What are fields?
building blocks of a Splunk search
What are field aliases?
normalizing data by assigning an alternate name to existing fields in your data
What are field extractions?
values are contained in a field at search time, but can also be manually extracted with the help of regex or delimiters
What are calculated fields?
perform calculations based on the values of existing fields
What are lookups?
used to add additional fields and values that are not contained in your data
What are event types?
- used to save a search that you use often
- user-defined field that represents a category of events
- can be used to normalize field names, tags and field extractions
What are tags?
saved key-value pairs (labels for your data)
What are workflow actions?
provide links within your data that interact with external resources or narrow your search (HTTP GET, HTTP POST, secondary search)
What are reports?
searches you run repeatedly
What are alerts?
searches you run repeatedly (scheduled or real-time), that send notifications
What are macros?
search strings or portions of search strings that can be reused in multiple places
What are data models?
- hierarchically structured datasets that can consist of three types: events, searches, transactions
- can be used in pivot
What is a saved search?
- a search that a user makes available for later use
- a type of knowledge object
- reports, alerts, scheduled searches are types of saved searches
What is a knowledge object?
- user-defined entity that enriches the existing data
- tool used to discover and analyze various aspects of data
- fields, field extractions, saved searches, event types, tags, field aliases, lookups, workflow actions, reports, alerts, data models
What is the CIM?
- Common Information Model
- 22 pre-configured data models
- fields names and tags
- least common denominator of a domain of interest
- used to normalize your data to match a common standard
What are transforming commands?
- massages raw data into a data table
- transform specified cell values for each event into numerical values that can be used for statistical purposes
- required to transform search results into visualizations
- top, rare, chart, timechart, stats, geostats,…
What are the three search modes?
Fast: quick but not detailed (no contents for interesting fields)
Smart (default): combination of fast & verbose
Verbose: slow but detailed (returns all possible field and event data)
What is a data series?
a sequence of related data points that are plotted in a visualization
What are expressions?
produce a value and can be composed by literals, functions, fields parameters, comparisons and other expressions
Which are the Splunk CIM Add-On Data Models?
Alerts
Application State
Authentication
Change Analysis
CIM Validation (S.o.S)
Databases
Email
Interprocess Messaging
Intrusion Detection
Inventory
Java Virtual Machines (JVM)
Malware
Network Traffic
Performance
Splunk Audit Logs
Ticket Management
Updates
Vulnerabilities
Web
What is the order of processing for knowledge objects at search time?
(first to last)
–> field extractions
–> field aliases
–> calculated fields
–> lookups
–> event types
–> tags
