
Splunk Core Certified User & Splunk Fundamentals 1|237 Questions with Answers,100% CORRECT


T/F: Machine data is always structured.
- CORRECT ANSWER False. Machine data can be structured or unstructured.

Machine data makes up for more than ___% of the data accumulated by organizations.
- CORRECT ANSWER 90

T/F: Machine data is only generated by web servers.
- CORRECT ANSWER False

Search requests are processed by the ___________.
- CORRECT ANSWER Indexers

Search strings are sent from the _________.
- CORRECT ANSWER Search Head

In most Splunk deployments, ________ serve as the primary way data is supplied for indexing.
- CORRECT ANSWER Forwarders

Which of these is *not* a main component of Splunk? A) Search and investigate. B) Compress and archive. C) Add knowledge. D) Collect and index data.
- CORRECT ANSWER B) Compress and archive

What are the three main processing components of Splunk? *(Select all that apply.)* A) Indexers B) Deployment Maker C) Search Heads D) Forwarders E) Distributors
- CORRECT ANSWER A) Indexers C) Search Heads D) Forwarders

_________ define what users can do in Splunk. A) Tokens B) Disk permissions C) Roles
- CORRECT ANSWER C) Roles

This role will only see their own knowledge objects and those that have been shared with them. A) User B) Power C) Admin
- CORRECT ANSWER A) User

T/F: You can launch and manage apps from the home app.
- CORRECT ANSWER True

What are the three main default roles in Splunk Enterprise? *(Select all that apply.)* A) King B) User C) Manager D) Admin E) Power
- CORRECT ANSWER B) User D) Admin E) Power

Which apps ship with Splunk Enterprise? *(Select all that apply.)* A) Home App B) Sideview Utils C) Search & Reporting D) DB Connect
- CORRECT ANSWER A) Home App C) Search & Reporting

The default username and password for a newly installed Splunk instance is: A) username and password B) admin and changeme C) admin and 12345 D) buttercup and rawks
- CORRECT ANSWER B) admin and changeme

Files indexed using the *upload* input option get indexed _____. A) Each time Splunk restarts. B) Every hour. C) On every search. D) Once.
- CORRECT ANSWER D) Once.

T/F: The monitor input option will allow you to continuously monitor files.
- CORRECT ANSWER True

Splunk knows where to break the event, where the time stamp is located and how to automatically create field value pairs using these. A) Line breaks B) Source types C) File names
- CORRECT ANSWER B) Source types

Splunk uses ______________ to categorize the type of data being indexed.
- CORRECT ANSWER sourcetype

In most production environments, _____________ will be used as your source of data input.
- CORRECT ANSWER Forwarders

How is the *asterisk* used in Splunk search? A) As a wildcard. B) To make a nose for your clown emoticon. C) As a place holder. D) To add up numbers.
- CORRECT ANSWER A) As a wildcard.

Which of the following search modes toggles behavior based on the type of search being run? A) Smart B) Fast C) Verbose
- CORRECT ANSWER A) Smart

T/F: When zooming in on the event time line, a new search is run.
- CORRECT ANSWER False

T/F: These searches will return the same results... failed password / failed AND password
- CORRECT ANSWER True

A search job will remain active for _____ minutes after it is run. A) 5 B) 10 C) 30 D) 60 E) 90
- CORRECT ANSWER B) 10

What attributes describe the field below? a dest 4 *(Select all that apply.)* A) It contains 4 values. B) It contains numerical values. C) It cannot be used in a search. D) It contains string values.
- CORRECT ANSWER A) It contains 4 values. D) It contains string values.
T/F: Wildcards cannot be used with field searches.
- CORRECT ANSWER False

T/F: Field values are case sensitive.
- CORRECT ANSWER False

Which is not a comparison operator in Splunk? (Select your answer.) A) > B) ?= C) <= D) != E) =
- CORRECT ANSWER ?=

Field names are ________. *(Select all that apply.)* A) Always capitalized. B) Not important in Splunk. C) Case sensitive. D) Case insensitive.
- CORRECT ANSWER C) Case sensitive

This symbol is used in the "Advanced" section of the time range picker to round down to the nearest unit of specified time. (Select your answer.) A) % B) ^ C) @ D) & E) *
- CORRECT ANSWER C) @

T/F: Time to search can only be set by the time range picker.
- CORRECT ANSWER False

What is the most efficient way to filter events in Splunk? A) By time. B) Using booleans. C) With an asterisk.
- CORRECT ANSWER A) By time.

T/F: As a general practice, exclusion is better than inclusion in a Splunk search.
- CORRECT ANSWER False

Having separate indexes allows: *(Select all that apply.)* A) Faster Searches. B) Ability to limit access. C) Multiple retention policies.
- CORRECT ANSWER A) Faster Searches. B) Ability to limit access. C) Multiple retention policies.

Would the ip column be removed in the results of this search? Why or why not? sourcetype=a* | rename ip as "User" | fields - ip A) Yes, because a pipe was used between search commands. B) No, because the name was changed. C) No, because table columns can not be removed. D) Yes, because the negative sign was used.
- CORRECT ANSWER B) No, because the name was changed.

T/F: Excluding fields using the Fields Command will benefit performance.
- CORRECT ANSWER False

Which command removes results with duplicate field values? A) Dedup B) Limit C) Join D) Distinct
- CORRECT ANSWER A) Dedup

What is missing from this search?... sourcetype=a* | rename ip as "User IP" | table User IP A) A pipe. B) Search terms C) Quotation marks around User IP. D) A table command.
- CORRECT ANSWER C) Quotation marks around User IP.
What command would you use to *remove the status field* from the returned events? sourcetype=a* status=404 | ___________ status A) table B) fields - C) not D) fields
- CORRECT ANSWER B) fields -

Which one of these is not a stats function? A) Count B) Avg C) Addtotals D) List E) Sum
- CORRECT ANSWER C) Addtotals

To display the most common values in a specific field, what command would you use? A) top B) all C) table D) rare
- CORRECT ANSWER A) top

Which clause would you use to rename the count field? sourcetype=vendor* | stats count __________ "Units Sold" A) rename B) to C) as D) show
- CORRECT ANSWER C) as

How many results are shown by default when using a Top or Rare Command?
- CORRECT ANSWER 10

Which stats function would you use to find the average value of a field?
- CORRECT ANSWER average (or avg)

If a search returns this, you can view the results as a *chart*. A) A list. B) Statistical values C) Time limits. D) Numbers
- CORRECT ANSWER B) Statistical values

T/F: A time range picker can be included in a report.
- CORRECT ANSWER True

These roles can create reports: *(Select all that apply.)* A) Admin B) User C) Power
- CORRECT ANSWER A) Admin B) User C) Power

In a dashboard, a time range picker will only work on panels that include a(n) __________ search. A) transforming B) inline C) visualization D) accelerated
- CORRECT ANSWER B) inline

T/F: The User role can not create reports.
- CORRECT ANSWER False

Adding child data model objects is like the ______ operator in the Splunk search language. A) NOT B) AND C) OR
- CORRECT ANSWER B) AND

T/F: Pivots cannot be saved as report panels.
- CORRECT ANSWER False

The instant pivot button is displayed in the statistics and visualization tabs when a _______ search is run. A) transforming B) non-transforming
- CORRECT ANSWER B) non-transforming

These are knowledge objects that provide the data structure for pivot. A) Alerts B) Indexes C) Reports D) Data models
- CORRECT ANSWER D) Data models

T/F: Pivots can be saved as dashboard panels.
- CORRECT ANSWER True

T/F: A lookup is categorized as a dataset.
- CORRECT ANSWER True

External data used by a Lookup can come from sources like: *(Select all that apply.)* A) Scripts. B) CSV files. C) None. Only internal data can be used. D) Geospatial data.
- CORRECT ANSWER A) Scripts B) CSV files D) Geospatial data

When using a .csv file for Lookups, the first row in the file represents this. A) Field names. B) Output fields. C) Nothing, it is ignored. D) Input fields.
- CORRECT ANSWER A) Field names.

Finish this search command so that it displays data from the http_status.csv Lookup file. | _________________ http_status.csv A) inputlookup B) lookup=* C) datalookup D) lookup
- CORRECT ANSWER A) inputlookup

To keep from *overwriting* existing fields with your Lookup you can use the _________ clause.
- CORRECT ANSWER OUTPUTNEW

T/F: Alerts can be shared to all apps.
- CORRECT ANSWER True

T/F: Real-time alerts will run the search continuously in the background.
- CORRECT ANSWER True

T/F: Alerts can run uploaded scripts.
- CORRECT ANSWER True

T/F: Once an alert is created, you can no longer edit its defining search.
- CORRECT ANSWER False

T/F: Alerts can send an email.
- CORRECT ANSWER True

Which function is not a part of a single instance deployment? A) Searching B) Parsing C) Clustering D) Indexing
- CORRECT ANSWER C) Clustering

T/F: Events are always returned in chronological order.
- CORRECT ANSWER False

Finish the rename command to change the name of the status field to HTTP Status. sourcetype=a* status=404 | rename ______________ A) as "HTTP Status" B) status as "HTTP Status" C) status to "HTTP Status" D) status as HTTP Status
- CORRECT ANSWER B) status as "HTTP Status"

_____________ are reports gathered together into a single pane of glass. A) Dashboards B) Panels C) Alerts D) Scheduled Reports
- CORRECT ANSWER A) Dashboards

An alert is an action triggered by a _____________. A) Selected field B) Tag C) Report D) Saved search
- CORRECT ANSWER D) Saved Search

What is a transforming command?
- CORRECT ANSWER A type of search command that *orders the results into a data table*. Transforming commands "transform" the specified cell values for each event into numerical values that Splunk Enterprise can use for statistical purposes.

What are *seven* common transforming commands?
- CORRECT ANSWER Transforming commands include: 1) chart 2) timechart 3) stats 4) top 5) rare 6) contingency 7) highlight.

What does CIM stand for and what is it?
- CORRECT ANSWER Common Information Model (CIM). A shared semantic model focused on extracting value from data. The CIM is implemented as an add-on that contains a collection of data models, documentation, and tools that support the consistent, normalized treatment of data for maximum efficiency at search time.

What is a lookup?
- CORRECT ANSWER Lookup is a command to *invoke field value lookups*. The lookup command can merge unstructured and structured data. For example: ...| lookup <lookup-table-name> <lookup-field1> AS <event-field1>

What is a scheduled report?
- CORRECT ANSWER A report that is scheduled to run on a regular interval, making it a type of *scheduled search*. Scheduled reports typically initialize one or more alert actions each time they run, such as sending the results of the report run to a set of recipients, logging and indexing custom log events, or adding the results to a CSV lookup.

What is pivot?
- CORRECT ANSWER Pivot is a command that applies a pivot operation to data. For example, this command counts the number of events in the "HTTP Requests" object in the "Tutorial" data model: ...| pivot Tutorial HTTP_requests count(HTTP_requests) AS "Count of HTTP requests"

What are the *three* required parts of a pivot?
- CORRECT ANSWER The pivot command is a generating command and must be first in a search pipeline. It requires a large number of inputs: *the data model*, *the data model object*, and *pivot elements*. ...| pivot <datamodel-name> <object-name> <pivot-element>

What does SPL stand for and what are some of its features?
- CORRECT ANSWER Search Processing Language (SPL). It is Splunk's *proprietary* language. SPL encompasses all the search commands and their functions, arguments, and clauses. Its syntax was originally *based on the Unix pipeline and SQL*. The scope of SPL includes *data searching, filtering, modification, manipulation, insertion, and deletion*.

What is the most recent version of Splunk that is stable?
- CORRECT ANSWER Splunk Version 7.2.1 (As of 12/06/2018)

What are the *three* Splunk search modes?
- CORRECT ANSWER 1) *Verbose* (returns most amount of data) 2) *Fast* (limits types of data returned and emphasizes speed) 3) *Smart* (switches to verbose or fast based on search)

How would you use a wildcard to create a search that looks for all of the *product IDs* that begin with the letter *S* and end in *G01*?
- CORRECT ANSWER productID=S*G01

Indexes consist of what *two* types of files?
- CORRECT ANSWER 1) Raw data files 2) Index files

What is an index?
- CORRECT ANSWER A collection of databases.

What is time-series data?
- CORRECT ANSWER Any data with time stamps.

How does Splunk indexing work?
- CORRECT ANSWER Time-series data is broken into events, based on the timestamps.

When should you avoid using wildcards?
- CORRECT ANSWER When the items searched against have *punctuation*, such as SF-RT_5G01. A typical search would be: productID=S*G01. But due to the way Splunk indexes punctuation (such as underscore or dash), this search would likely fail.

What is the difference between *stats*, *chart*, and *timechart*?
- CORRECT ANSWER Stats: Tabular format that allows *unlimited fields*. Chart: Graphical format that allows *two fields* (x and y axis) and can be pie chart, bar chart, line chart etc. Timechart: Allows display in bar or line graph format, and only takes in *one field* because it uses time for the X axis.

What are the *five* default fields for every event in Splunk?
- CORRECT ANSWER 1) host 2) source 3) source type 4) index 5) timestamp

All of Splunk's configurations are written within what file type?
- CORRECT ANSWER Plain text *.conf* files.

What are the *five* Splunk data bucket ages, from most current to oldest?
- CORRECT ANSWER 1) Hot 2) Warm 3) Cold 4) Frozen 5) Thawed

What happens to data once it reaches the frozen bucket?
- CORRECT ANSWER Depending on the aging policy, the data in the frozen bucket is either *archived or deleted*.

What does a Splunk license specify?
- CORRECT ANSWER How much *data* you can index per calendar day.

What does a generating command do?
- CORRECT ANSWER A generating command *fetches information* from the indexes, *without any transformations*. Generating commands are either event-generating (distributable or centralized) or report-generating. Most report-generating commands are also centralized. Depending on which type the command is, the results are returned in a list or a table.

What does the metadata command do?
- CORRECT ANSWER The metadata command returns a list of sources, sourcetypes, or hosts from a specified index or distributed search peer. For example: ...| metadata type=hosts

What is the Splunk data inspector process?
- CORRECT ANSWER 1) Look at data and decide how to process it. 2) Label data by source type. 3) Break data into events. 4) Normalize timestamps. 5) Add to the Splunk index to be searched.

Where would you go to determine whether the built-in search optimizations are helping your search to complete faster?
- CORRECT ANSWER Job Inspector

What is the job of the Search Head?
- CORRECT ANSWER *Handle search requests* using Splunk search language. Enriches data with reports, dashboards, visualizations.

Search heads send searches to...
- CORRECT ANSWER Indexers

What processes machine data, storing the results in indexes as events, and enables fast search and analysis?
- CORRECT ANSWER The Splunk *Indexer*.

As the Indexer indexes data, it creates a number of files organized by __________
- CORRECT ANSWER age (using the timestamps)

What do Indexes point to?
- CORRECT ANSWER Indexes point to raw compressed data.

Which Splunk component allows a user to extract fields and transform data without changing the underlying index data?
- CORRECT ANSWER Search Heads

Where do forwarders usually reside?
- CORRECT ANSWER Forwarders reside on the machines where the data originates.

Which Splunk component supplies data to be indexed?
- CORRECT ANSWER Forwarders

What are the three less common Splunk components?
- CORRECT ANSWER 1) Deployment Server 2) Cluster Master 3) License Master

What are the Splunk *Basic* Deployment limitations?
- CORRECT ANSWER 1) Indexing less than 20GB per day. 2) Under 20 users. 3) Limited number of forwarders.

What is the minimum number of search heads required for a search head cluster?
- CORRECT ANSWER Three

What is used to *manage and distribute apps* to the members of the search head cluster?
- CORRECT ANSWER A deployer.

What are the benefits of a Search Head Cluster?
- CORRECT ANSWER 1) Services more users. 2) Allows users and searches to share resources. 3) Distribute requests across the set of indexers.

What are the benefits of a traditional Index Cluster?
- CORRECT ANSWER 1) Replicate data. 2) Prevent data loss. 3) Promote availability. 4) Manage multiple indexers.

Which ports are required for Splunk?
- CORRECT ANSWER 1) splunkweb, port 8000 2) splunkd, port 8089 3) forwarder, port 9997

What does the *NIX command do for a Splunk installation?
- CORRECT ANSWER *NIX decompresses the .tar.gz file in the path you want Splunk to run from.

What file extension is the Windows installer?
- CORRECT ANSWER .msi

While Splunk starts automatically on Windows after installation, to automatically start Splunk on Linux a user is required to enable...
- CORRECT ANSWER boot-start

The difference between a single deployment and a Splunk Enterprise deployment is in...
- CORRECT ANSWER The post-deployment configuration.

Which CLI command is used to... *Display a command usage summary*
- CORRECT ANSWER splunk help

Which CLI commands are used to... *Manage the Splunk processes*
- CORRECT ANSWER splunk [start | stop | restart] <process_name>

Which CLI command is used to... *Automatically accept the license without prompt*
- CORRECT ANSWER splunk start --accept-license

Which CLI command is used to... *Display the Splunk process status*
- CORRECT ANSWER splunk status

Which CLI command is used to... Show the port that *splunkd* listens on
- CORRECT ANSWER splunk show splunkd-port

Which CLI command is used to... Show the port that *Splunk Web* listens on
- CORRECT ANSWER splunk show web-port

Which CLI command is used to... *Show the servername of this instance*
- CORRECT ANSWER splunk show servername

Which CLI command is used to... *Show the default host name used for all data inputs*
- CORRECT ANSWER splunk show default-hostname

Which CLI command is used to... *Initialize script to run Splunk Enterprise at system startup*
- CORRECT ANSWER splunk enable boot-start -user

Users with the account type __________ can create additional roles and create apps.
- CORRECT ANSWER administrator

What is the *URL* used by administrators for creating and installing additional Splunk apps?
- CORRECT ANSWER splunkbase.splunk.com

What are the *three* options for adding app data?
- CORRECT ANSWER 1) Upload 2) Monitor 3) Forward

In what circumstance might you use the *upload* option for app data?
- CORRECT ANSWER When *testing* OR when searching small data sets that are *not updated*.
In the following sample device log entries, which parts are the field names, field values, and delimiters?... icmp_seq=0 ttl=64
- CORRECT ANSWER Field names: icmp_seq and ttl. Field values: 0 and 64. Delimiters: equal signs "=".

When Splunk does not have a predefined way to *break events*, how does it accomplish the task?
- CORRECT ANSWER Either through *time stamps* or *regular expressions*.

What happens if the forwarder to indexer connection is lost?
- CORRECT ANSWER Splunk will queue the input data and once the connection is reestablished, Splunk will begin sending data from where it left off.

In regards to the Data Summary window, what is the difference between: Host, Source, and Sourcetype?
- CORRECT ANSWER *Host*: A semi-unique identifier, such as host name, IP address, etc. *Source*: Name of the file, stream, path, etc. *Sourcetype*: The product or software type, such as cisco_asa, ps, win_audit, etc.

Every report and visualization is built based on _______.
- CORRECT ANSWER an underlying search.

What is the benefit of using a monitor over a forwarder?
- CORRECT ANSWER A monitor sends event data as it happens, rather than on a schedule, allowing near real time information.

For production environments, what is the main source of data input?
- CORRECT ANSWER Forwarders

Which boolean operator is implied between search terms?
- CORRECT ANSWER AND

Are search terms case sensitive?
- CORRECT ANSWER No. While field names are case sensitive, search terms are case *insensitive*.

Searching *exact phrases*, such as *best effort* or *unit 0837*, requires the use of what?
- CORRECT ANSWER Quotation marks, i.e. ... "best effort" or "unit 0837"

Which default automated tool provides selections for how to complete the search string?
- CORRECT ANSWER Search Assistant

What are the two Search Assistant modes?
- CORRECT ANSWER 1) Compact 2) Full

In what order are search results returned?
- CORRECT ANSWER Reverse chronological order, i.e. newest first.
T/F: Matching search terms are highlighted.
- CORRECT ANSWER True

When Splunk parses data into individual events, each event typically includes which *four* fields?
- CORRECT ANSWER 1) timestamp 2) host 3) source 4) sourcetype

What is the name of the tab that displays possible field choices on the left of the search results screen?
- CORRECT ANSWER The Fields Sidebar

If you click a highlighted keyword from search results, what are the three options you are given?
- CORRECT ANSWER 1) Add to search 2) Exclude from search 3) New Search

What are the *three* search result view options?
- CORRECT ANSWER 1) List (default) 2) Table 3) Raw

What are the *six* time range tabs in the time picker drop down menu?
- CORRECT ANSWER 1) Presets (default) 2) Relative 3) Real-time 4) Date Range 5) Date & Time Range 6) Advanced

What is the search results timeline used for?
- CORRECT ANSWER The search results timeline *displays the distribution of the event results* and can be used to *drill into specific time ranges* of interest.

What are Splunk jobs typically tied to?
- CORRECT ANSWER Searches

What is the default time search jobs are available for?
- CORRECT ANSWER 10 minutes

What are the *three* ways you can share a particular search you've created?
- CORRECT ANSWER In the bottom right of the search bar there are *job options*, which allow you to do the following: 1) Obtain a sharable *link* for the search/results. 2) *Print* the search results. 3) Save the search results as a *PDF*.

What are the *four* search result export formats?
- CORRECT ANSWER 1) Raw events 2) CSV 3) XML 4) JSON

How would you access recent or saved search jobs?
- CORRECT ANSWER Click the *Activity* drop down menu in the top right of the search app and then select the *Jobs* option.

How does Splunk discover fields for a search?
- CORRECT ANSWER The fields are populated based on *sourcetype* and any *key/value pairs* found in the data.

Which *meta fields* are stored with events in the index prior to search time?
- CORRECT ANSWER 1) host 2) source 3) sourcetype 4) _time 5) _raw

What are the *three* sections of the Fields Sidebar on the left of the search results?
- CORRECT ANSWER 1) Selected Fields (the configured default events) 2) Interesting Fields (frequently observed events) 3) All Fields (link to every field)

How do you make an *Interesting Field* become a *Selected Field*?
- CORRECT ANSWER Click on the Interesting Field and then click the *Yes* button for "Selected".

Which of the following are case sensitive: A) Field Names B) Field Values C) Both A & B D) None of the above
- CORRECT ANSWER A) Field Names

Which of the following is a valid CIDR aware Splunk search: A) clientip="" B) clientip="141.146.8.*" C) Both A & B D) None of the above
- CORRECT ANSWER C) Both A & B

Which of the following is using *incorrect syntax*: A) src_port>1000 src_port<4000 B) referer_domain=*.cn C) host!=www3 D) None of the above
- CORRECT ANSWER D) None of the above

What is the difference between *!=* and *NOT* in the Splunk search language?
- CORRECT ANSWER A search with *NOT* will *include NULL* (i.e. blank) entries in addition to all other events that match the search. Therefore, NOT usually returns more events. A search with *!=* will *not include NULL* entries in addition to all other events that match the search. *Tip: "LARGE letters return a LARGE number of events." In other words, NOT returns NULL entries.*

What is the default Splunk search mode?
- CORRECT ANSWER Smart

Where in a search should a user specify the index value?
- CORRECT ANSWER The index value should be specified at the *beginning* of a Splunk search.

What is a common way to improve Splunk search efficiency, other than specifying time frame and index?
- CORRECT ANSWER Adding as many search terms as possible.

Which is a more optimal search term? *"access denied"* OR *NOT "access granted"*
- CORRECT ANSWER *"access denied"*. Inclusion is generally better than exclusion. Searching for "access denied" is faster than NOT "access granted".

Which command allows you to remove duplicate entries from search results?
- CORRECT ANSWER *dedup* i.e. ... ...| dedup name_of_your_field

Is it more efficient to use wildcards at the beginning or end of strings?
- CORRECT ANSWER Wildcards are more efficient when used at the *end of strings*. i.e. sourcetype=cisco*

What are the Splunk time unit abbreviations?
- CORRECT ANSWER s = seconds, m = minutes, h = hours, d = days, w = week, mon = months, y = year

What does the *@* aka snap symbol do?
- CORRECT ANSWER The snap symbol rounds a search down to the nearest specified unit, i.e. ... Current time when the search starts is 09:37:12; *-30m@h* looks back to 09:00:00

What does the following search command translate to?... earliest=-2d@d latest=@d
- CORRECT ANSWER Look back from two days ago, up to the beginning of today.

What is a common way for Splunk admins to separate data based on user role?
- CORRECT ANSWER An admin typically creates indexes for specific data and then places role based access control on the indexes.

How would you add the *web* index to the current search parameter?... index=security "failed password"
- CORRECT ANSWER (index=security OR index=web) "failed password"

Is it possible to use wildcards for index values?
- CORRECT ANSWER Yes. One example: index=*

What does the following search do? index=web sourcetype=access_* status=503 | stats sum(price) as lost_revenue | eval lost_revenue = "$" + tostring(lost_revenue, "commas")
- CORRECT ANSWER 1) Return all web index entries for status of 503. 2) Calculate the sum of the price field and name it lost_revenue. 3) Format the lost_revenue field so that it is a string that starts with $ and has commas.

What are the *five* basic components that can be used in making Splunk searches?
- CORRECT ANSWER 1) Search terms 2) Commands 3) Functions 4) Arguments 5) Clauses

How many results are returned by default when using the *top* command?
- CORRECT ANSWER 10

What would the following command do to your results?... ... | field - percent
- CORRECT ANSWER Removes the column showing percentages.

What keyboard shortcut allows you to place each pipe on a new line?
- CORRECT ANSWER *Ctrl + \* or *⌘ + \*

What is returned by a *table*?
- CORRECT ANSWER All fields specified in the search argument list.

What search command *changes the name of a field* to a different specified name?
- CORRECT ANSWER rename

Which of the following are valid search entries using the *rename* command?... A) rename productId as ProductID B) rename action as "Customer Action" C) rename status as "HTTP Status" D) All of the above.
- CORRECT ANSWER D) All of the above.

What are the *two* commands used to add or remove fields from search results?
- CORRECT ANSWER 1) *fields +* 2) *fields -*

How would you finish the following search, in order to successfully display network failures during the previous week, and *retrieve only user, app, and src_ip*?... index=security sourcetype=linux_secure (fail* OR invalid) ...
- CORRECT ANSWER index=security sourcetype=linux_secure (fail* OR invalid) | fields user, app, src_ip

How would you change the following search, in order to *remove duplicate* entries for *Vendors* and *VendorCity* from the results? index=sales sourcetype=vendor_sales | table VendorCountry, VendorStateProvince, VendorCity, Vendor
- CORRECT ANSWER index=sales sourcetype=vendor_sales *| dedup VendorCity, Vendor* | table VendorCountry, VendorStateProvince, VendorCity, Vendor

How do you specify whether to sort search results as either *ascending* or *descending*?
- CORRECT ANSWER sort *-*FieldName OR sort *+*FieldName i.e. ... | sort -VendorCountry, +VendorStateProvince

When the *top* command is used, what *two* additional *columns* populate for the returned data?
- CORRECT ANSWER Count and percent.

How would you change this search to show the top 25 results?... sourcetype=linux_secure index=security (fail* OR invalid) | top src_ip
- CORRECT ANSWER sourcetype=linux_secure index=security (fail* OR invalid) | top *limit=25* src_ip

What does *limit=0* equate to?
- CORRECT ANSWER Return unlimited results.

What does *showperc=t* equate to?
- CORRECT ANSWER Show percentage is set to true, i.e. the percentage column would be included in a search of something like top values.

How could this search be modified to return the top 3 common web categories browsed by each user?... index=network sourcetype=cisco_wsa_squid | top x_webcat_code_full limit=3
- CORRECT ANSWER index=network sourcetype=cisco_wsa_squid | top x_webcat_code_full *by user* limit=3

What are the *three* ways to set a boolean value?
- CORRECT ANSWER 1) t or f 2) true or false 3) 1 or 0

How would you modify this search to change the name of the count column to "Total Viewed"?... index=network sourcetype=cisco_wsa_squid | top user x_webcat_code_full limit=3 showperc=f
- CORRECT ANSWER index=network sourcetype=cisco_wsa_squid | top user x_webcat_code_full limit=3 *countfield="Total Viewed"* showperc=f

What does the *rare* command return?
- CORRECT ANSWER The *least common* field values of a given field.

What are some of the common *stats* functions?
- CORRECT ANSWER 1) *count* 2) *distinct_count* or *dc* (unique value count) 3) *sum* 4) *avg* 5) *list* 6) *values* (unique value list)

What does this piped stats command do?... index=security sourcetype=linux_secure *| stats count(vendor_action) as ActionEvents, count as TotalEvents*
- CORRECT ANSWER Counts the number of events that contain a vendor action field (as "ActionEvents"), and counts the total events (as "TotalEvents").

What does this piped stats command do?... index=security sourcetype=linux_secure *| stats count by user, app, vendor_action*
- CORRECT ANSWER Counts the number of events by user, app, and vendor action, i.e. the pipe returns the total number of entries that meet all the field requirements, such as:
USER  APP   VENDOR_ACTION  COUNT
John  sshd  Failed         8
Sam   sshd  Failed         2

What should be added to this search in order to get the total count of all unique domains visited during the search time frame?... index=network sourcetype=cisco_wsa_squid
- CORRECT ANSWER index=network sourcetype=cisco_wsa_squid *| stats dc(domain)*

What does this command do? index=network sourcetype=cisco_wsa_squid | stats sum(sc_bytes) as Bandwidth by s_hostname | sort -Bandwidth
- CORRECT ANSWER 1) Pull values from the network index for cisco wsa squid. 2) Get the stats for source bytes, renamed to Bandwidth, and by source host. 3) Sort the results in descending order by Bandwidth.

T/F: Reports *can't* be shared and added to dashboards.
- CORRECT ANSWER False

What are the *two* ways to create a report?
- CORRECT ANSWER 1) Pivot 2) Search

T/F: Running a report returns fresh results each time you run it.
- CORRECT ANSWER True

What *naming convention* does Splunk recommend for reports?
- CORRECT ANSWER <group>_<object>_<description> i.e. Sales_Report_QuarterlySalesRevenue

What are the *three* main methods for creating tables and visualizations in Splunk?
- CORRECT ANSWER 1) Running a *Report*. 2) Using the *Pivot* interface. 3) Using the *transforming commands* in the search bar.

What is a *timechart*?
- CORRECT ANSWER A timechart is a *report* that shows the *average over time*.

What format does the *statistics* tab display data in?
- CORRECT ANSWER table format

Why is it efficient to create most dashboard panels based on reports?
- CORRECT ANSWER 1) A single report can be used across different dashboards. 2) This links the report definition to the dashboard.

T/F: Any change to the underlying report will affect every dashboard panel that utilizes that report.
- CORRECT ANSWER True

How do you drill down from a visualization to the corresponding search?
- CORRECT ANSWER Simply click a part of the visualization and you will be directed to the area of the search it corresponds to.
What is the default time frame for a pivot? - CORRECT ANSWER All time. How do you add attribute rows to a new pivot? - CORRECT ANSWER 1) Click the "*+*" symbol under "Split Rows." 2) Select the attribute rows from the list. T/F: It is not possible to filter out specific categories from a pivot. - CORRECT ANSWER False T/F: It is possible to display a pivot as either a table or a visualization, such as a column chart. - CORRECT ANSWER True T/F: A pivot can be saved as a report. - CORRECT ANSWER True T/F: Instant Pivot requires a preexisting data model. - CORRECT ANSWER False How is the Instant Pivot data model created? - CORRECT ANSWER Instant pivot creates an underlying data model *utilizing the search criteria* entered during the initial search. What are the *five* steps to create an Instant Pivot? - CORRECT ANSWER 1) Execute a search (search criteria only, no search commands). 2) Click the Statisticsor Visualizationtab. 3) Click the Pivoticon. 4) Select the fields to be included in the data model object. 5) Create the pivot (table or chart). T/F: You can save any pivot to a new or existing dashboard. - CORRECT ANSWER True What do lookups allow you to do? - CORRECT ANSWER Lookups allow you to *add* more *fields* to your *events*: - Provide descriptions for http status codes ("file not found", "service unavailable"). - Define sale prices for products. - Associate RFIDs with user names, IP addresses, and workstation ID. Admins can change the lookup case_sensitive_match option to false in which file? - CORRECT ANSWER transforms.conf What does the *inputlookup* command do? - CORRECT ANSWER Loads results from a specified static lookup input source, such as a .csv file. When do you use the *OUTPUTNEW* command? - CORRECT ANSWER When you do not want to overwrite existing fields. What is a lookup *categorized* as? - CORRECT ANSWER A dataset. Which *app* would you use to create lookups with data from external *SQL databases*? 
- CORRECT ANSWER Splunk DB Connect What is the *file path* for scripts that fire as the result of a scheduled report? - CORRECT ANSWER $SPLUNK_HOME/bin/scripts What are the *five* trigger conditions that can be set for alerts? - CORRECT ANSWER 1) Trigger when any result is found. 2) Trigger on a specific number of results found. 3) Trigger on a specific number of hosts found. 4)Trigger on a specific number of sources found. 5) Custom criteria. Which alert option is used to add a suppression rule? - CORRECT ANSWER Throttle What *two* attributes define an alert throttle? - CORRECT ANSWER 1) Field value 2) Time i.e. If we received an alert for a status=503 entry, suppress 503 alerts for 10 minutes. When using Splunk ES, which *index* would you most likely start a search with? - CORRECT ANSWER index=notable Searches that use transforming commands are called ______. - CORRECT ANSWER Transforming Searches Which port do *forwarders* use? - CORRECT ANSWER Port 9997 Which port does *splunkd* use? - CORRECT ANSWER Port 8089 Which port does *splunkweb use? - CORRECT ANSWER Port 8000 What is the difference between these two commands?.... | sort -count | field -count - CORRECT ANSWER *| sort -count* This command returns the count field in descending order. *| field -count* This command removes the count field. T/F: Every event has an index associated with it. - CORRECT ANSWER True When creating a search, certain keywords will be colored by syntax. What does the following color map to?... *Orange* - CORRECT ANSWER *Orange* = Boolean Operators and Command Modifiers When creating a search, certain keywords will be colored by syntax. What does the following color map to?... *Blue* - CORRECT ANSWER *Blue* = Commands When creating a search, certain keywords will be colored by syntax. What does the following color map to?... *Green* - CORRECT ANSWER *Green* = Command Arguments When creating a search, certain keywords will be colored by syntax. What does the following color map to?... 
*Purple* - CORRECT ANSWER *Purple* = Functions [Show More]
Uploaded On: Jul 09, 2023