splunk videos Flashcards
_______ and _______ are the time modifiers that override the time range picker in a historical report.
A. earliest
B. latest
C. first
D. last
B. latest
A. earliest
Using earliest=-30d@d latest=@d is how to return results from 30 days ago up until the time the search was executed.
A. TRUE
B. FALSE
B. False
What will the strftime function return when using the %H argument? Select all that apply.
A. convert the hour into your local time based on the time zone setting of your Splunk Web session
B. time of raw event in UTC
C. hour of the event generated at index time
A. convert the hour into your local time based on the time zone setting of your Splunk Web session
Choose the search that will sort events into one minute groups. Select all that apply.
A. | bin _time span=1m
B. | bin _time span=1mins
C. | bin span=1minutes _time
A. | bin _time span=1m
B. | bin _time span=1mins
C. | bin span=1minutes _time
When using the following search arguments, what will be returned? | timechart count span=1h
A. determine time range of events to scale
B. chart events in 1 hour chunks
C. events in the last 24 hours
D. chart only events over a 1 hour period
B. chart events in 1 hour chunks
date_time always reflects your local time zone and not the time/date from raw events.
A. True
B. False
B. False
@timeUnit will always round up and go forward through time.
A. True
B. False
B. False
Which of the following are default time fields? Select all that apply.
A. date_hour
B. date_mday
C. date_year
D. date_day
A. date_hour
B. date_mday
C. date_year
True or False: Using an OVER and a BY clause with the chart command will create a multiseries data series.
A. TRUE
B. FALSE
A. True
Which of these functions lists ALL values of the field X?
A. list(X)
B. values(X)
A. list(X)
True or False: Only one field can be created when using the eval command.
A. FALSE
B. TRUE
A. False
Which of these eval functions takes no arguments?
A. pow
B. min
C. random
D. max
C. random
When renaming fields with spaces or special characters, use the rename command and include the new field name in ___.
A. Parentheses
B. Single quotes
C. None of the above
D. Double quotes
D. Double quotes
True or False: You can use wildcards (*) with the rename command to rename multiple fields that match a pattern.
A. FALSE
B. TRUE
B. True
When using the top command, add the BY clause to ___.
A. specify how many results to return
B. return a percentage of events
C. return results grouped by the field you specify in the BY clause
D. specify which search mode to return results by
C. return results grouped by the field you specify in the BY clause
By default, the sort command lists results in ___ order.
A. Ascending
B. Descending
A. Ascending
To round numerical values, use the ___ function of the eval command.
round
The ___(X,Y) eval function returns X to the power of Y.
pow
If you use the stats command with two functions and a BY clause, which function is the BY clause applied to?
A. both functions if they are both aggregate functions
B. the first function
C. both functions
D. the second function
C. Both functions
To display the least common values of a field, use the ___ command.
A. stats
B. top
C. timechart with common=f option
D. rare
D. rare
Use ___=false with the chart command if you want to hide the OTHER column.
useother
The ___ command will always have _time as the X-axis.
timechart
When you use the stats command with a BY clause, what is returned?
A. a statistical output for each value of the named field
B. an error message because you did not include a statistical function
C. numerical statistics on each field if and only if all of the values of that field are numerical
D. one row
A. a statistical output for each value of the named field
The eval command calculates an expression and puts the resulting ____ into a new or existing field.
A. command
B. argument
C. value
C. value
True or False: Temporary fields created by using eval can be referenced in the search pipeline following creation.
A. TRUE
B. FALSE
A. True
True or False: Specify a wildcard by using the * character with the where command.
A. TRUE
B. FALSE
B. False
Which of the following functions must be used with the in function? Select all that apply.
A. if
B. validate
C. case
D. sum
A. if
C. case
Which are the Boolean operators that can be used by the eval command? Select all that apply.
A. NAND
B. AND
C. XOR
D. OR
B. AND
C. XOR
D. OR
The where command only returns results that evaluate to TRUE.
A. FALSE
B. TRUE
B. True
True or False: eval cannot exist as an expression.
A. FALSE
B. TRUE
A. False
What is the order of Boolean Expression of Evaluation for where and eval commands?
A. Expressions in parentheses, NOT, AND, OR
B. NOT, AND, OR, Expressions in parentheses
C. AND, OR, NOT, Expressions in parentheses
D. AND, NOT, Expressions in parentheses, OR
A. Expressions in parentheses, NOT, AND, OR
The where command interprets unquoted or single-quoted strings as _____ and double-quoted strings as _____.
A. integers, field values
B. field, field values
C. field values, fields
D. field values, integers
B. field, field values
True or False: When using the eval command, all field values are treated in a case-sensitive manner and must be double-quoted.
A. FALSE
B. TRUE
B. True
Which of the following functions can be used to filter null values?
A. usenull=f
B. usenull=t
C. isnotnull
D. isnull
C. isnotnull
D. isnull
True or False: eventstats and streamstats support multiple stats functions, just like stats.
A. True
B. False
A. True
You would use the ___ function to convert a string to uppercase and the ___ function to convert a string to lowercase.
A. lowercase(), uppercase()
B. lower(), upper()
C. uppercase(), lowercase()
D. upper(), lower()
D. upper(), lower()
True or False: The foreach command can be used without a subsearch.
A. True
B. False
B. False
Which of these expressions will accurately normalize values from the OperatingSys and CompSys fields into a new field called OS?
A. | eval replace(OperatingSys OR CompSys,OS"
B. | eval OS = case(OperatingSys=OperatingSys,"OS",CompSys=CompSys,"OS",true(),"OS")
C. | eval OS = coalesce(OperatingSys,CompSys)
C. | eval OS = coalesce(OperatingSys,CompSys)
___ is the process of organizing data to appear similar across all records, making the information easier to search.
A. Splunkification
B. Segmentation
C. Collating
D. Normalization
D. Normalization
Which two commands, when used together, are equivalent to chart <fieldA> over <fieldB> by <fieldC>? Select all that apply.
A. stats <fieldA> by <fieldB>,<fieldC> followed by xyseries <fieldB> <fieldC> <fieldA>
B. stats <fieldA> by <fieldB>,<fieldC> followed by additional commands and then xyseries <fieldB> <fieldC> <fieldA>
C. stats <fieldA> by <fieldB>,<fieldC> followed by additional commands and then untable <fieldB> <fieldC> <fieldA>
D. stats <fieldA> by <fieldB>,<fieldC> followed by untable <fieldB> <fieldC> <fieldA>
A. stats <fieldA> by <fieldB>,<fieldC> followed by xyseries <fieldB> <fieldC> <fieldA>
B. stats <fieldA> by <fieldB>,<fieldC> followed by additional commands and then xyseries <fieldB> <fieldC> <fieldA>
Which statement(s) about appendpipe is/are false?
A. Only one appendpipe can exist in a search because the search head can only process two searches simultaneously
B. appendpipe transforms results and adds new lines to the bottom of the results set because appendpipe is always the last command to be executed
C. appendpipe transforms results and adds new lines to the bottom of the results set without overwriting original results
D. The subpipeline is executed only when Splunk reaches the appendpipe command
A. Only one appendpipe can exist in a search because the search head can only process two searches simultaneously
B. appendpipe transforms results and adds new lines to the bottom of the results set because appendpipe is always the last command to be executed
Which command uses a template subsearch to replace the values of specific fields?
A. replace
B. eval
C. foreach
D. none; commands only use functions to replace field values, not templates or subsearches
C. foreach
Which of these tostring expressions will format the PROFIT field in the USD currency format, $x,xxx?
A. | eval PROFIT = tostring("$x,xxx",PROFIT)
B. | eval PROFIT = tostring(PROFIT,"$"."commas")
C. | eval PROFIT = "$".tostring(PROFIT,"commas")
D. | eval PROFIT = tostring(PROFIT,"$x,xxx")
C. | eval PROFIT = "$".tostring(PROFIT,"commas")
True or False: If there is an appendpipe in a search, its subpipeline will always be executed last.
A. TRUE
B. FALSE
B. False
Transactions contain the _____ field contents and the _____ of the earliest member.
A. _time, timestamp
B. _raw, timestamp
C. host, timestamp
D. source, timestamp
B. _raw, timestamp
The ______ option controls the maximum total time between the earliest and latest events.
A. maxpause
B. maxspan
C. span
D. minpause
B. maxspan
Which fields are added to raw events by the transaction command? Select all that apply.
A. _time
B. index
C. duration
D. eventcount
C. duration
D. eventcount
True or False: The transaction command is resource intensive.
A. True
B. False
A. True
The ___ command combines results from two or more datasets and returns a single result set.
A. join
B. union
C. append
B. union
The append command attaches results of a subsearch to the _____ of current results.
A. end
B. start
C. append command does not attach to the current results.
A. end
True or False: If a transaction fails to meet any conditions, it is evicted from the results.
A. True
B. False
A. True
Which of the following statements about subsearches are true?
A. Multiple searches can be used.
B. They can be nested.
C. They can not be nested.
D. Great for filtering data.
A. Multiple searches can be used.
B. They can be nested.
D. Great for filtering data.
When present in a search pipeline, a subsearch is executed _____ and it sends its _____ to the basic search.
A. first, results
B. first, search query
C. last, results
D. last, search query
A. first, results
If field data is missing, using the _____ command can create misleading results.
A. appendcols
B. union
C. append
D. transaction
A. appendcols
Which of the following options can be used with the transaction command?
A. endswith
B. startswith
C. maxpause
D. maxevents
A. endswith
B. startswith
C. maxpause
D. maxevents
True or False: Splunk knowledge objects can only be used privately.
A. True
B. False
B. False
Which workflow actions require you to specify if the behavior should open in a new window or current window? Select all that apply.
A. GET
B. POST
C. Search
D. PUT
A. GET
B. POST
C. Search
If you have a tag label called "homeoffice" associated with the field/value pair system_ip=<your IP address>, when you run a search using the tag=homeoffice constraint, what events will be returned?
A. events from _internal
B. events with the value of the system_ip field equal to your IP address
C. field lookup table
B. events with the value of the system_ip field equal to your IP address
Which function is used to send field values externally in Workflow Actions?
A. Search
B. POST
C. PUT
D. GET
B. POST
Field aliases are applied after _________ and before ________ . Select all that apply.
A. lookups, field extractions
B. tags, field extractions
C. field extractions, tags
D. field extractions, lookups
C. field extractions, tags
D. field extractions, lookups
Select all knowledge objects.
A. lookups
B. users
C. workflow actions
D. field aliases
A. lookups
C. workflow actions
D. field aliases
When adding arguments to a macro, include the number of arguments in _____.
A. Parentheses after the macro name
B. Using the pipe function
C. Dollar signs with the search definition
D. Parentheses before the macro name
A. Parentheses after the macro name
To search for a tag associated with a value on a specific field, select the correct string.
A. tag::user=privileged
B. tag=user::privileged
C. tag=user=privileged
D. tag-user::privileged
A. tag::user=privileged
Surround the macro name with the _____ when executing the macro in search.
A. Single quote character
B. Dollar sign
C. Double quote character
D. Backtick character
D. Backtick character
To perform a secondary search, use a _______ workflow action.
A. PUT
B. POST
C. GET
D. Search
D. Search
Which statements best describe an Event Type? Select all that apply.
A. Allow users to interact with web resources
B. Can be used to normalize field names, tags and field extractions
C. tags, field extractions
D. Categorizes events based on search constraints
B. Can be used to normalize field names, tags and field extractions
D. Categorizes events based on search constraints
Which of the following are ways you can create an event type? Select all that apply.
A. From event details, select Event Actions > Build Event Type
B. Settings > Event types > “New Event Type”
C. Run a search, then save as Event Type
A. From event details, select Event Actions > Build Event Type
B. Settings > Event types > “New Event Type”
C. Run a search, then save as Event Type
Which statements best describe the function of a Workflow Action? Select all that apply.
A. Allows users to interact with web resources
B. Sends field values to an external source
C. Uses field values to perform a secondary search
D. Retrieves information from an external source
A. Allows users to interact with web resources
B. Sends field values to an external source
C. Uses field values to perform a secondary search
D. Retrieves information from an external source
When using regex for field extraction, what is the first thing you have to do in the Field Extractor?
A. Provide a Field Name
B. Set the Extractions Name and set permissions
C. Select a value to extract
D. Edit the regular expression
C. Select a value to extract
True or False: Fields can be extracted only after indexing is complete.
A. FALSE
B. TRUE
A. False
True or False: If you manually edit the regular expression in the Field Extractor Utility then you will not be able to go back to validate the results.
A. FALSE
B. TRUE
B. True
Which of the following statements are true about a Regex “capture”?
A. Captures a matching pattern
B. Allows the Regex to be case insensitive
C. Defined with matching parentheses: ()
D. Can be referenced with a given name using: ?<name>
A. Captures a matching pattern
C. Defined with matching parentheses: ()
D. Can be referenced with a given name using: ?<name>
Which of the following character delimiters are supported for a delimited field extraction?
A. space
B. pipe
C. tab
D. comma
A. space
B. pipe
C. tab
D. comma
Which of the following Regex operators can most severely impact performance, and may be considered "greedy"?
A. * (asterisk)
B. + (plus sign)
C. . (period)
D. \ (backslash)
A. * (asterisk)
Use this field extraction method when fields are separated by spaces, commas, or characters.
A. delimited field extractions
B. regex field extractions
C. rename field extractions
A. delimited field extractions
There are three ways to get to the Field Extractor (FX). Select all that apply.
A. Settings menu
B. Auto-Extract Fields Workflow
C. Fields sidebar
D. Event Actions menu
A. Settings menu
C. Fields sidebar
D. Event Actions menu
Which of the following strings match this Regular Expression: c.t
A. c.t
B. c#t
C. c99t
D. cat
A. c.t
B. c#t
D. cat
What functionality is provided to allow collaboration with other Splunk users to create, modify or test data models?
A. The data model “clone” functionality
B. Downloading and uploading data models
C. Splunk user integration, such as LDAP
D. Creating data models in the Search & Reporting app
B. Downloading and uploading data models
Data models contain the following. Select all that apply.
A. event object hierarchy
B. constraints
C. inherited and extracted fields
A. event object hierarchy
B. constraints
C. inherited and extracted fields
Which of the following accurately describes data models? Select all that apply.
A. Can be used by the Pivot interface to generate reports and dashboard panels
B. Must contain at least one of each dataset: Events, Searches, and Transactions
C. Can only be designed by users with the admin role
D. A knowledge object that applies information structure to raw data
A. Can be used by the Pivot interface to generate reports and dashboard panels
D. A knowledge object that applies information structure to raw data
When creating a data model, which of the following is true? Select all that apply.
A. As the title is entered an ID is automatically generated.
B. Only the Search & Reporting and Monitoring Console apps can be selected.
C. The process fails if you are not logged in as an admin user.
D. Splunk highly recommends overriding the default ID to prevent confusion.
A. As the title is entered an ID is automatically generated.
True or False: You can only split a pivot with a maximum of one row or column.
A. TRUE
B. FALSE
B. False
To add a Root Event Dataset, what field is required to be manually added?
A. Dataset ID
B. Dataset Name
C. Duration maxpause maxspan
B. Dataset Name
Which of the following do all event datasets contain? Select all that apply.
A. Fields
B. Children
C. Purchases
D. Constraints
A. Fields
D. Constraints
By default, the sort command lists results in __________ order.
A. descending
B. ascending
B. ascending
True or False: A constraint inherited by the children dataset from the parent dataset can be removed.
A. TRUE
B. FALSE
B. FALSE
A data model can consist of the following three types of datasets. Select all that apply.
A. events
B. transactions
C. Pivot reports
D. searches
A. events
B. transactions
D. searches
What do Pivots require to create visualizations in Splunk? Select all that apply.
A. lookups
B. spreadsheets
C. data models
D. web filters
A. lookups
C. data models
Which of the following accurately describes pivots? Select all that apply.
A. Alternate method to access data without using search language
B. Quick way to design visualizations of data using Splunk Web
C. Requires the use of simplified search language
D. Requires use of datasets
A. Alternate method to access data without using search language
B. Quick way to design visualizations of data using Splunk Web
D. Requires use of datasets
When adding fields to a dataset, which of the following creates a new field based on an expression that you define?
A. Eval Expression
B. Geo IP
C. Auto-Extracted
D. Lookup
A. Eval Expression
What is required to configure persistent data model acceleration?
A. All 3 root dataset types: events, search, and transaction
B. A user accessing a data model dataset in Pivot
C. A user role with the accelerate_datamodel capability
D. A private data model
C. A user role with the accelerate_datamodel capability
What occurs when setting a field flag to Hidden?
A. The field is not displayed to Pivot users when they select the dataset in Pivot.
B. The field doesn’t have to appear in every event.
C. Only events that contain the field are returned.
D. Constraints will ignore the use of this field.
A. The field is not displayed to Pivot users when they select the dataset in Pivot.