User FlashCards

Question 1

The Common constraints for the top command are?

Answer 1

limit
countfield
showperc

Question 2

What is the limit= to when you click the Top values in a field window?

Answer 2

The limit is =20

Question 3

Limit=0 returns how many results

Answer 3

Unlimited results

Question 4

By default what is the name of the countfield?

Answer 4

Count

Question 5

Shows the number of events that match the search criteria

Answer 5

stats count

Question 6

Returns a count of unique values for a given field?

Answer 6

distinct_count, dc

Question 7

Shows all values of a given field?

Answer 7

list

Question 8

Shows unique values of a given field?

Answer 8

values

Question 9

What are saved searches?

Answer 9

Reports

Question 10

Does running a report return fresh results each time you run it?

Answer 10

Yes!

Question 11

____ and ____ allow you to drill down by default to see the underlying events.

Answer 11

Statistics and Visualizations

Question 12

Can reports be shard and added to dashboards?

Answer 12

Yes!

Question 13

The report is saved with the time range that was selected when it was created. True or False?

Answer 13

True!

Question 14

Adding a time range picker allows you to do what to the Report?

Answer 14

It allows you to adjust the time range of the Report when you run it.

Question 15

What are the dialog buttons when creating a report?

Answer 15

1. Continue Editing
2. Add to Dashboard
3. View - allows you to display and rerun the report

Question 16

There are 3 main ways to create tables and visualizations in Splunk. What are they?

Answer 16

1. Select a field from the fields sidebar and choose a report to run
2. User the Pivot interface
   - Start with a dataset or Instant Pivot
3. Use the Splunk search language transforming commands in the Search bar.

Question 17

Numeric fields have 6 report types with mathematical functions, what are they?

Answer 17

1. Average over time
2. Maximum value over time
3. Minimum value over time
4. Top values
5. Top values by time
6. Rare values

Question 18

For alphanumeric character fields, there are only 3 available reports, what are they?

Answer 18

1. Top values
2. Top values by time
3. Rare values

Question 19

When updating visualization settings like the min/max, how soon are the new settings reflected?

Answer 19

Immediately!!

Question 20

Switch to what tab in order to view the data as a table?

Answer 20

Statistics!

Question 21

What is a dashboard?

Answer 21

A dashboard consists of one or more panels displaying data visually in a useful way - such as events, tables, or charts.

Page 150 Mod 10

Question 22

Why create panels from reports?

Answer 22

It is efficient to create most dashboard panels based on reports because

• a single report can be used across different dashboards
• this links the report definition to the dashboard

Any change to the underlying report affects every dashboard panel that utilizes that report.

Page 154 Mod 10

Question 23

Dashboards can be exported as…

Answer 23

as a PDF or Printed

The selection screen screen under Export shows:
PDF
Schedule PDF Delivery
Print

Page 160 Mod 10

Question 24

How do you create an Instant Pivot?

Answer 24

1. Execute a search (search criteria only, no search commands)
2. Click the Statistics or Visualization tab
3. Click the Pivot icon
4. Select the fields to be included in the data model object
5. Create the pivot (table or chart)

Question 25

When saving a Pivot as a Report what is required?

Answer 25

The Model Title because this creates the Data Model

Question 26

What is a lookup?

Answer 26

Sometimes static (or relatively unchanging) data is required for searches but isn’t available in the index

Lookups pull such data from standalone files at search time and add it to search results

Question 27

*NOTE: Lookups allow you to add more fields to your events, such as:

Answer 27

• Descriptions for HTTP status codes (“File Not Found”, “Service Unavailable”)
• Sale prices for products
• User names, IP addresses, and workstation IDs associated with RFIDs

Question 28

After a lookup is configured, you can use the lookup fields in searches, True or False?

Answer 28

True!!

Question 29

True or False: The lookup fields also appear in the Fields sidebar

Answer 29

True!

Question 30

True or False: Lookup field values are case sensitive by default?

Answer 30

True!

Question 31

What happens when an OUTPUT is not specified?

Answer 31

All the fields from the lookup table except the match fields

Question 32

What happens when the OUTPUT is specified?

Answer 32

The fields overwrite existing fields

Question 33

If a field in the lookup table represents a timestamp, you can create a what?

Answer 33

Time-Based Lookup

Page 199 Mod 12

Question 34

Why would you want to use Scheduled Reports?

Answer 34

• Monthly, weekly, daily executive/managerial roll up reports
• Dashboard performance
• Automatically sending reports via email

Page 201 Mod 13

Question 35

How do you create a Scheduled Report?

Answer 35

1. Create your search
2. From the Save As menu, select Report
3. Enter Title
4. Enter Description
5. Set Time Range Picker to No
6. Click Save

Page 202-204 Mod 13

Question 36

When creating a Scheduled report you can select a time range from?

Answer 36

Presets
Relative
Advanced

Page 207 Mod 13

Question 37

This setting determines a time frame to run the report.

Answer 37

Schedule Window

Page 207 Mod 13

Question 38

Creates an indexed, searchable log event.

Answer 38

Log Event

Page 208 Mod 13

Question 39

Selecting Output results to lookup.

Answer 39

Sends results of search to CSV lookup file.

Page 208 Mod 13

Question 40

Selecting Output results to telemetry endpoint

Answer 40

Sends usage metrics back to Splunk (if your company has opted-in to program)

Page 208 Mod 13

Question 41

Run a Script

Answer 41

Runs a previously created script

Page 208 Mod 13

Question 42

Send email

Answer 42

Sends an email with results to specified recipients.

Page 208 Mod 13

Question 43

Webhook

Answer 43

Sends an HTTP POST request to a specified URL.

Page 208 Mod 13

Question 44

Managing Reports - Edit Permissions
With the GUI inside the Reports tab under Edit then Edit Permissions.

Run as: User

Will make what happen to the report?

Answer 44

Only data allowed to be accessed by the user role appears.

Page 211 Mod 13

Question 45

Managing Reports - Edit Permissions
With the GUI inside the Reports tab under Edit then Edit Permissions.

Run as: Owner

Will make what happen to that report?

Answer 45

All data accessible by the owner appears in the report.

Page 211 Mod 13

Question 46

To access the report results from a webpage.

Answer 46

Click edit > embed

Before a report can be embedded, it must be scheduled

Page 212 Mod 13

Question 47

What are Alerts??

Answer 47

Splunk alerts are based on searches that can run either:

• on a regular scheduled interval
• in real-time

Alerts are triggered when the results of the search meet a specific condition that you define

Based on your needs, alerts can:

• Create an entry in triggered alerts
• log an event
• output results to a lookup file
• send emails
• use a webhook
• perform a custom action

Page 213 Mod 13

Question 48

How to create an Alert in the GUI?

Answer 48

1. Run a search
2. Select Save As > Alert
3. Give the alert a Title and Description

Page 214 Mod 13

Question 49

Setting alert permissions

Only you can access, edit, and view triggered alerts.

Answer 49

Private Permissions

Page 215 Mod 13

Question 50

Setting alert permissions

• All users of the app can view triggered alerts
• By default, everyone has read access and power has write access to the alert.

Answer 50

Shared in App

Page 215 Mod 13

Question 51

What type of alert?

• Search runs at a defined interval
• Evaluates trigger condition when the search completes

Answer 51

Scheduled Alerts

Page 216 Mod 13

Question 52

What kind of search?

• Search runs constantly in the background
• Evaluates trigger conditions within a window of time based on the conditions you define

Answer 52

Real-Time

Page 216 Mod 13

Question 53

You can set alerts to trigger in five ways

Answer 53

• Per-Result - triggers when a result is returned
• Number of Results - define how many results are returned before the alert triggers
• Number of Hosts - define how many unique hosts are returned before the alert triggers
• Number of Sources - define how many unique sources are returned before the alert triggers
• Custom - define custom conditions using the search language

Page 219 Mod 13

Question 54

Alert Actions - Trigger Conditions

Executes actions one time for all matching events within the scheduled time and conditions

Answer 54

Once Trigger

Page 221 Mod 13

Question 55

Alert Actions - Trigger Conditions

*NOTE: Executes the alert actions once for each result that matches the conditions.

Answer 55

For each result

Page 222 Mod 13

Question 56

All actions that are available for scheduled reports and also available for alerts:

Answer 56

• Log Event
• Output results to lookup
• Output results to telemetry endpoint
• Run a script
• Send email
• Webhook

Page 223 Mod 13

Question 57

Alert Actions - Add to Triggered Alerts

The severity for an alert:

Answer 57

• Info
• Low
• Medium
• High
• Critical

Page 224 Mod 13

Question 58

Alert Actions - Log Event

When saving as a report, under Triggered Alerts and + Add Actions. You can add a Log Event action Which Log Event action matches the description below?

Enter the information that will be written to the new log event.

Answer 58

Event!

Page 225 Mod 13

Question 59

Alert Actions - Log Event

When saving as a report, under Triggered Alerts and + Add Actions. You can add a Log Event action Which Log Event action matches the description below?

_____ of the new log event (by default, the alert name)

Answer 59

Source!

Page 225 Mod 13

Question 60

Alert Actions - Log Event

When saving as a report, under Triggered Alerts and + Add Actions. You can add a Log Event action Which Log Event action matches the description below?

____ to which the new log event will be written

Answer 60

Sourcetype!

Page 225 Mod 13

Question 61

Alert Actions - Log Event

When saving as a report, under Triggered Alerts and + Add Actions. You can add a Log Event action Which Log Event action matches the description below?

____ value of the new log event (by default, IP address of the host of the alert)

Answer 61

Host!

Page 225 Mod 13

Question 62

Alert Actions - Log Event

When saving as a report, under Triggered Alerts and + Add Actions. You can add a Log Event action Which Log Event action matches the description below?

Destination ____ for the new log event (default value is main)

Answer 62

Index!

Page 225 Mod 13

Question 63

Alert Actions - Send Email

When saving as a report, under Triggered Alerts and + Add Actions. You can add a Log Event action Which Log Event action matches the description below?

____ select the format of the alert.

Answer 63

Include!

Page 227 Mod 13

Question 64

Alert Actions - Send Email

When saving as a report, under Triggered Alerts and + Add Actions. You can add a Log Event action Which Log Event action matches the description below?

____ select the format of the text message.

Answer 64

Type!

Page 227 Mod 13

Question 65

What does Splunk do?

Answer 65

Aggregate, analyze, and get answers from your machine data

Page 5 Mod 1

Question 66

What data can be pulled into Splunk?

Answer 66

Index ANY data from ANY source

• Computers
• Network devices
• Virtual machines
• Internet devices
• Communication devices
• Sensors
• Databases
• Logs
• Configurations
• Messages
• Call detail records
• Clickstream
• Alerts
• Metrics
• Scripts
• Changes
• Tickets

Page 6 Mod 1

Question 67

Types of Splunk Deployment?

Answer 67

Splunk Enterprise - splunk components installed and administered on-premises

Splunk Cloud

• Splunk Enterprise as a scalable service
• No infrastructure required

Splunk Light
- Solution for small IT environments

Page 8 Mod 1

Question 68

What three things define what Splunk Apps are?

Answer 68

• Designed to address a wide variety of use cases and to extend the power of Splunk
• Collections of files containing data inputs, UI elements, and/or knowledge objects
• Allows multiple workspaces for different use cases/user roles to co-exist on a single Splunk instance

Page 9 Mod 1

Question 69

What are Splunk Enhanced Solutions?

Answer 69

• Splunk IT Service Intelligence (ITSI)
• Splunk Enterprise Security (ES)
• Splunk User Behavior Analytics (UBA)

Page 10 Mod 1

Question 70

Out of the box, there are 3 main roles:

Answer 70

Admin
Power
User

Page 11 Mod 1

Question 71

What is the Search & Reporting App used for?

Answer 71

• Provides a default interface for searching and analyzing data
• Enables you to create knowledge objects, reports, and dashboards

Page 14 Mod 1

Question 72

Data Summary Tabs

Unique identifier of where the events originated (host name, IP address, etc.)

Answer 72

Host!

Question 73

Data Summary Tabs

Name of the file, stream, or other input.

Answer 73

Source!

Question 74

Data Summary Tabs

Specific data type or data format

Answer 74

Sourcetype!

Question 75

Splunk is comprised of ___ components. What are they and how many?

Answer 75

3 main components
Indexer
Search Head
Forwarder

Page 23 Mod 2

Question 76

What are three things the Indexer does?

Answer 76

• Processes machine data, storing the results in indexes as events, enabling fast search and analysis
• As the Indexer indexes data, it creates a number of files organized in sets of directories by age
• Contains raw data (compressed) and indexes (points to the raw data)

Page 24 Mod 2

Question 77

What are four things the Search Heads do?

Answer 77

• Allows users to use the Search language to search the indexed data
• Distributes user search requests to the Indexers
• Consolidates the results and extracts field value pairs from the events to the user
• Knowledge Objects on the Search Heads can be created to extract additional fields and transform the data without changing the underlying index data

Page 25 Mod 2

Question 78

What are four things Forwarders do?

Answer 78

• Splunk Enterprise instances that consume and send data the index
• Require minimal resources and have little impact on performance
• Typically reside on the machines where the data originates
• Primary way data is supplied for indexing

Page 27 Mod 2

Question 79

What are the 3 less-common components of Splunk?

Answer 79

Deployment Server
Cluster Master
License Master

Page 28 Mod 2

Question 80

Splunk Deployment - Standalone or Single Server

Answer 80

• All functions in a single instance of Splunk
• For testing, proof of concept, personal use, and learning
• This is what you get when you download Splunk and install with default settings

Page 29 Mod 2

Question 81

Splunk Deployment - Basic or Splunk Server

Answer 81

Has a Splunk server:
- Similar to server in standalone configuration

• Manage deployment of forwarder configurations

Adds forwarders which:
- Collect data and send it to Splunk servers

• Install forwarders at data source (Usually production servers)

Page 30 Mod 2

Question 82

Splunk Deployment - Basic

Answer 82

Splunk server
-Similar to server in standalone configuration

-Manage Deployment of forwarder configurations

Forwarders
- Forwarders collect data and send it to Splunk servers

• Install forwarders at data source (usually production servers)

Page 30 Mod 2

Question 83

What are three rules and limits in Basic Deployment for organizations:

Answer 83

• Indexing less than 20GB per day
• With under 20 users
• Small amount of forwarders

Page 30 Mod 2

Question 84

A Splunk Deployment - Multi-Instance

Answer 84

• Increases indexing and searching capacity
• Search management and index functions are split across multiple machines
• Search Head - for Searching
• Indexers - Indexing and Parsing
• Forwarders - Provide Input

Page 31 Mod 2

Question 85

What are three rules and limits in Multi - Instance deployment for organizations:

Answer 85

• Indexing up to 100GB per day
• Supports 100 users
• Supports several hundred forwarders

Page 31 Mod 2

Question 86

Splunk Deployment - Increasing Capacity/Search Head Cluster

Answer 86

Adding a Search Head Cluster:

• Services more users for increased search capacity
• Allows users and searches to share resources
• Coordinate activities to handle search requests and distribute the requests across the set of indexers

Require a minimum of three search heads

Use a deployer to manage and distribute apps to the members of the search head cluster.

Page 32 Mod 2

Question 87

What is the minimum number of Search Heads required to make a cluster?

Answer 87

3 Search Heads

Page 32 Mod 2

Question 88

What is used to manage and distribute apps to the members of the Search Head Cluster?

Answer 88

A Deployer!

Page 32 Mod 2

Question 89

Splunk Deployment - What is an Index Cluster used for?

Answer 89

Traditional Index Clusters:

• Configured to replicate data
• Prevent data loss
• Promote availability
• Manage multiple indexers

Page 33 Mod 2

Question 90

Two things to know about non-replicating Index Clusters:

Answer 90

• Offer simplified management
• Do not provide availability or data recovery

Page 33 Mod 2

Question 91

What are the Splunk components installed from the Splunk Enterprise package?

Answer 91

Indexer (Search Peer)
Search Head
Deployment Server
License Master
Heavy Forwarder
Cluster Master
Search Head Cluster

Page 35 Mod 2

Question 92

splunk help

Answer 92

Display a usage summary

Page 38 Mod 3

Question 93

splunk [start | stop | restart]

Answer 93

Manage the Splunk processes

Page 38 Mod 3

Question 94

splunk start –accept-license

Answer 94

Automatically accept the license without prompt

Page 38 Mod 3

Question 95

splunk status

Answer 95

Display the Splunk process status

Page 38 Mod 3

Question 96

splunk show splunkd-port

Answer 96

Show the port that the splunkd listens on

Page 38 Mod 3

Question 97

splunk show web-port

Answer 97

Show the port that Splunk Web listens on

Page 38 Mod 3

Question 98

splunk show servername

Answer 98

Show the servername of this instance

Page 38 Mod 3

Question 99

splunk show default-hostname

Answer 99

Show the default host name used for all data inputs

Page 38 Mod 3

Question 100

splunk enable boot-start-user

Answer 100

Initialize script to run Splunk Enterprise at system startup

Page 38 Mod 3

Question 101

splunk enable boot-start-user

Answer 101

Initialize script to run Splunk Enterprise at system startup

Page 38 Mod 3

Question 102

Splunk Index Time Process

Input Phase:

Answer 102

Handled at the source (usually a forwarder)

• The data sources are being opened and read
• Data is handled as streams and any configuration settings are applied to the entire stream

Page 40 Mod 4

Question 103

Splunk Index Time Process

Parsing Phase:

Answer 103

Handled by indexers (or heavy forwarders)
- Data is broken up into events and advanced processing can be performed

Page 40 Mod 4

Question 104

Splunk Index Time Process

Indexing Phase:

Answer 104

• License meter runs as data and is initially written to disk, prior to compression
• After data is written to disk, it cannot be changed

Page 40 Mod 4

Question 105

What are the data input types that Splunk supports?

Answer 105

Files and directiories
Network data
Script output
Windows logs
HTTP

You can add data inputs with:
Apps and add-ons from Splunkbase
Splunk Web 
CLI
Directly editing inputs.conf

Page 41 Mod 4

Question 106

What are the default Metadata settings for Splunk?

Answer 106

Source
Host
Sourcetype
Index

Page 42 Mod 4

Question 107

What are the Add Data options depending on the source being used?

Answer 107

Upload Option - allows uploading local files that only get indexed once. Useful for testing or data that is created once and never gets updated. Does not create inputs.conf

Monitor Option - provides one-time or continuous monitoring of files, directories, http events, network ports, or data gathering scripts located on Splunk Enterprise instances. Useful for testing inputs.

Forward Option - main source of input in production environments. Remote machines gather and forward data to indexers over a receiving port.

Page 44 Mod 4

Question 108

*NOTE: Splunk parses data into individual events, extracts time, and assigns metadata each event has a/an:

Answer 108

timestamp
host 
source
sourcetype
index

Page 59 Mod 5

Question 109

What layout options do you have to view your search results in?

Answer 109

Raw
LIst
Table

Question 110

What are Selected Fields?

Answer 110

A set of configurable fields displayed for each event

Page 79 Mod 6

Question 111

What are Interesting Fields?

Answer 111

They occur in at least 20% of resulting events.

Page 79 Mod 6

Question 112

Fast Mode:

Answer 112

Emphasizes speed over completeness

Page 89 Mod 6

Question 113

Smart Mode:

Answer 113

Balances speed and completeness (default)

Page 89 Mod 6

Question 114

Verbose Mode:

Answer 114

• Emphasizes completeness over speed
• Allows access to underlying events when using reporting or statistical commands (in addition to totals and stats)

Page 89 Mod 6

Question 115

What are the syntax components of Splunk’s Search Language?

Answer 115

Search for this
PIPE
Command
Function
Argument
Clause

Page 97 Mod 8

Question 116

What are the 5 basic components that make up the Splunk Search Language?

Answer 116

Search Terms
Commands
Functions
Arguments
Clauses

Page 98 Mod 8

Question 117

Search Language Syntax Components

What are you looking for?
- Keywords, phrases, Booleans, etc

Answer 117

Search Terms

Page 98 Mod 8

Question 118

Search Language Syntax Components

What do you want to do with the results?

Answer 118

Commands

Page 98 Mod 8

Question 119

Search Language Syntax Components

How do you want to chart, compute, or evaluate the results?

Answer 119

Functions

Page 98 Mod 8

Question 120

Search Language Syntax Components

Are there variables you want to apply to this function?

Answer 120

Arguments

Page 98 Mod 8

Question 121

Search Language Syntax Components

How do you want to group or rename the fields in the results?

Answer 121

Clauses

Page 98 Mod 8

Question 122

What are the colors of Splunk’s search syntax?

Answer 122

Boolean Operators/Command Modifiers - ORANGE
Commands - BLUE
Command Arguments - GREEN
Functions - PURPLE

Page 101 Mod 8

Question 123

What are the transforming commands?

Answer 123

chart
timechart
stats
top
rare
contingency
highlight

Question 124

Machine data is always structured.

Answer 124

False!

Question 125

Machine data makes up for more than ___% of the data accumulated by organizations.

Answer 125

90%

Question 126

Machine data is only generated by web servers.

Answer 126

False!

Question 127

Which function is not a part of a single instance deployment?

Answer 127

Clustering!

Question 128

What are the three main processing components of Splunk?

Answer 128

Forwarders
Search Heads
Indexers

Page 23 Mod 2

Question 129

Which of these is not a main component of Splunk?

Answer 129

Compress and archive

Question 130

What are the three main default roles in Splunk Enterprise?

Answer 130

User
Power User
Admin

Page 11 Mod 1roles can

Question 131

You can launch and manage apps from the home app.

Answer 131

True!

Question 132

Which apps ship with Splunk Enterprise?

Answer 132

Search & Reporting

Home App

Question 133

In most production environments, _______ will be used as the source of data input.

Answer 133

Forwarders

Question 134

The monitor input option will allow you to continuously monitor files.

Answer 134

True!

Question 135

Splunk uses ________ to categorize the type of data being indexed.

Answer 135

Sourcetype!

Question 136

When zooming in on the event time line, a new search is run.

Answer 136

False!

Question 137

How is the asterisk used in Splunk search?

Answer 137

A wildcard

Question 138

These are booleans in the Splunk Search Language.

Answer 138

NOT
OR
AND

Question 139

What attributes describe the circled field below?

a dest 4

Answer 139

It contains string values

It contains 4 values

Question 140

Field names are ________.

Answer 140

Case sensitive

Question 141

Which is not a comparison operator in Splunk?

Answer 141

?=

Question 142

As a general practice, exclusion is better than inclusion in a Splunk search.

Answer 142

False!

Question 143

What is the most efficient way to filter events in Splunk?

Answer 143

By time!

Question 144

Time to search can only be set by the time range picker.

Answer 144

False!

Question 145

Excluding fields using the Fields Command will benefit performance.

Answer 145

False!

Question 146

Finish the rename command to change the name of the status field to HTTP Status.
sourcetype=a* status=404 | rename _____

Answer 146

status as “HTTP Status”

Question 147

Would the ip column be removed in the results of this search? Why or why not?

sourcetype=a* | rename ip as “User” | fields - ip

Answer 147

NO, because the name was changed

Question 148

How many results are shown by default when using a Top or Rare Command?

Answer 148

10

Question 149

Which one of these is not a stats function?

Answer 149

Addtotals

Question 150

Which stats function would you use to find the average value of a field?

Answer 150

avg

Question 151

The User role can not create reports.

Answer 151

False!

Question 152

A time range picker can be included in a report.

Answer 152

True!

Question 153

These roles can create reports:

Answer 153

User
Power
Admin

Question 154

Data models are made up of ___________.

Answer 154

Datasets

Question 155

Adding child data model objects is like the ______ Boolean in the Splunk search language.

Answer 155

AND

Question 156

Pivots cannot be saved as reports panels.

Answer 156

False!

Question 157

To keep from overwriting existing fields with your Lookup you can use the ____________ clause.

Answer 157

OUTPUTNEW

Question 158

External data used by a Lookup can come from sources like:

Answer 158

Scripts
CSV
Geospatial data

Question 159

When using a .csv file for Lookups, the first row in the file represents this.

Answer 159

Field names

Question 160

Once an alert is created, you can no longer edit its defining search.

Answer 160

False!

Question 161

Alerts can be shared to all apps.

Answer 161

True!

Question 162

Alerts can run uploaded scripts.

Answer 162

True!

Question 163

Search strings are sent from the _________.

Answer 163

Search Head!

Question 164

In most Splunk deployments, ________ serve as the primary way data is supplied for indexing.

Answer 164

Forwarders!

Question 165

Splunk knows where to break the event, where the time stamp is located and how to automatically create field value pairs using these.

Answer 165

Sourcetypes!

Question 166

When a search is sent to splunk, it becomes a _____.

Answer 166

Search Job!

Question 167

Field values are case sensitive.

Answer 167

False!

Question 168

Having separate indexes allows:

Answer 168

Faster Searches
Multiple retention policies
Ability to limit access

Question 169

What command would you use to remove the status field from the returned events?

Answer 169

fields -

Question 170

Which clause would you use to rename the count field?

Answer 170

as

Question 171

Charts can be based on numbers, time, or location.

Answer 171

True!

Question 172

In a dashboard, a time range picker will only work on panels that include a(n) __________ search.

Answer 172

Inline

Question 173

In a dashboard, a time range picker will only work on panels that include a(n) __________ search.

Answer 173

Inline

Question 174

Which role(s) can create data models?

Answer 174

Power

Admin

Question 175

The instant pivot button is displayed in the statistics and visualization tabs when a _______ search is run.

Answer 175

Non-transforming

Question 176

A lookup is categorized as a dataset.

Answer 176

True!

Question 177

Finish this search command so that it displays data from the http_status.csv Lookup file.
| ______ http_status.csv

Answer 177

inputlookup

Question 178

Real-time alerts will run the search continuously in the background.

Answer 178

True

Question 179

What is the order of evaluation for Boolean operations in Splunk?

Answer 179

NOT
OR
AND

Question 180

Commands that create statistics and visualizations are called _______________ commands.

Answer 180

transforming

Question 181

Shared search jobs remain active for _______ by default.

Answer 181

7 days

Question 182

Wildcards cannot be used with field searches.

Answer 182

False

Question 183

This symbol is used in the “Advanced” section of the time range picker to round down to nearest unit of specified time.

Answer 183

@

Question 184

What is missing from this search?

sourcetype=a* | rename ip as “User IP” | table User IP

Answer 184

Quotation marks around User IP

Question 185

_____________ are reports gathered together into a single pane of glass.

Answer 185

Dashboards

Question 186

An alert is an action triggered by a _____________.

Answer 186

Saved Search

Question 187

Search requests are processed by the ___________.

Answer 187

Indexers

Question 188

This role will only see their own knowledge objects and those that have been shared with them.

Answer 188

User

Question 189

Files indexed using the the upload input option get indexed _____.

Answer 189

Once

Question 190

Events are always returned in chronological order.

Answer 190

False

Question 191

Events are always returned in chronological order.

Answer 191

False

Question 192

A search job will remain active for ___ minutes after it is run.

Answer 192

10 mins

Question 193

Excluding fields using the Fields Command will benefit performance.

Answer 193

False

Question 194

The time stamp you see in the events is based on the time zone in your user account.

Answer 194

True

Question 195

If a search returns this, you can view the results as a chart.

Answer 195

Statistical values