User FlashCards
What are the common constraints for the top command?
limit
countfield
showperc
What is limit= set to when you click Top values in a field's window?
limit=20
limit=0 returns how many results?
Unlimited results
By default what is the name of the countfield?
Count
Shows the number of events that match the search criteria
stats count
Returns a count of unique values for a given field?
distinct_count, dc
Shows all values of a given field?
list
Shows unique values of a given field?
values
What are saved searches?
Reports
Does running a report return fresh results each time you run it?
Yes!
____ and ____ allow you to drill down by default to see the underlying events.
Statistics and Visualizations
Can reports be shared and added to dashboards?
Yes!
The report is saved with the time range that was selected when it was created. True or False?
True!
Adding a time range picker allows you to do what to the Report?
It allows you to adjust the time range of the Report when you run it.
What are the dialog buttons when creating a report?
- Continue Editing
- Add to Dashboard
- View - allows you to display and rerun the report
There are 3 main ways to create tables and visualizations in Splunk. What are they?
- Select a field from the fields sidebar and choose a report to run
- Use the Pivot interface (start with a dataset or Instant Pivot)
- Use the Splunk search language transforming commands in the Search bar
Numeric fields have 6 report types with mathematical functions. What are they?
- Average over time
- Maximum value over time
- Minimum value over time
- Top values
- Top values by time
- Rare values
For alphanumeric character fields, there are only 3 available reports. What are they?
- Top values
- Top values by time
- Rare values
When updating visualization settings like the min/max, how soon are the new settings reflected?
Immediately!!
Switch to what tab in order to view the data as a table?
Statistics!
What is a dashboard?
A dashboard consists of one or more panels displaying data visually in a useful way - such as events, tables, or charts.
Page 150 Mod 10
Why create panels from reports?
It is efficient to create most dashboard panels based on reports because
- a single report can be used across different dashboards
- this links the report definition to the dashboard
Any change to the underlying report affects every dashboard panel that utilizes that report.
Page 154 Mod 10
Dashboards can be exported as…
A PDF, or printed
The selection screen under Export shows:
PDF
Schedule PDF Delivery
Print
Page 160 Mod 10
How do you create an Instant Pivot?
- Execute a search (search criteria only, no search commands)
- Click the Statistics or Visualization tab
- Click the Pivot icon
- Select the fields to be included in the data model object
- Create the pivot (table or chart)
When saving a Pivot as a Report what is required?
The Model Title because this creates the Data Model
What is a lookup?
Sometimes static (or relatively unchanging) data is required for searches but isn’t available in the index
Lookups pull such data from standalone files at search time and add it to search results
*NOTE: Lookups allow you to add more fields to your events, such as:
- Descriptions for HTTP status codes (“File Not Found”, “Service Unavailable”)
- Sale prices for products
- User names, IP addresses, and workstation IDs associated with RFIDs
After a lookup is configured, you can use the lookup fields in searches, True or False?
True!!
True or False: The lookup fields also appear in the Fields sidebar
True!
True or False: Lookup field values are case sensitive by default?
True!
What happens when OUTPUT is not specified?
All the fields from the lookup table except the match fields are added
What happens when the OUTPUT is specified?
The fields overwrite existing fields
If a field in the lookup table represents a timestamp, you can create a what?
Time-Based Lookup
Page 199 Mod 12
Why would you want to use Scheduled Reports?
- Monthly, weekly, daily executive/managerial roll up reports
- Dashboard performance
- Automatically sending reports via email
Page 201 Mod 13
How do you create a Scheduled Report?
- Create your search
- From the Save As menu, select Report
- Enter Title
- Enter Description
- Set Time Range Picker to No
- Click Save
Page 202-204 Mod 13
When creating a Scheduled report you can select a time range from?
Presets
Relative
Advanced
Page 207 Mod 13
This setting determines a time frame to run the report.
Schedule Window
Page 207 Mod 13
Creates an indexed, searchable log event.
Log Event
Page 208 Mod 13
Selecting Output results to lookup does what?
Sends results of search to CSV lookup file.
Page 208 Mod 13
Selecting Output results to telemetry endpoint does what?
Sends usage metrics back to Splunk (if your company has opted-in to program)
Page 208 Mod 13
Run a Script
Runs a previously created script
Page 208 Mod 13
Send email
Sends an email with results to specified recipients.
Page 208 Mod 13
Webhook
Sends an HTTP POST request to a specified URL.
Page 208 Mod 13
Managing Reports - Edit Permissions
In the GUI, inside the Reports tab, under Edit > Edit Permissions.
Run as: User
What does this do to the report?
Only data allowed to be accessed by the user role appears.
Page 211 Mod 13
Managing Reports - Edit Permissions
In the GUI, inside the Reports tab, under Edit > Edit Permissions.
Run as: Owner
What does this do to the report?
All data accessible by the owner appears in the report.
Page 211 Mod 13
To access report results from a webpage:
Click edit > embed
Before a report can be embedded, it must be scheduled
Page 212 Mod 13
What are Alerts?
Splunk alerts are based on searches that can run either:
- on a regular scheduled interval
- in real-time
Alerts are triggered when the results of the search meet a specific condition that you define
Based on your needs, alerts can:
- Create an entry in triggered alerts
- log an event
- output results to a lookup file
- send emails
- use a webhook
- perform a custom action
Page 213 Mod 13
How to create an Alert in the GUI?
- Run a search
- Select Save As > Alert
- Give the alert a Title and Description
Page 214 Mod 13
Setting alert permissions
Only you can access, edit, and view triggered alerts.
Private Permissions
Page 215 Mod 13
Setting alert permissions
- All users of the app can view triggered alerts
- By default, everyone has read access, and the power role has write access, to the alert.
Shared in App
Page 215 Mod 13
What type of alert?
- Search runs at a defined interval
- Evaluates trigger condition when the search completes
Scheduled Alerts
Page 216 Mod 13
What type of alert?
- Search runs constantly in the background
- Evaluates trigger conditions within a window of time based on the conditions you define
Real-Time
Page 216 Mod 13
You can set alerts to trigger in five ways. What are they?
- Per-Result - triggers when a result is returned
- Number of Results - define how many results are returned before the alert triggers
- Number of Hosts - define how many unique hosts are returned before the alert triggers
- Number of Sources - define how many unique sources are returned before the alert triggers
- Custom - define custom conditions using the search language
Page 219 Mod 13
Alert Actions - Trigger Conditions
Executes actions one time for all matching events within the scheduled time and conditions
Once Trigger
Page 221 Mod 13
Alert Actions - Trigger Conditions
*NOTE: Executes the alert actions once for each result that matches the conditions.
For each result
Page 222 Mod 13
Which actions available for scheduled reports are also available for alerts?
- Log Event
- Output results to lookup
- Output results to telemetry endpoint
- Run a script
- Send email
- Webhook
Page 223 Mod 13
Alert Actions - Add to Triggered Alerts
The severity for an alert:
- Info
- Low
- Medium
- High
- Critical
Page 224 Mod 13
Alert Actions - Log Event
When saving as a report, under Triggered Alerts and + Add Actions, you can add a Log Event action. Which Log Event setting matches the description below?
Enter the information that will be written to the new log event.
Event!
Page 225 Mod 13
Alert Actions - Log Event
When saving as a report, under Triggered Alerts and + Add Actions, you can add a Log Event action. Which Log Event setting matches the description below?
_____ of the new log event (by default, the alert name)
Source!
Page 225 Mod 13
Alert Actions - Log Event
When saving as a report, under Triggered Alerts and + Add Actions, you can add a Log Event action. Which Log Event setting matches the description below?
____ to which the new log event will be written
Sourcetype!
Page 225 Mod 13
Alert Actions - Log Event
When saving as a report, under Triggered Alerts and + Add Actions, you can add a Log Event action. Which Log Event setting matches the description below?
____ value of the new log event (by default, IP address of the host of the alert)
Host!
Page 225 Mod 13
Alert Actions - Log Event
When saving as a report, under Triggered Alerts and + Add Actions, you can add a Log Event action. Which Log Event setting matches the description below?
Destination ____ for the new log event (default value is main)
Index!
Page 225 Mod 13
Alert Actions - Send Email
When saving as a report, under Triggered Alerts and + Add Actions, you can add a Send Email action. Which Send Email setting matches the description below?
____: select the format of the alert.
Include!
Page 227 Mod 13
Alert Actions - Send Email
When saving as a report, under Triggered Alerts and + Add Actions, you can add a Send Email action. Which Send Email setting matches the description below?
____: select the format of the text message.
Type!
Page 227 Mod 13
What does Splunk do?
Aggregate, analyze, and get answers from your machine data
Page 5 Mod 1
What data can be pulled into Splunk?
Index ANY data from ANY source
- Computers
- Network devices
- Virtual machines
- Internet devices
- Communication devices
- Sensors
- Databases
- Logs
- Configurations
- Messages
- Call detail records
- Clickstream
- Alerts
- Metrics
- Scripts
- Changes
- Tickets
Page 6 Mod 1
Types of Splunk Deployment?
Splunk Enterprise - Splunk components installed and administered on-premises
Splunk Cloud
- Splunk Enterprise as a scalable service
- No infrastructure required
Splunk Light
- Solution for small IT environments
Page 8 Mod 1
What three things define Splunk Apps?
- Designed to address a wide variety of use cases and to extend the power of Splunk
- Collections of files containing data inputs, UI elements, and/or knowledge objects
- Allow multiple workspaces for different use cases/user roles to co-exist on a single Splunk instance
Page 9 Mod 1
What are Splunk Enhanced Solutions?
- Splunk IT Service Intelligence (ITSI)
- Splunk Enterprise Security (ES)
- Splunk User Behavior Analytics (UBA)
Page 10 Mod 1
Out of the box, there are 3 main roles:
Admin
Power
User
Page 11 Mod 1
What is the Search & Reporting App used for?
- Provides a default interface for searching and analyzing data
- Enables you to create knowledge objects, reports, and dashboards
Page 14 Mod 1
Data Summary Tabs
Unique identifier of where the events originated (host name, IP address, etc.)
Host!
Data Summary Tabs
Name of the file, stream, or other input.
Source!
Data Summary Tabs
Specific data type or data format
Sourcetype!
Splunk is composed of ___ main components. How many, and what are they?
3 main components
Indexer
Search Head
Forwarder
Page 23 Mod 2
What are three things the Indexer does?
- Processes machine data, storing the results in indexes as events, enabling fast search and analysis
- As the Indexer indexes data, it creates a number of files organized in sets of directories by age
- Contains raw data (compressed) and indexes (points to the raw data)
Page 24 Mod 2
What are four things the Search Heads do?
- Allows users to use the Search language to search the indexed data
- Distributes user search requests to the Indexers
- Consolidates the results and extracts field-value pairs from the events for the user
- Knowledge Objects on the Search Heads can be created to extract additional fields and transform the data without changing the underlying index data
Page 25 Mod 2
What are four things Forwarders do?
- Splunk Enterprise instances that consume data and send it to the index
- Require minimal resources and have little impact on performance
- Typically reside on the machines where the data originates
- Primary way data is supplied for indexing
Page 27 Mod 2