User FlashCards
1
Q
The Common constraints for the top command are?
A
limit
countfield
showperc
2
Q
What is the limit= to when you click the Top values in a field window?
A
The limit is =20
3
Q
Limit=0 returns how many results
A
Unlimited results
4
Q
By default what is the name of the countfield?
A
Count
5
Q
Shows the number of events that match the search criteria
A
stats count
6
Q
Returns a count of unique values for a given field?
A
distinct_count, dc
7
Q
Shows all values of a given field?
A
list
8
Q
Shows unique values of a given field?
A
values
9
Q
What are saved searches?
A
Reports
10
Q
Does running a report return fresh results each time you run it?
A
Yes!
11
Q
____ and ____ allow you to drill down by default to see the underlying events.
A
Statistics and Visualizations
12
Q
Can reports be shard and added to dashboards?
A
Yes!
13
Q
The report is saved with the time range that was selected when it was created. True or False?
A
True!
14
Q
Adding a time range picker allows you to do what to the Report?
A
It allows you to adjust the time range of the Report when you run it.
15
Q
What are the dialog buttons when creating a report?
A
- Continue Editing
- Add to Dashboard
- View - allows you to display and rerun the report
16
Q
There are 3 main ways to create tables and visualizations in Splunk. What are they?
A
- Select a field from the fields sidebar and choose a report to run
- User the Pivot interface
- Start with a dataset or Instant Pivot - Use the Splunk search language transforming commands in the Search bar.
17
Q
Numeric fields have 6 report types with mathematical functions, what are they?
A
- Average over time
- Maximum value over time
- Minimum value over time
- Top values
- Top values by time
- Rare values
18
Q
For alphanumeric character fields, there are only 3 available reports, what are they?
A
- Top values
- Top values by time
- Rare values
19
Q
When updating visualization settings like the min/max, how soon are the new settings reflected?
A
Immediately!!
20
Q
Switch to what tab in order to view the data as a table?
A
Statistics!
21
Q
What is a dashboard?
A
A dashboard consists of one or more panels displaying data visually in a useful way - such as events, tables, or charts.
Page 150 Mod 10
22
Q
Why create panels from reports?
A
It is efficient to create most dashboard panels based on reports because
- a single report can be used across different dashboards
- this links the report definition to the dashboard
Any change to the underlying report affects every dashboard panel that utilizes that report.
Page 154 Mod 10
23
Q
Dashboards can be exported as…
A
as a PDF or Printed
The selection screen screen under Export shows:
PDF
Schedule PDF Delivery
Print
Page 160 Mod 10
24
Q
How do you create an Instant Pivot?
A
- Execute a search (search criteria only, no search commands)
- Click the Statistics or Visualization tab
- Click the Pivot icon
- Select the fields to be included in the data model object
- Create the pivot (table or chart)
25
When saving a Pivot as a Report what is required?
The Model Title because this creates the Data Model
26
What is a lookup?
Sometimes static (or relatively unchanging) data is required for searches but isn't available in the index
Lookups pull such data from standalone files at search time and add it to search results
27
*NOTE: Lookups allow you to add more fields to your events, such as:
- Descriptions for HTTP status codes ("File Not Found", "Service Unavailable")
- Sale prices for products
- User names, IP addresses, and workstation IDs associated with RFIDs
28
After a lookup is configured, you can use the lookup fields in searches, True or False?
True!!
29
True or False: The lookup fields also appear in the Fields sidebar
True!
30
True or False: Lookup field values are case sensitive by default?
True!
31
What happens when an OUTPUT is not specified?
All the fields from the lookup table except the match fields
32
What happens when the OUTPUT is specified?
The fields overwrite existing fields
33
If a field in the lookup table represents a timestamp, you can create a what?
Time-Based Lookup
Page 199 Mod 12
34
Why would you want to use Scheduled Reports?
- Monthly, weekly, daily executive/managerial roll up reports
- Dashboard performance
- Automatically sending reports via email
Page 201 Mod 13
35
How do you create a Scheduled Report?
1. Create your search
2. From the Save As menu, select Report
3. Enter Title
4. Enter Description
5. Set Time Range Picker to No
6. Click Save
Page 202-204 Mod 13
36
When creating a Scheduled report you can select a time range from?
Presets
Relative
Advanced
Page 207 Mod 13
37
This setting determines a time frame to run the report.
Schedule Window
Page 207 Mod 13
38
Creates an indexed, searchable log event.
Log Event
Page 208 Mod 13
39
Selecting Output results to lookup.
Sends results of search to CSV lookup file.
Page 208 Mod 13
40
Selecting Output results to telemetry endpoint
Sends usage metrics back to Splunk (if your company has opted-in to program)
Page 208 Mod 13
41
Run a Script
Runs a previously created script
Page 208 Mod 13
42
Send email
Sends an email with results to specified recipients.
Page 208 Mod 13
43
Webhook
Sends an HTTP POST request to a specified URL.
Page 208 Mod 13
44
Managing Reports - Edit Permissions
With the GUI inside the Reports tab under Edit then Edit Permissions.
Run as: User
Will make what happen to the report?
Only data allowed to be accessed by the user role appears.
Page 211 Mod 13
45
Managing Reports - Edit Permissions
With the GUI inside the Reports tab under Edit then Edit Permissions.
Run as: Owner
Will make what happen to that report?
All data accessible by the owner appears in the report.
Page 211 Mod 13
46
To access the report results from a webpage.
Click edit > embed
Before a report can be embedded, it must be scheduled
Page 212 Mod 13
47
What are Alerts??
Splunk alerts are based on searches that can run either:
- on a regular scheduled interval
- in real-time
Alerts are triggered when the results of the search meet a specific condition that you define
Based on your needs, alerts can:
- Create an entry in triggered alerts
- log an event
- output results to a lookup file
- send emails
- use a webhook
- perform a custom action
Page 213 Mod 13
48
How to create an Alert in the GUI?
1. Run a search
2. Select Save As > Alert
3. Give the alert a Title and Description
Page 214 Mod 13
49
Setting alert permissions
Only you can access, edit, and view triggered alerts.
Private Permissions
Page 215 Mod 13
50
Setting alert permissions
- All users of the app can view triggered alerts
- By default, everyone has read access and power has write access to the alert.
Shared in App
Page 215 Mod 13
51
What type of alert?
- Search runs at a defined interval
- Evaluates trigger condition when the search completes
Scheduled Alerts
Page 216 Mod 13
52
What kind of search?
- Search runs constantly in the background
- Evaluates trigger conditions within a window of time based on the conditions you define
Real-Time
Page 216 Mod 13
53
You can set alerts to trigger in five ways
- Per-Result - triggers when a result is returned
- Number of Results - define how many results are returned before the alert triggers
- Number of Hosts - define how many unique hosts are returned before the alert triggers
- Number of Sources - define how many unique sources are returned before the alert triggers
- Custom - define custom conditions using the search language
Page 219 Mod 13
54
Alert Actions - Trigger Conditions
Executes actions one time for all matching events within the scheduled time and conditions
Once Trigger
Page 221 Mod 13
55
Alert Actions - Trigger Conditions
*NOTE: Executes the alert actions once for each result that matches the conditions.
For each result
Page 222 Mod 13
56
All actions that are available for scheduled reports and also available for alerts:
- Log Event
- Output results to lookup
- Output results to telemetry endpoint
- Run a script
- Send email
- Webhook
Page 223 Mod 13
57
Alert Actions - Add to Triggered Alerts
The severity for an alert:
- Info
- Low
- Medium
- High
- Critical
Page 224 Mod 13
58
Alert Actions - Log Event
When saving as a report, under Triggered Alerts and + Add Actions. You can add a Log Event action Which Log Event action matches the description below?
Enter the information that will be written to the new log event.
Event!
Page 225 Mod 13
59
Alert Actions - Log Event
When saving as a report, under Triggered Alerts and + Add Actions. You can add a Log Event action Which Log Event action matches the description below?
_____ of the new log event (by default, the alert name)
Source!
Page 225 Mod 13
60
Alert Actions - Log Event
When saving as a report, under Triggered Alerts and + Add Actions. You can add a Log Event action Which Log Event action matches the description below?
____ to which the new log event will be written
Sourcetype!
Page 225 Mod 13
61
Alert Actions - Log Event
When saving as a report, under Triggered Alerts and + Add Actions. You can add a Log Event action Which Log Event action matches the description below?
____ value of the new log event (by default, IP address of the host of the alert)
Host!
Page 225 Mod 13
62
Alert Actions - Log Event
When saving as a report, under Triggered Alerts and + Add Actions. You can add a Log Event action Which Log Event action matches the description below?
Destination ____ for the new log event (default value is main)
Index!
Page 225 Mod 13
63
Alert Actions - Send Email
When saving as a report, under Triggered Alerts and + Add Actions. You can add a Log Event action Which Log Event action matches the description below?
____ select the format of the alert.
Include!
Page 227 Mod 13
64
Alert Actions - Send Email
When saving as a report, under Triggered Alerts and + Add Actions. You can add a Log Event action Which Log Event action matches the description below?
____ select the format of the text message.
Type!
Page 227 Mod 13
65
What does Splunk do?
Aggregate, analyze, and get answers from your machine data
Page 5 Mod 1
66
What data can be pulled into Splunk?
Index ANY data from ANY source
- Computers
- Network devices
- Virtual machines
- Internet devices
- Communication devices
- Sensors
- Databases
- Logs
- Configurations
- Messages
- Call detail records
- Clickstream
- Alerts
- Metrics
- Scripts
- Changes
- Tickets
Page 6 Mod 1
67
Types of Splunk Deployment?
Splunk Enterprise - splunk components installed and administered on-premises
Splunk Cloud
- Splunk Enterprise as a scalable service
- No infrastructure required
Splunk Light
- Solution for small IT environments
Page 8 Mod 1
68
What three things define what Splunk Apps are?
- Designed to address a wide variety of use cases and to extend the power of Splunk
- Collections of files containing data inputs, UI elements, and/or knowledge objects
- Allows multiple workspaces for different use cases/user roles to co-exist on a single Splunk instance
Page 9 Mod 1
69
What are Splunk Enhanced Solutions?
- Splunk IT Service Intelligence (ITSI)
- Splunk Enterprise Security (ES)
- Splunk User Behavior Analytics (UBA)
Page 10 Mod 1
70
Out of the box, there are 3 main roles:
Admin
Power
User
Page 11 Mod 1
71
What is the Search & Reporting App used for?
- Provides a default interface for searching and analyzing data
- Enables you to create knowledge objects, reports, and dashboards
Page 14 Mod 1
72
Data Summary Tabs
Unique identifier of where the events originated (host name, IP address, etc.)
Host!
73
Data Summary Tabs
Name of the file, stream, or other input.
Source!
74
Data Summary Tabs
Specific data type or data format
Sourcetype!
75
Splunk is comprised of ___ components. What are they and how many?
3 main components
Indexer
Search Head
Forwarder
Page 23 Mod 2
76
What are three things the Indexer does?
- Processes machine data, storing the results in indexes as events, enabling fast search and analysis
- As the Indexer indexes data, it creates a number of files organized in sets of directories by age
- Contains raw data (compressed) and indexes (points to the raw data)
Page 24 Mod 2
77
What are four things the Search Heads do?
- Allows users to use the Search language to search the indexed data
- Distributes user search requests to the Indexers
- Consolidates the results and extracts field value pairs from the events to the user
- Knowledge Objects on the Search Heads can be created to extract additional fields and transform the data without changing the underlying index data
Page 25 Mod 2
78
What are four things Forwarders do?
- Splunk Enterprise instances that consume and send data the index
- Require minimal resources and have little impact on performance
- Typically reside on the machines where the data originates
- Primary way data is supplied for indexing
Page 27 Mod 2
79
What are the 3 less-common components of Splunk?
Deployment Server
Cluster Master
License Master
Page 28 Mod 2
80
Splunk Deployment - Standalone or Single Server
- All functions in a single instance of Splunk
- For testing, proof of concept, personal use, and learning
- This is what you get when you download Splunk and install with default settings
Page 29 Mod 2
81
Splunk Deployment - Basic or Splunk Server
Has a Splunk server:
- Similar to server in standalone configuration
- Manage deployment of forwarder configurations
Adds forwarders which:
- Collect data and send it to Splunk servers
- Install forwarders at data source (Usually production servers)
Page 30 Mod 2
82
Splunk Deployment - Basic
Splunk server
-Similar to server in standalone configuration
-Manage Deployment of forwarder configurations
Forwarders
- Forwarders collect data and send it to Splunk servers
- Install forwarders at data source (usually production servers)
Page 30 Mod 2
83
What are three rules and limits in Basic Deployment for organizations:
- Indexing less than 20GB per day
- With under 20 users
- Small amount of forwarders
Page 30 Mod 2
84
A Splunk Deployment - Multi-Instance
- Increases indexing and searching capacity
- Search management and index functions are split across multiple machines
- Search Head - for Searching
- Indexers - Indexing and Parsing
- Forwarders - Provide Input
Page 31 Mod 2
85
What are three rules and limits in Multi - Instance deployment for organizations:
- Indexing up to 100GB per day
- Supports 100 users
- Supports several hundred forwarders
Page 31 Mod 2
86
Splunk Deployment - Increasing Capacity/Search Head Cluster
Adding a Search Head Cluster:
- Services more users for increased search capacity
- Allows users and searches to share resources
- Coordinate activities to handle search requests and distribute the requests across the set of indexers
Require a minimum of three search heads
Use a deployer to manage and distribute apps to the members of the search head cluster.
Page 32 Mod 2
87
What is the minimum number of Search Heads required to make a cluster?
3 Search Heads
Page 32 Mod 2
88
What is used to manage and distribute apps to the members of the Search Head Cluster?
A Deployer!
Page 32 Mod 2
89
Splunk Deployment - What is an Index Cluster used for?
Traditional Index Clusters:
- Configured to replicate data
- Prevent data loss
- Promote availability
- Manage multiple indexers
Page 33 Mod 2
90
Two things to know about non-replicating Index Clusters:
- Offer simplified management
- Do not provide availability or data recovery
Page 33 Mod 2
91
What are the Splunk components installed from the Splunk Enterprise package?
```
Indexer (Search Peer)
Search Head
Deployment Server
License Master
Heavy Forwarder
Cluster Master
Search Head Cluster
```
Page 35 Mod 2
92
splunk help
Display a usage summary
Page 38 Mod 3
93
splunk [start | stop | restart]
Manage the Splunk processes
Page 38 Mod 3
94
splunk start --accept-license
Automatically accept the license without prompt
Page 38 Mod 3
95
splunk status
Display the Splunk process status
Page 38 Mod 3
96
splunk show splunkd-port
Show the port that the splunkd listens on
Page 38 Mod 3
97
splunk show web-port
Show the port that Splunk Web listens on
Page 38 Mod 3
98
splunk show servername
Show the servername of this instance
Page 38 Mod 3
99
splunk show default-hostname
Show the default host name used for all data inputs
Page 38 Mod 3
100
splunk enable boot-start-user
Initialize script to run Splunk Enterprise at system startup
Page 38 Mod 3
101
splunk enable boot-start-user
Initialize script to run Splunk Enterprise at system startup
Page 38 Mod 3
102
Splunk Index Time Process
Input Phase:
Handled at the source (usually a forwarder)
- The data sources are being opened and read
- Data is handled as streams and any configuration settings are applied to the entire stream
Page 40 Mod 4
103
Splunk Index Time Process
Parsing Phase:
Handled by indexers (or heavy forwarders)
- Data is broken up into events and advanced processing can be performed
Page 40 Mod 4
104
Splunk Index Time Process
Indexing Phase:
- License meter runs as data and is initially written to disk, prior to compression
- After data is written to disk, it cannot be changed
Page 40 Mod 4
105
What are the data input types that Splunk supports?
```
Files and directiories
Network data
Script output
Windows logs
HTTP
```
```
You can add data inputs with:
Apps and add-ons from Splunkbase
Splunk Web
CLI
Directly editing inputs.conf
```
Page 41 Mod 4
106
What are the default Metadata settings for Splunk?
Source
Host
Sourcetype
Index
Page 42 Mod 4
107
What are the Add Data options depending on the source being used?
Upload Option - allows uploading local files that only get indexed once. Useful for testing or data that is created once and never gets updated. Does not create inputs.conf
Monitor Option - provides one-time or continuous monitoring of files, directories, http events, network ports, or data gathering scripts located on Splunk Enterprise instances. Useful for testing inputs.
Forward Option - main source of input in production environments. Remote machines gather and forward data to indexers over a receiving port.
Page 44 Mod 4
108
*NOTE: Splunk parses data into individual events, extracts time, and assigns metadata each event has a/an:
```
timestamp
host
source
sourcetype
index
```
Page 59 Mod 5
109
What layout options do you have to view your search results in?
Raw
LIst
Table
110
What are Selected Fields?
A set of configurable fields displayed for each event
Page 79 Mod 6
111
What are Interesting Fields?
They occur in at least 20% of resulting events.
Page 79 Mod 6
112
Fast Mode:
Emphasizes speed over completeness
Page 89 Mod 6
113
Smart Mode:
Balances speed and completeness (default)
Page 89 Mod 6
114
Verbose Mode:
- Emphasizes completeness over speed
- Allows access to underlying events when using reporting or statistical commands (in addition to totals and stats)
Page 89 Mod 6
115
What are the syntax components of Splunk's Search Language?
```
Search for this
PIPE
Command
Function
Argument
Clause
```
Page 97 Mod 8
116
What are the 5 basic components that make up the Splunk Search Language?
```
Search Terms
Commands
Functions
Arguments
Clauses
```
Page 98 Mod 8
117
Search Language Syntax Components
What are you looking for?
- Keywords, phrases, Booleans, etc
Search Terms
Page 98 Mod 8
118
Search Language Syntax Components
What do you want to do with the results?
Commands
Page 98 Mod 8
119
Search Language Syntax Components
How do you want to chart, compute, or evaluate the results?
Functions
Page 98 Mod 8
120
Search Language Syntax Components
Are there variables you want to apply to this function?
Arguments
Page 98 Mod 8
121
Search Language Syntax Components
How do you want to group or rename the fields in the results?
Clauses
Page 98 Mod 8
122
What are the colors of Splunk's search syntax?
Boolean Operators/Command Modifiers - ORANGE
Commands - BLUE
Command Arguments - GREEN
Functions - PURPLE
Page 101 Mod 8
123
What are the transforming commands?
```
chart
timechart
stats
top
rare
contingency
highlight
```
124
Machine data is always structured.
False!
125
Machine data makes up for more than ___% of the data accumulated by organizations.
90%
126
Machine data is only generated by web servers.
False!
127
Which function is not a part of a single instance deployment?
Clustering!
128
What are the three main processing components of Splunk?
Forwarders
Search Heads
Indexers
Page 23 Mod 2
129
Which of these is not a main component of Splunk?
Compress and archive
130
What are the three main default roles in Splunk Enterprise?
User
Power User
Admin
Page 11 Mod 1roles can
131
You can launch and manage apps from the home app.
True!
132
Which apps ship with Splunk Enterprise?
Search & Reporting
| Home App
133
In most production environments, _______ will be used as the source of data input.
Forwarders
134
The monitor input option will allow you to continuously monitor files.
True!
135
Splunk uses ________ to categorize the type of data being indexed.
Sourcetype!
136
When zooming in on the event time line, a new search is run.
False!
137
How is the asterisk used in Splunk search?
A wildcard
138
These are booleans in the Splunk Search Language.
NOT
OR
AND
139
What attributes describe the circled field below?
| a dest 4
It contains string values
| It contains 4 values
140
Field names are ________.
Case sensitive
141
Which is not a comparison operator in Splunk?
?=
142
As a general practice, exclusion is better than inclusion in a Splunk search.
False!
143
What is the most efficient way to filter events in Splunk?
By time!
144
Time to search can only be set by the time range picker.
False!
145
Excluding fields using the Fields Command will benefit performance.
False!
146
Finish the rename command to change the name of the status field to HTTP Status.
sourcetype=a* status=404 | rename _____
status as "HTTP Status"
147
Would the ip column be removed in the results of this search? Why or why not?
sourcetype=a* | rename ip as "User" | fields - ip
NO, because the name was changed
148
How many results are shown by default when using a Top or Rare Command?
10
149
Which one of these is not a stats function?
Addtotals
150
Which stats function would you use to find the average value of a field?
avg
151
The User role can not create reports.
False!
152
A time range picker can be included in a report.
True!
153
These roles can create reports:
User
Power
Admin
154
Data models are made up of ___________.
Datasets
155
Adding child data model objects is like the ______ Boolean in the Splunk search language.
AND
156
Pivots cannot be saved as reports panels.
False!
157
To keep from overwriting existing fields with your Lookup you can use the ____________ clause.
OUTPUTNEW
158
External data used by a Lookup can come from sources like:
Scripts
CSV
Geospatial data
159
When using a .csv file for Lookups, the first row in the file represents this.
Field names
160
Once an alert is created, you can no longer edit its defining search.
False!
161
Alerts can be shared to all apps.
True!
162
Alerts can run uploaded scripts.
True!
163
Search strings are sent from the _________.
Search Head!
164
In most Splunk deployments, ________ serve as the primary way data is supplied for indexing.
Forwarders!
165
Splunk knows where to break the event, where the time stamp is located and how to automatically create field value pairs using these.
Sourcetypes!
166
When a search is sent to splunk, it becomes a _____.
Search Job!
167
Field values are case sensitive.
False!
168
Having separate indexes allows:
Faster Searches
Multiple retention policies
Ability to limit access
169
What command would you use to remove the status field from the returned events?
fields -
170
Which clause would you use to rename the count field?
as
171
Charts can be based on numbers, time, or location.
True!
172
In a dashboard, a time range picker will only work on panels that include a(n) __________ search.
Inline
173
In a dashboard, a time range picker will only work on panels that include a(n) __________ search.
Inline
174
Which role(s) can create data models?
Power
| Admin
175
The instant pivot button is displayed in the statistics and visualization tabs when a _______ search is run.
Non-transforming
176
A lookup is categorized as a dataset.
True!
177
Finish this search command so that it displays data from the http_status.csv Lookup file.
| ______ http_status.csv
inputlookup
178
Real-time alerts will run the search continuously in the background.
True
179
What is the order of evaluation for Boolean operations in Splunk?
NOT
OR
AND
180
Commands that create statistics and visualizations are called _______________ commands.
transforming
181
Shared search jobs remain active for _______ by default.
7 days
182
Wildcards cannot be used with field searches.
False
183
This symbol is used in the "Advanced" section of the time range picker to round down to nearest unit of specified time.
@
184
What is missing from this search?
| sourcetype=a* | rename ip as "User IP" | table User IP
Quotation marks around User IP
185
_____________ are reports gathered together into a single pane of glass.
Dashboards
186
An alert is an action triggered by a _____________.
Saved Search
187
Search requests are processed by the ___________.
Indexers
188
This role will only see their own knowledge objects and those that have been shared with them.
User
189
Files indexed using the the upload input option get indexed _____.
Once
190
Events are always returned in chronological order.
False
191
Events are always returned in chronological order.
False
192
A search job will remain active for ___ minutes after it is run.
10 mins
193
Excluding fields using the Fields Command will benefit performance.
False
194
The time stamp you see in the events is based on the time zone in your user account.
True
195
If a search returns this, you can view the results as a chart.
Statistical values
