splunk videos Flashcards

Question 1

Q

_______ and _______ are the time modifiers that override the time range picker in a historical report.
A. earliest
B. latest
C. first
D. last

Answer

A

B. latest
A. earliest

Question 2

Q

Using earliest=-30d@d latest=@d is how to return results from 30 days ago up until the time the search was executed.
A. TRUE
B. FALSE

Question 3

Q

What will the strftime function return when using the %H argument? Select all that apply.
A. convert the hour into your local time based on your time zone setting of your Splunk web sessions
B. time of raw event in UTC
C. hour of the event generated at index time

Answer

A

A. convert the hour into your local time based on your time zone setting of your Splunk web sessions

Question 4

Q

Choose the search that will sort events into one minute groups. Select all that apply.
A. | bin _time span=1m
B. | bin _time span=1mins
C. | bin span=1minutes _time

Answer

A

A. | bin _time span=1m
B. | bin _time span=1mins
C. | bin span=1minutes _time

Question 5

Q

When using the following search arguments, what will be returned? | timechart count span=1h
A. determine time range of events to scale
B. chart events in 1 hour chunks
C. events in the last 24 hours
D. chart only events over a 1 hour period

Answer

A

B. chart events in 1 hour chunks

Question 6

Q

date_time always reflects your local time zone and not the time/date from raw events.
A. True
B. False

Question 7

Q

@timeUnit will always round up and go forward through time.
A. True
B. False

Question 8

Q

Which of the following are default time fields? Select all that apply.
A. date_hour
B. date_mday
C. date_year
D. date_day

Answer

A

A. date_hour
B. date_mday
C. date_year

Question 9

Q

True or False: Using an OVER and a BY clause with the chart command will create a multiseries data series.
A. TRUE
B. FALSE

Question 10

Q

Which of these functions lists ALL values of the field X?
A.list(X)
B.values(X)

Answer

A

A. list(X)

Question 11

Q

True or False: Only one field can be created when using the eval command.
A. FALSE
B. TRUE

Question 12

Q

Which of these eval functions takes no arguments?
A. pow
B. min
C. random
D. max

Answer

A

C. random

Question 13

Q

When renaming fields with spaces or special characters, use the rename command and include the new field name in ___.
A. Parenthesis
B. Single quotes
C. None of the above
D. Double quotes

Answer

A

D. Double quotes

Question 14

Q

True or False: You can use wildcards (*) with the rename command to rename multiple fields that match a pattern.
A. FALSE
B. TRUE

Question 15

Q

When using the top command, add the BY clause to ___.
A. specify how many results to return
B. return a percentage of events
C. return results grouped by the field you specify in the BY clause
D. specify which search mode to return results by

Answer

A

C. return results grouped by the field you specify in the BY clause

Question 16

Q

By default, the sort command lists results in ___ order.
A. Ascending
B. Descending

Answer

A

A. Ascending

Question 17

Q

To round numerical values, use the ___ function of the eval command.

Question 18

Q

The ___(X,Y) eval function returns X to the power of Y.

Question 19

Q

If you use the stats command with two functions and a BY clause, which function is the BY clause applied to?
A. both functions if they are both aggregate functions
B. the first function
C. both functions
D. the second function

Answer

A

C. Both functions

Question 20

Q

To display the least common values of a field, use the ___ command.
A. stats
B. top
C. timechart with common=f option
D. rare

Question 21

Q

Use ___=false with the chart command if you want to hide the OTHER column.

Question 22

Q

The ___ command will always have _time as the X-axis.

Answer

A

timechart

Question 23

Q

When you use the stats command with a BY clause, what is returned?
A. a statistical output for each value of the named field
B. an error message because you did not include a statistical function
C. numerical statistics on each field if and only if all of the values of that field are numerical
D. one row

Answer

A

A. a statistical output for each value of the named field

Question 24

Q

The eval command calculates an expression and puts the resulting ____ into a new or existing field.
A. command
B. argument
C. value

Question 25

Q

True or False: Temporary fields created by using eval can be referenced in the search pipeline following creation.
A. TRUE
B. FALSE

Question 26

Q

True or False: Specify a wildcard by using the * character with the where command.
A. TRUE
B. FALSE

Question 27

Q

Which of the following functions must be used with the in function? Select all that apply.
A. if
B. validate
C. case
D. sum

Answer

A

A. if
C. case

Question 28

Q

Which are the Boolean operators that can be used by the eval command? Select all that apply.
A. NAND
B. AND
C. XOR
D. OR

Answer

A

B. AND
C. XOR
D. OR

Question 29

Q

The where command only returns results that evaluate to TRUE.
A. FALSE
B. TRUE

Question 30

Q

True or False: eval cannot exist as an expression.
A. FALSE
B. TRUE

Question 31

Q

What is the order of Boolean Expression of Evaluation for where and eval commands?
A. Expressions with parenthesis, NOT, AND, OR
B. NOT, AND, OR, Expressions with parenthesis
C. AND, OR, NOT, Expressions with parenthesis
D. AND, NOT, Expressions with parenthesis, OR

Answer

A

A. Expressions with parenthesis, NOT, AND, OR

Question 32

Q

The where command interprets unquoted or single-quoted strings as _____ and double-quoted strings as _____.
A. integers, field values
B. field, field values
C. field values, fields
D. field values, integers

Answer

A

B. field, field values

Question 33

Q

True of False: When using the eval command, all field values are treated in a case-sensitive manner and must be double-quoted.
A.FALSE
B.TRUE

Question 34

Q

Which of the following functions can be used to filter null values?
A. usenull=f
B. usenull=t
C. isnotnull
D. isnull

Answer

A

C. isnotnull
D. isnull

Question 35

Q

True or False: eventstats and streamstats support multiple stats functions, just like stats.
A. True
B. False

Question 36

Q

You would use the ___ function to convert a string to uppercase and the ___ function to convert a string to lowercase.
A. lowercase(), uppercase()
B. lower(), upper()
C. uppercase(), lowercase()
D. upper(), lower()

Answer

A

D. upper(), lower()

Question 37

Q

True or False: The foreach command can be used without a subsearch.
A. True
B. False

Question 38

Q

Which of these expressions will accurately normalize values from the OperatingSys and CompSys fields into a new field called OS?
A.| eval replace(OperatingSys OR CompSys,OS”
B.| eval OS = case(OperatingSys=OperatingSys,”OS”,CompSys=CompSys,”OS”,true(),”OS”)
C.| eval OS = coalesce(OperatingSys,CompSys)

Answer

A

C.| eval OS = coalesce(OperatingSys,CompSys)

Question 39

Q

___ is the process of organizing data to appear similar across all records, making the information easier to search.
A. Splunkification
B. Segmentation
C. Collating
D. Normalization

Answer

A

D. Normalization

Question 40

Q

Which two commands when used together are equivalent to chart <fieldA> over <filedB> by <fieldC>? Select all that apply.
A. stats <fieldA> by <fieldB>,<fieldC> followed by xyseries <fieldB> <fieldC> <fieldA>
B. stats <fieldA> by <fieldB>,<fieldC> followed by additional commands and then xyseries <fieldB> <fieldC> <fieldA>
C. stats <fieldA> by <fieldB>,<fieldC> followed by additional commands and then untable <fieldB> <fieldC> <fieldA>
D. stats <fieldA> by <fieldB>,<fieldC> followed by untable <fieldB> <fieldC> <fieldA>

Answer

A

A. stats <fieldA> by <fieldB>,<fieldC> followed by xyseries <fieldB> <fieldC> <fieldA>
B. stats <fieldA> by <fieldB>,<fieldC> followed by additional commands and then xyseries <fieldB> <fieldC> <fieldA>

Question 41

Q

Which statement(s) about appendpipe is/are false?
A. Only one appendpipe can exist in a search because the search head can only process two searches simultaneously
B. appendpipe transforms results and adds new lines to the bottom of the results set because appendpipe is always the last command to be executed
C. appendpipe transforms results and adds new lines to the bottom of the results set without overwriting original results
D. The subpipeline is executed only when Splunk reaches the appendpipe command

Answer

A

A. Only one appendpipe can exist in a search because the search head can only process two searches simultaneously
B. appendpipe transforms results and adds new lines to the bottom of the results set because appendpipe is always the last command to be executed

Question 42

Q

Which command uses a template subsearch to replace the values of specific fields?
A. replace
B. eval
C. foreach
D. none; commands only use functions to replace field values, not templates or subsearches

Answer

A

C. foreach

Question 43

Q

Which of these tostring expressions will format the PROFIT field in the USD currency format, $x,xxx?
A.| eval PROFIT = tostring(“$x,xxx”,PROFIT)
B.| eval PROFIT = tostring(PROFIT,”$”.”commas”)
C.| eval PROFIT = “$”.tostring(PROFIT,”commas”)
D.| eval PROFIT = tostring(PROFIT,”$x,xxx”)

Answer

A

C.| eval PROFIT = “$”.tostring(PROFIT,”commas”)

Question 44

Q

True or False: If there is an appendpipe in a search, its subpipeline will always be executed last.
A. TRUE
B. FALSE

Question 45

Q

Transactions contain the _____ field contents and the _____ of the earliest member.
A. _time, timestamp
B. _raw, timestamp
C. host, timestamp
D. source, timestamp

Answer

A

B. _raw, timestamp

Question 46

Q

The ______ option controls the maximum total time between the earliest and latest events.
A. maxpause
B. maxspan
C. span
D. minpause

Answer

A

B. maxspan

Question 47

Q

Which fields are added to raw events by the transaction command? Select all that apply.
A. _time
B. index
C. duration
D. eventcount

Answer

A

C.duration
D.eventcount

Question 48

Q

True or False: The transaction command is resource intensive.
A. True
B. False

Question 49

Q

The ___ command combines results from two or more datasets and returns a single result set.
A. join
B. union
C. append

Question 50

Q

The append command attaches results of a subsearch to the _____ of current results.
A. end
B. start
C. append command does not attach to the current results.

Question 51

Q

True or False: If a transaction fails to meet any conditions, it is evicted from the results.
A. True
B. False

Question 52

Q

Which of the following statements about subsearches are true?
A. Multiple searches can be used.
B. They can be nested.
C. They can not be nested.
D. Great for filtering data.

Answer

A

A. Multiple searches can be used.
B. They can be nested.
D. Great for filtering data.

Question 53

Q

When present in a search pipleine, a subsearch is executed _____ and it sends its _____ to the basic search.
A. first, results
B. first, search query
C. last, results
D. last, search query

Answer

A

A. first, results

Question 54

Q

If field data is missing, using the _____ command can create misleading results.
A.appendcols
B.union
C.append
D.transaction

Answer

A

A.appendcols

Question 55

Q

Which of the following options can be used with the transaction command?
A.endswith
B.startswith
C.maxpause
D.maxevents

Answer

A

A.endswith
B.startswith
C.maxpause
D.maxevents

Question 56

Q

True or False: Splunk knowledge objects can only be used privately.
A. True
B. False

Question 57

Q

Which workflow actions require you to specify if the behavior should open in a new window or current window? Select all that apply.
A. GET
B. POST
C. Search
D. PUT

Answer

A

A. GET
B. POST
C. Search

Question 58

Q

If you have a tag label called “homeoffice” associated with the field/value pair system_ip=<your>, when you run a search using the tag=homeoffice constraint, what events will be returned?
A. events from _internal
B. events with the value of the system_ip field equal to your ip address
C. field lookup table</your>

Answer

A

B. events with the value of the system_ip field equal to your ip address

Question 59

Q

Which function is used to send field values externally in Workflow Actions?
A. Search
B. POST
C. PUT
D. GET

Question 60

Q

Field aliases are applied after _________ and before ________ . Select all that apply.
A.lookups, field extractions
B.tags, field extractions
C.field extractions, tags
D.field extractions, lookups

Answer

A

C.field extractions, tags
D.field extractions, lookups

Question 61

Q

Select all knowledge objects.
A. lookups
B. users
C. workflow actions
D. field aliases

Answer

A

A.lookups
C.workflow actions
D.field aliases

Question 62

Q

When adding arguments to a macro, include the number of arguments in_____
A. Parentheses after the macro name
B. Using the pipe function
C. Dollar signs with the search definition
D. Parentheses before the macro name

Answer

A

A. Parentheses after the macro name

Question 63

Q

To search for a tag associated with a value on a specific field, select the correct string.
A. tag::user=privileged
B. tag=user::privileged
C. tag=user=privileged
D. tag-user::privileged

Answer

A

A. tag::user=privileged

Question 64

Q

Surround the macro name with the _____ when executing the macro in search.
A. Single quote character
B. Dollar sign
C. Double quote character
D. Backtick character

Answer

A

D. Backtick character

Answer 40

A

D. Search

Answer 41

A

B. Can be used to normalize field names, tags and field extractions
D. Categorizes events based on search constraints

Answer 42

A

A. From event details, select Event Actions > Build Event Type
B. Settings > Event types > “New Event Type”
C. Run a search, then save as Event Type

Answer 43

A

A. Allows users to interact with web resources
B. Sends field values to an external source
C. Uses field values to perform a secondary search
D. Retrieves information from an external source

Answer 44

A

C. Select a value to extract

Answer 45

A

A. Captures a matching pattern
C. Defined with a matching parantheses: ()
D. Can be referenced with a given name using: ?<name>

Answer 46

A

A. space
B. pipe
C. tab
D. comma

Answer 47

A

A. * (asterisk)

Answer 48

A

A. delimited field extractions

Answer 49

A

A. Settings menu
C. Fields sidebar
D. Event Actions menu

Answer 50

A

A. c.t
B. c#t
D. cat

Answer 51

A

B. Downloading and uploading data models

Answer 52

A

A. event object hierarchy
B. constraints
C. inherited and extracted fields

Answer 53

A

A. Can be used by the Pivot interface to generate reports and dashboard panels
D. A knowledge object that applies information structure to raw data

Answer 54

A

A. As the title is entered an ID is automatically generated.

Answer 55

A

B. Dataset Name

Answer 56

A

A. Fields
D. Constraints

Answer 57

A

B. ascending

Answer 58

A

A. events
B. transactions
D. searches

Answer 59

A

A. lookups
C. data models

Answer 60

A

A. Alternate method to access data without using search language
B. Quick way to design visualizations of data using Splunk Web
D. Requires use of datasets

Answer 61

A

A. Eval Expression

Answer 62

A

C. A user role with the accelerate_datamodel capability

Answer 63

A

A. The field is not displayed to Pivot users when they select the dataset in Pivot.

Brainscape's Knowledge GenomeTM

splunk videos Flashcards

Brainscape's Knowledge Genome^TM