Splunk Power User 1002

Question 1

Search Terms are not Case Sensitive? T or F

Answer 1

True

Question 2

Command names are not Case Sensitive? T or F

Answer 2

True

Question 3

Clauses and Functions are not case sensitive? T or F

Answer 3

True

Question 4

If a command references a specific value, that value (Is / Is Not) case sensitive?

Answer 4

IS

Question 5

What values from lookup tables ARE case-sensitive by default?

Answer 5

Field. Users with Admin Roles can set field values to not be case sensitive.

Question 6

Booleans ARE Case Sensitive. T or F

Answer 6

True

Question 7

Tag Values ARE case sensitive. T or F

Answer 7

True

Question 8

Buckets have directories containing sets of:

Answer 8

Raw Data and indexing data

Question 9

Buckets have configurable what set by admin users?

Answer 9

max size & max time span

Question 10

What are the 3 searchable buckets in Splunk?

Answer 10

Hot, Warm, and Cold

Question 11

When are “Hot” buckets rolled into “warm” buckets?

Answer 11

when it reaches max size, max time span, or indexer is restarted

Question 12

When Splunk search is run, Splunk uses what on bucket directories to determine if it needs to open the bucket, uncompress raw data, and search content inside?

Answer 12

Timestamps

Question 13

Wildcards are tested after all other search terms. T or F

Answer 13

True

Question 14

Only ____ wildcards make efficient use of index

Answer 14

trailing

Question 15

What happens when there is a wildcard at the beginning of a string?

Answer 15

Splunk searches all events in that time frame.

Question 16

Wildcards ______ of string can cause inconsistent results

Answer 16

in the middle

Question 17

Should you use wildcards to match punctuation?

Answer 17

No

Question 18

What are the 3 search modes in Splunk?

Answer 18

Fast, Smart, and Verbose

Question 19

As events are stored by time, what is the most efficient filter?

Answer 19

Time

Question 20

After time, the default fields for _______ are most powerful.

Answer 20

index, source, host, and sourcetype.
o These fields are extracted at index time and do not need to be extracted for each search
o Use these fields to filter as early as possible in a search so processing is done on a minimum amount of data

Question 21

Use _____ command to extract only the fields you will need for your search

Answer 21

“fields”

Question 22

When should you apply filtering commands?

Answer 22

As early as possible

Question 23

Helps determine which phase of a search is taking up the most time

Answer 23

Search Job Inspector

Question 24

Search Job Inspector dissects the behavior of searches to help understand execution costs of ____ within a search.

Answer 24

knowledge objects, search commands, & other components

Question 25

Any search job that has not expired can be inspected. T or F

Answer 25

True

Question 26

Open job inspector by:

Answer 26

running a search, clicking “Job” dropdown menu, and then “Inspect Job”

Question 27

The _______ component displays the time Splunk took when searching the index for the location of the raw data files

Answer 27

“Command Search Index”

Question 28

The ______ component displays time Splunk took to filter out events that did not match

Answer 28

“Command Search Filter”

Question 29

The ______ component is the time it took to read the events from the raw data files

Answer 29

“Command Search Raw Data”

Question 30

Where do you find the “Search Job Properties” tab?

Answer 30

Under “Execution Costs”

Question 31

Any search that returns ______ can be viewed as a chart

Answer 31

statistical values

Question 32

Most visualizations require results structured as tables with at least __ columns

Answer 32

2

Question 33

Looking at Statistics tab, if you see 2 columns, what values do the first column represent and what do the second column values represent?

Answer 33

First column = x-axis values

Second Column = y-axis values

Question 34

Any stats function can be applied to the chart command. T or F

Answer 34

True

Question 35

y-axis should always be numeric so that it can be charted. T or F

Answer 35

True

Question 36

can remove NULL values by adding argument ______ to chart command

Answer 36

“usenull=f”

Question 37

can remove OTHER column by adding argument ______

Answer 37

“usenull=f”

Question 38

What do you use to show all of the plotted series?

Answer 38

limit=0

Question 39

Performs stats aggregations against time

Answer 39

Timechart Command

Question 40

_____ is always the x axis

Answer 40

Time

Question 41

Timechart Command can split data with a ______ clause

Answer 41

“by”

Question 42

Any stats function can be applied to timechart command. T or F

Answer 42

True

Question 43

Only one value can be specified after the “by” modifier. T or F

Answer 43

True

Question 44

Timechart command intelligently clusters data in time intervals dependent on ______.

Answer 44

time range selected

Question 45

To change the span of the time of the cluster, you can use the ______ argument.

Answer 45

“span”

Question 46

What command compares data over specific time periods?

Answer 46

Timewrap

Question 47

To use timewrap command, we specify a period of time from the results of the:

Answer 47

timechart command

Question 48

In a Line Graph, you can zoom in by clicking and dragging over a time period? T or F

Answer 48

True

Question 49

Chart Overlay will allow you to lay a line chart of one series of data over another visualization. T or F

Answer 49

True

Question 50

Area chart gives ability to show the data stacked. T or F

Answer 50

True

Question 51

Can zoom into sections of the graph by clicking and dragging

Answer 51

Column chart

Question 52

Uses horizontal bars to show comparisons, and can be stacked

Answer 52

Bar Graph

Question 53

Takes the data and visualizes the percentage for each slice and can drill down to the events for a slice by clicking on the slice

Answer 53

Pie Chart

Question 54

Shows the relationship between two discrete data values plotted on an x- and y-axis and is useful for values that do not occur at regular intervals or belong to a series

Answer 54

Scatter Chart

Question 55

Provides a visual way to view a third dimension of data.
Each chart plots against 2-dimensions on the x and y axes and the size represents the value for the 3rd dimension. 3rd field in the table command will determine the size of the bubbles in our chart.

Answer 55

Bubble Chart

Question 56

Trellis layout link allows us to split our visualizations by a selected field or aggregation. It has multiple visualizations, but originating search is only run ONCE. T or F

Answer 56

True

Question 57

Can Transforming commands be used with visualizations?

Answer 57

yes

Question 58

Top/rare – counts the frequency of fields. T or F

Answer 58

True

Question 59

Calculates statistics between two or more fields when you do not need the data to be time-based

Answer 59

Stats

Question 60

Calculates statistics with an arbitrary field as your x-axis that is not time

Answer 60

Chart

Question 61

Calculates statistics with time as the x-axis

Answer 61

Timechart

Question 62

Plots geographic coordinates as interactive markers on a world map

Answer 62

Marker Maps

Question 63

Uses shading to show relative metrics for predefined geographic regions

Answer 63

Choropleth

Question 64

Lookup and add location information to events. Data such as city, country, region, latitude, and longitude can be added to events that include external IP addresses

Answer 64

iplocation

Question 65

Aggregates geographical data for use on a map visualization and uses the same functions as the stats command

Answer 65

Geostats Command

Question 66

The Geostats command only accepts ___ “by” argument or arguments

Answer 66

1

Question 67

To control column count, what argument can be used?

Answer 67

“globallimit”

Question 68

Geostats can be used with iplocation. T or F

Answer 68

True

Question 69

View data as a geographical location, uses shading to show relative metrics over predefined locations of a map

Answer 69

Choropleth Maps

Question 70

To use choropleth you will need a ______ file that defines region boundaries

Answer 70

KMZ (Keyhold Markup Language) (.kml)

Question 71

Used to prepare our events for use in a choropleth and

adds a field that includes geographical data structures that match polygons on our map

Answer 71

Geom Command

geom featureIdField=, or
sourcetype=crime_data cc=USA | lookup geo_us_states latitude, longitude | stats count by featureId | geom

Question 72

2 different types of visualizations you can use to display

Answer 72

Single Value, Gauges

Question 73

What computes moving averages of field values?

Answer 73

Trendline command

Question 74

What 3 arguments are required in a Trendline command?

Answer 74

trendtype, time period, field

Question 75

What options does the Field Format give you?

Answer 75

o Wrap results
o Show row numbers
o Change click selection from cell to row
o Add a data overlay – can be a heat map of values or highlight the high and low values in the table

Question 76

Computes the sum of all numeric fields for each event/row and create a total column

Answer 76

Addtotals Command

Question 77

Used to calculate and manipulate field values

Answer 77

Eval Command

Question 78

Arithmetic, concatenation, and Booleans are supported by the Eval command. T or F

Answer 78

True

Question 79

In the Eval Command, newly created field values are case-sensitive. T or F

Answer 79

True

Question 80

Converts numerical values to strings so that they can be joined with other strings

Answer 80

Tostring Function. After using tostring, fields may not sort numerically because the field values are now ASCII values

Question 81

Can be used if you want to format values without changing characteristics of underlying values

Answer 81

Fieldformat

Question 82

Allows you to evaluate arguments and create values depending on the results

Answer 82

Eval command IF Function.
• takes 3 arguments [ “if(x, y, z)” ]
o x – a Boolean expression
o y – used if Boolean expression evaluates to true
o z – used if Boolean expression evaluates to false
o y & z must be in double quotes if not numerical

Question 83

Can be used to filter results at any time in the search and allows you to use search terms further down the pipeline

Answer 83

Search Command

Question 84

A Search command cannot compare values from 2 different fields. T or F

Answer 84

True

Question 85

Filters events to only keep the results that evaluate as true

Answer 85

Where Command

Question 86

Asterisks cannot be used as a wildcard inside eval or where commands. T or F

Answer 86

True

Question 87

What replaces any null values in your events

Answer 87

Fillnull Command

Question 88

Maximum total time between earliest and latest

Answer 88

maxspan

Question 89

maximum total time between events

Answer 89

maxpause

Question 90

Use Transactions when

Answer 90

o You need to see events correlated together

o When events need to be grouped on start and end values

Question 91

Use stats when

Answer 91

o You want to see results of a calculation

o When events need to be grouped on a field value

Question 92

Transaction has a limit of how many events?

Answer 92

1000

Question 93

What is the limit for Stats?

Answer 93

no limit

Question 94

If given a choice between stats and transactions, which should you use?

Answer 94

stats

Question 95

What are tools that help you and your users discover and analyze your data?

Answer 95

Knowledge Objects

Question 96

Knowledge objects are used for:

Answer 96

o	Data interpretation
o	Classification
o	Enrichment
o	Normalization
o	Search time mapping

Question 97

Properties of knowledge objects are that it:

Answer 97

o Can be created by one user and shared with other users based on permission settings
o Can be saved and reused by multiple people or in multiple apps
o Can be used in a search

Question 98

Name 5 types of knowledge objects:

Answer 98

1. data interpretation
2. data classification
3. data enrichment
4. normalization
5. datasets

Question 99

What is the order for common naming convention of objects?

Answer 99

group, type, platform, category, time, and description

Question 100

What are three predefined ways that knowledge objects can be displayed to users?

Answer 100

Private
Specific apps
all apps

Question 101

What does CIM stand for?

Answer 101

Common Information Model

Question 102

The _____ allows you to use a graphical user interface to extract fields that persist as knowledge objects making them reusable in searches

Answer 102

Field Extractor

Question 103

2 different methods the field extractor can use to extract data

Answer 103

o Regular expressions – work well when you have unstructured data and events that you want to extract fields from
o Delimiters – used when your events contain fields separated by a character

Question 104

_____ will display events that do not contain extracted fields

Answer 104

Non-matches

Question 105

After manually editing a regular expression, you cannot go back to the Field Extractor UI. T or F

Answer 105

True

Question 106

Delimiter can be a:

Answer 106

space, comma, tab, other

Question 107

To be able to select a value from an already extracted field, you must open the “Existing Fields” menu, and turn off the highlight for the field that includes the value. T or F

Answer 107

True

Question 108

_____ give you a way to normalize data over any default field.

Answer 108

Field Aliases

Question 109

_____ are applied after field extractions, before lookups.

Answer 109

Field Aliases

Question 110

How do you create a field alias?

Answer 110

“Settings” -> “Fields” -> “Field aliases”

Question 111

Can apply aliases based on?

Answer 111

Sourcetype, source, host

Question 112

Old fields are still available to search? T or F

Answer 112

True

Question 113

Once a field alias is defined, they can be referenced in?

Answer 113

A lookup table

Question 114

What are calculated fields used for?

Answer 114

repetitive, long, and complex eval commands

Question 115

Calculated fields must be based on an extracted field? T or F

Answer 115

True

Question 116

Select destination app and then which sourcetype, source, or host to apply the _____ to.

Answer 116

calculated field

Question 117

Calculated fields must or must not be based on extracted or discovered fields?

Answer 117

MUST

Question 118

Allows you to designate descriptive names for key-value pairs and enables you to search for events that contain particular field values

Answer 118

Tags

Question 119

Are Tag values(names) case sensitive?

Answer 119

Yes

Question 120

What are 3 ways to search for tags?

Answer 120

tag=privileged
tag::user=privileged
tag=p*

Question 121

Allows you to categorize events based on search terms

Answer 121

Event Type

Question 122

What do event types help with?

Answer 122

simplify searches

give quick visual feedback

Question 123

Do event types show up in fields list?

Answer 123

yes

Question 124

What does a word in Blue in a Splunk search mean?

Answer 124

command

Question 125

What does a word in green in a Splunk search mean?

Answer 125

command argument

Question 126

What does a word in pink in a Splunk search mean?

Answer 126

function

Question 127

What does a word in orange in a Splunk search mean?

Answer 127

boolean or keyword modifier

Question 128

What does a word in gray in a Splunk search mean?

Answer 128

inline comment (e.g. ```Plot the count of results over the past 24 hours.``)

Question 129

In which is a time range not included? Event Type or Saved Reports

Answer 129

Event Type

Question 130

Can you share saved reports with other Splunk users?

Answer 130

Yes

Question 131

_____ are search strings, or portions of search strings, that can be reused in multiple places within Splunk

Answer 131

Macros

Question 132

When are Macros useful

Answer 132

frequent searches with complicated search syntax

Question 133

What are 3 features that distinguish macros from other knowledge objects?

Answer 133

Store entire search strings
They are time range independent
Can pass arguments to the search

Question 134

How do you create a macro?

Answer 134

“Settings” > “Advanced Search” > “Search macros”

Question 135

What is the syntax for a macro? (Flip card for reference)

Answer 135

o Ex: “… | convertUSD “

o Need to use backtick character (`)

Question 136

How do you change the definition of a macro to accept an argument?

Answer 136

by adding the name of the argument surrounded by dollar signs ($)
o Required to name the macro with how many arguments it requires [ex: “us_sales(2)” ]
o Ex: “… eval $moolah$ = … “

Question 137

What key combination allows you to preview your search without running it?

Answer 137

CTRL + SHIFT + E

Question 138

What is a collection of hierarchically structured datasets?

Answer 138

Data Model

Question 139

A data model consists of 3 types of datasets. What are they?

Answer 139

Events, Searches, & Transactions

Question 140

Any field can be made available to the data model. T or F

Answer 140

True

Question 141

Data models provide the datasets for what?

Answer 141

Pivots

Question 142

_____ data models cannot be edited.

Answer 142

Accelerated

Question 143

_____ data models cannot be accelerated.

Answer 143

Private

Question 144

How do you add fields?

Answer 144

“Add field” Dropdown

Question 145

What are the fields Splunk extracts from our data? These can be default fields or manually extracted fields.

Answer 145

Auto-Extracted Fields

Question 146

What does selecting the type of data allow us to do?

Answer 146

allows us to decide how the data should be recognized (String, number, Boolean, IP data)

Question 147

What does selecting a flag allow us to do?

Answer 147

allows us to choose what attributes are shown or required

Question 148

What are the four settings for Flags?

Answer 148

Optional
Required
Hidden
Hidden & Required

Question 149

What represents transactions using fields that have already been added to the data model?

Answer 149

Root Transactions

Question 150

Root Transactions do not benefit from data model _____.

Answer 150

acceleration

Question 151

What is the recommended way to use Pivot? UI or Pivot Command

Answer 151

UI

Question 152

What does CIM stand for?

Answer 152

Common Information Model

Question 153

What maps all data to a defined method and normalizes to common language for field values?

Answer 153

CIM

Question 154

Data can be normalized at _____ time or at _____ time using knowledge objects.

Answer 154

Index, search

Question 155

\_\_\_\_\_ should be used for:
o	Field extractions
o	Aliases
o	Event types
o	Tags

Answer 155

CIM schema

Question 156

_____ _____ can be shared globally across all apps.

Answer 156

Knowledge objects

Question 157

_____ is a methodology for normalizing data and can correlate data from different sources.

Answer 157

CIM

Question 158

CIM is an app that can coexist with other apps on a _____ Splunk deployment

Answer 158

Single

Question 159

By default, CIM datasets search across all _____

Answer 159

indexes

Question 160

Where would you download the CIM app?

Answer 160

Splunkbase

Question 161

What are the included data models in the CIM addon?

Answer 161

Alerts, Email, Database

Question 162

CIM data models are/are not accelerated by default?

Answer 162

are not

Question 163

Data model name and dataset name ARE/ARE NOT case-sensitive

Answer 163

Are

Question 164

Fields used in Data Models do not have to be extracted before creating the datasets. T or F

Answer 164

T

Question 165

It is suggested that you name your knowledge objects using _____ segmented keys.

Answer 165

6

Question 166

_____ are knowledge objects that can be scheduled and run a script.

Answer 166

Reports

Question 167

What is the only writeable bucket type?

Answer 167

The hot bucket

Question 168

By what filter are indexes divided into buckets?

Answer 168

By time

Question 169

What are the 4 types of searches in Splunk (by performance)

Answer 169

Dense, Sparse, Super Sparse, Rare

Question 170

In searches, what is the scanCount?

Answer 170

The number of events scanned for that particular search

Question 171

What are the requirement of the underlying search in order to get multi-series table?

Answer 171

The underlying search must use reporting search commands like chart or timechart

Question 172

What are the seven chart types?

Answer 172

Line, Area, Column, Bar, Bubble, Scatter and Pie

Question 173

What is a trait of scatter charts?

Answer 173

Can only show two dimensions. Shows trends in the relationship between discrete data values

Question 174

What is a trait of bubble charts?

Answer 174

Provides a visual way to view a three dimensional series

Question 175

What are two commonly used clauses for chart?

Answer 175

over and by

Question 176

(True/False) Null values are not shown by default by chart and timechart

Answer 176

false

Question 177

What is a workflow action

Answer 177

Execute workflow actions from an event in your search results to interact with external resources or run another search

Question 178

What does the over and by clauses do when used with chart?

Answer 178

divides the data into sub-groupings

Question 179

(True/False) You can only split chart results over two dimensions

Answer 179

True

Question 180

Chart and timechart commands automatically filter results to include how many values?

Answer 180

10

Question 181

What happens to surplus resulting values of chart and timechart commands?

Answer 181

They are grouped into other

Question 182

What is always the value on the x-axis for timechart?

Answer 182

_time

Question 183

(True/False) Functions and arguments used with stats and chart can not be used with timechart

Answer 183

False

Question 184

(True/False) As with chart, it is possible to split timechart by two fields

Answer 184

False. It is only possible to split by one field

Question 185

What is the argument for adjusting sampling interval of timechart?

Answer 185

span

Question 186

What does the trendline command do?

Answer 186

allows you to overlay a computed moving average on a chart

Question 187

What is the syntax of the trendline command?

Answer 187

trendline (field) [AS newfield]

Question 188

What command can be used to look up and add location information to an event?

Answer 188

iplocation

Question 189

What information does the iplocation command include?

Answer 189

city, country, region, latitude and longitude

Question 190

What is the data-requirement for the geostats command?

Answer 190

Data must include latitude and longitude values

Question 191

These arguments are used to control column counts when using the geostats command

Answer 191

globallimit and locallimit

Question 192

This command is used to compute statistical functions and render a cluster map

Answer 192

geostats

Question 193

What command can be used to show relative metrics for predefined geographic regions?

Answer 193

geom

Question 194

(True/False) A sparkline is an inline chart, that can be added to timechart

Answer 194

True

Question 195

(True/False) Automatically totaling of every columns can be done by using the Format option

Answer 195

True

Question 196

This command can be used to add total of all or selected fields

Answer 196

addtotals

Question 197

The row option for addtotals does what?(if enabled)

Answer 197

creates a column that contains numeric totals for each row

Question 198

The column option for addtotals does what?(if enabled)

Answer 198

creates a row that contains numeric totals for each column

Question 199

What does the labelfield option for addtotals specify?

Answer 199

What field the label should be placed in (in general, this should be the leftmost and first field)

Question 200

The eval command can be used to

Answer 200

perform calculations, convert, round and format values, use conditional statements

Question 201

This command allows you to calculate and manipulate field values in your report

Answer 201

eval

Question 202

(True/false) Results of eval can be written to existing field

Answer 202

True

Question 203

What happens with a destination field value if the field is the same as the resulting field of the eval command?

Answer 203

The field value gets overwritten by the resulting value outputted from the eval command

Question 204

(True/False) Indexed data get modified after field values are overwritten by the eval command.

Answer 204

false

Question 205

This operator is used for concatenation

Answer 205

+

Question 206

This function can be used to set the value of a field to the number of decimals you specify

Answer 206

round

Question 207

(True/False) The tostring function can be used with eval

Answer 207

True

Question 208

How can you use eval to format numeric field values to strings?

Answer 208

By adding characters to the field values

Question 209

What separator is used when having multiple expressions used with eval command?

Answer 209

comma

Question 210

If function used with eval: What is field value of SalesTerritory for a VendorID of 80000 in the following evaluation?:
| eval SalesTerritory = if((VendorID >= 7000 AND VendorID <8000), “Asia”, “Rest of the World”)

Answer 210

Rest of the World

Question 211

(True/False) The search command treats field values in a case-insensitive manner

Answer 211

True

Question 212

(True/False) The where command treats field values in a case-insensitive manner

Answer 212

False

Question 213

(True/False) Unqouted or single-quoted strings are treated as fields.

Answer 213

True

Question 214

To be able to do wildcard searches with the where command, this operator must be used

Answer 214

like

Question 215

What is the fillnull value used for?

Answer 215

To replace null values in fields. Default replacement value is 0.

Question 216

What is a transaction?

Answer 216

A transaction is any group of related events that span time

Question 217

What is the syntax of the transaction command?

Answer 217

transaction field-list. field-list argument is a list of one or multiple fields.

Question 218

(True/False) Transaction command creates a single event from a group of events

Answer 218

True

Question 219

This field is produced by running the transaction command

Answer 219

duration - difference between timestamp of first and last event in the transaction