Splunk Fundamentals 2 Flashcards
True or False. Tags, field values with “eval” and “where,” and “field values from lookup” are case insensitive.
False. They are case sensitive.
True or False. Field names, regular expressions and Boolean operators are case sensitive.
True
As events come into Splunk, they are placed into an index’s ____ ___ (which is the only writable bucket).
hot bucket
Which command returns tables containing only specified fields in a result set?
table
Which command renames a field in results?
rename
Which command includes or excludes specified fields?
fields
Which command sorts results by specified field?
sort
Which command adds field values from an external source (e.g., csv files)?
lookup
Are Boolean operators case sensitive?
yes
Are field names case sensitive?
yes
Using a ____ ____ in Splunk is a way to search through text to find pattern matches in your data.
Are they case sensitive?
regular expression
yes
True or False. Field values from lookup, tags, and field values with “eval” and “where” commands are not case sensitive.
False. They are case sensitive.
Are command names (i.e. stats, STATS), command clauses (i.e. “as,” “by,” “with), statistical functions (i.e. avg, AVG, Avg), search terms (i.e. failed, FAILED) and field values (i.e. host=www1, host=WWW1) case sensitive or case insensitive?
case insensitive
As events age in Splunk, they move from the ____ bucket, to the ____ bucket and finally to the ____ bucket.
hot, warm, cold
Who can configure settings and add more to buckets? Users, admins or power users?
admins
What is the most efficient filter to use when searching events? After time, the most powerful fields to filter are what?
time
index, host, source and sourcetype
What command would you use in order to only extract (discover) the fields you need?
fields command
____ mode in Splunk = performance over completeness.
____ mode in Splunk balances speed and completeness.
____ mode in Splunk focuses on completeness over performance
fast
smart
verbose
Removing duplicates then sorting is ____ (faster or slower) than sorting then removing duplicates?
faster
____ commands massage raw data in tables and transform specified cell values for each event into numerical values that you can use for statistical purposes.
transforming
What commands are required to ‘transform’ search results into visualizations?
transforming
What type of commands are the following?
top rare chart timechart stats geostats
transforming
In fast mode, verbose mode, and smart mode what is not available for non-transforming searches?
statistics and visualizations
Only metadata fields (host, source and sourcetype) and fields specified in a search are available in ___ mode.
fast
In fast mode transforming searches, ____ and ___ are not available. However, statistics and visualizations are.
events, patterns
In ___ mode, events and patterns are available in non-transforming searches, but statistics and visualizations are not.
Are events, patterns, statistics and visualizations available for transforming searches?
verbose
yes
In smart mode, events and patterns are NOT available. However ____ and ____ are.
statistics and visualizations
What tool allows you to examine the:
Overall stats of search (e.g., records processed and returned, processing time)
How search was processed
Where Splunk spent its time
Search Job Inspector tool
What is used to troubleshoot a search’s performance and understand the impact of knowledge objects on processing (e.g., event types, tags, lookups)?
Search Job Inspector tool
Header, execution costs and search job properties are the 3 ____ of what tool?
components
Search Job Inspector tool
Which component of the Search Job Inspector tool provides basic information, including time to run and # of events scanned?
header
Which component of the Search Job Inspector tool provides details on the cost to retrieve results?
execution costs
command.search.index, command.search.filter, and command.search.rawdata are all ____ ___ shown in the Search Job Inspector tool.
execution costs
Which execution cost of the Search Job Inspector tool specifies the time that it took to filter out events that did not match?
a. command.search.rawdata
b. command.search.index
c. command.search.filter
c. command.search.filter
Which execution cost of the Search Job Inspector tool specifies the time that it took to search the index for the location to read in rawdata files?
a. command.search.rawdata
b. command.search.index
c. command.search.filter
b. command.search.index
Which execution cost of the Search Job Inspector tool specifies the time that it took to read events from the rawdata files?
a. command.search.rawdata
b. command.search.index
c. command.search.filter
a. command.search.rawdata
As events are stored by time, ______ is the most efficient filter.
a. _time
b. _raw
c. _introspection
a. _time
Select all that are considered case sensitive.
a. Boolean operators
b. tags
c. keywords
d. command functions
a. Boolean operators
b. tags
The Search Job Inspector has three components. Select all that apply.
a. Header
b. Health check
c. Search job properties
d. Execution costs
a. Header
c. Search job properties
d. Execution costs
For general search best practices, only use
________ wildcards to make efficient use of index.
a. trailing
b. beginning
c. middle-of-string
a. trailing
When a search returns statistical values, results can be viewed in a table on the ___ tab or as a ____.
statistics
visualization
Lines, column charts, pie charts, single values, gauges, maps and many more are all examples of what?
visualizations
A ___ ____ is a sequence of related data points that are plotted in a visualization. They can generate various statistical or visualization results.
data series
Most visualizations require a ____ ___ table. A ___ ___ table consists of search results structured as a table with at least two columns.
single series
The leftmost column of a single series table provides x-axis values or y-axis values? What axis are subsequent columns on?
x-axis values
the y-axis
To get ___ ____ tables, you need to set up the underlying search with transforming commands such as “chart” and “timechart.”
multi-series tables
___ ___ tables display statistical trends over time. They can be single-series or multi-series.
time series
What command do you have to use for a time series result?
timechart command
What type of chart shows trends in the relationships between discrete data values?
scatter charts
____ charts show discrete values that do not occur at regular intervals or belong to a series.
scatter
The ____ command can display any data series plotted across one or two dimensions.
chart
What chart command function is being used in the following search strings? (Note: The difference between the two are the “over” clause and the “by” clause in the second lines).
index=security sourcetype=linux_secure
| chart count over vendor_action
index=security sourcetype=linux_secure
| chart count by vendor_action
count function
When you use the ___ function in Splunk, a table is created with a column that tallies the number of events for each value in the result set.
count
With the ____ command, you can use the “by” clause with the “over” clause to split results (ie. over vendor_action by user).
Or you can just use two “by” clauses (i.e. by vendor_action, user).
chart
You can only split chart results over a maximum
of how many dimensions using the chart command?
two
Chart and timechart commands automatically filter results to include the ____ highest values. Surplus values are grouped in “OTHER.” Results can be skewed by “NULL” and “OTHER.”
a. five
b. ten
c. twenty
d. fifteen
b. ten
What chart and timechart command values are shown by default?
NULL and OTHER
“useother=f” and “usenull=f” can be used to remove empty ____ and ____ values from display in a visualization using the chart command.
NULL and OTHER
What can be used to adjust the default number of plotted series (10) when using the chart command?
limit argument
The ____ command performs statistical aggregations against time. It also plots and trends data over time.
timechart command
“_time” using the timechart command is always on the x-axis or y-axis?
x-axis
Line or area charts are the best representation of what type of chart?
timecharts
With the timechart command,the default time intervals (or time ranges of a search) that can be used are span=1m which equals _____ minutes and span=30m which equals ____ hours.
60 minutes
24 hours
You can adjust the time interval of a timechart by using what argument?
“span” argument
The ____ layout allows you to display multiple charts based on one result set and allows visual comparison between different categories.
trellis layout
Which command displays the output of the timechart command, so that each time period is a separate series?
a. timechart command
b. chart command
c. timewrap command
c. timewrap command
Which command can compare data over a specific time period, such as day-over-day or month-over-month?
a. timechart command
b. timewrap command
c. chart command
b. timewrap command
What command is being used here?
index=security sourcetype=linux_secure
| stats count by src_ip, user, vendor_action, app
stats command
What clause would you use to calculate statistics for two or more non time-based fields?
“by” clause
To get multi-series tables, you need to set up the underlying search with transforming commands. Select all that apply.
a. chart
b. abstract
c. timechart
a. chart
c. timechart
When using the timechart command, what option is used to specify the _time interval?
a. group
b. trend
c. span
c. span
Which of the three transforming commands below allows you to split results over a maximum of TWO dimensions?
a. stats
b. chart
c. timechart
b. chart
Which of the three transforming commands below allows you to split results over a maximum of ONE dimension?
a. stats
b. chart
c. timechart
c. timechart
Which of the three transforming commands below allows you to split results over MANY dimensions?
a. stats
b. chart
c. timechart
a. stats
Which of the three transforming commands below does not allow you to limit the number of series shown, filter “other” and “null” series, and set value groups along the x-axis?
a. stats
b. chart
c. timechart
a. stats
Which transforming commands allow you to use “span” in order to set value groups along the x-axis?
a. stats
b. chart
c. timechart
b. chart
c. timechart
Which commands would you use to count the frequency of a field(s)?
a. stats
b. chart
c. top/rare
d. timechart
c. top/rare
Which command is non time-based and would be used to calculate statistics for two or more “by” fields?
a. stats
b. chart
c. top/rare
d. timechart
a. stats
Which command is used to calculate statistics using an arbitrary field as the x-axis? This command also allows you to use “over” or “by” to specify the x-axis, and WILL NOT allow you to use “_time” on the x-axis.
a. stats
b. chart
c. top/rare
d. timechart
b. chart
You would use the ____ command to calculate
statistics with “_time” as the x-axis.
a. stats
b. chart
c. top/rare
d. timechart
d. timechart
If a “by” field is used for the timechart command, the output is a ____.
table
To get multi-series tables, you need to set up the underlying search with transforming commands. Select all that apply.
a. chart
b. abstract
c. timechart
a. chart
c. timechart
When using the timechart command, what option is used to specify the _time interval?
a. group
b. trend
c. span
c. span
____ are aliases to field values. For example, if two host names refer to the same computer, you could give both host values the same ___ (for example, hal9000). When you search for ___=hal9000, Splunk returns events involving both host name values.
Note: Answers for all blanks are the same
tags
top, stats, chart, and timechart are all what type of commands?
a. Sorting Results
b. Filtering Results
c. Grouping Results
d. Reporting Results
e. Filtering, Modifying, and Adding Fields
d. Reporting Results
Which transforming command returns the most frequently occurring typle of field values, along with their count and percent?
a. stats
b. chart
c. top
d. rare
e. timechart
c. top
This command computes the moving averages of a field.
trendline
There are 3 ____ that must be included when using the trendline command. ____ (acronym for simple moving average), _____ (acronym for exponential moving average), and ____ (acronym for weighted moving average).
trendtypes
sma
ema
wma
The ___ over which to compute a trend (which can be between whole numbers of 2 and 10,000) must be included when using the trend line command.
period
When displaying data on maps, there are two types that can be used:
A ____ map (which shades areas based on metrics).
A ____ map (which displays statistical grouping based on geo location).
Choropleth
Cluster
Which command is used to look up and add location information to an event (including city, country, region, latitude and longitude)?
a. geostats
b. iplocation
c. stats
d. chart
e. timechart
b. iplocation
True or False. The iplocation command DOES NOT automatically define default lat and lon fields required by geostats.
False
The iplocation command AUTOMATICALLY defines default lat and lon fields required by geostats.
The ____ command is used to compute statistical functions and render a cluster map. Data must include latitude and longitude values.
a. chart
b. iplocation
c. stats
d. geostats
e. timechart
d. geostats
When using the geostats command, you can control the column count, using the ______ argument.
globallimit
____ maps use shading to show relative metrics, such as sales, network intruders, etc. for predefined geographic regions.
Choropleth
To define regional boundaries for a choropleth map, you must have what type of files? Select all that apply.
a. CSV
b. KML (Keyhole Markup Language)
c. JSON
d. KMZ (compressed Keyhole Markup Language)
e. XML
b. KML (Keyhole Markup Language)
d. KMZ (compressed Keyhole Markup Language)
The standard geo searches that Splunk ships with for the choropleth maps is:
- geo_us_states (which for what country?)
- geo_countries (which is for ____)
and
…| geom [featureCollection] [featureIdField=string]
(Note: No answer needed for this one)
United States
countries of the world
With gauge visualizations, you can make adjustments to color by using UI or the ____ command.
gauge
____ layout displays multiple gauges when using a by clause in the stats command.
trellis
With the timechart command, you can add a _____ and a trend. A ____ is an inline chart and is designed to display time-based trends associated with the primary key.
(Note: Same answer for both)
sparkline
The ____ command is used to compute the sum of all or selected columns, and place the total in the last row and last column.
a. top
b. stats
c. chart
d. addtotals
e. timechart
f. iplocation
g. geostats
d. addtotals
When using the add totals command, ___=t counts the fields in each row under a column named, while ____=t counts the fields in each row in a row named.
row=t
column=t
The trendline command provides three trend types. Select all that apply.
a. tma (time)
b. sma (simple)
c. ema (exponential)
d. wma (weighted)
b. sma (simple)
c. ema (exponential)
d. wma (weighted)
By default, the iplocation command adds fields to the results. Select all that apply.
a. City
b. lon
c. pid
d. Region
b. lon
When using the addtotals command, the labelfield argument is valid only when _______.
a. col=true
b. row=true
c. fieldname=f
a. col=true
This command calculates an expression and puts the resulting value into a new field. For instance if a user creates the following search string:
… | eval velocity=distance/time
The resulting table would have the value for distance in one column, the value for time in another column and the eval velocity column would be the result of the # for distance divided by the number for time.
eval command
When using the eval command, expressions must be separated by what character?
a. >=
b. ,
c. !=
b. ,
The ____ command allows you to:
Calculate expressions
Place the results in a field
Use that field in searches or other expressions
eval
When using the eval command, the ____ function sets the value of a field to the number of decimals you specify. (ie. one number after the decimal, two numbers after the decimal, etc.)
round
Which type of eval command is represented by the following operators?
+ - * / %
a. Boolean
b. Comparison
c. Arithmetic
d. Concatenation
Arithmetic
Which type of eval command is represented by the following operators?
NOT AND OR XOR
a. Boolean
b. Comparison
c. Arithmetic
d. Concatenation
a. Boolean
Which type of eval command is represented by the following operators?
< > <= >= != = LIKE
a. Boolean
b. Comparison
c. Arithmetic
d. Concatenation
b. Comparison
Which type of eval command is represented by the following operators?
+ .
a. Boolean
b. Comparison
c. Arithmetic
d. Concatenation
d. Concatenation
When using the eval command, and the round function for results, If the number of decimals is unspecified, what is the result?
a whole number
When using the eval command, the ____ function converts a numeric field value to a string.
tostring
When using the eval command and tostring function, there are 3 options that you can use to format the numbers in the table that is created:
a. _____ which apply commas to the numbers
b. _____ which format the numbers as hh:mm:ss
c. _____ which formats the number in a hexadecimal
Place the following terms in the correct blank:
“duration,” “commas,” “hex”
a. commas
b. duration
c. hex
Which eval command function is described below?
- takes three arguments
- the first argument, X, is a boolean expression
- if argument X evaluates to TRUE, the result evaluates to the second argument, Y
- if argument X evaluates to FALSE, the result evaluates to the third argument, Z
“if” function
When using the eval command “if” function, non numeric values must be enclosed in _______.
Are field values case sensitive when using this function, or case insensitive?
double quotes
case sensitive
The eval command ____ function works similar to that of the “if” function. However, rather than the first argument being X, it’s X1. The following arguments are Y1, X2, Y2, etc.
Also, if none of the boolean expressions are true, the result evaluates to NULL.
case
If none of the boolean expressions were true using the eval command “case” function, what would the result be?
NULL
Identify the functions used in both search strings:
Search string #1:
index=network sourcetype=cisco_wsa_squid | eval Risk = case(x_wbrs_score >= 5,"1 Very Safe", x_wbrs_score >= 3,"2 Safe", x_wbrs_score >= 0,"3 Neutral", x_wbrs_score >= -5,"4 Dangerous", x_wbrs_score < -5, "5 Very Dangerous")
Search string #2
index=sales sourcetype=vendor_sales
| eval SalesTerritory =
if ((VendorID >= 7000 AND VendorID < 8000), “Asia”, “Rest of the World”)
- case function
2. if function
The _____ command calculates an expression and puts the resulting value into a search results field.
eval
Unlike the eval “command” (which calculates an expression and puts the resulting value into a search results field), the eval “____” counts the number of events that have a specific field value.
What function must be used along with the eval “____”?
Note: Same answers for the blank spaces.
function count
True or False. Field values ARE case sensitive when using the eval “FUNCTION.”
True
Which command is described below? The “search” command, or the “where” command?
- Can be used at any point in the search pipeline
- Allows searching on keywords
- Treats field values in a “case insensitive” manner
search
Is the “search” command, or the “where” command being described below?
- Functions are available, such as isnotnull()
- Can’t appear before first pipe in search pipeline
- Can’t filter with keywords
- Treats field values in a “case-sensitive” manner
- Can compare values from two different fields
where
Which command is used here? Also describe what is happening?
source=job_listings | where salary > industry_average
“where” command
retrieves jobs listings and discards those whose salary is not greater than the industry average
When using the “like” operator with the “where” command, you must use (_) for __ character and
(%) for _____ characters.
Note: The blank spaces should be filled with quantities (i.e. one, a couple, multiple)
one
multiple
What where command operator is being used in the following search string?
index=security sourcetype=linux_secure
| where like (user,”adm%”)
| dedup user
| table user
like
When using the “where” command, use _____ to find events with an empty value for a specific field, and ____ to find events that contain a non-empty value for a particular field. On the other hand, _____ should be used to replace null values in fields.
a. fillnull
b. isnull
c. isnotnull
b. isnull
c. isnotnull
a. fillnull
Create a new field called velocity in each event. Calculate the velocity by dividing the values in the distance field by the values in the time field.
a. |eval {velocity} = Value, distance OVER time
b. |eval velocity=distance/time
c. |eval velocity=split(distance,time)
b. |eval velocity=distance/time
If you use the following eval command with the round() function, select a possible result:
|eval bandwidth
= round(Bytes/pow(1024,2), 2)
a. 28
b. 124.032
c. 273.02
c. 273.02
The eval command supports comparison and conditional functions. Select all that apply.
a. case (X1,”Y1”,X2,”Y2”,…)
b. if (X,Y,Z)
c. like (TEXT,PATTERN)
d. tostring(X,Y)
a. case (X1,”Y1”,X2,”Y2”,…)
b. if (X,Y,Z)
If you want to use the fillnull command and show a specific text, which syntax would be correct?
a. | fillnull value=”nada”
b. | fillnull NULL=nada
c. | fillnull 0 as nada
a. | fillnull value=”nada”
The ____ command groups related events that meet various constraints. The events are grouped into ____, which are collections of events, possibly from multiple sources.
Note: Same answer for both blank spaces.
transaction
The following are common ____ that are used when the transaction command is used:
maxspan
maxpause
startswith
endswith
constraints
What command would you use at any point in the search pipeline to filter the transactions created by the transaction command?
search command
The transaction command produces two fields:
- ____: difference between the timestamps for the first and last events in the transaction.
- ____: number of events in the transaction.
duration
eventcount
When using the transaction command, you can define a max overall time span and max gap between events.
Which definition describes maxspan, and which describes maxpause?
_____ is the maximum total time between events
_____ is the maximum total time between the
earliest and latest events
maxpause
maxspan
What would the following indicate in an event where the transaction command is used?
maxspan=5m
The maximum total time between the first and last event of all of the transactions combined should be no more than 5 minutes.
To form transactions based on terms, field values, or evaluations, use ____ and ___ options. For example, if you were determining how long it took for customers to complete a purchase online over the last 24 hours you might want the FIRST event in your transactions to include “addtocart” and the LAST event to include “purchase.”
startswith
endswith
_____ can be useful when a single event does not provide enough information.
transactions
True or False. You can use statistics and transforming commands with transactions.
True
When you have a choice, would you use the transaction or stats command? Why?
stats
it’s more efficient
Which of the following definitions describe the stats command? Which definition describes the transaction command?
The ____ command when you:
• Need to see events correlated together
• Must define event grouping based on start/end values or segment on time
The ____ command when you:
• Want to see the results of a calculation
• Can group events based on a field value (e.g., by src_ip)
transaction
stats
There is a limit of ____ events when using the ____ command. However there is no limit when using the ____ command.
Note:
first blank: #
second and third blanks: pick transaction or stats
1,000
transaction
stats
What’s the maximum number of events that can be grouped per transaction?
a. 100 events
b. 1,000 events
c. 10,000 events
b. 1,000 events
What are the options that can be used to constrain transactions? Select all that apply.
a. startswith
b. endswith
c. maxspan
d. maxpause
c. maxspan
d. maxpause
Which fields are created by the transaction command? Select all that apply.
a. duration
b. memcontrol
c. eventcount
d. txn_definitions
a. duration
c. eventcount
What are tools you use to discover and analyze various aspects of your data?
knowledge objects
Data interpretation, data classification, data enrichment, normalization and data sets are all different types of what?
knowledge objects
Which knowledge object deals with fields and field extractions?
a. data classification
b. data sets
c. data interpretation
d. data enrichment
c. data interpretation
Which knowledge object deals with event types?
a. data classification
b. data sets
c. data interpretation
d. data enrichment
a. data classification
This type of knowledge object consists of lookups and workflow actions.
a. data classification
b. data sets
c. data interpretation
d. data enrichment
d. data enrichment
This type of knowledge object deals with tags and field aliases.
a. data classification
b. data sets
c. data interpretation
d. data enrichment
e. normalization
e. normalization
This type of knowledge object contains data models.
a. data classification
b. data sets
c. data interpretation
d. data enrichment
e. normalization
b. data sets
____ ___ are also persistent objects that can be used by multiple people or apps, such as macros and reports.
knowledge objects
A Knowledge Object Manager could be any of the 3 Splunk roles, but a person usually has to at least be a ______.
a. user
b. admin
c. power user
c. power user
Select all knowledge objects.
a. lookups
b. field aliases
c. users
d. workflow actions
a. lookups
b. field aliases
d. workflow actions
Splunk knowledge objects are persistent objects that can be used by multiple ________. Select all that apply.
a. users
b. apps
c. searches
a. users
b. apps
Search-time operations are always applied in the same order when generating knowledge objects. Use the following information to put search time operation in the correct order.
a. Lookups
b. Calculated fields
c. Tags
d. Extractions
e. Field aliases
f. Event types
d. Extractions
e. Field aliases
b. Calculated fields
a. Lookups
f. Event types
c. Tags
Field aliases are applied after __________, before ___________. Select all that apply.
a. lookups, field extractions
b. field extractions, lookups
c. field extractions, tags
b. field extractions, lookups
c. field extractions, tags
Prior to search time in Splunk, some fields are already stored with the event in the index. ____ fields, such as host, source, and sourcetype, and ____ fields such as _time and _raw are those fields. However at search time, ____ _____extracts fields from raw event data,
including those directly related to the search’s results. Use the following answers to fill in the blanks.
a. internal
b. field discovery
c. meta
c. meta
a. internal
b. field discovery
In addition to the many fields Splunk auto-extracts, you can also extract your own fields with the ____ ____.(FX)
Field Extractor
You can use ___ __ to extract fields that are static and that you use often in searches.
Field Extractor
You can extract fields in FX from events using ____ and ____.
regex, delimiter
The are two extraction methods in Splunk. The first, ____ is used when your event contains unstructured data like a system log file. The second, ____ is used when your event contains structured data like a .csv file.
regex, delimiter
You would use _____ field extractions when a consistently structured log has values that are separated by spaces, commas, or characters.
delimited
Use _________ field extractions when fields are separated by spaces, commas, or characters.
a. delimited
b. regex
c. rename
a. delimited
There are three ways to get to the Field Extractor (FX). Select all that apply.
a. Event Actions menu
b. Fields sidebar
c. Settings menu
d. Auto-Extract Fields Workflow
a. Event Actions menu
b. Fields sidebar
c. Settings menu
Use ___ ____ to extract fields that are static and that you use often in searches including:
- Graphical UI
- Extract fields from events using regex or delimiter
- Extracted fields persist as knowledge objects
- Can be shared and re-used in multiple searches
Field Extractor
When using regex for field extraction, what’s the first thing you have to do in the Field Extractor?
a. Select a value to extract
b. Provide a Field Name
c. Edit the regular expression
d. Set the Extractions Name
a. Select a value to extract
____ ___ are a way to associate an additional (new) name with an existing field name, like a nickname (possibly for normalization purposes), and are evaluated by the “search parser” after field extractions, before ____.
field aliases
lookups
Many source types contain some type of user name. In order to make data correlation and searching easier, you can normalize the username field by using a ____ ____.
field alias
Put the following steps for creating a field alias in Splunk in sequential order:
a. Fields
b. New Field Alias
c. Settings
d. Field Aliases
c. Settings
a. Fields
d. Field Aliases
b. New Field Alias
True or False. A new field alias is required for each sourcetype.
True
True or False. When you create a field alias, the original field IS affected.
False. The original field is not affected.
True or False. When you create a field alias, both fields appear in the all fields and Interesting Fields lists, if they appear in at least 20% of events.
True
When you create a field alias, both fields appear in the all fields and Interesting Fields lists, if they appear in at least ____% of events.
20%
After you have defined your field aliases, you can reference them in a ____ table.
lookup
____ fields are shortcuts for performing repetitive, long, or complex transformations using the eval command. ____ fields must be based on an extracted field.
Note: Answer for both blanks are the same.
calculated
When you create a field alias, the default behavior is that the original field is:
a. overwritten
b. not affected
c. cached
b. not affected
When you create a calculated field, the field in the expression must be __________.
a. an extracted field
b. a lookup table
c. field/column generated from within
a. an extracted field
____ fields reference field aliases. ___ ____ are created to rename an existing field extraction.
calculated fields, field aliases
Can you, or can’t you do the following?
- Create a field alias that references a calculated field
- Create a calculated field that references a field added through a lookup operation
you CAN’T
A ___ is a knowledge object that enables you to search for events that contain specific field/value combinations. They are like labels that you create for field/value pairs, and make your data more understandable and less ambiguous.
tag
Are tags case sensitive or case insensitive?
case sensitive
To search for a tag associated with a value you would type:
a. =
b. Use (*) wildcard
c. tag=
c. tag=
To search for a tag associated with a value on a specific field you would type:
a. tag::=
b. Use (*) wildcard
c. tag=
a. tag::=
To search for a tag using a partial field value you would:
a. =
b. Use (*) wildcard
c. tag=
b. Use (*) wildcard
In order to manage tags (such as edit permissions and disable all tags for pairs) you would use the _____ ___ ____ ___ ____ menu.
Note: Answer contains 5 words.
List by Field Value Pair
How would you change a tag name?
a. by editing permissions
b. by first clicking on the field value pair
c. by typing “tag=”
b. by first clicking on the field value pair
An ___ type is a method of categorizing events based on a search.
event
Can event types be tagged?
Yes, to group similar type of events
What do you use to create event types?
Event Type Builder
These are the two ways that you can ____ event types:
- Settings > Event types
- Event details > Actions
tag
___ ____categorize events based on a search string.
Event types
If you tag the field value of your home office’s IP address as ‘homeoffice’, what events are returned when you search for tag=homeoffice?
a. events with that IP address
b. events from _internal
c. field lookup table
a. events with that IP address
To search for a tag associated with a value on a specific field, select the correct search string.
a. tag::user=privileged
b. tag=user==privileged
c. tag=user::privileged
a. tag::user=privileged
Which of the following are ways you can create an event type. Select all that apply.
a. Settings > Event types
b. Run a search, and save as Event Type
c. From event details, select Event Actions > Build Event Type
b. Run a search, and save as Event Type
_____ are useful when you frequently run searches or reports with similar search syntax, and can be a full search string or a portion of a search that can be reused in multiple places.
macros
In order to use a basic macro, you need to do the following:
- Type the macro name into the search bar
- Surround the macro name with the ______ (or grave accent) character… NOT single quotes
backtick
monthly_sales(3)
The Splunker that typed the above is trying to add an argument to a macro. What have they done first in order to get the process started?
added the number of arguments in parentheses after the macro name
Within a search, macro _____ should look like the following examples:
$currency$
(which would be the argument for currency)
$symbol$
(which would be the argument for symbol)
$rate$
(which would be the argument for rate)
arguments
When using a macro with arguments, you have to include the argument(s) in _____ following the macro name and list them in the EXACT SAME order that you listed them when creating the macro.
parentheses
When working with macros, the time range is _____________.
a. Always set to Last 24 hours
b. Selected at search time
c. Always set to All time
b. Selected at search time
When adding arguments to a macro, include the number of arguments in _____________.
a. Parentheses after the macro name
b. Parentheses before the macro name
c. Dollar signs within the search definition
a. Parentheses after the macro name
Surround the macro name with the _______ when executing a macro.
a. Dollar signs
b. Backtick character
c. Single quote character
b. Backtick character
You can execute ____ ____ from an event or field in your search results to interact with external resources or run another search.
workflow actions
______ workflow actions retrieve information from an external resource.
a. POST
b. GET
c. Search
a. GET
______ workflow actions send field values to an external resource.
a. POST
b. GET
c. Search
a. POST
______ workflow actions use field values to perform a secondary search.
a. POST
b. GET
c. Search
c. Search
Do GET workflow actions have spaces or special characters?
No
In order to create GET and POST workflow actions, you have to enter the _____ (this is an acronym) for where the user will be directed. What does the acronym stand for?
URI (Uniform Resource Identifier)
To perform a secondary search, use a _______ workflow action.
a. Search
b. POST
c. GET
a. Search
Which workflow actions require you to specify if the behavior should open in a new window or current window? Select all that apply.
a. Search
b. POST
c. GET
a. Search
b. POST
c. GET
_____ is used for creating dashboards, and its reports are based on datasets.
Pivot
Hierarchically structured datasets used in Pivot that contain searches and fields are called _____ _____ (two words). Each event, search, or transaction is saved as a separate ______ (one word).
data models
data set
The following are the 3 types of ____ that a data model can consist of.
Events
Searches
Transactions
datasets
Which type of dataset contains constraints and fields?
a. Events
b. Transactions
c. Searches
a. Events
_____ in “event” datasets are essentially a search broken down into a hierarchy. ____ are associated with the events.
constraints
fields
Dataset fields are inherited from ____ ____.
a. data models
b. parent objects
c. root events
a. parent objects
The inherited attributes in the root event of a data model are called _____ fields.
default
You can add fields to a dataset through the auto-extracted menu, eval expression, lookup, regular expression and Geo IP. Which of the following is described below?
can be default fields or manually extracted fields…
a. lookup
b. auto-extracted
c. Geo IP
d. regular expression
e. eval expression
b. auto-extracted
Which method of adding fields to a data set is described below?
leverage an existing lookup table…
a. lookup
b. auto-extracted
c. Geo IP
d. regular expression
e. eval expression
a. lookup
Which method of adding fields to a data set is described below?
add geographical fields such as latitude/longitude, country, etc. …
a. lookup
b. auto-extracted
c. Geo IP
d. regular expression
e. eval expression
c. Geo IP
Which method of adding fields to a data set is described below?
a new field based on an expression that you define…
a. lookup
b. auto-extracted
c. Geo IP
d. regular expression
e. eval expression
e. eval expression
Which method of adding fields to a data set is described below?
extract a new field based on regex…
a. lookup
b. auto-extracted
c. Geo IP
d. regular expression
e. eval expression
d. regular expression
This tool in the Splunk platform allows you to examine the overall stats of your search, examine how your search was processed and see where Splunk spent its time. You can use this tool to troubleshoot a search’s performance and understand impact of knowledge objects on processing.
Search Job Inspector Tool
The 3 components of the Search Job Inspector tool are (select all that apply):
a. Header
b. Field Name
c. Execution costs
d. Search job properties
e. Tags
a. Header
c. Execution cost
d. Search job properties
This component of the Job Search Inspector tool in Splunk provides basic information, including time to run and # of events scanned.
Header
This component of the Job Search Inspector tool provides details on cost to retrieve results, such as:
command. search.index
command. search.filter
command. search.rawdata
Execution Costs
The chart and timechart commands automatically filter results to include how many of the highest values?
a. fifteen
b. ten
c. five
b. ten
After the chart and timechart commands automatically filter results to include the ten highest values, surplus values are grouped into…
a. other
b. null
c. not
a. other
A ____ allows you to overlay a computed moving average on a chart. An example of one of these are stock market visualizations.
trendline
____ reports are used for creating reports and dashboards. They are also based on datasets.
Pivot
___ ____ are hierarchically structured datasets containing searches and fields. Each event, search, or transaction is saved as a separate dataset.
data models
A data model can consist of 3 types of datasets. Select answers from below.
a. events
b. field values
c. searches
d. field names
e. lookups
f. transactions
a. events
c. searches
f. transactions
Which type of dataset that’s used in Pivot contain constraints and fields?
a. events
b. field values
c. searches
d. field names
e. lookups
f. transactions
a. events
In data models events, ____ are search terms used to further narrow your search, while fields are associated with the events.
constraints
You can add more fields when creating a data model. There are four types of fields that you can add. Read the descriptions below and match the fields below with the correct description.
- a new field based on an expression that you define
- geographical fields such as latitude/longitude, country, etc.
- default fields or manually extracted fields
- a new field based on regex
- leverage an existing lookup table
a. Auto-Extracted
b. Eval Expression
c. Lookup
d. Regular Expression
e. Geo IP
b. Eval Expression
e. Geo IP
a. Auto-Extracted
d. Regular Expression
c. Lookup
Which type of Pivot dataset defines a dataset based on a search that includes transforming commands?
a. event
b. field value
c. search
d. field name
e. lookup
f. transaction
c. search
Which type of Pivot dataset defines a dataset based on a transaction?
a. event
b. field value
c. search
d. field name
e. lookup
f. transaction
f. transaction
A ___ event dataset represents a set of data that is defined by a constraint: a simple search that filters out events that aren’t relevant to the dataset.
root
____ views allows you to create table datasets without using SPL.
table
The Splunk ______ _____ _____ (CIM) provides a methodology to normalize data
Common Information Model
____ is leveraged when creating field extractions, field aliases, event types, and tags to ensure:
- Multiple apps can co-exist on a single Splunk deployment
- Object permissions can be set to global for the use of multiple apps
- Easier and more efficient correlation of data from different sources and source types
CIM (Common Information Model)
True or False. If other apps in a Splunk environment are CIM compliant, then data is normalized across apps, making it easier to search for similar data.
True
True or False. If other apps in a Splunk environment are NOT CIM compliant, then field aliases, tags, and event types can be used to normalize data
True
The Splunk CIM Add-on has a set of ___ pre-configured data models.
Note: Answer is a number
26
The ____ should be leveraged so that knowledge objects in multiple apps can co-exist on a single Splunk deployment.
CIM or Common Information Model
What commands can be used to retrieve data from a specified data model dataset? Choose the answers below.
a. fields
b. transforming
c. from
d. datamodel
c. from
d. datamodel
The CIM ___ and ___ commands are generating commands, meaning that they have to be the first command in the pipeline.
a. fields
b. transforming
c. from
d. datamodel
c. from
d. datamodel
The Common Information Model ____ command retrieves data from a named dataset, saved search, report or lookup file.
a. from
b. datamodel
a. from
The Common Information Model ____ command allows users to examine data models and search data model datasets.
a. from
b. datamodel
b. datamodel
Select the available ways you can validate against a data model. Select all that apply.
a. | datamodel
b. Pivot
c. | transaction
d. Workflow actions
a. | datamodel
What are the primary knowledge objects the CIM includes or relies upon? Select all that apply.
a. data models
b. field aliases and tags
c. event types
d. field extractions
b. field aliases and tags
c. event types
d. field extractions
A data model can consist of the following three types of datasets. Select all that apply.
a. events
b. searches
c. Pivot reports
d. transactions
a. events
b. searches
d. transactions
To add a Root Event Dataset, what field is required to be manually added?
a. Dataset Name
b. Dataset ID
c. Duration maxpause maxspan
c. Duration maxpause maxspan
- Data models contain the following. Select all that apply.
a. inherited and extracted fields
b. constraints
c. event object hierarchy
b. constraints
c. event object hierarchy
The transaction command produces additional fields such as:
_____ which is the difference between the timestamps for the first and last event in a transaction
and
_____ which is the number of events in a transaction
a. time
b. duration
c. evencount
d. field
b. duration
c. evencount
What command creates a single correlated event from a group of events based on the same field value?
transaction command
