Splunk Power User 1002 Flashcards
Search Terms are not Case Sensitive? T or F
True
Command names are not Case Sensitive? T or F
True
Clauses and Functions are not case sensitive? T or F
True
If a command references a specific value, that value (Is / Is Not) case sensitive?
IS
What values from lookup tables ARE case-sensitive by default?
Field values. Lookup matching is case-sensitive by default; a user with the admin role can configure a lookup definition so that its values match case-insensitively.
Booleans ARE Case Sensitive. T or F
True
Tag Values ARE case sensitive. T or F
True
Buckets have directories containing sets of:
The compressed raw data (journal) and the index files (tsidx) that point into it
Buckets have configurable what set by admin users?
max size & max time span
What are the 3 searchable buckets in Splunk?
Hot, Warm, and Cold
When are “Hot” buckets rolled into “warm” buckets?
when it reaches max size, max time span, or indexer is restarted
When Splunk search is run, Splunk uses what on bucket directories to determine if it needs to open the bucket, uncompress raw data, and search content inside?
Timestamps
Wildcards are tested after all other search terms. T or F
True
Only ____ wildcards make efficient use of index
trailing
What happens when there is a wildcard at the beginning of a string?
Splunk searches all events in that time frame.
Wildcards ______ of string can cause inconsistent results
in the middle
Should you use wildcards to match punctuation?
No
What are the 3 search modes in Splunk?
Fast, Smart, and Verbose
As events are stored by time, what is the most efficient filter?
Time
After time, the default fields for _______ are most powerful.
index, source, host, and sourcetype.
o These fields are extracted at index time and do not need to be extracted for each search
o Use these fields to filter as early as possible in a search so processing is done on a minimum amount of data
Use _____ command to extract only the fields you will need for your search
“fields”
When should you apply filtering commands?
As early as possible
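The cards above, put together into one search. This is an added example, not a search from the original deck; index=web, the www* host names and the access_combined field names (clientip, uri, status) are assumptions about a generic web-server index. The index, sourcetype, host and time filters plus a trailing wildcard on status all sit in the base search so Splunk can answer them from the index, and fields is applied before the transforming command so only the three needed fields are read from raw data:

```spl
index=web sourcetype=access_combined host=www* status=4* earliest=-24h
| fields clientip uri status
| stats count BY clientip status
| sort - count

index=web earliest=-24h *404
| stats count BY clientip status
```

The second search is the form to avoid: the leading wildcard in *404 cannot use the index, so every event in the 24-hour window is decompressed and scanned before the term is tested.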
Helps determine which phase of a search is taking up the most time
Search Job Inspector
Search Job Inspector dissects the behavior of searches to help understand execution costs of ____ within a search.
knowledge objects, search commands, & other components
Any search job that has not expired can be inspected. T or F
True
Open job inspector by:
running a search, clicking “Job” dropdown menu, and then “Inspect Job”
The _______ component shows the time Splunk spent searching the index (tsidx files) for the location of matching events in the raw data
command.search.index
The ______ component shows the time Splunk spent filtering out events that did not match the search
command.search.filter
The ______ component shows the time Splunk spent reading events from the raw data files
command.search.rawdata
Where do you find the “Search Job Properties” tab?
Under “Execution Costs”
Any search that returns ______ can be viewed as a chart
statistical values
Most visualizations require results structured as tables with at least __ columns
2
Looking at Statistics tab, if you see 2 columns, what values do the first column represent and what do the second column values represent?
First column = x-axis values
Second Column = y-axis values
Any stats function can be applied to the chart command. T or F
True
y-axis should always be numeric so that it can be charted. T or F
True
can remove NULL values by adding argument ______ to chart command
“usenull=f”
can remove the OTHER column by adding argument ______ to the chart command
“useother=f”
What do you use to show all of the plotted series?
limit=0
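The three chart arguments from the cards above in one search, as an added example rather than one from the deck (index=web and the access_combined fields are assumptions). status becomes the x-axis, each host becomes a series, events with no host are dropped instead of forming a NULL column, and every host is plotted rather than the top 10 plus OTHER:

```spl
index=web sourcetype=access_combined
| chart count OVER status BY host usenull=f useother=f limit=0
```

Drop limit=0 and the chart falls back to the ten most frequent hosts with the rest folded into OTHER; drop useother=f and that OTHER column reappears.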
Performs stats aggregations against time
Timechart Command
_____ is always the x axis
Time
Timechart Command can split data with a ______ clause
“by”
Any stats function can be applied to timechart command. T or F
True
Only one value can be specified after the “by” modifier. T or F
True
Timechart command intelligently clusters data in time intervals dependent on ______.
time range selected
To change the span of the time of the cluster, you can use the ______ argument.
“span”
What command compares data over specific time periods?
Timewrap
To use timewrap command, we specify a period of time from the results of the:
timechart command
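Two searches showing span, the by clause and timewrap together; they are added examples, not from the original deck, and index=web plus the action=purchase field are assumptions about a web-store index. The first buckets purchases into 15-minute intervals per action; the second builds hourly counts and then wraps each day onto the same axis so today can be compared against the previous days:

```spl
index=web sourcetype=access_combined
| timechart span=15m count BY action

index=web sourcetype=access_combined action=purchase
| timechart span=1h count AS purchases
| timewrap 1d
```

timewrap takes the timechart output and produces one series per wrapped period (purchases_latest_day, purchases_1day_before, and so on); it needs a single un-split series, which is why the second search does not use by.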
In a Line Graph, you can zoom in by clicking and dragging over a time period? T or F
True
Chart Overlay will allow you to lay a line chart of one series of data over another visualization. T or F
True
Area chart gives ability to show the data stacked. T or F
True
Can zoom into sections of the graph by clicking and dragging
Column chart
Uses horizontal bars to show comparisons, and can be stacked
Bar Graph
Takes the data and visualizes the percentage for each slice and can drill down to the events for a slice by clicking on the slice
Pie Chart
Shows the relationship between two discrete data values plotted on an x- and y-axis and is useful for values that do not occur at regular intervals or belong to a series
Scatter Chart
Provides a visual way to view a third dimension of data.
Each chart plots against 2-dimensions on the x and y axes and the size represents the value for the 3rd dimension. 3rd field in the table command will determine the size of the bubbles in our chart.
Bubble Chart
Trellis layout link allows us to split our visualizations by a selected field or aggregation. It has multiple visualizations, but originating search is only run ONCE. T or F
True
Can Transforming commands be used with visualizations?
yes
Top/rare – counts the frequency of fields. T or F
True
Calculates statistics between two or more fields when you do not need the data to be time-based
Stats
Calculates statistics with an arbitrary field as your x-axis that is not time
Chart
Calculates statistics with time as the x-axis
Timechart
Plots geographic coordinates as interactive markers on a world map
Marker Maps
Uses shading to show relative metrics for predefined geographic regions
Choropleth
Lookup and add location information to events. Data such as city, country, region, latitude, and longitude can be added to events that include external IP addresses
iplocation
Aggregates geographical data for use on a map visualization and uses the same functions as the stats command
Geostats Command
The Geostats command only accepts ___ “by” argument or arguments
1
To control column count, what argument can be used?
“globallimit”
Geostats can be used with iplocation. T or F
True
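Two geo searches, added here as examples (not from the original deck); index=web and the access_combined clientip field are assumptions. The first enriches failed requests with iplocation and tabulates them by country and city; the second feeds the lat and lon fields that iplocation adds into geostats to render a cluster map split by status, keeping the five most common status values per the globallimit argument:

```spl
index=web sourcetype=access_combined status=401
| iplocation clientip
| stats count BY clientip Country City
| sort - count

index=web sourcetype=access_combined status>=400
| iplocation clientip
| geostats latfield=lat longfield=lon count BY status globallimit=5
```

latfield=lat and longfield=lon are the geostats defaults and match the field names iplocation writes, so they can be omitted; they are spelled out to show where the coordinates come from. geostats accepts only one by field.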
View data as a geographical location, uses shading to show relative metrics over predefined locations of a map
Choropleth Maps
To use choropleth you will need a ______ file that defines region boundaries
KML (Keyhole Markup Language, .kml) file; a zipped KML (.kmz) is also accepted
Used to prepare our events for use in a choropleth and
adds a field that includes geographical data structures that match polygons on our map
Geom Command
geom <featureCollection> featureIdField=<field>, e.g.:
sourcetype=crime_data cc=USA | lookup geo_us_states latitude, longitude | stats count by featureId | geom geo_us_states featureIdField=featureId
2 different types of visualizations you can use to display
Single Value, Gauges
What computes moving averages of field values?
Trendline command
What 3 arguments are required in a Trendline command?
trend type (sma, ema or wma), period, and field, written together as <trendtype><period>(<field>), e.g. sma5(count)
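A trendline overlaid on a timechart, as an added example that is not from the deck. It uses index=_internal and sourcetype=splunkd, which exist on every Splunk instance, so it runs without any assumed data; the 24-period simple moving average of the hourly count is written to avg_24h and plotted alongside the raw series:

```spl
index=_internal sourcetype=splunkd
| timechart span=1h count AS splunkd_events
| trendline sma24(splunkd_events) AS avg_24h
```

The period is counted in result rows, not in time, so sma24 over an hourly span is a 24-hour average; change span and the window changes with it. Swap sma for ema to weight recent hours more heavily.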
What options does the Field Format give you?
o Wrap results
o Show row numbers
o Change click selection from cell to row
o Add a data overlay – can be a heat map of values or highlight the high and low values in the table
Computes the sum of all numeric fields for each event/row and create a total column
Addtotals Command
Used to calculate and manipulate field values
Eval Command
Arithmetic, concatenation, and Booleans are supported by the Eval command. T or F
True
In the Eval Command, newly created field values are case-sensitive. T or F
True
Converts numerical values to strings so that they can be joined with other strings
tostring Function. After tostring, the field no longer sorts numerically because its values are now strings and sort lexically (e.g. "10" before "9")
Can be used if you want to format values without changing characteristics of underlying values
Fieldformat
Allows you to evaluate arguments and create values depending on the results
Eval command IF Function.
• takes 3 arguments [ “if(x, y, z)” ]
o x – a Boolean expression
o y – used if Boolean expression evaluates to true
o z – used if Boolean expression evaluates to false
o y & z must be in double quotes if not numerical
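The eval, tostring, fieldformat and if() cards combined into one report, added here as an example (not from the original deck); index=web, the access_combined fields and the thresholds in the if() call are assumptions. Per-client hit and byte totals are computed first, if() labels the heavy clients, tostring() builds a separate string copy of the byte total, and fieldformat changes only how total_bytes is displayed:

```spl
index=web sourcetype=access_combined
| stats count AS hits sum(bytes) AS total_bytes BY clientip
| eval risk = if(hits > 1000 AND total_bytes > 100000000, "high", "normal")
| eval size_label = tostring(total_bytes, "commas")
| fieldformat total_bytes = tostring(total_bytes, "commas")
| sort - total_bytes
| table clientip hits total_bytes size_label risk
```

sort still orders total_bytes numerically because fieldformat leaves the underlying value untouched; sorting on size_label instead would give lexical order, which is the tostring pitfall the cards describe.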
Can be used to filter results at any time in the search and allows you to use search terms further down the pipeline
Search Command
A Search command cannot compare values from 2 different fields. T or F
True
Filters events to only keep the results that evaluate as true
Where Command
Asterisks cannot be used as a wildcard inside eval or where commands. T or F
True
What replaces any null values in your events
Fillnull Command
Maximum total time between earliest and latest
maxspan
Maximum time allowed between any two consecutive events in a transaction
maxpause
Use Transactions when
o You need to see events correlated together
o When events need to be grouped on start and end values
Use stats when
o You want to see results of a calculation
o When events need to be grouped on a field value
Transaction has a limit of how many events?
1000
What is the limit for Stats?
no limit
If given a choice between stats and transactions, which should you use?
stats
What are tools that help you and your users discover and analyze your data?
Knowledge Objects
Knowledge objects are used for:
o Data interpretation
o Classification
o Enrichment
o Normalization
o Search time mapping
Properties of knowledge objects are that it:
o Can be created by one user and shared with other users based on permission settings
o Can be saved and reused by multiple people or in multiple apps
o Can be used in a search
Name 5 types of knowledge objects:
- data interpretation
- data classification
- data enrichment
- normalization
- datasets
What is the order for common naming convention of objects?
group, type, platform, category, time, and description
What are three predefined ways that knowledge objects can be displayed to users?
Private
Specific apps
all apps
What does CIM stand for?
Common Information Model
The _____ allows you to use a graphical user interface to extract fields that persist as knowledge objects making them reusable in searches
Field Extractor
2 different methods the field extractor can use to extract data
o Regular expressions – work well when you have unstructured data and events that you want to extract fields from
o Delimiters – used when your events contain fields separated by a character
_____ will display events that do not contain extracted fields
Non-matches
After manually editing a regular expression, you cannot go back to the Field Extractor UI. T or F
True
Delimiter can be a:
space, comma, tab, other
To be able to select a value from an already extracted field, you must open the “Existing Fields” menu, and turn off the highlight for the field that includes the value. T or F
True
_____ give you a way to normalize data over any default field.
Field Aliases
_____ are applied after field extractions, before lookups.
Field Aliases
How do you create a field alias?
“Settings” -> “Fields” -> “Field aliases”
Can apply aliases based on?
Sourcetype, source, host
Old fields are still available to search? T or F
True
Once a field alias is defined, they can be referenced in?
A lookup table
What are calculated fields used for?
repetitive, long, and complex eval commands
Calculated fields must be based on an extracted field? T or F
True
Select destination app and then which sourcetype, source, or host to apply the _____ to.
calculated field
Calculated fields must or must not be based on extracted or discovered fields?
MUST
Allows you to designate descriptive names for key-value pairs and enables you to search for events that contain particular field values
Tags
Are Tag values(names) case sensitive?
Yes
What are 3 ways to search for tags?
tag=privileged
tag::user=privileged
tag=p*
Allows you to categorize events based on search terms
Event Type
What do event types help with?
simplify searches
give quick visual feedback
Do event types show up in fields list?
yes
What does a word in Blue in a Splunk search mean?
command
What does a word in green in a Splunk search mean?
command argument
What does a word in pink in a Splunk search mean?
function
What does a word in orange in a Splunk search mean?
boolean or keyword modifier
What does a word in gray in a Splunk search mean?
inline comment, written between triple backticks, e.g. ```Plot the count of results over the past 24 hours.```
In which is a time range not included? Event Type or Saved Reports
Event Type
Can you share saved reports with other Splunk users?
Yes
_____ are search strings, or portions of search strings, that can be reused in multiple places within Splunk
Macros
When are Macros useful
frequent searches with complicated search syntax
What are 3 features that distinguish macros from other knowledge objects?
Store entire search strings
They are time range independent
Can pass arguments to the search
How do you create a macro?
“Settings” > “Advanced Search” > “Search macros”
What is the syntax for a macro? (Flip card for reference)
o Ex: “… | `convertUSD` ”
o The macro name must be wrapped in backtick characters (`)
How do you change the definition of a macro to accept an argument?
by adding the name of the argument surrounded by dollar signs ($) inside the definition
o The macro name must end with the number of arguments it takes, in parentheses [ex: “us_sales(2)” ]
o Ex: “… | eval $moolah$ = … “
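A two-argument macro as it would be created under Settings > Advanced search > Search macros, added here as an example (not from the deck). Assumptions: the name is failed_logins_by(2), the argument list is field,threshold, and index=security with sourcetype=linux_secure and its src_ip field hold SSH authentication logs. The first search is the macro definition with its $field$ and $threshold$ placeholders; the last line is how it is called from a search:

```spl
index=security sourcetype=linux_secure "Failed password"
| stats count BY $field$
| where count > $threshold$

`failed_logins_by(src_ip, 10)` | sort - count
```

Splunk substitutes the arguments textually before running the search, so `failed_logins_by(user, 5)` reuses the same definition to find accounts under password guessing rather than sources. Ctrl+Shift+E in the search bar expands the macro so the substituted search can be checked before it runs.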
What key combination allows you to preview your search without running it?
CTRL + SHIFT + E
What is a collection of hierarchically structured datasets?
Data Model
A data model consists of 3 types of datasets. What are they?
Events, Searches, & Transactions
Any field can be made available to the data model. T or F
True
Data models provide the datasets for what?
Pivots
_____ data models cannot be edited.
Accelerated
_____ data models cannot be accelerated.
Private
How do you add fields?
“Add field” Dropdown
What are the fields Splunk extracts from our data? These can be default fields or manually extracted fields.
Auto-Extracted Fields
What does selecting the type of data allow us to do?
allows us to decide how the data should be recognized (String, number, Boolean, IP data)
What does selecting a flag allow us to do?
allows us to choose what attributes are shown or required
What are the four settings for Flags?
Optional
Required
Hidden
Hidden & Required
What represents transactions using fields that have already been added to the data model?
Root Transactions
Root Transactions do not benefit from data model _____.
acceleration
What is the recommended way to use Pivot? UI or Pivot Command
UI
What does CIM stand for?
Common Information Model
What maps all data to a defined method and normalizes to common language for field values?
CIM
Data can be normalized at _____ time or at _____ time using knowledge objects.
Index, search
_____ should be used for:
o Field extractions
o Aliases
o Event types
o Tags
CIM schema
_____ _____ can be shared globally across all apps.
Knowledge objects
_____ is a methodology for normalizing data and can correlate data from different sources.
CIM
CIM is an app that can coexist with other apps on a _____ Splunk deployment
Single
By default, CIM datasets search across all _____
indexes
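A search against a CIM dataset, added as an example (not from the deck). It assumes the CIM add-on is installed and that some authentication source (for example linux_secure events tagged authentication) has been mapped into the Authentication data model. The datamodel command runs the dataset's constraint search across all indexes by default, so the normalized action, src and user fields work regardless of which product produced the events:

```spl
| datamodel Authentication Authentication search
| search Authentication.action=failure
| stats count BY Authentication.src Authentication.user
| where count > 20
| sort - count
```

The field names carry the dataset prefix (Authentication.src) when returned this way. Because the CIM models are not accelerated by default, this runs as an ordinary search over raw events; restricting the model's indexes in the CIM setup page or in the base search keeps it from scanning every index.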
Where would you download the CIM app?
Splunkbase
What are the included data models in the CIM addon?
Alerts, Email and Databases are three of them; the add-on ships about twenty, including Authentication, Network Traffic, Web, Malware and Endpoint
CIM data models are/are not accelerated by default?
are not
Data model name and dataset name ARE/ARE NOT case-sensitive
Are
Fields used in Data Models do not have to be extracted before creating the datasets. T or F
T
It is suggested that you name your knowledge objects using _____ segmented keys.
6
_____ are knowledge objects that can be scheduled and run a script.
Reports
What is the only writeable bucket type?
The hot bucket
By what filter are indexes divided into buckets?
By time
What are the 4 types of searches in Splunk (by performance)
Dense, Sparse, Super Sparse, Rare
In searches, what is the scanCount?
The number of events scanned for that particular search
What are the requirement of the underlying search in order to get multi-series table?
The underlying search must use reporting search commands like chart or timechart
What are the seven chart types?
Line, Area, Column, Bar, Bubble, Scatter and Pie
What is a trait of scatter charts?
Can only show two dimensions. Shows trends in the relationship between discrete data values
What is a trait of bubble charts?
Provides a visual way to view a three dimensional series
What are two commonly used clauses for chart?
over and by
(True/False) Null values are not shown by default by chart and timechart
false
What is a workflow action
Execute workflow actions from an event in your search results to interact with external resources or run another search
What does the over and by clauses do when used with chart?
divides the data into sub-groupings
(True/False) You can only split chart results over two dimensions
True
Chart and timechart commands automatically filter results to include how many values?
10
What happens to surplus resulting values of chart and timechart commands?
They are grouped into other
What is always the value on the x-axis for timechart?
_time
(True/False) Functions and arguments used with stats and chart can not be used with timechart
False
(True/False) As with chart, it is possible to split timechart by two fields
False. It is only possible to split by one field
What is the argument for adjusting sampling interval of timechart?
span
What does the trendline command do?
allows you to overlay a computed moving average on a chart
What is the syntax of the trendline command?
trendline <trendtype><period>(<field>) [AS <newfield>], e.g. trendline sma5(count) AS trend
What command can be used to look up and add location information to an event?
iplocation
What information does the iplocation command include?
city, country, region, latitude and longitude
What is the data-requirement for the geostats command?
Data must include latitude and longitude values
These arguments are used to control column counts when using the geostats command
globallimit and locallimit
This command is used to compute statistical functions and render a cluster map
geostats
What command can be used to show relative metrics for predefined geographic regions?
geom
(True/False) A sparkline is an inline chart, that can be added to timechart
False. Sparklines are produced by the sparkline() function of the stats and chart commands (e.g. stats sparkline(count) by host), not by timechart
(True/False) Automatic totaling of every column can be done using the Format option
True
This command can be used to add total of all or selected fields
addtotals
The row option for addtotals does what?(if enabled)
creates a column that contains numeric totals for each row
The column option for addtotals does what?(if enabled)
creates a row that contains numeric totals for each column
What does the labelfield option for addtotals specify?
What field the label should be placed in (in general, this should be the leftmost and first field)
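addtotals with the col, row, labelfield and label options, as an added example (not from the deck); index=web and the access_combined fields are assumptions. A per-host table is built first, then a single totals row is appended with the label Total placed in the host column; row=f suppresses the per-row total, which would be meaningless here because it would add hits to bytes:

```spl
index=web sourcetype=access_combined
| stats count AS hits sum(bytes) AS bytes BY host
| addtotals col=t row=f labelfield=host label=Total
```

Without labelfield the totals row has an empty host cell; with the default row=t a per-row total column named Total is added to every row as well.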
The eval command can be used to
perform calculations, convert, round and format values, use conditional statements
This command allows you to calculate and manipulate field values in your report
eval
(True/false) Results of eval can be written to existing field
True
What happens with a destination field value if the field is the same as the resulting field of the eval command?
The field value gets overwritten by the resulting value outputted from the eval command
(True/False) Indexed data get modified after field values are overwritten by the eval command.
false
This operator is used for concatenation
the period ( . ); the plus ( + ) also concatenates, but only when both operands are strings
This function can be used to set the value of a field to the number of decimals you specify
round
(True/False) The tostring function can be used with eval
True
How can you use eval to format numeric field values to strings?
With the tostring function, e.g. tostring(bytes, "commas") inserts thousands separators and tostring(secs, "duration") renders seconds as HH:MM:SS
What separator is used when having multiple expressions used with eval command?
comma
If function used with eval: What is field value of SalesTerritory for a VendorID of 80000 in the following evaluation?:
| eval SalesTerritory = if((VendorID >= 7000 AND VendorID <8000), “Asia”, “Rest of the World”)
Rest of the World
(True/False) The search command treats field values in a case-insensitive manner
True
(True/False) The where command treats field values in a case-insensitive manner
False
(True/False) In eval and where, unquoted or single-quoted strings are treated as field names and double-quoted strings as literal values.
True
To be able to do wildcard searches with the where command, this operator must be used
like
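The difference between search and where from the cards above (and from the earlier search/where cards) in one pipeline, as an added example that is not from the deck; index=web, the access_combined fields and the action field are assumptions. search matches field values case-insensitively and accepts the asterisk wildcard, while where can compare two fields against each other but needs like() with the % wildcard and matches case-sensitively:

```spl
index=web sourcetype=access_combined
| eventstats avg(bytes) AS avg_bytes
| search action=PURCHASE clientip=10.*
| where bytes > 2 * avg_bytes AND like(useragent, "%Mozilla%")
```

action=PURCHASE still matches events whose value is purchase, but like(useragent, "%mozilla%") would not match Mozilla. The bytes > 2 * avg_bytes comparison is the kind of test search cannot express, since search only compares a field against a literal.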
What is the fillnull value used for?
To replace null values in fields. Default replacement value is 0.
What is a transaction?
A transaction is any group of related events that span time
What is the syntax of the transaction command?
transaction <field-list>, where field-list is one or more field names to group on (e.g. transaction clientip JSESSIONID)
(True/False) Transaction command creates a single event from a group of events
True
This field is produced by running the transaction command
duration - difference between timestamp of first and last event in the transaction
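The same question answered with transaction and with stats, as an added example (not from the deck) for the transaction cards here and the transaction-versus-stats cards earlier; index=web and the JSESSIONID, clientip and action values are assumptions about a web-store index. The first search groups each client session, bounded by the addtocart and purchase terms, a 30-minute total span and a 5-minute gap between events, and keeps the unusually long ones; the second reproduces the same duration and event count with stats, which has no 1000-event limit and is the form to prefer when no start/end grouping is needed:

```spl
index=web sourcetype=access_combined
| transaction clientip JSESSIONID maxspan=30m maxpause=5m startswith="addtocart" endswith="purchase"
| where eventcount > 20
| table _time clientip JSESSIONID duration eventcount

index=web sourcetype=access_combined
| stats min(_time) AS first_seen max(_time) AS last_seen count AS eventcount BY clientip JSESSIONID
| eval duration = last_seen - first_seen
| where eventcount > 20
| sort - eventcount
```

transaction produces duration and eventcount for you and keeps the raw events merged into one result, which is what you want when you need to read the session; stats only keeps the aggregates, runs in parallel on the indexers and does not truncate at maxevents.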