

True or False. If other apps in a Splunk environment are CIM compliant, then data is normalized across apps, making it easier to search for similar data.

Answer 248

True

Question 249

True or False. If other apps in a Splunk environment are NOT CIM compliant, then field aliases, tags, and event types can be used to normalize data

Answer 249

True

Question 250

The Splunk CIM Add-on has a set of ___ pre-configured data models.

Note: Answer is a number

Answer 250

26

Question 251

The ____ should be leveraged so that knowledge objects in multiple apps can co-exist on a single Splunk deployment.

Answer 251

CIM or Common Information Model

Question 252

What commands can be used to retrieve data from a specified data model dataset? Choose the answers below.

a. fields
b. transforming
c. from
d. datamodel

Answer 252

c. from

d. datamodel

Question 253

The CIM ___ and ___ commands are generating commands, meaning that they have to be the first command in the pipeline.

a. fields
b. transforming
c. from
d. datamodel

Answer 253

c. from

d. datamodel

Question 254

The Common Information Model ____ command retrieves data from a named dataset, saved search, report or lookup file.

a. from
b. datamodel

Answer 254

a. from

Question 255

The Common Information Model ____ command allows users to examine data models and search data model datasets.

a. from
b. datamodel

Answer 255

b. datamodel

Question 256

Select the available ways you can validate against a data model. Select all that apply.

a. | datamodel
b. Pivot
c. | transaction
d. Workflow actions

Answer 256

a. | datamodel

Question 257

What are the primary knowledge objects the CIM includes or relies upon? Select all that apply.

a. data models
b. field aliases and tags
c. event types
d. field extractions

Answer 257

b. field aliases and tags
c. event types
d. field extractions

Question 258

A data model can consist of the following three types of datasets. Select all that apply.

a. events
b. searches
c. Pivot reports
d. transactions

Answer 258

a. events
b. searches
d. transactions

Question 259

To add a Root Event Dataset, what field is required to be manually added?

a. Dataset Name
b. Dataset ID
c. Duration maxpause maxspan

Answer 259

c. Duration maxpause maxspan

Question 260

2. Data models contain the following. Select all that apply.

a. inherited and extracted fields
b. constraints
c. event object hierarchy

Answer 260

b. constraints

c. event object hierarchy

Question 261

The transaction command produces additional fields such as:

_____ which is the difference between the timestamps for the first and last event in a transaction

and

_____ which is the number of events in a transaction

a. time
b. duration
c. evencount
d. field

Answer 261

b. duration

c. evencount

Question 262

What command creates a single correlated event from a group of events based on the same field value?

Answer 262

transaction command