Splunk_User Flashcards

Preparation for the Splunk User exam

1
Q

What are 4 main functions of Splunk Enterprise?

A
  • Input
  • Parsing
  • Indexing
  • Searching
2
Q

What are fields?

A

Fields are searchable key/value pairs in your event data. These are searchable name and value pairings that distinguish one event from another. Not all events have the same fields and field values

3
Q

What is host?

A

Physical devices from which the event originates

4
Q

What is source?

A

A source is the name of the file, directory, data stream, or other input from which a particular event originates

5
Q

What are source types used for?

A
  • Format the data during indexing
  • Categorize your data for easier searching
  • Help with appropriate timestamping and event breaking.
6
Q

What are forwarders?

A

A forwarder consumes data and then forwards the data to an indexer.

7
Q

What are indexers?

A

An indexer indexes incoming data that it usually receives from a group of forwarders. It transforms the data into events and stores the events in an index, and it searches the indexed data in response to search requests from a search head. It labels the data with a source type and breaks it into single events, adds knowledge objects to the data, and performs the actual searches on the data.

8
Q

What are search heads?

A

Directs search requests to a set of indexers and merges the results back to the user. Uses the search language to search indexed data. Handles search requests from users and distributes the requests to the indexers. Consolidates and enriches the results from the indexers before returning them to the user. The search heads also provide users with various tools such as dashboards, reports and visualisations to assist the search experience.

9
Q

Who are the 3 main users?

A

User, Power User, Admin

10
Q

What activities does a Splunk Administrator perform?

A
  • Sets up user accounts and permissions
  • Gets data into Splunk Enterprise
  • Configures, administers, optimizes and secures the Splunk Enterprise deployment
11
Q

What activities does a Splunk User perform?

A
  • Uses search to investigate server problems, understand configurations, monitor user activities and troubleshoot escalated problems.
  • Builds reports and dashboards
  • Identifies patterns and trends that are indicators of routine problems.
12
Q

What are the benefits of index clusters?

A
  • Prevent data loss
  • Promote availability
  • Data recovery
13
Q

Main functions of the Search and Reporting app

A
  • Searching and analysing data
  • Creating knowledge objects, reports and dashboards

14
Q

Index time process

A
  • Input phase: the data is opened and read, and any configuration settings are applied
  • Parsing phase: handled by indexers. The data is broken up into events and advanced processing is applied
  • Indexing phase: the data is initially written to disk and compressed.
15
Q

How can you add data inputs?

A
  • Apps and add-ons from Splunkbase
  • Splunk Web
  • CLI
  • Directly editing inputs.conf
16
Q

Who is adding the data for the deployment?

A

Admin user

17
Q

What are 3 ways of adding the data into Splunk?

A
  • Data input
  • Monitor
  • Forwarders
18
Q

What does the upload data option do?

A

Uploads your local file and indexes it once. Does not create inputs.conf

19
Q

What does the monitor option do?

A

Uploads files and directories, HTTP events, TCP/UDP and scripts. Useful for testing inputs. You can monitor continuously or index once.

20
Q

What do multiple indexes allow?

A
  • Limiting the amount of data Splunk searches
  • Limiting access by user role. You can control who sees what data
  • Custom retention policies.
21
Q

How long are jobs stored in Splunk?

A

10 minutes

22
Q

What is the maximum time length that the job is stored?

A

7 days

23
Q

What are the 3 search modes?

A
  • Fast
  • Smart
  • Verbose
24
Q

What does Fast search mode do?

A

Emphasizes speed over completeness. Field discovery is disabled

25
What does Verbose mode do?
Emphasizes completeness over speed. Allows access to the underlying events when using reporting or statistical commands. Verbose mode returns as much field information as possible.
26
What does Smart mode do?
Smart mode balances speed and completeness. The default Smart mode behaves differently depending on the type of search you are running. Limiting a search by time is key to faster results and is a best practice.
27
What is Splunk's approach to zooming in and out of events?
Zooming in to events uses your original search job. When zooming out, Splunk runs a new search job to return the newly selected events.
28
Event processing
Occurs in two stages: parsing and indexing. During parsing, Splunk breaks the data chunks into events. During indexing, it assigns the timestamp and the main metadata elements.
29
How does timestamp assignment work?
Timestamps are added to events at index time. Splunk assigns them automatically from the information in the data, or attempts to assign one on its own.
30
What are timestamps used for?
  • Correlate events by time
  • Create the timeline histogram in Splunk Web
  • Set time ranges for searches
31
What is the order of precedence of the Boolean operators?
  • NOT
  • OR
  • AND
32
Selected fields
The set of fields displayed for each event. Default are: host, source and source type.
33
What are interesting fields?
Fields that have values in at least 20% of the events
34
!= vs. NOT
!= returns events where the status field exists and its value is not equal to … NOT returns events where the status field exists and its value is not equal to …, plus all events where the status field doesn't exist.
35
When do != and NOT yield the same results?
Only if the field you’re evaluating always exists in the data you’re searching.
36
General search practices:
  • The less data you have to search, the faster Splunk will be
  • The more you tell the search engine, the more likely it is that you will get good results
  • Inclusion is generally better than exclusion.
  • Updating in real time.
  • Filter as early as possible. For example, remove duplicate events, then sort.
  • Avoid using wildcards at the beginning or middle of a string.
  • When possible, use OR instead of *
  • Splunk will usually use multiple indexes to index the data.
  • Admins can limit access to different indexes for other users for security reasons.
37
What are commands?
Tell Splunk what we want to do with the search results, including creating charts, computing statistics and formatting.
38
What are functions?
Explain how we want to chart, compute and evaluate the results.
39
What are arguments?
Variables that we want to apply to the functions
40
What are clauses?
Explain how we want the variables grouped or defined, and how we want to group or rename the field results.
41
What is the function of "|"?
Search for this and….
42
What are 4 main elements of search language syntax?
Command, function, argument, clause
43
What is the table command?
Returns a table formed by only the fields in the argument list.
44
What is the fields command?
Allows you to include or exclude fields from the search results. Useful to limit the fields displayed and can make searches faster. Field inclusion happens before field extraction and can improve performance. Field exclusion happens after field extraction and only affects the displayed results.
45
What command removes duplicate events?
Dedup
46
What are the options of the stats count command?
  • countfield -> change the title of the count column
  • percentfield -> change the title of the percentages column
  • showcount -> do not show the count
  • showperc -> do not show the %
  • showother -> add a row with the count of the remaining results.
47
What is the number of results shown by the top command by default?
10
48
What are reports?
Reports are saved searches. Reports can show events, statistics (tables) or visualisations (charts). Running a report returns fresh results each time you run it. Statistics and visualizations allow you to drill down by default to see the underlying events. Reports can be shared and added to dashboards.
49
Is the power user allowed to create reports?
True
50
When does the time range picker work in panels?
Time range picker will only work on panels with an inline search.
51
What are the options in the visualisations?
  • Change formatting options
  • Add legend
  • Stack columns
52
What is a dashboard?
A dashboard consists of one or more panels displaying data visually in a useful way, such as events, tables or charts. They display the results of completed searches and data from real-time searches that run in the background.
53
How do reports work with dashboards?
A single report can be used across different dashboards; this links the report definition to the dashboard. Any change to the underlying report affects every dashboard panel that uses that report.
54
What are datasets?
  • Event datasets: represent a set of events
  • Transaction datasets: represent transactions, i.e. groups of events that are related in some way
  • Search datasets: the results of an arbitrary search
  • Child datasets: a subset of the dataset encompassed by their parent dataset
55
What are pivots?
Pivot refers to the table, chart, or data visualization you create using the Pivot Editor. The Pivot Editor lets users map attributes defined by data model objects to a table, chart, or data visualization without having to write the searches in the Search Processing Language (SPL) to generate them.
56
What are instant pivots?
Pivot refers to the table, chart, or data visualization you create using the Pivot Editor. The Pivot Editor lets users map attributes defined by data model objects to a table, chart, or data visualization without having to write the searches in the Search Processing Language (SPL) to generate them.
57
What is a Lookup?
A lookup pulls static data from standalone files at search time and adds it to the search results. It allows you to add fields not included in the indexed data. It is categorised as a dataset.
58
Are lookup fields sensitive?
Yes
59
What are the stages of creating a lookup?
  • Define the file required for the lookup
  • Define the lookup type
  • Optionally, configure the lookup to run automatically.
60
How can you review the data in the .csv file or validate the lookup?
INPUTLOOKUP
61
Lookup command
If the lookup is not running automatically, use it to get access to the lookup fields.
62
How do you avoid overwriting existing fields in the lookup?
OUTPUTNEW
63
What is a scheduled report?
A scheduled report is a report that runs on a scheduled interval and can trigger its action each time it runs.
64
What is an embedded report?
A scheduled report that is embedded in an external web page or HTML-based dashboard. An embedded report is viewable by anyone who has access to the web page it is inserted in. An embedded report will not show data until the scheduled search has run.
65
What are alerts?
Alerts can trigger once the results of a search meet defined conditions.
66
What are the alert action options?
  • Send an email
  • Webhook
  • Run a custom script
  • Trigger scripts
67
What are the 2 different time options in alerts, and what is their difference?
  • Scheduled alert
  • Real-time alert
68
What are the best practices for alerts?
  • Coordinating an alert schedule with the search time range prevents event data from being evaluated twice by the search
  • Schedule alerts with at least one minute of delay. This practice is important in distributed search deployments where event data might not reach the indexer immediately. A delay ensures that you are counting all events, not just the events that were indexed first.
69
What is a webhook alert?
Webhook alert allows you to define custom callbacks on a particular web resource.
70
What are apps?
Apps are a collection of configurations, knowledge objects, and custom-designed views and dashboards.
71
What are data models?
A hierarchically organized collection of datasets that Pivot uses to generate reports.
72
What are events?
An event is a set of values associated with a timestamp. It is a single entry of data and can have one or multiple lines
73
What is an index?
An index is the repository for Splunk Enterprise data.
74
What are indexes?
Events stored in the index
75
What is index time and what occurs then?
The time span from when the Splunk software receives new data to when the data is written to an index. Data is read from a source on a host and is classified into a source type. Timestamps are extracted, and the data is parsed into individual events. Line-breaking rules are applied to segment the events for display in the search results. Each event is written to an index on disk, where the event is later retrieved by a search request.
76
What are jobs?
Searches. The information tracked includes the owner of the job, the app the job was run in, how many events were returned and how long the job took to run.
77
How can you export your job results?
  • CSV
  • JSON
  • PDF
  • Raw events
  • XML
78
Difference between a scheduled report and a scheduled alert?
  • Scheduled report: runs its action and sends an email every time the report completes, even if there are no search results showing check-ins
  • Scheduled alert: only runs its action when it is triggered by search results showing one or more check-in events
79
What are subsearches?
A search that is used to narrow down the set of events that you search on. Subsearches return a maximum of 10,000 results and have a maximum runtime of 60 seconds.
80
Difference between scheduled triggering and throttling?
You can trigger an alert if your search returns e.g. 15 different events, and throttling will delay them by 15 minutes.
81
field_name=field_value
Field name: case sensitive; field value: not case sensitive. Field name: cannot use wildcards; field value: can use wildcards. Use quotation marks when the field values include spaces.
82
How long are jobs from scheduled searches retained?
The scheduled search interval multiplied by two.
83
What are historical searches?
Review data in the past, but you can set up searches to review events with future-dated timestamps if your index contains them.
84
Search requests are processed by
Indexers
85
What are transforming commands?
Commands that create statistics and visualisations
86
When is the instant pivot button displayed in the statistics and visualisation tabs?
When a non-transforming command is run
87
What does the App bar do?
Navigate the system
88
External data used by a lookup can come from sources like
  • CSV file
  • Scripts
  • Geospatial data
89
How do you display data from the lookup?
Inputlookup
90
When a search is sent to Splunk it becomes
Search job
91
Excluding fields using the Fields Command will benefit performance
False
92
How does Splunk know where to break the event, where the timestamp is located and how to automatically create field/value pairs?
Using the source type
93
---------------- is generally better than -------
Inclusion / Exclusion
94
What is the purpose of an index for an administrator?
To segregate data and limit access by Splunk role.
95
What does the forward option do?
Data is gathered on a remote machine and forwarded to an indexer over a receiving port
96
Creating Searches and Saving Results: Selected fields are displayed ______ each event in the search results.
below
97
Search terms are not case sensitive.
True
98
Creating Searches and Saving Results: These two searches will NOT return the same results. SEARCH 1: login failure SEARCH 2: "login failure".
True
99
A space is an implied _____ in a search string.
AND
100
You can not specify a relative time range, such as 45 seconds ago, for a search.
False
101
Historical searches provide a static snapshot of events at a given time.
True
102
Using the export function, you can export a maximum of 2000 results.
False
103
Which of the following search controls will not re-run the search? (Select all that apply.)
b) selecting a bar on the timeline | c) deselect | d) selecting a range of bars on the timeline
104
Highlighted search terms indicate _________ search results in Splunk. a) Display as selected fields. b) Sorted c) Charted based on time d) Matching
d) Matching
105
The Splunk search language does not support wildcards.
b) False
106
The Splunk search language supports the + wildcard.
b) False
107
When you mouse over and click to add a search term this (these) Boolean operator(s) is(are) not implied. (Select all that apply). a) OR b) ( ) c) AND d) NOT
b) ( )
108
The time range specified for a historical search defines the ____________. (answer questionable) a) Amount of data shown on the timeline as data streams in b) Amount of data fetched from index matching that time range c) Time range for the static results
b) Amount of data fetched from index matching that time range
109
Historical searches provide a static snapshot of events at a given time.
a) True
110
Using the export function, you can export search results as __________. (Select all that apply) a) Xml b) Json c) Html d) A php file
a) XML | b) JSON
111
Using the export function, you can export a maximum of 2000 results.
b) False
112
These kinds of fields are identified in your data at INDEX time.
b) Default fields
113
Default fields are not added to every event in SPLUNK at INDEX time.
b) False
114
The fields sidebar does not show________. (Select all that apply.) a) interesting fields b) selected fields c) all extracted fields
c) all extracted fields
115
Field discovery occurs at ___________ time. a) search b) index
a) search
116
Only Splunk Administrators can assign selected fields. a) True b) False
b) False
117
Fast, optimized and verbose are all selectable search modes. a) True b) False
b) False
118
This search: user!=* _________________. a) displays only events that contain a value for user b) displays all events c) displays only events that do NOT contain a value for user
c) displays only events that do NOT contain a value for user
119
The interesting fields in the fields sidebar are based on what fields you have requested in the past. a) True b) False
b) False
120
These 2 searches will return exactly the same results: SEARCH 1: host=www1 SEARCH 2: host=WWW1 a) True b) False
b) True
121
These are the default selected fields. a) source, sourcetype, host b) source, sourcetype, index c) source, sourcetype, timestamp d) host, source, _raw
a) source, sourcetype, host
122
Which search mode automatically decides how to return fields based on your search? a) Verbose mode b) Fast mode c) Smart mode
c) Smart mode
123
When you run a search, fast mode extracts all fields very quickly. a) True b) False
a) True
124
These kinds of fields are identified in your data at INDEX time. (answer questionable) a) Default fields b) Data-specific fields
a) Default fields
125
Which search mode returns all fields? a) Verbose mode b) Fast mode c) Smart mode
a) Verbose mode
126
When you run a search, fast mode extracts all fields very quickly. a) True b) False
b) False
127
Splunk alerts can be based on search that run______. (Select all that apply.) a) in real-time b) on a regular schedule c) and have no matching events
a) in real-time | b) on a regular schedule
128
Alert throttling is used to _______. a) verify each alert b) stagger search request in a time sequenced order c) stop spamming yourself with alerts d) check severity
c) stop spamming yourself with alerts
129
A real-time alert is ______________. a) A scheduled alert b) constantly running in the background
b) constantly running in the background
130
An alert does not have to trigger every time it generates search results. a) True b) False
a) True
131
Alerts trigger when search results meet specific conditions. a) True b) False
a) True
132
Scheduled alerts must be scheduled to run with cron job syntax only. a) True b) False
b) False
133
This tab shows you the event patterns in the results of a specific search. a) statistics b) visualization c) patterns
c) patterns
134
Which of the following about reports is/are true? a) Reports are knowledge objects. b) Reports can be scheduled. c) Reports can run a script. d) All of the above.
d) All of the above.
135
There is NOT a SAVE AS option when editing a report. a) True b) False
a) True
136
Select this in the fields sidebar to automatically pipe you search results to the rare command a) events with this field b) rare values c) top values by time d) top values
b) rare values
137
Reports _____ allowing drilldown by default. a) Are b) Are not
b) Are not
138
A report scheduled to run every 15 mins. but takes 17 mins. to complete is in danger of being _____. a) skipped or deferred b) automatically accelerated c) deleted d) all of the above
a) skipped or deferred
139
Custom charts can be created from the fields sidebar. a) True b) False
b) False
140
Which of the following are valid options to speed up reports? (Select all that apply.) a) Edit permissions b) Edit description c) Edit acceleration d) Edit schedule
c) Edit acceleration
141
Running a scheduled saved report ______. a) Returns the results from the last time the report was saved b) Returns a fresh results set
b) Returns a fresh results set
142
Pivot visualizations____________. a) include bubble chart marker gauge and bar chart b) include map scatter chart and pie chart
a) include bubble chart marker gauge and bar chart
143
After you create a pivot you can save it as a __________. (Select all that apply.) a) tag b) eventtype c) report d) dashboard panel
c) report | d) dashboard panel
144
The Pivot editor enables users to quickly create reports, but they must use the pivot command. a) True b) False
b) False
145
The pivot editor has a map visualization option. a) True b) False
b) False
146
New pivots automatically populate with __________ (Select all that apply). a) Split rows b) Split columns c) Count of hosts d) Time range filter
d) Time range filter
147
The following searches will return the same results. SEARCH 1: ssh error SEARCH 2: ssh AND error a) True b) False
a) True
148
Field names are case ___________. a) sensitive b) insensitive
a) sensitive
149
Which of the following statements are true for this search? (Select all that apply.) SEARCH: sourcetype=access* | fields action productId status a) is looking for all events that include the search terms: fields AND action AND productId AND status b) uses the table command to improve performance c) limits the fields that are extracted d) returns a table with 3 columns
b) uses the table command to improve performance | c) limits the fields that are extracted
150
Internal fields, such as _raw and _time, can be explicitly removed from results with fields command. a) True b) False
b) False
151
Use the dedup command to _____. a) Rename a field in the index b) remove duplicate values c) provide an additional alias for the field that can be used in the search criteria
b) remove duplicate values
152
The following searches will not return the same results. SEARCH 1: purchase SEARCH 2: action=purchase a) True b) False
a) True
153
We can use the rename command to _____ (Select all that apply.) a) Change indexed fields b) Exclude fields from our search results c) Extract new fields from our data using regular expressions d) Give a field a new name at search time
d) Give a field a new name at search time
154
The limit attribute will___________. a) override default of 10 b) only work with top command c) override default of 20 d) override default of 15
a) override default of 10
155
This function of the stats command allows you to identify the number of values a field has. a) max b) distinct_count c) fields d) count
d) count
156
This function of the stats command allows you to return the sample standard deviation of a field. a) stdev b) dev c) count deviation d) by standarddev
a) stdev
157
Which of the following commands will show the maximum bytes? a) sourcetype=access_* | maximum totals by bytes b) sourcetype=access_* | avg (bytes) c) sourcetype=access_* | stats max(bytes) d) sourcetype=access_* | max(bytes)
max(bytes)
158
This search will return 20 results. SEARCH: error | top host limit = 20 a) True b) False
a) True
159
Which of the following searches will show the number of categoryId used by each host? a) Sourcetype=access_* | sum bytes by host b) Sourcetype=access_* | stats sum(categoryId) by host c) Sourcetype=access_* | sum(bytes) by host d) Sourcetype=access_* | stats sum by host
b) Sourcetype=access_* | stats sum(categoryId) by host
160
This clause is used to group the output of a stats command by a specific name. a) Rex b) As c) List d) By
a) Rex
161
This function of the stats command allows you to return the middle-most value of field X. Median(X) Eval by X Fields(X) Values(X)
Median(X)
162
When a search returns __________, you can view the results as a list. a) a list of events b) transactions c) statistical values
c) statistical values
163
Clicking a SEGMENT on a chart, ________. a) drills down for that value b) highlights the field value across the chart c) adds the highlighted value to the search criteria
c) adds the highlighted value to the search criteria
164
Use this command to use lookup fields in a search and see the lookup fields in the field sidebar. a) inputlookup b) lookup
b) inputlookup
165
Lookups can be private for a user. a) True b) False
a) True
166
In automatic lookup definitions, the _____ fields are those that are not in the event data. a) input b) output
b) output
167
What is the correct order of steps for creating a new lookup? A. Configure the lookup to run automatically B. Create the lookup table C. Define the lookup a) B, A, C b) A, B, C c) B, C, A d) C, B, A
c) B, C, A
168
The command shown here does which of the following: Command: | outputlookup products.csv a) Writes search results to a file named products.csv b) Returns the contents of a file named products.csv
a) Writes search results to a file named products.csv
169
Which of the following are not true about lookups? (Select all that apply.) a) Lookups can be time based b) Search results can be used to populate a lookup table c) Splunk DB Connect can be used to populate a lookup table from relational databases d) Output from a script can be used to populate a lookup table e) Lookups have a 10MB maximum size limit
e) Lookups have a 10MB maximum size limit
170
Lookups allow you to overwrite your raw event. a) True b) False
a) True
171
It is mandatory for the lookup file to have this for an automatic lookup to work. a) Source type b) At least five columns c) Timestamp d) Input field
d) Input field
172
By default, all users have DELETE permission to ALL knowledge objects. a) True b) False
b) False
173
These users can create global knowledge objects. (Select all that apply.) a) users b) power users c) administrators
b) power users | c) administrators
174
All users by default have WRITE permission to ALL knowledge objects. a) True b) False
b) False
175
Object ATTRIBUTES do not define ___________. a) a base search for the object b) fields for the object
a) a base search for the object
176
Fields associated with a data set are known as ______. a) Attributes b) Constraints
a) Attributes
177
Which of the following are responsible for reducing search results? a) search heads b) indexers c) forwarders
b) indexers
178
Which of the following are responsible for parsing incoming data and storing data on disc? a) forwarders b) indexers c) search heads
b) indexers
179
This is what Splunk uses to categorize the data that is being indexed. a) sourcetype b) index c) source d) host
a) sourcetype
180
This is what Splunk uses to categorize the data that is being indexed. a) Host b) Sourcetype c) Index d) Source
b) Sourcetype
181
It is not possible for a single instance of Splunk to manage the input, parsing and indexing of machine data. a) True b) False
b) False
182
It is not possible for a single instance of Splunk to manage the input, parsing and indexing of machine data. a) True b) False
b) False
183
By default search results are not returned in ________ order. a) Chronological b) Reverse chronological c) ASCII d) Alphabetical
a) Chronological | d) Alphabetical
184
The stats command will create a _____________ by default. a) Table b) Report c) Pie chart
a) Table