1
Q
what are considered hosts by splunk ?
A
computers, sensors, virtual machines, web servers, network devices, databases
2
Q
hosts usually generate a variety of data including
A
fault
configuration
accounting
performance
security
system logs
application logs
metrics
tickets
3
Q
where can splunk index data from ?
A
- can index from any source
4
Q
what are the processing components of splunk ?
A
indexers
forwarders
search heads
5
Q
what are the management components of splunk ?
A
- Deployment servers
- indexer cluster manager
- search head cluster deployment
- license manager
- monitoring console
6
Q
what can a search head do once connected ?
A
- search
- analyze
- visualize
- reports
- alerts
- dashboard
- knowledge
7
Q
what are some details about splunk forwarders ?
A
forwarders are generally installed on host machines to collect source data and send to splunk
forwarders are the primary way to send data to splunk for indexing
8
Q
what are the two types of splunk forwarders ?
A
-Universal forwarder
Heavy forwarders
- configured from full splunk enterprise installation
- can parse and filter before forwarding
9
Q
what is a splunk component that resides on machines originating data ?
A
forwarder
10
Q
what is the difference between universal and heavy forwarders
A
heavy forwarders can parse data
11
Q
how does splunk data flow initially ?
A
data from hosts —> Indexer —-> indexes on disk
12
Q
what is an indexer in splunk ?
A
An indexer or search peer is a Splunk enterprise instance that processes and writes data into repositories as events
13
Q
what is processing in regards to splunk?
A
- transform data into events
- assign metadata
- identify or create timestamps
- data repositories are known as indexes
- repositories containing files with index data are called buckets
14
Q
what is thawed data in splunk ?
A
thawed data in splunk is when you are bringing data out of the archive
15
Q
what is an Indexer cluster ?
A
- an indexer cluster is when you group indexers together to provide data replication
- cluster manager - coordinates replication activities and manages the cluster
16
Q
what is a splunk component that transforms raw data into events?
A
indexer and heavy forwarders are the splunk components that transform raw data into events
17
Q
what are some of the details regarding search heads
A
- allows users to write search queries SPL to search the indexed data
- distributes search requests to the indexers and merges the result back to the user
Can create fields and other knowledge objects such as
- reports
- alerts
- visualizations
- dashboards
18
Q
what are some details regarding the search head cluster ?
A
- groups of search heads with identical configuration
- search requests from users are balanced across the SH groups
- Managed by a cluster captain
- cluster deployer, distributes apps and other configuration to cluster members
19
Q
what are some details of the configuration deployment server?
A
- distributes content, configuration, apps to other groups of splunk instances
- distributed content is known as deployment apps
- used mostly to distribute apps to splunk forwarders
20
Q
what is the forwarder manager for Splunk ?
A
provides a way to configure deployment servers and monitor updates
21
Q
what is the license manager in Splunk ?
A
Hosts licenses and assigns license volume to other splunk components in a distributed deployment
License meter runs during indexing
License types
- Volume based
- Infrastructure based
- Access to splunk features
22
Q
what is the monitoring console in Splunk ?
A
Used to view topology and performance information.
23
Q
what are the three main out of the box roles in Splunk ?
A
User
Power
Admin
24
Q
what are some of the default app examples ?
A
home app
search app
25
what is the default port for Splunk web ?
port 8000
26
what are some splunk default app examples ?
home app
search and reporting app
27
what are splunk apps ?
splunk apps are custom solutions that allow you to extend the functionality of the splunk platform
28
what can splunk apps do for us ?
What can Splunk Apps do for us ?
Separate workspaces for different use cases to co exist on a single instance.
- Alerts
- Reports
- Dashboards
Custom configurations to ingest data
Collections of
- Data inputs
- UI Elements
- Knowledge Objects
29
how do we access splunk apps ?
you can access Splunk apps on Splunk-base
30
what is SPL ?
SPL is Splunk processing language
31
what can be changed using the account settings and preferences ?
preferences - time zone
Full name
Email
Password
change the theme
32
what is the splunk search and reporting app ?
default app that provides an interface to search, analyze and visualize data in splunk
33
what is the search bar used for in splunk ?
the search bar is where you specify search criteria
34
what is the app navigation bar in Splunk?
shows views in the current applicationand the different apps avaliable
35
what is the time range picker in splunk ?
allows us to specify the time period to search
Default value is 24 hours
36
what are the three different types of search modes in splunk ?
Fast (better performance less info)
Smart (less performance but more info then fast mode)
Verbose (slowest performance but the most information)
37
what is search history in splunk ?
See a history of your searches
You can select to re-run a search
38
what are the different ways you can view counts of events in Splunk ?
Hosts
Sources
Source types
39
what is a quick way to understand data in your deployment?
the data summary type
40
what are the fields presented under the data summary tab ?
host
source
source type
41
what are the three out of the box users in splunk ?
user
power
admin
42
what is the user role in splunk ?
Limited access to Settings
Create private knowledge objects
Assign to basic users
43
what is the power role in splunk ?
Limited access to settings
Create and publish share knowledge objects
Assign to power users
44
what is the admin role in splunk ?
Access to all settings
Has the most capabilities
Assign to splunk admins
45
which roles have minimum and maximum permissions
minimum permissions is the user role
Maximum permissions is the admin role
46
Which Splunk component transforms raw data into events and distributes the result to an index?
Indexer
47
Which component of splunk is primarily responsible for saving data ?
Indexer
48
The three basic components of splunk are ?
Forwarder, indexer, Search head
49
What is Splunk ?
Splunk is a software platform to search, analyze and visualize the machine generated data
50
Which component of Splunk let us write SPL query to find the required data?
Search head
51
What Splunk Components can perform log filtering/parsing ?
Heavy forwarders
52
What is true about user account settings and preferences?
Full name, time zone, and default app can be defined by clicking the login name in the Splunk bar
53
A collection of items contains things such as data inputs, UI elements and knowledge objects is known as what ?
An app
54
explain what Splunk apps are ?
It is a collection of different Splunk config files like data inputs, UI and Knowledge objects
55
What is the default app for Splunk Enterprise ?
Search and reporting
56
How many main roles do you have in Splunk ?
3
57
What is the default web port used by Splunk?
8000
58
what are some of the ways we get data in Splunk ?
Get data from Files and Directories
Get data from network sources
Get data from Windows sources
Get data from other sources
59
what are some of the ways we can get data from files and directories in splunk ?
Monitor files and directories
Upload static files
60
what are some of the ways we can get data from network sources ?
Data that comes over a network port
Both TCP and UDP protocols supported
61
what are some of the ways we can get data from windows sources in splunk ?
Windows Event logs
Windows registry
Windows Management Instrumentation
Active Directory
Performance monitoring
62
what are some of the other sources we can get data from in Splunk ?
APIs
Databases
Metrics
FIFO queues
63
what are some of the ways we can ingest data into Splunk ?
Use existing Apps and Add-ons
Use forwarders to get data
use HTTP event collector HEC
for custom data use
64
what are some of the ways we can ingest data into Splunk using existing apps and Add ons
- Splunk add-on for windows
- Splunk add-ons for AWS
- Splunk DB connect
- Splunk stream
65
what is the way we can use forwarders to get data ?
Install forwarders on the sources generating data
Use heavy forwarder when more processing is required before ingestion
66
what are ways we can use the splunk HEC to ingest data into splunk?
Use HEC to get data from the HTTP or HTTPS protocol
67
what is the splunk index time process ?
data is handled at the splunk data source and forwarded using the universal forwarder or heavy forwarder
then the data sources are open and read
configurations are applied to entire streams
data is sent out for indexing
68
what are the three phases of the splunk index time process ?
The first phase of the Splunk index time process is the input phase
The second phase of this process is the parsing phase
The third phase of this is the indexing phase
69
explain the parsing phase of the splunk index time process ?
Handled at
- Indexer
- Heavy forwarder
Data broken into events
Extract default metadata fields
- Host
- Source
- Sourcetype
- Index
Identify or create timestamps
Identify line termination
70
explain the indexing phase of the splunk index time process ?
Handled at
- Indexer
- Run License meter
- Build index data structures
- Write data to disk
71
what are the different ways of configuring data inputs in splunk ?
Splunk web
CLI
Configuration files edit inputs.conf
Apps and add-ons from Splunkbase
72
what are the three ways we can add data inputs using splunk web ?
uploads
monitor
forward
73
explain the upload function in splunk web
Upload local files from your computer
Only gets indexed once
74
what is the monitor function in splunk web
Monitor files and directories, network ports
Data located on splunk enterprise instance
Useful for testing
75
explain the forward function in Splunk web
Frequently used in production environments
Get data from remote machines over receiving port
Remote machines have the forwarder installed to forward data
76
what is the default splunk installation directory in windows ?
C:\Program Files\Splunk
77
what is the default splunk installation directory for linux ?
/opt/splunk/
78
what is the default MAC os splunk installation directory ?
/Applications/Splunk
79
Data source being open and read applies to?
The input phase
80
Select the correct option that applies to index time processing
Input, parsing, indexing
81
The splunk index time process can be broken down into how many phases
3
82
Where does licensing meter happen ?
Indexer
83
Which statement is true about heavy forwarders ?
Parsing, masking, forwarding
84
We use keywords and phrases to retrieve matched events from the index:
When searching for keywords splunk is searching the keyword against raw events in the _raw filed
The _raw field contains the entire events
To search matching phrases, use double-quotes example "user ubuntu"
85
what do we use wildcards for in Splunk ?
Use wildcards to match characters in string values for events in your index
86
what is best practice for using wildcards ?
As best practice, use wildcards at the end of the term.
87
in which situations do we want to avoid using wildcards ?
Avoid using at the beginning of a string example *fail
If you put a wildcard at the front it will scan every event
Can cause performance issues
88
should we use wildcards in the middle of a string ?
Don’t use in the middle of a string
Might cause inconsistent results especially in string containing punctuation
89
where should wildcards be used when searching in Splunk ?
To have better searches we should always place our wildcards at the end
The * character can be used as a wildcard
90
what do we use Boolean operators for ?
Use boolean operators AND, OR, NOT to combine search terms
Boolean operators must be in uppercase
The AND operator is implied between terms
Example search for failed password is the same as failed AND password
Example user NOT administrator – search events that contain the word user and does not contain the word administrator
91
what is the point of boolean operators ?
they are used to combine search terms
92
what do we have to remember when using boolean operators ?
boolean operators are always in upper case
93
what does the search assistant help us with in Splunk ?
The search assistant helps with writing searches by providing selections to complete strings
It helps matching searches based on recent search history
Shows list of commands after first pipe
94
what are the three modes in search assistant ?
- compact (default)
- full
- none (used to disable search assistant)
95
what is the difference between full mode and compact mode with the search assistant ?
Full mode shows more information than compact mode
Additionally, it displays count of how many times a term appears in indexed data
96
what are some things to remember when identifying content of search results ?
- Each event contains a timestamp extracted at index time
- The newest events are going to be displayed at the top and the oldest are going to be displayed at the bottom
- Splunk also extracts metadata fields at index time . The metadata fields are the following
- Host
- Source
- Sourcetpye
- Index
Selected fields host,source,sourcetype are shown at the bottom of each event
Terms that match the search are highlighted in search results
97
what are the three display options with the event viewer
- list
- raw
-table
98
what is the order of search results in splunk
reverse chronological order
99
what are the metadata fields in the search results ?
- host
- source
- sourcetype
- index
100
what do time unit abbreviations include ?
S = seconds
M = minutes
H = hours
D = days
W = weeks
Mon = months
Y= years
101
what does the events timeline include ?
The events timeline shows distribution of events over time for a selected time range.
102
Exam: what does using click and drag on the timeline do for us?
We are able to select specific times and timelines without having to re-execute the search
103
what are the three different timeout controls ?
We are able to Format the timeline
Zoom out zoom in to edit the selection
We are able to deselect a section
104
what are some of the search actions we can perform in Splunk ?
Every search you run is a job and generates a job id
Under the job menu you can do the following
- Change job settings
- Send a job to the background
- Can associate an email with this so it emails you when the job is done
- You can inspect a job
- You can use this to find out why a job is taking a long time
- Delete a job
- Pause/resume a job
-Stop job
- Will generate partial results
- Share job
- Provides a link to bookmark or copy /share job
- Can give read permissions to the people you have shared with
Export a job
- Export search results as Raw Events (text file)
- CSV
- XML
- JSON
- Print a job
105
How do we access saved jobs in splunk ?
We have to go to the activity menu to access saved jobs
106
What is the default time to retain a search job
10 minutes
107
How do we keep search results longer then 7 days ?
To save the job longer then 7 days you have to save the job as a report
108
When writing searches in Splunk, which of the following is true about Booleans?
They must be in uppercase
109
How are events displayed after a search is executed?
In reverse chronological order
110
Which time range picker option configuration would return real-time events for the past 30 seconds?
Real time – Earliest: 30-seconds ago, latest: Now
111
Which Boolean operator is always implied between two search terms, unless otherwise specified?
AND
112
What user interface component allows for time selection ?
Time Range Picker
113
Which of the following searches will return results where fail, 400, and error exist in every event?
Error AND (fail AND 400)
114
In a deployment with multiple indexes, what will happen when a search is run and an index is not specified in the search string?
Events from every index searched by default to which the user has access will be returned
115
Which of the following is an option after clicking an item in search results ?
Adding the item to the search
116
What does the following specified time range do?
earliest=-72h@h latest=@d
Look back from 3 days ago, up to the beginning of today
117
What is the primary function of the timeline located under the search bar ?
To show peaks and or valleys in the timeline, which can indicate spikes in activity or downtime.
118
According to splunk best practices which placement of the wildcard results in the most efficient search ?
Fail*
119
Which of the following can be used as a wildcard in splunk
*
120
What is search assistant in Splunk ?
Shows options to complete the search string
121
You can use the following options to specify start and end time for the query range:
Earliest=, latest=
122
Which of the following file types is an option for exporting splunk search results ?
Not pdf, not xls, not RTF, but JSON yes
123
By default how long does splunk retain a search job ?
10 minutes
124
what are indexers in splunk ?
In Splunk, indexers are the components responsible for ingesting, parsing, and storing data into indexes.
Indexers are a critical part of the Splunk architecture, as they handle the initial processing and storage of data before it can be searched and analyzed by search heads or other Splunk components.
125
what are the main tasks with indexers in splunk ?
Data ingestion: They ingest data from various sources like log files, network data, APIs, etc.
Data parsing: They parse the incoming data to extract relevant information and structure it into events.
Data indexing: They index the parsed events by storing them in the appropriate indexes based on configured rules or settings.
Data distribution: In a distributed Splunk environment, indexers can forward data to other indexers for load balancing or data replication purposes.
126
what is the main job of the splunk universal forwarder ?
The Splunk universal forwarder sends data to the splunk indexer
127
what do the splunk search heads provide ?
The search heads provide an interface for the splunk users and allow searches to be made on the data
128
what is a Splunk Indexer ?
Receives data from clients
Converts raw data into searchable events
Executes searches
129
what is a splunk search head ?
Web interface for the user
Manages the searches
Dispatches searches to the indexers
Maintains access control
130
what is a Splunk Universal forwarder ?
Collects data from the machine it is installed on
Keeps track of data ingestion
Very lightweight and production ready
131
what is a splunk index cluster ?
Multiple copies of data replicated across the cluster members
Helps protect against hardware failure on one or more indexers
Cluster mater manages the cluster-level operations
132
what is inside of an indexer ?
Splunk stores data in indexes
Indexes contain buckets
Data buckets contain raw data and index files
Data retention policies are configured at index level
133
what are data buckets in Splunk ?
Data buckets are categorized as hot, warm, cold and frozen
As data ages the data buckets roll from hot to warm to cold to frozen
Data buckets expire when all events in it become older than the configured duration
134
what are hot buckets in splunk ?
Contains the newest bucket
Open for both read and write
Splunk administrator can configure when data rolls to warm bucket
135
what are warm buckets in splunk ?
Open for read only (no writes)
Hot and warm buckets are usually kept in faster storage
When data ages, they roll from warm to cold
136
what are cold buckets in splunk ?
Open for read only (no writes)
Cold buckets can be kept in cheaper and hence slower storage
137
what are frozen buckets in Splunk ?
Not searchable
138
what does splunk implement for security?
Splunk implements role based access control
Three primary roles: user, power, admin
Only power users can share knowledge objects
139
what are knowledge objects ?
Knowledge objects are tools you create and utilize for analyzing your data
140
what are some examples of knowledge objects ?
Filed extractions
Lookups
Data models
Tags
141
what are fields in splunk ?
Fields are searchable name/value pairs in your event data
Searches using fields are more efficient than searches using keywords or quoted phrases
Fields can be extracted from data at index time and at search time
142
what is field discovery in splunk ?
Automatically discover fields based on sourcetype and name/value pairs in your data
143
how would you describe field discovery in Splunk ?
In Splunk, Field Discovery is a feature that automatically identifies and extracts fields (key-value pairs) from events or log messages as they are ingested into Splunk. This process helps structure the data and makes it easier to search, analyze, and report on the information contained within the events.
144
what are the metadata fields in splunk ?
Host
Source
Sourcetype
Index
145
what is the fields sidebar in splunk ?
Fields sidebar displays fields discovered in your events
146
what are selected fields under the fields sidebar ?
By default these are
Host
Source
Sourcetype
Can be configured to add/remove fields
147
what are interesting fields under the field sidebar ?
Fields that appear in at least 20% of your events
Can always make an interesting field a selected field and vice versa
148
what is the all fields option under the field sidebar for ?
Use this to see all fields in events
Will also include fields that appear in less than 20% of your events
149
how do we make any fields a selected field in Splunk ?
Click on all fields
Click the checkboxes next to them to make them selected fields
150
what are some of the different reports when you click on a field under the interesting fields tab ?
Top values / stats and visualizations of top 20 values
Top values by time – timechart for top values
Rare values – stats and visualizations of bottom 20 values
Events with this field – all events containing the field
151
how do we add fields to the field sidebar ?
Have to click on all fields and select the check box next to the field you want to be added
152
What are the field characteristics you need to know for the exam ?
- Numeric Fields
A – Alphanumeric field
Count of unique events
153
What are the default selected fields
Host
Source
Sourcetype
154
What are the reports that show up in the field window ?
Top values / stats and visualizations of top 20 values
Top values by time – timechart for top values
Rare values – stats and visualizations of bottom 20 values
Events with this field – all events containing the field
155
what is the synatx for using fields in searches ?
156
what is the most efficient way to search, using keywords, quoted strings, or field searches
Field searches
157
what are some things to keep in mind when using fields in searches ?
Use quotation marks for field names with spaces
Field names are case sensitive
Field values are not case sensitive
You can use wildcards with fields
You can use Boolean operators AND, OR, NOT with fields
158
are filed names case sensitive when searching ?
Field names are case sensitive field values are not
159
can you use boolean operators with field searches ?
You can also use the boolean operators AND, OR, NOT with field searches
160
what do boolean operators help us with when using searches ?
Narrow down searches specifically to what you want
Improves performance
161
which boolean operator is usually implied ?
AND
162
what is true about boolean operators ?
they always have to be uppercase
163
what are some of the comparison operators
!= | not equal
> | Greater than
< | Less than
>= | greater than or equal to
<= | less than or equal to
164
!=
not equal
165
>
Greater than
166
<
less than
167
>=
greater than or equal to
168
<=
less than or equal to
169
what is the difference between the != and NOT operators ?
"NOT action=remove"
- All events where the action field exists, and value is different from remove
- All events where the action field does not exist
"action!=remove"
- All events where the action field exists and the value is different from remove
- The NOT and != operator will produce the same results when a field exists in all your events
170
what are some features of the fast mode search in Splunk ?
Best performance, speed over completeness
Field discovery is disabled
171
what are some features of the smart mode in Splunk ?
Balances speed and completeness
Field discovery is enabled
172
what are some features of verbose mode in Splunk ?
More data, least performance, completeness over speed
Field discovery is enabled
Shows event when using transforming commands
173
what are the three different search modes in Splunk ?
Fast mode
Smart mode
Verbose mode
174
what are some common search best practices ?
Specify indexes at the beginning of a search string
Use OR instead of wildcards when possible
It is better to use inclusion than exclusion
Inclusion action=addtocart
Exclusion NOT action=addtocart
Include as many search terms as possible to narrow down your results
Specify time to narrow down the results of your search.
175
Which search string only returns events from host WWW3?
Host=WWW3
176
Which of the following searches would return events with failure in index netfw or warn or critical in index netops?
(index=netfw failure) OR (index=netops(warn OR critical))
177
Which of the following is a Splunk search best practice?
Filter as early as possible
178
by default which of the following fields would be listed in the fields sidebar under interesting fields?
Index
179
Which of the following statements about case sensitivity is true?
Field names ARE case sensitive, field values are NOT
180
A field exists in search results, but isn't being displayed in the fields sidebar.
How can it be added to the fields sidebar?
Click All fields and select the field to add it to selected fields
181
In the fields sidebar, which character denotes alphanumeric field values?
@
182
What syntax is used to link key/value pairs in search strings?
action=purchase
183
Which of the following is the most efficient filter for running searches in Splunk?
Time
184
How does Splunk determine which fields to extract from data?
Splunk automatically discovers many fields based on sourcetype and key/value pairs found in the data
185
What syntax is used to link key/value pairs in search strings?
Relational operators such as =,<, or >
186
Which search would return events from the access_combined sourcetype?
sourcetype=Access_Combined
187
Which of the following index searches would provide the most efficient search performance?
(index=web OR index=sales)
188
In the fields sidebar, what indicates that a field is numeric?
A # symbol to the left of the field name.
189
At index time, in which field does Splunk store the timestamp value?
_time
190
Which events will be returned by the following search string? host=www3 status=503
All events with a host of www3, that also have a status of 503
191
what are some specific commands we can apply to Splunk searches ?
Commands
- Specifies what to do with results retrieved
- Calculate Statistics, generate chart, evaluate new fields
192
what are functions in regards to splunk search ?
Functions define how to perform a task required by the command
Function arguments provide the variables needed for the function to do the work
193
what are arguments in regards to Splunk search ?
Variables needed for the command to work
194
what character can sperate commands ?
|
195
what are some common command examples in splunk ?
-eval
-top
-rename
196
what color are functions in search splunk and what are some function examples ?
Functions are always in purple, function examples:
- If
- Count
197
what color are boolean operators in splunk search and what are some examples ?
Boolean operators and clauses are in orange, examples
- AND
- OR
- NOT
198
what color are command line arguments in splunk and what are some examples ?
Command arguments are in green
- Limit
- Span
199
what does the fields command do in Splunk ?
Use the fields command to filter a list of fields returned in the search results
Note that internal fields _raw and _time are returned by default
To include fields
- Use the "fields" or "fields+" command
To exclude fields
- Use fields -
200
what are some details about the table command ?
The table command creates a statistics table of the specified fields
Each row of the created table represents an event, and the columns represent field names
Columns are displayed in the order given in the command when using the table command
201
what are some details regarding the rename command ?
Use the rename command to change the name of a field
Useful when you want to provide meaningful names
Use double-quotes when renaming field names with names that include spaces or special characters
202
what is an example of the rename command ?
Rename command example:
Rename method as "HTTP Method", status as "HTTP Status", clientip as ClientIP_Address
203
what are some details about the sort command ?
the sort command allows us to sort search results by specified fields
To sort in ascending order use the following command:
- Sort +
- Sort
To sort in descending order
Use sort -
Use the limit argument to limit the number of results
204
what does the dedup command do in splunk ?
the dedup command removes duplicates from your results
205
When running searches, command modifiers in the search string are displayed in what color?
Orange
206
When sorting on multiple fields with the sort command, what delimiter can be used between the field names in the search?
comma character ,
207
How do you add or remove fields from search results?
Use Field + to add and field – to remove
208
When placed early in a search, which command is most effective at reducing search execution time?
Fields +
209
Search Language Syntax in Splunk can be broken down into the following components:
Search Term, Pipe, Command, Functions, Arguments, Clause
210
Which command will rename action to customer action?
rename action as Customer Action
211
When is the pipe character | used in search strings?
Before command, For example: | stats sum(bytes) by host
212
Which search will return only events containing the word `error` and display the results as a table that includes the fields named action, src, and dest?
Error | table action,src,dest
213
Which search string only returns events from hostWWW3?
A. host=*
B. host=WWW3
C. host=WWW*
D. Host=WWW3
B
214
by default how long does splunk retain a search job ?
A. 10 Minutes
B. 15 Minutes
C. 1 Day
D. 7 Days
A. 10 Minutes
215
What must be done before an automatic lookup can be created? (Choose all that apply.)
A. The lookup command must be used.
B. The lookup definition must be created.
C. The lookup file must be uploaded to Splunk.
D. The lookup file must be verified using the inputlookup command.
B the lookup definition must be created
216
Which of the following Splunk components typically resides on the machines where data originates?
A. Indexer
B. Forwarder
C. Search head
D. Deployment server
B. Forwarder
217
When writing searches in Splunk, which of the following is true about Booleans?
A. They must be lowercase.
B. They must be uppercase.
C. They must be in quotations.
D. They must be in parentheses.
B. They must be uppercase.
218
Which of the following searches would return events with failure in index netfw or warn or critical in index netops?
A. (index=netfw failure) AND index=netops warn OR critical
B. (index=netfw failure) OR (index=netops (warn OR critical))
C. (index=netfw failure) AND (index=netops (warn OR critical))
D. (index=netfw failure) OR index=netops OR (warn OR critical)
B. (index=netfw failure) OR (index=netops (warn OR critical))
219
Select the answer that displays the accurate placing of the pipe in the following search string: index=security sourcetype=access_* status=200 stats count by price
A. index=security sourcetype=access_* status=200 stats | count by price
B. index=security sourcetype=access_* status=200 | stats count by price
C. index=security sourcetype=access_* status=200 | stats count | by price
D. index=security sourcetype=access_* | status=200 | stats count by price
B. index=security sourcetype=access_* status=200 | stats count by price
220
Which of the following constraints can be used with the top command?
A. limit
B. useperc
C. addtotals
D. fieldcount
A limit
221
what are examples of keyword modifiers in splunk and what color are they ?
- Boolean operators (AND, OR, NOT) to combine or exclude terms
- Wildcard characters (*, ?) to match partial words or unknown characters
- Field qualifiers (fieldname:value) to search within specific fields
Keyword modifiers are orange
222
When running searches, command modifiers in the search string are displayed in what color?
A. Red
B. Blue
C. Orange
D. Highlighted
B. Blue
223
what is the recommended naming conventions for dashboards ?
Group_Object_Description
224
What is a primary function of a scheduled report?
A. Auto-detect changes in performance.
B. Auto-generated PDF reports of overall data trends.
C. Regularly scheduled archiving to keep disk space use low.
D. Triggering an alert in your Splunk instance when certain conditions are met.
D. Triggering an alert in your Splunk instance when certain conditions are met.
225
Which command is used to review the contents of a specified static lookup file?
A. lookup
B. csvlookup
C. inputlookup
D. outputlookup
C. inputlookup
226
When sorting on multiple fields with the sort command, what delimiter can be used between the field names in the search?
A. |
B. $
C. !
D. ,
D. ,
227
Which time range picker configuration would return real-time events for the past 30 seconds?
A. Preset - Relative: 30-seconds ago
B. Relative - Earliest: 30-seconds ago, Latest: Now
C. Real-time - Earliest: 30-seconds ago, Latest: Now
D. Advanced - Earliest: 30-seconds ago, Latest: Now
C. Real-time - Earliest: 30-seconds ago, Latest: Now
228
What is the correct syntax to count the number of events containing a vendor_action field?
A. count stats vendor_action
B. count stats (vendor_action)
C. stats count (vendor_action)
D. stats vendor_action (count)
C. stats count (vendor_action)
229
By default, which of the following fields would be listed in the fields sidebar under interesting Fields?
A. host
B. index
C. source
D. sourcetype
B index
230
Which of the following statements about case sensitivity is true?
A. Both field names and field values ARE case sensitive.
B. Field names ARE case sensitive; field values are NOT.
C. Field values ARE case sensitive; field names ARE NOT.
D. Both field names and field values ARE NOT case sensitive.
B. Field names ARE case sensitive; field values are NOT.
231
What does the rare command do?
A. Returns the least common field values of a given field in the results.
B. Returns the most common field values of a given field in the results.
C. Returns the top 10 field values of a given field in the results.
D. Returns the lowest 10 field values of a given field in the results.
A. Returns the least common field values of a given field in the results.
232
When an alert action is configured to run a script, Splunk must be able to locate the script.
Which is one of the directories Splunk will look in to find the script?
A. $SPLUNK_HOME/bin/scripts
B. $SPLUNK_HOME/etc/scripts
C. $SPLUNK_HOME/bin/etc/scripts
D. $SPLUNK_HOME/etc/scripts/bin
A. $SPLUNK_HOME/bin/scripts
233
Which Boolean operator is always implied between two search terms, unless otherwise specified?
A. OR
B. NOT
C. AND
D. XOR
C. AND
234
Which statement is true about Splunk alerts?
A. Alerts are based on searches that are either run on a scheduled interval or in real-time.
B. Alerts are based on searches and when triggered will only send an email notification.
C. Alerts are based on searches and require cron to run on scheduled interval.
D. Alerts are based on searches that are run exclusively as real-time.
A. Alerts are based on searches that are either run on a scheduled interval or in real-time.
Splunk Certified User
flashcards
Decks in class (3)
# Cards
