Splunk_1

Question 1

What is Machine Data ?

Answer 1

Digital information created by the activity of computers, mobile phones, embedded systems and other networked devices.

Question 2

What Splunk Do ?

Answer 2

Searching, monitoring, and examining machine-generated Big Data through a web-style interface.

Question 3

What are the main components of Splunk?

Answer 3

Forwarder
Indexer
Search Head

Question 4

What are forwarder ?

Answer 4

An agent you deploy on IT systems, which collects logs and sends them to the indexer.

Question 5

What is Splunk ?

Answer 5

A distributed system that aggregates, parses and analyses log data.

Question 6

What are the two types of forwarder ?

Answer 6

• Universal Forwarder

- Heavy Forwarder

Question 7

What is Universal forwarder for ?

Answer 7

It forwards the raw data without any prior treatment.

Question 8

What is Heavy Forwarder for ?

Answer 8

Parsing and indexing at the source, on the host machine and sends only the parsed events to the indexer.

Question 9

What is indexer for ?

Answer 9

Transforms data into events (unless it was received pre-processed from a heavy forwarder), stores it to disk and adds it to an index, enabling searchability.

Question 10

What is SearchHead for ?

Answer 10

Search and query Splunk data, and interfaces with indexers to gain access to the specific data they request.

Question 11

What is the three processing tiers for a splunk deployment ?

Answer 11

• Data input
• Indexing
• Search management

Question 12

What is the correspondence between the three typical processing tiers and the four data pipeline segments ?

Answer 12

• The data input tier handles the input segment.
• The indexing tier handles the parsing and indexing segments.
• The search management tier handles the search segment.

Question 13

What are the 5 main function of Splunk Enterprise ?

Answer 13

• Index Data
• Search & investigate
• Add knowledge
• Monitor & alert
• Report & analyse

Question 14

What are the different product categories of Splunk ?

Answer 14

Splunk Enterprise − It is used by companies which have large IT infrastructure and IT driven business.

Splunk Cloud − It is the cloud hosted platform with same features as the enterprise version. It can be availed from Splunk itself or through the AWS cloud platform.

Splunk Light − It allows search, report and alert on all the log data in real time from one place.

Question 15

What is splunk role ?

Answer 15

Determine what a user is able to see, do or interact with.

Question 16

What are the 3 main roles in Splunk Enterprise ?

Answer 16

• Administrator role
• Power role
• User role

Question 17

Who can add data to Splunk ?

Answer 17

The administrator

Question 18

What are the 3 option to ingest data to Splunk ?

Answer 18

• Upload file from the computer (local files)
• Monitor files and ports on the splunk platform instance
• Forward data form a splunk forwarder

Question 19

What is an event ?

Answer 19

A set of values associated with a

timestamp. It is a single entry of data

Question 20

What is SourceType ?

Answer 20

A default field that identifies the data structure of an event. A source type determines how formats the data during the indexing process.

Question 21

What is the Host Value ?

Answer 21

The name of the machine from which the event originates.

Question 22

What is index ?

Answer 22

The directory where the data will be stored

Question 23

What is knowledge object ?

Answer 23

A user-defined entity that enriches the existing data. You can use knowledge objects to get specific information about your data.

Question 24

What are the five components of splunk language ?

Answer 24

• Search terms
• Commands
• Functions
• Arguments
• Clauses

Question 25

Are Field values case sensitive ?

Answer 25

No

Question 26

Are Field Name case sensitive ?

Answer 26

Yes

Question 27

What is the most efficient way to filter events ?

Answer 27

Using Time

Question 28

Can Splunk allow searches in real time ?

Answer 28

Yes

Question 29

The colors in SPL

Answer 29

Orange for boolean
Blue for commands
Green for command arguments
Purple for functions

Question 30

Which command removes results with duplicate field values?

Answer 30

Dedup

Question 31

Can Charts be based on numbers, time, or location ?

Answer 31

Yes

Question 32

Can the User role create report ?

Answer 32

Yes

Question 33

What Splunk uses to categorize the type of data being indexed ?

Answer 33

Sourcetype

Question 34

Are events always returned in chronological order ?

Answer 34

No

Question 35

What separate indexes allows ?

Answer 35

Multiple retention policies
Faster Searches.
Ability to limit access.

Question 36

What is a lookup ?

Answer 36

Add custom fields to event from external sources like csv.file

Question 37

Which command returns a table containing only specified fields in result set ?

Answer 37

Table command

Question 38

Which command renames a field in results ?

Answer 38

Rename command

Question 39

Which command includes or excludes specified fields. ?

Answer 39

Fields command

Question 40

Which command sorts results by specified field ?

Answer 40

Sort command

Question 41

Which command adds field values from an external source (e.g., csv files) ?

Answer 41

Lookup command

Question 42

What is the transition that takes place as the buckets age in Splunk?

Answer 42

They roll from hot to warm to cold

Question 43

What does each bucket have?

Answer 43

Its own raw data, metadata, and index files

Question 44

What are Booleans in the Splunk Search Language ?

Answer 44

NOT
OR
AND

Question 45

How warm Buckets in Splunk indexes are named by ?

Answer 45

The timestamps of first and last event in the bucket

Question 46

What are the searches mode ?

Answer 46

Verbose
Fast
Smart

Question 47

Which of the search modes automatically returns all extracted fields in the fields sidebar?

Answer 47

Verbose

Question 48

Which type of visualization allows you to show a third dimension of data?

Answer 48

Bubble Chart

Question 49

Which option is NOT available with the chart and timechart commands?

Answer 49

Usefill

Question 50

What the timechart command buckets data in time intervals depending on ?

Answer 50

The selected time range

Question 51

Which clause allows you to define which field is represented on the X axis of a chart ?

Answer 51

Over

Question 52

Can the iplocation and geostats commands be used together ?

Answer 52

Yes

Question 53

Which options are valid with the chart command?

Answer 53

Useother

Usenull

Question 54

What the Gauge command allow you ?

Answer 54

To set colored ranges for a single-value visualization.

Question 55

Which command will compute the sum of numeric fields within events and place the result in a new field ?

Answer 55

Addtotals

Question 56

What arguments the trendline command requires ?

Answer 56

Trend type,
Time period
Field

Question 57

Does the search job inspector shows how long a given search took to run ?

Answer 57

Yes

Question 58

Which are stats function ?

Answer 58

avg
count
sum

Question 59

What search returns can be viewed as a chart ?

Answer 59

Statistics

Question 60

Which axis should always be numeric ?

Answer 60

the Y axis

Question 61

What is the gauge command for ?

Answer 61

Allows you to set colored ranges for a single-value visualization.

Question 62

Which argument (in order) the eval command ‘if’ function requires ?

Answer 62

boolean expression, result if true, result if false

Question 63

If you want to format values without changing their characteristics, which would you use?

Answer 63

The fieldformat command

Question 64

What is the maxpause definition ?

Answer 64

Finds groups of events where the span of time between included events does not exceed a specific value

Question 65

CAn you create a transaction based on multiple fields.

Answer 65

Yes

Question 66

Which function should you use with the transaction command to set the maximum total time between the earliest and latest events returned?

Answer 66

maxspan

Question 67

What is the Splunk CIM ?

Answer 67

Common Information Model provides a methodology to normalize data

Question 68

When should you used the CIM Schema ?

Answer 68

When creating Field Extractions, Aliases, Event Types, and Tags.

Question 69

Which datasets can be added to a root dataset to narrow down the search ?

Answer 69

A child datasets

Question 70

What are doing required fields in a data models ?

Answer 70

They constrains the dataset to only return events that include that field

Question 71

Do the fields used in the data models already have to be extracted before creating the datasets?

Answer 71

No

Question 72

Which workflow Action type sends field values to external resources ?

Answer 72

POST

Question 73

What we need to use field value data from an event in a Workflow Action ?

Answer 73

Wrap the field in dollar signs.

Question 74

Which Workflow Action type directs users to a specified URI ?

Answer 74

GET

Question 75

Can Workflow action only be applied to a single field ?

Answer 75

No

Question 76

What can do a workflow action ?

Answer 76

Direct users to a specified URI.
Execute a secondary search.
Send field values to external sources.

Question 77

Can we add tags to Event Types ?

Answer 77

Yes

Question 78

How categorize events based on search terms ?

Answer 78

By using event types

Question 79

Can you pipe the results of a macro to other commands ?

Answer 79

Yes

Question 80

What is the proper syntax for using a macro named “us_sales”

Answer 80

us_sales

Question 81

What allows the search expansion tool ?

Answer 81

To see what a macro will expand to before you run a search.

Question 82

Is the search macros must always include an argument ?

Answer 82

No

Question 83

What are tags ?

Answer 83

The descriptive name for key value pairs

Question 84

Do the event types show up in the fields list ?

Answer 84

Yes

Question 85

What allows to categorize events based on search terms ?

Answer 85

Events Types

Question 86

Why use field aliases ?

Answer 86

To normalise data

Question 87

In the Field Extractor Utility, which button will display events that do not contain extracted field ?

Answer 87

Non-Matches

Question 88

What method to extract can be used with the field extractor utility ?

Answer 88

Regex & Delimiter

Question 89

Which users can create private Knowledge Objects?

Answer 89

Power
User
Admin

Question 90

What the transaction command allows ?

Answer 90

To correlate events across multiple sources.

Question 91

What is maxpause for ?

Answer 91

Finds groups of events where the span of time between included events does not exceed a specific value

Question 92

Why use stats ?

Answer 92

To see results of a calculation, or group events on a field value

Question 93

why use transaction ?

Answer 93

To see events correlated together, or grouped by start and end values.

Question 94

By default, what does the fillnull command replace null values ​​with?

Answer 94

0

Question 95

Which command is used to create choropleth maps?

Answer 95

geom

Question 96

What return the iplocation command ?

Answer 96

It returns location information for events that include external IP addresses

Question 97

Which roles can create Private Knowledge Objects?

Answer 97

User, Power, Admin

Question 98

When using a .csv file for lookups, the first row in the file represents this.

Answer 98

Field names

Question 99

Which is the correct order to use when creating a lookup?

Answer 99

Define a lookup table
Define a lookup
Create and automatic lookup

Question 100

What are Field Aliases caracteristics ?

Answer 100

Can be referenced by lookup tables.
Are applicable to a specified app context.
Make correlation easier.

Question 101

Can calculate fields use lookup tables ?

Answer 101

No

Question 102

What is SVA ?

Answer 102

Splunk Validated Architectures (SVAs) are proven reference architectures for stable, efficient and repeatable Splunk deployments.

Question 103

What are Authentication Methods available in Splunk?

Answer 103

• Native Splunk Accounts
• LDAP
• SAML
• Scripted Authentication