Splunk Fundamentals 2

Question 1

Knowledge Objects

Answer 1

Tools to discover and analyse various aspects of the data

Question 2

Some functions of knowledge objects

Answer 2

1. Data interpretation: fields and field extraction
2. Data classification: event types
3. Data enrichment: lookups and workflow action
4. Normalization: tags and field aliases
5. Datasets: data models

Question 3

Characteristics of Knowledge Objects

Answer 3

1. Shareable
2. Reusable (i.e. macros and reports can be shared by ppl, apps)
3. Searchable (persistent => can be used in search)

Question 4

Naming Convention for Knowledge Objects

Answer 4

Group_ObjectType_Description

Question 5

Common Information Model (CIM)

Answer 5

1. methodology for normalizing data
2. easily correlate data from different sources and source types
3. leverage to create various objects discussed in this course - field extractions, field aliases, event types, tags

Question 6

Fields stored prior to search time

Answer 6

1. meta fields: host, source, sourcetype

2. internal fields: _raw, _time

Question 7

Field Auto-Extraction

Answer 7

1. Splunk automatically discovers many fields based on source type and key/value pairs found in the data
2. At search time, field discovery discovers fields directly related to the search’s results
3. Splunk may discover other fields not directly related to search

Question 8

Use field extractor (FX) to extract fields that are:

Answer 8

1. static
2. often used in searches:
   
   • Graphical UI
   • Extract fields from events using reges or delimiter
   • Extracted fields persist as knowledge objects
   • Can be shared and re-used in multiple searches

Question 9

Field Extraction Methods

Answer 9

1. Regex

2. Delimiter

Question 10

Field Aliases and Original Fields

Answer 10

1. original field is not affected by creating an alias

2. both fields appear in the All Fields and Interesting Fields lists (if appear in more than 20% of events)

Question 11

Search Case Sensitivity: Sensitive

Answer 11

1. boolean operators
2. field names
3. field values from lookup (default, configurable)
4. regular expressions
5. eval and where commands
6. Tags

Question 12

Search Case Sensitivity: Insensible

Answer 12

1. command names (Stats, stats)
2. command clauses (AS vs as)
3. search terms
4. statistical functions
5. field values (unless from lookup)

Question 13

Splunk Search Buckets

Answer 13

1. index’s hot bucket = only writable bucket
2. each bucket has own raw data, metadata, index files
3. admins can add more
4. search is done through time and indexes
5. buckets transform from hot (now -8h) to warm (-9h to -48h) and cold state

Question 14

General search practices

Answer 14

1. time is the most efficient filter
2. most powerful keywords are host, source and source type
3. use fields commands to extract (discover) only fields you need
4. only trailing wildcards make efficient use of index
   
   • wildcards are tested after all other terms
5. inclusion is better than exclusion
6. filter as early as possible (i.e. remove duplicates)
7. use appropriate search mode

Question 15

Transforming commands

Answer 15

1. it is required to ‘transform’ search results into visualisations
2. massages raw data into a data table
3. examples of transforming commands:
   
   • top
   • rare
   • chart
   • timechart
   • stats
   • geostats

Question 16

Fast search mode

Answer 16

1. returns only essential and required data
2. content of interesting fields sidebar are lost
3. for non-transforming searches:
   + events, patterns
   
   • statistics, visualisations
4. for transforming searches
   
   • events, patterns
     + statistics, visualisations

Question 17

Smart search mode

Answer 17

1. default
2. combines fast and verbose modes
3. for non-transforming searches (verbose)
   + events, patterns
   
   • statistics, visualisations
4. for transforming searches
   
   • events, patterns
     + statistics or visualisations

Question 18

Verbose search mode

Answer 18

1. emphasises completeness by returning all possible fields and events data
2. much slower than other modes
3. for non-transforming searches
   + events (fields sidebar displays all fields), patterns
   
   • statistics, visualisation
4. for transforming searches
   + events, patterns, statistics, visualisations

Question 19

Types of Searches

Answer 19

1. Dense (CPU bound)
2. Sparse (CPU bound)
3. Super Sparse (I/O bound)
   
   • a small number of results from each index bucket matching the search
4. Rare (I/O bound)
   
   • bloom filter eliminates the buckets that do not include search results

Question 20

Search Job Inspector allows to examine:

Answer 20

1. overall search statistics
2. how search was processed
3. wheres plunk spent its time

=> troubleshoot issues, see impact of knowledge objects on performance

Question 21

Search Job Inspector Components

Answer 21

1. Header (basic info: time to run, #events scanned)
2. Execution costs
3. Search job properties

Question 22

Search Job Inspector Components

Answer 22

1. Header (basic info: time to run, #events scanned)
2. Execution costs
3. Search job properties