User FlashCards
The common constraints for the top command are?
limit
countfield
showperc
What is limit= set to when you click Top values in a field's window?
The limit is set to 20 (limit=20)
limit=0 returns how many results?
Unlimited results
By default what is the name of the countfield?
Count
Shows the number of events that match the search criteria
stats count
Returns a count of unique values for a given field?
distinct_count, dc
Shows all values of a given field?
list
Shows unique values of a given field?
values
What are saved searches?
Reports
Does running a report return fresh results each time you run it?
Yes!
____ and ____ allow you to drill down by default to see the underlying events.
Statistics and Visualizations
Can reports be shared and added to dashboards?
Yes!
The report is saved with the time range that was selected when it was created. True or False?
True!
Adding a time range picker allows you to do what to the Report?
It allows you to adjust the time range of the Report when you run it.
What are the dialog buttons when creating a report?
- Continue Editing
- Add to Dashboard
- View - allows you to display and rerun the report
There are 3 main ways to create tables and visualizations in Splunk. What are they?
- Select a field from the fields sidebar and choose a report to run
- Use the Pivot interface: start with a dataset or Instant Pivot
- Use the Splunk search language transforming commands in the Search bar
Numeric fields have 6 report types with mathematical functions. What are they?
- Average over time
- Maximum value over time
- Minimum value over time
- Top values
- Top values by time
- Rare values
For alphanumeric character fields, there are only 3 available reports. What are they?
- Top values
- Top values by time
- Rare values
When updating visualization settings like the min/max, how soon are the new settings reflected?
Immediately!!
Switch to what tab in order to view the data as a table?
Statistics!
What is a dashboard?
A dashboard consists of one or more panels displaying data visually in a useful way - such as events, tables, or charts.
Page 150 Mod 10
Why create panels from reports?
It is efficient to create most dashboard panels based on reports because
- a single report can be used across different dashboards
- this links the report definition to the dashboard
Any change to the underlying report affects every dashboard panel that utilizes that report.
Page 154 Mod 10
Dashboards can be exported as…
As a PDF, or printed
The selection screen under Export shows:
PDF
Schedule PDF Delivery
Print
Page 160 Mod 10
How do you create an Instant Pivot?
- Execute a search (search criteria only, no search commands)
- Click the Statistics or Visualization tab
- Click the Pivot icon
- Select the fields to be included in the data model object
- Create the pivot (table or chart)
When saving a Pivot as a Report what is required?
The Model Title because this creates the Data Model
What is a lookup?
Sometimes static (or relatively unchanging) data is required for searches but isn’t available in the index
Lookups pull such data from standalone files at search time and add it to search results
*NOTE: Lookups allow you to add more fields to your events, such as:
- Descriptions for HTTP status codes (“File Not Found”, “Service Unavailable”)
- Sale prices for products
- User names, IP addresses, and workstation IDs associated with RFIDs
After a lookup is configured, you can use the lookup fields in searches, True or False?
True!!
True or False: The lookup fields also appear in the Fields sidebar
True!
True or False: Lookup field values are case sensitive by default?
True!
What happens when OUTPUT is not specified?
All the fields from the lookup table except the match fields are added
What happens when the OUTPUT is specified?
The fields overwrite existing fields
If a field in the lookup table represents a timestamp, you can create a what?
Time-Based Lookup
Page 199 Mod 12
Why would you want to use Scheduled Reports?
- Monthly, weekly, daily executive/managerial roll up reports
- Dashboard performance
- Automatically sending reports via email
Page 201 Mod 13
How do you create a Scheduled Report?
- Create your search
- From the Save As menu, select Report
- Enter Title
- Enter Description
- Set Time Range Picker to No
- Click Save
Page 202-204 Mod 13
When creating a Scheduled report you can select a time range from?
Presets
Relative
Advanced
Page 207 Mod 13
This setting determines a time frame to run the report.
Schedule Window
Page 207 Mod 13
Creates an indexed, searchable log event.
Log Event
Page 208 Mod 13
Selecting Output results to lookup.
Sends results of search to CSV lookup file.
Page 208 Mod 13
Selecting Output results to telemetry endpoint
Sends usage metrics back to Splunk (if your company has opted in to the program)
Page 208 Mod 13
Run a Script
Runs a previously created script
Page 208 Mod 13
Send email
Sends an email with results to specified recipients.
Page 208 Mod 13
Webhook
Sends an HTTP POST request to a specified URL.
Page 208 Mod 13
Managing Reports - Edit Permissions
In the GUI, inside the Reports tab, choose Edit then Edit Permissions.
Run as: User
What happens to the report?
Only data allowed to be accessed by the user role appears.
Page 211 Mod 13
Managing Reports - Edit Permissions
In the GUI, inside the Reports tab, choose Edit then Edit Permissions.
Run as: Owner
What happens to the report?
All data accessible by the owner appears in the report.
Page 211 Mod 13
To access the report results from a web page:
Click Edit > Embed
Before a report can be embedded, it must be scheduled
Page 212 Mod 13
What are alerts?
Splunk alerts are based on searches that can run either:
- on a regular scheduled interval
- in real-time
Alerts are triggered when the results of the search meet a specific condition that you define
Based on your needs, alerts can:
- Create an entry in triggered alerts
- log an event
- output results to a lookup file
- send emails
- use a webhook
- perform a custom action
Page 213 Mod 13
How do you create an alert in the GUI?
- Run a search
- Select Save As > Alert
- Give the alert a Title and Description
Page 214 Mod 13
Setting alert permissions
Only you can access, edit, and view triggered alerts.
Private Permissions
Page 215 Mod 13
Setting alert permissions
- All users of the app can view triggered alerts
- By default, everyone has read access and power has write access to the alert.
Shared in App
Page 215 Mod 13
What type of alert?
- Search runs at a defined interval
- Evaluates trigger condition when the search completes
Scheduled Alerts
Page 216 Mod 13
What kind of search?
- Search runs constantly in the background
- Evaluates trigger conditions within a window of time based on the conditions you define
Real-Time
Page 216 Mod 13
You can set alerts to trigger in five ways:
- Per-Result - triggers when a result is returned
- Number of Results - define how many results are returned before the alert triggers
- Number of Hosts - define how many unique hosts are returned before the alert triggers
- Number of Sources - define how many unique sources are returned before the alert triggers
- Custom - define custom conditions using the search language
Page 219 Mod 13
Alert Actions - Trigger Conditions
Executes actions one time for all matching events within the scheduled time and conditions
Once Trigger
Page 221 Mod 13
Alert Actions - Trigger Conditions
*NOTE: Executes the alert actions once for each result that matches the conditions.
For each result
Page 222 Mod 13
All actions that are available for scheduled reports are also available for alerts:
- Log Event
- Output results to lookup
- Output results to telemetry endpoint
- Run a script
- Send email
- Webhook
Page 223 Mod 13
Alert Actions - Add to Triggered Alerts
The severity for an alert:
- Info
- Low
- Medium
- High
- Critical
Page 224 Mod 13
Alert Actions - Log Event
When saving as a report, under Triggered Alerts and + Add Actions, you can add a Log Event action. Which Log Event action field matches the description below?
Enter the information that will be written to the new log event.
Event!
Page 225 Mod 13
Alert Actions - Log Event
When saving as a report, under Triggered Alerts and + Add Actions, you can add a Log Event action. Which Log Event action field matches the description below?
_____ of the new log event (by default, the alert name)
Source!
Page 225 Mod 13
Alert Actions - Log Event
When saving as a report, under Triggered Alerts and + Add Actions, you can add a Log Event action. Which Log Event action field matches the description below?
____ to which the new log event will be written
Sourcetype!
Page 225 Mod 13
Alert Actions - Log Event
When saving as a report, under Triggered Alerts and + Add Actions, you can add a Log Event action. Which Log Event action field matches the description below?
____ value of the new log event (by default, IP address of the host of the alert)
Host!
Page 225 Mod 13
Alert Actions - Log Event
When saving as a report, under Triggered Alerts and + Add Actions, you can add a Log Event action. Which Log Event action field matches the description below?
Destination ____ for the new log event (default value is main)
Index!
Page 225 Mod 13
Alert Actions - Send Email
When saving as a report, under Triggered Alerts and + Add Actions, you can add a Send Email action. Which Send Email action field matches the description below?
____ select the format of the alert.
Include!
Page 227 Mod 13
Alert Actions - Send Email
When saving as a report, under Triggered Alerts and + Add Actions, you can add a Send Email action. Which Send Email action field matches the description below?
____ select the format of the text message.
Type!
Page 227 Mod 13
What does Splunk do?
Aggregate, analyze, and get answers from your machine data
Page 5 Mod 1
What data can be pulled into Splunk?
Index ANY data from ANY source
- Computers
- Network devices
- Virtual machines
- Internet devices
- Communication devices
- Sensors
- Databases
- Logs
- Configurations
- Messages
- Call detail records
- Clickstream
- Alerts
- Metrics
- Scripts
- Changes
- Tickets
Page 6 Mod 1
Types of Splunk Deployment?
Splunk Enterprise - Splunk components installed and administered on-premises
Splunk Cloud
- Splunk Enterprise as a scalable service
- No infrastructure required
Splunk Light
- Solution for small IT environments
Page 8 Mod 1
What three things define what Splunk Apps are?
- Designed to address a wide variety of use cases and to extend the power of Splunk
- Collections of files containing data inputs, UI elements, and/or knowledge objects
- Allows multiple workspaces for different use cases/user roles to co-exist on a single Splunk instance
Page 9 Mod 1
What are Splunk Enhanced Solutions?
- Splunk IT Service Intelligence (ITSI)
- Splunk Enterprise Security (ES)
- Splunk User Behavior Analytics (UBA)
Page 10 Mod 1
Out of the box, there are 3 main roles:
Admin
Power
User
Page 11 Mod 1
What is the Search & Reporting App used for?
- Provides a default interface for searching and analyzing data
- Enables you to create knowledge objects, reports, and dashboards
Page 14 Mod 1
Data Summary Tabs
Unique identifier of where the events originated (host name, IP address, etc.)
Host!
Data Summary Tabs
Name of the file, stream, or other input.
Source!
Data Summary Tabs
Specific data type or data format
Sourcetype!
Splunk consists of ___ main components. What are they and how many?
3 main components
Indexer
Search Head
Forwarder
Page 23 Mod 2
What are three things the Indexer does?
- Processes machine data, storing the results in indexes as events, enabling fast search and analysis
- As the Indexer indexes data, it creates a number of files organized in sets of directories by age
- Contains raw data (compressed) and indexes (points to the raw data)
Page 24 Mod 2
What are four things the Search Heads do?
- Allows users to use the Search language to search the indexed data
- Distributes user search requests to the Indexers
- Consolidates the results, extracts field/value pairs from the events, and returns them to the user
- Knowledge Objects on the Search Heads can be created to extract additional fields and transform the data without changing the underlying index data
Page 25 Mod 2
What are four things Forwarders do?
- Splunk Enterprise instances that consume data and send it to the index
- Require minimal resources and have little impact on performance
- Typically reside on the machines where the data originates
- Primary way data is supplied for indexing
Page 27 Mod 2
What are the 3 less-common components of Splunk?
Deployment Server
Cluster Master
License Master
Page 28 Mod 2
Splunk Deployment - Standalone or Single Server
- All functions in a single instance of Splunk
- For testing, proof of concept, personal use, and learning
- This is what you get when you download Splunk and install with default settings
Page 29 Mod 2
Splunk Deployment - Basic or Splunk Server
Has a Splunk server:
- Similar to server in standalone configuration
- Manage deployment of forwarder configurations
Adds forwarders which:
- Collect data and send it to Splunk servers
- Install forwarders at data source (Usually production servers)
Page 30 Mod 2
Splunk Deployment - Basic
Splunk server
- Similar to server in standalone configuration
- Manage deployment of forwarder configurations
Forwarders
- Forwarders collect data and send it to Splunk servers
- Install forwarders at data source (usually production servers)
Page 30 Mod 2
What are the three rules and limits of a Basic Deployment for organizations?
- Indexing less than 20GB per day
- Under 20 users
- Small number of forwarders
Page 30 Mod 2
A Splunk Deployment - Multi-Instance
- Increases indexing and searching capacity
- Search management and index functions are split across multiple machines
- Search Head - for Searching
- Indexers - Indexing and Parsing
- Forwarders - Provide Input
Page 31 Mod 2
What are the three rules and limits of a Multi-Instance deployment for organizations?
- Indexing up to 100GB per day
- Supports 100 users
- Supports several hundred forwarders
Page 31 Mod 2
Splunk Deployment - Increasing Capacity/Search Head Cluster
Adding a Search Head Cluster:
- Services more users for increased search capacity
- Allows users and searches to share resources
- Coordinate activities to handle search requests and distribute the requests across the set of indexers
Require a minimum of three search heads
Use a deployer to manage and distribute apps to the members of the search head cluster.
Page 32 Mod 2
What is the minimum number of Search Heads required to make a cluster?
3 Search Heads
Page 32 Mod 2
What is used to manage and distribute apps to the members of the Search Head Cluster?
A Deployer!
Page 32 Mod 2
Splunk Deployment - What is an Index Cluster used for?
Traditional Index Clusters:
- Configured to replicate data
- Prevent data loss
- Promote availability
- Manage multiple indexers
Page 33 Mod 2
Two things to know about non-replicating Index Clusters:
- Offer simplified management
- Do not provide availability or data recovery
Page 33 Mod 2
What are the Splunk components installed from the Splunk Enterprise package?
Indexer (Search Peer)
Search Head
Deployment Server
License Master
Heavy Forwarder
Cluster Master
Search Head Cluster
Page 35 Mod 2
splunk help
Display a usage summary
Page 38 Mod 3
splunk [start | stop | restart]
Manage the Splunk processes
Page 38 Mod 3
splunk start --accept-license
Automatically accept the license without prompt
Page 38 Mod 3
splunk status
Display the Splunk process status
Page 38 Mod 3
splunk show splunkd-port
Show the port that the splunkd listens on
Page 38 Mod 3
splunk show web-port
Show the port that Splunk Web listens on
Page 38 Mod 3
splunk show servername
Show the servername of this instance
Page 38 Mod 3
splunk show default-hostname
Show the default host name used for all data inputs
Page 38 Mod 3
splunk enable boot-start-user
Initialize script to run Splunk Enterprise at system startup
Page 38 Mod 3
Splunk Index Time Process
Input Phase:
Handled at the source (usually a forwarder)
- The data sources are being opened and read
- Data is handled as streams and any configuration settings are applied to the entire stream
Page 40 Mod 4
Splunk Index Time Process
Parsing Phase:
Handled by indexers (or heavy forwarders)
- Data is broken up into events and advanced processing can be performed
Page 40 Mod 4
Splunk Index Time Process
Indexing Phase:
- License meter runs as data is initially written to disk, prior to compression
- After data is written to disk, it cannot be changed
Page 40 Mod 4
What are the data input types that Splunk supports?
Files and directories
Network data
Script output
Windows logs
HTTP
You can add data inputs with:
- Apps and add-ons from Splunkbase
- Splunk Web
- CLI
- Directly editing inputs.conf
Page 41 Mod 4
What are the default Metadata settings for Splunk?
Source
Host
Sourcetype
Index
Page 42 Mod 4
What are the Add Data options depending on the source being used?
Upload Option - allows uploading local files that only get indexed once. Useful for testing or data that is created once and never gets updated. Does not create inputs.conf
Monitor Option - provides one-time or continuous monitoring of files, directories, HTTP events, network ports, or data-gathering scripts located on Splunk Enterprise instances. Useful for testing inputs.
Forward Option - main source of input in production environments. Remote machines gather and forward data to indexers over a receiving port.
Page 44 Mod 4
*NOTE: Splunk parses data into individual events, extracts time, and assigns metadata; each event has a/an:
timestamp
host
source
sourcetype
index
Page 59 Mod 5
What layout options do you have to view your search results in?
Raw
List
Table
What are Selected Fields?
A set of configurable fields displayed for each event
Page 79 Mod 6
What are Interesting Fields?
They occur in at least 20% of resulting events.
Page 79 Mod 6
Fast Mode:
Emphasizes speed over completeness
Page 89 Mod 6
Smart Mode:
Balances speed and completeness (default)
Page 89 Mod 6
Verbose Mode:
- Emphasizes completeness over speed
- Allows access to underlying events when using reporting or statistical commands (in addition to totals and stats)
Page 89 Mod 6
What are the syntax components of Splunk’s Search Language?
Search for this
PIPE
Command
Function
Argument
Clause
Page 97 Mod 8
What are the 5 basic components that make up the Splunk Search Language?
Search Terms
Commands
Functions
Arguments
Clauses
Page 98 Mod 8
Search Language Syntax Components
What are you looking for?
- Keywords, phrases, Booleans, etc
Search Terms
Page 98 Mod 8
Search Language Syntax Components
What do you want to do with the results?
Commands
Page 98 Mod 8
Search Language Syntax Components
How do you want to chart, compute, or evaluate the results?
Functions
Page 98 Mod 8
Search Language Syntax Components
Are there variables you want to apply to this function?
Arguments
Page 98 Mod 8
Search Language Syntax Components
How do you want to group or rename the fields in the results?
Clauses
Page 98 Mod 8
What are the colors of Splunk’s search syntax?
Boolean Operators/Command Modifiers - ORANGE
Commands - BLUE
Command Arguments - GREEN
Functions - PURPLE
Page 101 Mod 8
What are the transforming commands?
chart
timechart
stats
top
rare
contingency
highlight
Machine data is always structured.
False!
Machine data makes up for more than ___% of the data accumulated by organizations.
90%
Machine data is only generated by web servers.
False!
Which function is not a part of a single instance deployment?
Clustering!
What are the three main processing components of Splunk?
Forwarders
Search Heads
Indexers
Page 23 Mod 2
Which of these is not a main component of Splunk?
Compress and archive
What are the three main default roles in Splunk Enterprise?
User
Power User
Admin
Page 11 Mod 1
You can launch and manage apps from the home app.
True!
Which apps ship with Splunk Enterprise?
Search & Reporting
Home App
In most production environments, _______ will be used as the source of data input.
Forwarders
The monitor input option will allow you to continuously monitor files.
True!
Splunk uses ________ to categorize the type of data being indexed.
Sourcetype!
When zooming in on the event timeline, a new search is run.
False!
How is the asterisk used in Splunk search?
A wildcard
These are booleans in the Splunk Search Language.
NOT
OR
AND
What attributes describe the circled field below?
a dest 4
It contains string values
It contains 4 values
Field names are ________.
Case sensitive
Which is not a comparison operator in Splunk?
?=
As a general practice, exclusion is better than inclusion in a Splunk search.
False!
What is the most efficient way to filter events in Splunk?
By time!
Time to search can only be set by the time range picker.
False!
Excluding fields using the Fields Command will benefit performance.
False!
Finish the rename command to change the name of the status field to HTTP Status.
sourcetype=a* status=404 | rename _____
status as “HTTP Status”
Would the ip column be removed in the results of this search? Why or why not?
sourcetype=a* | rename ip as “User” | fields - ip
NO, because the name was changed
How many results are shown by default when using a Top or Rare Command?
10
Which one of these is not a stats function?
Addtotals
Which stats function would you use to find the average value of a field?
avg
The User role cannot create reports.
False!
A time range picker can be included in a report.
True!
These roles can create reports:
User
Power
Admin
Data models are made up of ___________.
Datasets
Adding child data model objects is like the ______ Boolean in the Splunk search language.
AND
Pivots cannot be saved as report panels.
False!
To keep from overwriting existing fields with your Lookup you can use the ____________ clause.
OUTPUTNEW
External data used by a Lookup can come from sources like:
Scripts
CSV
Geospatial data
When using a .csv file for Lookups, the first row in the file represents this.
Field names
Once an alert is created, you can no longer edit its defining search.
False!
Alerts can be shared to all apps.
True!
Alerts can run uploaded scripts.
True!
Search strings are sent from the _________.
Search Head!
In most Splunk deployments, ________ serve as the primary way data is supplied for indexing.
Forwarders!
Splunk knows where to break the event, where the time stamp is located and how to automatically create field value pairs using these.
Sourcetypes!
When a search is sent to Splunk, it becomes a _____.
Search Job!
Field values are case sensitive.
False!
Having separate indexes allows:
Faster Searches
Multiple retention policies
Ability to limit access
What command would you use to remove the status field from the returned events?
fields -
Which clause would you use to rename the count field?
as
Charts can be based on numbers, time, or location.
True!
In a dashboard, a time range picker will only work on panels that include a(n) __________ search.
Inline
Which role(s) can create data models?
Power
Admin
The instant pivot button is displayed in the statistics and visualization tabs when a _______ search is run.
Non-transforming
A lookup is categorized as a dataset.
True!
Finish this search command so that it displays data from the http_status.csv Lookup file.
| ______ http_status.csv
inputlookup
Real-time alerts will run the search continuously in the background.
True
What is the order of evaluation for Boolean operations in Splunk?
NOT
OR
AND
Commands that create statistics and visualizations are called _______________ commands.
transforming
Shared search jobs remain active for _______ by default.
7 days
Wildcards cannot be used with field searches.
False
This symbol is used in the “Advanced” section of the time range picker to round down to nearest unit of specified time.
@
What is missing from this search?
sourcetype=a* | rename ip as “User IP” | table User IP
Quotation marks around User IP
_____________ are reports gathered together into a single pane of glass.
Dashboards
An alert is an action triggered by a _____________.
Saved Search
Search requests are processed by the ___________.
Indexers
This role will only see their own knowledge objects and those that have been shared with them.
User
Files indexed using the upload input option get indexed _____.
Once
Events are always returned in chronological order.
False
A search job will remain active for ___ minutes after it is run.
10 mins
Excluding fields using the Fields Command will benefit performance.
False
The time stamp you see in the events is based on the time zone in your user account.
True
If a search returns this, you can view the results as a chart.
Statistical values