User FlashCards

1
Q

What are the common constraints for the top command?

A

limit
countfield
showperc

2
Q

What is limit= set to when you click Top values in a field window?

A

limit=20

3
Q

limit=0 returns how many results?

A

Unlimited results

4
Q

By default what is the name of the countfield?

A

Count

5
Q

Shows the number of events that match the search criteria

A

stats count

6
Q

Returns a count of unique values for a given field?

A

distinct_count, dc

7
Q

Shows all values of a given field?

A

list

8
Q

Shows unique values of a given field?

A

values

9
Q

What are saved searches?

A

Reports

10
Q

Does running a report return fresh results each time you run it?

A

Yes!

11
Q

____ and ____ allow you to drill down by default to see the underlying events.

A

Statistics and Visualizations

12
Q

Can reports be shared and added to dashboards?

A

Yes!

13
Q

The report is saved with the time range that was selected when it was created. True or False?

A

True!

14
Q

Adding a time range picker allows you to do what to the Report?

A

It allows you to adjust the time range of the Report when you run it.

15
Q

What are the dialog buttons when creating a report?

A
  1. Continue Editing
  2. Add to Dashboard
  3. View - allows you to display and rerun the report
16
Q

There are 3 main ways to create tables and visualizations in Splunk. What are they?

A
  1. Select a field from the fields sidebar and choose a report to run
  2. Use the Pivot interface
    - Start with a dataset or Instant Pivot
  3. Use the Splunk search language transforming commands in the Search bar.
17
Q

Numeric fields have 6 report types with mathematical functions, what are they?

A
  1. Average over time
  2. Maximum value over time
  3. Minimum value over time
  4. Top values
  5. Top values by time
  6. Rare values
18
Q

For alphanumeric character fields, there are only 3 available reports, what are they?

A
  1. Top values
  2. Top values by time
  3. Rare values
19
Q

When updating visualization settings like the min/max, how soon are the new settings reflected?

A

Immediately!!

20
Q

Switch to what tab in order to view the data as a table?

A

Statistics!

21
Q

What is a dashboard?

A

A dashboard consists of one or more panels displaying data visually in a useful way - such as events, tables, or charts.

Page 150 Mod 10

22
Q

Why create panels from reports?

A

It is efficient to create most dashboard panels based on reports because

  • a single report can be used across different dashboards
  • this links the report definition to the dashboard

Any change to the underlying report affects every dashboard panel that utilizes that report.

Page 154 Mod 10

23
Q

Dashboards can be exported as…

A

as a PDF or Printed

The selection screen under Export shows:
PDF
Schedule PDF Delivery
Print

Page 160 Mod 10

24
Q

How do you create an Instant Pivot?

A
  1. Execute a search (search criteria only, no search commands)
  2. Click the Statistics or Visualization tab
  3. Click the Pivot icon
  4. Select the fields to be included in the data model object
  5. Create the pivot (table or chart)
25
Q

When saving a Pivot as a Report what is required?

A

The Model Title because this creates the Data Model

26
Q

What is a lookup?

A

Sometimes static (or relatively unchanging) data is required for searches but isn’t available in the index

Lookups pull such data from standalone files at search time and add it to search results

27
Q

*NOTE: Lookups allow you to add more fields to your events, such as:

A
  • Descriptions for HTTP status codes (“File Not Found”, “Service Unavailable”)
  • Sale prices for products
  • User names, IP addresses, and workstation IDs associated with RFIDs
28
Q

After a lookup is configured, you can use the lookup fields in searches, True or False?

A

True!!

29
Q

True or False: The lookup fields also appear in the Fields sidebar

A

True!

30
Q

True or False: Lookup field values are case sensitive by default?

A

True!

31
Q

What happens when an OUTPUT is not specified?

A

All the fields from the lookup table except the match fields

32
Q

What happens when the OUTPUT is specified?

A

The fields overwrite existing fields

33
Q

If a field in the lookup table represents a timestamp, you can create a what?

A

Time-Based Lookup

Page 199 Mod 12

34
Q

Why would you want to use Scheduled Reports?

A
  • Monthly, weekly, daily executive/managerial roll up reports
  • Dashboard performance
  • Automatically sending reports via email

Page 201 Mod 13

35
Q

How do you create a Scheduled Report?

A
  1. Create your search
  2. From the Save As menu, select Report
  3. Enter Title
  4. Enter Description
  5. Set Time Range Picker to No
  6. Click Save

Page 202-204 Mod 13

36
Q

When creating a Scheduled report you can select a time range from?

A

Presets
Relative
Advanced

Page 207 Mod 13

37
Q

This setting determines a time frame to run the report.

A

Schedule Window

Page 207 Mod 13

38
Q

Creates an indexed, searchable log event.

A

Log Event

Page 208 Mod 13

39
Q

Selecting Output results to lookup.

A

Sends results of search to CSV lookup file.

Page 208 Mod 13

40
Q

Selecting Output results to telemetry endpoint

A

Sends usage metrics back to Splunk (if your company has opted-in to program)

Page 208 Mod 13

41
Q

Run a Script

A

Runs a previously created script

Page 208 Mod 13

42
Q

Send email

A

Sends an email with results to specified recipients.

Page 208 Mod 13

43
Q

Webhook

A

Sends an HTTP POST request to a specified URL.

Page 208 Mod 13

44
Q

Managing Reports - Edit Permissions
With the GUI inside the Reports tab under Edit then Edit Permissions.

Run as: User

Will make what happen to the report?

A

Only data allowed to be accessed by the user role appears.

Page 211 Mod 13

45
Q

Managing Reports - Edit Permissions
With the GUI inside the Reports tab under Edit then Edit Permissions.

Run as: Owner

Will make what happen to that report?

A

All data accessible by the owner appears in the report.

Page 211 Mod 13

46
Q

To access the report results from a webpage.

A

Click edit > embed

Before a report can be embedded, it must be scheduled

Page 212 Mod 13

47
Q

What are Alerts??

A

Splunk alerts are based on searches that can run either:

  • on a regular scheduled interval
  • in real-time

Alerts are triggered when the results of the search meet a specific condition that you define

Based on your needs, alerts can:

  • Create an entry in triggered alerts
  • log an event
  • output results to a lookup file
  • send emails
  • use a webhook
  • perform a custom action

Page 213 Mod 13

48
Q

How to create an Alert in the GUI?

A
  1. Run a search
  2. Select Save As > Alert
  3. Give the alert a Title and Description

Page 214 Mod 13

49
Q

Setting alert permissions

Only you can access, edit, and view triggered alerts.

A

Private Permissions

Page 215 Mod 13

50
Q

Setting alert permissions

  • All users of the app can view triggered alerts
  • By default, everyone has read access and power has write access to the alert.
A

Shared in App

Page 215 Mod 13

51
Q

What type of alert?

  • Search runs at a defined interval
  • Evaluates trigger condition when the search completes
A

Scheduled Alerts

Page 216 Mod 13

52
Q

What kind of search?

  • Search runs constantly in the background
  • Evaluates trigger conditions within a window of time based on the conditions you define
A

Real-Time

Page 216 Mod 13

53
Q

You can set alerts to trigger in five ways

A
  • Per-Result - triggers when a result is returned
  • Number of Results - define how many results are returned before the alert triggers
  • Number of Hosts - define how many unique hosts are returned before the alert triggers
  • Number of Sources - define how many unique sources are returned before the alert triggers
  • Custom - define custom conditions using the search language

Page 219 Mod 13

54
Q

Alert Actions - Trigger Conditions

Executes actions one time for all matching events within the scheduled time and conditions

A

Once Trigger

Page 221 Mod 13

55
Q

Alert Actions - Trigger Conditions

*NOTE: Executes the alert actions once for each result that matches the conditions.

A

For each result

Page 222 Mod 13

56
Q

All actions that are available for scheduled reports are also available for alerts:

A
  • Log Event
  • Output results to lookup
  • Output results to telemetry endpoint
  • Run a script
  • Send email
  • Webhook

Page 223 Mod 13

57
Q

Alert Actions - Add to Triggered Alerts

The severity for an alert:

A
  • Info
  • Low
  • Medium
  • High
  • Critical

Page 224 Mod 13

58
Q

Alert Actions - Log Event

When saving as a report, under Triggered Alerts and + Add Actions, you can add a Log Event action. Which Log Event setting matches the description below?

Enter the information that will be written to the new log event.

A

Event!

Page 225 Mod 13

59
Q

Alert Actions - Log Event

When saving as a report, under Triggered Alerts and + Add Actions, you can add a Log Event action. Which Log Event setting matches the description below?

_____ of the new log event (by default, the alert name)

A

Source!

Page 225 Mod 13

60
Q

Alert Actions - Log Event

When saving as a report, under Triggered Alerts and + Add Actions, you can add a Log Event action. Which Log Event setting matches the description below?

____ to which the new log event will be written

A

Sourcetype!

Page 225 Mod 13

61
Q

Alert Actions - Log Event

When saving as a report, under Triggered Alerts and + Add Actions, you can add a Log Event action. Which Log Event setting matches the description below?

____ value of the new log event (by default, IP address of the host of the alert)

A

Host!

Page 225 Mod 13

62
Q

Alert Actions - Log Event

When saving as a report, under Triggered Alerts and + Add Actions, you can add a Log Event action. Which Log Event setting matches the description below?

Destination ____ for the new log event (default value is main)

A

Index!

Page 225 Mod 13

63
Q

Alert Actions - Send Email

When saving as a report, under Triggered Alerts and + Add Actions, you can add a Send Email action. Which Send Email setting matches the description below?

____ select the format of the alert.

A

Include!

Page 227 Mod 13

64
Q

Alert Actions - Send Email

When saving as a report, under Triggered Alerts and + Add Actions, you can add a Send Email action. Which Send Email setting matches the description below?

____ select the format of the text message.

A

Type!

Page 227 Mod 13

65
Q

What does Splunk do?

A

Aggregate, analyze, and get answers from your machine data

Page 5 Mod 1

66
Q

What data can be pulled into Splunk?

A

Index ANY data from ANY source

  • Computers
  • Network devices
  • Virtual machines
  • Internet devices
  • Communication devices
  • Sensors
  • Databases
  • Logs
  • Configurations
  • Messages
  • Call detail records
  • Clickstream
  • Alerts
  • Metrics
  • Scripts
  • Changes
  • Tickets

Page 6 Mod 1

67
Q

Types of Splunk Deployment?

A

Splunk Enterprise - Splunk components installed and administered on-premises

Splunk Cloud

  • Splunk Enterprise as a scalable service
  • No infrastructure required

Splunk Light
- Solution for small IT environments

Page 8 Mod 1

68
Q

What three things define what Splunk Apps are?

A
  • Designed to address a wide variety of use cases and to extend the power of Splunk
  • Collections of files containing data inputs, UI elements, and/or knowledge objects
  • Allows multiple workspaces for different use cases/user roles to co-exist on a single Splunk instance

Page 9 Mod 1

69
Q

What are Splunk Enhanced Solutions?

A
  • Splunk IT Service Intelligence (ITSI)
  • Splunk Enterprise Security (ES)
  • Splunk User Behavior Analytics (UBA)

Page 10 Mod 1

70
Q

Out of the box, there are 3 main roles:

A

Admin
Power
User

Page 11 Mod 1

71
Q

What is the Search & Reporting App used for?

A
  • Provides a default interface for searching and analyzing data
  • Enables you to create knowledge objects, reports, and dashboards

Page 14 Mod 1

72
Q

Data Summary Tabs

Unique identifier of where the events originated (host name, IP address, etc.)

A

Host!

73
Q

Data Summary Tabs

Name of the file, stream, or other input.

A

Source!

74
Q

Data Summary Tabs

Specific data type or data format

A

Sourcetype!

75
Q

Splunk is comprised of ___ components. What are they and how many?

A

3 main components
Indexer
Search Head
Forwarder

Page 23 Mod 2

76
Q

What are three things the Indexer does?

A
  • Processes machine data, storing the results in indexes as events, enabling fast search and analysis
  • As the Indexer indexes data, it creates a number of files organized in sets of directories by age
  • Contains raw data (compressed) and indexes (points to the raw data)

Page 24 Mod 2

77
Q

What are four things the Search Heads do?

A
  • Allows users to use the Search language to search the indexed data
  • Distributes user search requests to the Indexers
  • Consolidates the results and extracts field value pairs from the events to the user
  • Knowledge Objects on the Search Heads can be created to extract additional fields and transform the data without changing the underlying index data

Page 25 Mod 2

78
Q

What are four things Forwarders do?

A
  • Splunk Enterprise instances that consume and send data to the index
  • Require minimal resources and have little impact on performance
  • Typically reside on the machines where the data originates
  • Primary way data is supplied for indexing

Page 27 Mod 2

79
Q

What are the 3 less-common components of Splunk?

A

Deployment Server
Cluster Master
License Master

Page 28 Mod 2

80
Q

Splunk Deployment - Standalone or Single Server

A
  • All functions in a single instance of Splunk
  • For testing, proof of concept, personal use, and learning
  • This is what you get when you download Splunk and install with default settings

Page 29 Mod 2

81
Q

Splunk Deployment - Basic or Splunk Server

A

Has a Splunk server:
- Similar to server in standalone configuration

  • Manage deployment of forwarder configurations

Adds forwarders which:
- Collect data and send it to Splunk servers

  • Install forwarders at data source (Usually production servers)

Page 30 Mod 2

82
Q

Splunk Deployment - Basic

A

Splunk server
-Similar to server in standalone configuration

-Manage Deployment of forwarder configurations

Forwarders
- Forwarders collect data and send it to Splunk servers

  • Install forwarders at data source (usually production servers)

Page 30 Mod 2

83
Q

What are three rules and limits in Basic Deployment for organizations:

A
  • Indexing less than 20GB per day
  • With under 20 users
  • Small amount of forwarders

Page 30 Mod 2

84
Q

A Splunk Deployment - Multi-Instance

A
  • Increases indexing and searching capacity
  • Search management and index functions are split across multiple machines
  • Search Head - for Searching
  • Indexers - Indexing and Parsing
  • Forwarders - Provide Input

Page 31 Mod 2

85
Q

What are three rules and limits in Multi - Instance deployment for organizations:

A
  • Indexing up to 100GB per day
  • Supports 100 users
  • Supports several hundred forwarders

Page 31 Mod 2

86
Q

Splunk Deployment - Increasing Capacity/Search Head Cluster

A

Adding a Search Head Cluster:

  • Services more users for increased search capacity
  • Allows users and searches to share resources
  • Coordinate activities to handle search requests and distribute the requests across the set of indexers

Require a minimum of three search heads

Use a deployer to manage and distribute apps to the members of the search head cluster.

Page 32 Mod 2

87
Q

What is the minimum number of Search Heads required to make a cluster?

A

3 Search Heads

Page 32 Mod 2

88
Q

What is used to manage and distribute apps to the members of the Search Head Cluster?

A

A Deployer!

Page 32 Mod 2

89
Q

Splunk Deployment - What is an Index Cluster used for?

A

Traditional Index Clusters:

  • Configured to replicate data
  • Prevent data loss
  • Promote availability
  • Manage multiple indexers

Page 33 Mod 2

90
Q

Two things to know about non-replicating Index Clusters:

A
  • Offer simplified management
  • Do not provide availability or data recovery

Page 33 Mod 2

91
Q

What are the Splunk components installed from the Splunk Enterprise package?

A
Indexer (Search Peer)
Search Head
Deployment Server
License Master
Heavy Forwarder
Cluster Master
Search Head Cluster

Page 35 Mod 2

92
Q

splunk help

A

Display a usage summary

Page 38 Mod 3

93
Q

splunk [start | stop | restart]

A

Manage the Splunk processes

Page 38 Mod 3

94
Q

splunk start --accept-license

A

Automatically accept the license without prompt

Page 38 Mod 3

95
Q

splunk status

A

Display the Splunk process status

Page 38 Mod 3

96
Q

splunk show splunkd-port

A

Show the port that the splunkd listens on

Page 38 Mod 3

97
Q

splunk show web-port

A

Show the port that Splunk Web listens on

Page 38 Mod 3

98
Q

splunk show servername

A

Show the servername of this instance

Page 38 Mod 3

99
Q

splunk show default-hostname

A

Show the default host name used for all data inputs

Page 38 Mod 3

100
Q

splunk enable boot-start-user

A

Initialize script to run Splunk Enterprise at system startup

Page 38 Mod 3

102
Q

Splunk Index Time Process

Input Phase:

A

Handled at the source (usually a forwarder)

  • The data sources are being opened and read
  • Data is handled as streams and any configuration settings are applied to the entire stream

Page 40 Mod 4

103
Q

Splunk Index Time Process

Parsing Phase:

A

Handled by indexers (or heavy forwarders)
- Data is broken up into events and advanced processing can be performed

Page 40 Mod 4

104
Q

Splunk Index Time Process

Indexing Phase:

A
  • License meter runs as data is initially written to disk, prior to compression
  • After data is written to disk, it cannot be changed

Page 40 Mod 4

105
Q

What are the data input types that Splunk supports?

A
Files and directories
Network data
Script output
Windows logs
HTTP
You can add data inputs with:
Apps and add-ons from Splunkbase
Splunk Web 
CLI
Directly editing inputs.conf

Page 41 Mod 4

106
Q

What are the default Metadata settings for Splunk?

A

Source
Host
Sourcetype
Index

Page 42 Mod 4

107
Q

What are the Add Data options depending on the source being used?

A

Upload Option - allows uploading local files that only get indexed once. Useful for testing or data that is created once and never gets updated. Does not create inputs.conf

Monitor Option - provides one-time or continuous monitoring of files, directories, http events, network ports, or data gathering scripts located on Splunk Enterprise instances. Useful for testing inputs.

Forward Option - main source of input in production environments. Remote machines gather and forward data to indexers over a receiving port.

Page 44 Mod 4

108
Q

*NOTE: Splunk parses data into individual events, extracts time, and assigns metadata. Each event has a/an:

A
timestamp
host 
source
sourcetype
index

Page 59 Mod 5

109
Q

What layout options do you have to view your search results in?

A

Raw
List
Table

110
Q

What are Selected Fields?

A

A set of configurable fields displayed for each event

Page 79 Mod 6

111
Q

What are Interesting Fields?

A

They occur in at least 20% of resulting events.

Page 79 Mod 6

112
Q

Fast Mode:

A

Emphasizes speed over completeness

Page 89 Mod 6

113
Q

Smart Mode:

A

Balances speed and completeness (default)

Page 89 Mod 6

114
Q

Verbose Mode:

A
  • Emphasizes completeness over speed
  • Allows access to underlying events when using reporting or statistical commands (in addition to totals and stats)

Page 89 Mod 6

115
Q

What are the syntax components of Splunk’s Search Language?

A
Search for this
PIPE
Command
Function
Argument
Clause

Page 97 Mod 8

116
Q

What are the 5 basic components that make up the Splunk Search Language?

A
Search Terms
Commands
Functions
Arguments
Clauses

Page 98 Mod 8

117
Q

Search Language Syntax Components

What are you looking for?
- Keywords, phrases, Booleans, etc

A

Search Terms

Page 98 Mod 8

118
Q

Search Language Syntax Components

What do you want to do with the results?

A

Commands

Page 98 Mod 8

119
Q

Search Language Syntax Components

How do you want to chart, compute, or evaluate the results?

A

Functions

Page 98 Mod 8

120
Q

Search Language Syntax Components

Are there variables you want to apply to this function?

A

Arguments

Page 98 Mod 8

121
Q

Search Language Syntax Components

How do you want to group or rename the fields in the results?

A

Clauses

Page 98 Mod 8

122
Q

What are the colors of Splunk’s search syntax?

A

Boolean Operators/Command Modifiers - ORANGE
Commands - BLUE
Command Arguments - GREEN
Functions - PURPLE

Page 101 Mod 8

123
Q

What are the transforming commands?

A
chart
timechart
stats
top
rare
contingency
highlight
124
Q

Machine data is always structured.

A

False!

125
Q

Machine data makes up for more than ___% of the data accumulated by organizations.

A

90%

126
Q

Machine data is only generated by web servers.

A

False!

127
Q

Which function is not a part of a single instance deployment?

A

Clustering!

128
Q

What are the three main processing components of Splunk?

A

Forwarders
Search Heads
Indexers

Page 23 Mod 2

129
Q

Which of these is not a main component of Splunk?

A

Compress and archive

130
Q

What are the three main default roles in Splunk Enterprise?

A

User
Power User
Admin

Page 11 Mod 1

131
Q

You can launch and manage apps from the home app.

A

True!

132
Q

Which apps ship with Splunk Enterprise?

A

Search & Reporting

Home App

133
Q

In most production environments, _______ will be used as the source of data input.

A

Forwarders

134
Q

The monitor input option will allow you to continuously monitor files.

A

True!

135
Q

Splunk uses ________ to categorize the type of data being indexed.

A

Sourcetype!

136
Q

When zooming in on the event time line, a new search is run.

A

False!

137
Q

How is the asterisk used in Splunk search?

A

A wildcard

138
Q

These are booleans in the Splunk Search Language.

A

NOT
OR
AND

139
Q

What attributes describe the circled field below?

a dest 4

A

It contains string values

It contains 4 values

140
Q

Field names are ________.

A

Case sensitive

141
Q

Which is not a comparison operator in Splunk?

A

?=

142
Q

As a general practice, exclusion is better than inclusion in a Splunk search.

A

False!

143
Q

What is the most efficient way to filter events in Splunk?

A

By time!

144
Q

Time to search can only be set by the time range picker.

A

False!

145
Q

Excluding fields using the Fields Command will benefit performance.

A

False!

146
Q

Finish the rename command to change the name of the status field to HTTP Status.
sourcetype=a* status=404 | rename _____

A

status as “HTTP Status”

147
Q

Would the ip column be removed in the results of this search? Why or why not?

sourcetype=a* | rename ip as “User” | fields - ip

A

NO, because the name was changed

148
Q

How many results are shown by default when using a Top or Rare Command?

A

10

149
Q

Which one of these is not a stats function?

A

Addtotals

150
Q

Which stats function would you use to find the average value of a field?

A

avg

151
Q

The User role can not create reports.

A

False!

152
Q

A time range picker can be included in a report.

A

True!

153
Q

These roles can create reports:

A

User
Power
Admin

154
Q

Data models are made up of ___________.

A

Datasets

155
Q

Adding child data model objects is like the ______ Boolean in the Splunk search language.

A

AND

156
Q

Pivots cannot be saved as reports panels.

A

False!

157
Q

To keep from overwriting existing fields with your Lookup you can use the ____________ clause.

A

OUTPUTNEW

158
Q

External data used by a Lookup can come from sources like:

A

Scripts
CSV
Geospatial data

159
Q

When using a .csv file for Lookups, the first row in the file represents this.

A

Field names

160
Q

Once an alert is created, you can no longer edit its defining search.

A

False!

161
Q

Alerts can be shared to all apps.

A

True!

162
Q

Alerts can run uploaded scripts.

A

True!

163
Q

Search strings are sent from the _________.

A

Search Head!

164
Q

In most Splunk deployments, ________ serve as the primary way data is supplied for indexing.

A

Forwarders!

165
Q

Splunk knows where to break the event, where the time stamp is located and how to automatically create field value pairs using these.

A

Sourcetypes!

166
Q

When a search is sent to splunk, it becomes a _____.

A

Search Job!

167
Q

Field values are case sensitive.

A

False!

168
Q

Having separate indexes allows:

A

Faster Searches
Multiple retention policies
Ability to limit access

169
Q

What command would you use to remove the status field from the returned events?

A

fields -

170
Q

Which clause would you use to rename the count field?

A

as

171
Q

Charts can be based on numbers, time, or location.

A

True!

172
Q

In a dashboard, a time range picker will only work on panels that include a(n) __________ search.

A

Inline

174
Q

Which role(s) can create data models?

A

Power

Admin

175
Q

The instant pivot button is displayed in the statistics and visualization tabs when a _______ search is run.

A

Non-transforming

176
Q

A lookup is categorized as a dataset.

A

True!

177
Q

Finish this search command so that it displays data from the http_status.csv Lookup file.
| ______ http_status.csv

A

inputlookup

178
Q

Real-time alerts will run the search continuously in the background.

A

True

179
Q

What is the order of evaluation for Boolean operations in Splunk?

A

NOT
OR
AND

180
Q

Commands that create statistics and visualizations are called _______________ commands.

A

transforming

181
Q

Shared search jobs remain active for _______ by default.

A

7 days

182
Q

Wildcards cannot be used with field searches.

A

False

183
Q

This symbol is used in the “Advanced” section of the time range picker to round down to nearest unit of specified time.

A

@

184
Q

What is missing from this search?

sourcetype=a* | rename ip as “User IP” | table User IP

A

Quotation marks around User IP

185
Q

_____________ are reports gathered together into a single pane of glass.

A

Dashboards

186
Q

An alert is an action triggered by a _____________.

A

Saved Search

187
Q

Search requests are processed by the ___________.

A

Indexers

188
Q

This role will only see their own knowledge objects and those that have been shared with them.

A

User

189
Q

Files indexed using the upload input option get indexed _____.

A

Once

190
Q

Events are always returned in chronological order.

A

False

192
Q

A search job will remain active for ___ minutes after it is run.

A

10 mins

193
Q

Excluding fields using the Fields Command will benefit performance.

A

False

194
Q

The time stamp you see in the events is based on the time zone in your user account.

A

True

195
Q

If a search returns this, you can view the results as a chart.

A

Statistical values