SPLUNK Fundamentals 1 Exam: 59 Questions with Answers

1. Q: What are the 3 components of Splunk?
   A: Forwarder: Splunk Enterprise instances which forward data to the Indexer. Indexer: processes machine data and creates files organized into directories by age. Search Head: distributes user search requests to the Indexer.

2. Q: How many roles are there in Splunk?
   A: Admin Power User

3. Q: Splunk will look for ______ to break the events.
   A: Time stamps

4. Q: In case of multiple time stamps, what can be used for extracting the desired field?
   A: Regular Expression

5. Q: Search terms are not case sensitive. (T/F)
   A: True

6. Q: After a search query is entered, matching results are displayed in ___________ order.
   A: Reverse Chronological

7. Q: Splunk parses data into individual events. When searching for e.g. "failed password", each event will have 4 things. What are they?
   A: Timestamp, Host, Source, Source Type

8. Q: Search results can be used to modify the existing search. (T/F)
   A: True

9. Q: What are the layout options for search results?
   A: List, Table, Raw

10. Q: When selecting a subset of events on the timeline, it filters the results. Does it re-execute the search?
    A: No. It only filters the results.

11. Q: "Zoom-out" and "Zoom to selection" re-execute the search. (T/F)
    A: True.

12. Q: Jobs are available for _____ minutes by default. This can be extended to _____ days.
    A: 10 minutes; 7 days

13. Q: Search results can be shared. (T/F)
    A: True

14. Q: Which formats can search results be exported into?
    A: CSV, JSON, XML, PDF

15. Q: Where can you review your search history?
    A: Activity > Jobs (jobs which you ran in the last 10 minutes)

16. Q: Already stored with the event in the index (prior to search time) are meta fields such as:
    A: host, source, sourcetype

17. Q: What are Interesting fields?
    A: Those fields which occur in at least 20% of the resulting events.

18. Q: By default, the selected fields are:
    A: Host, Source, Sourcetype

19. Q: How do you narrow a search to show only results containing a specific field, e.g. action?
    A: action = *

20. Q: How do you narrow a search by adding a specific field/value pair to your search?
    A: action=addtocart

21. Q: Field names are case _______ while field values are case _______.
    A: sensitive; insensitive

22. Q: For IP fields, Splunk is subnet/CIDR aware. (T/F)
    A: True

23. Q: What is the symbol for a wildcard? When are wildcards used?
    A: * These are used to match a range of field values for that field name.

24. Q: What does fieldB!=value3 mean?
    A: The search returns only those values for fieldB that are not value3.

25. Q: What does NOT fieldB=value3 mean?
    A: The search returns everything except fieldB=value3.

26. Q: In an event search under Fast search mode, is field discovery on?
    A: No

27. Q: In a reporting/statistical search under Fast or Smart search mode, is field discovery on; does the field sidebar exist; is access to the Events view possible?
    A: No; No; No

28. Q: What is the default search mode?
    A: Smart

29. Q: What is better, inclusion or exclusion?
    A: Inclusion

30. Q: Avoid using _____ at the start of the string. (wildcard or dedup)
    A: Wildcard

31. Q: What are the abbreviations for: seconds, minutes, hour, days, week, month, year?
    A: s, m, h, d, w, mon, y

32. Q: If the time is 09:37:12, what will -30m@h snap to?
    A: 09:00:00

33. Q: What does earliest=-h mean?
    A: Looks back one hour.

34. Q: What does earliest=-2d@d latest=@d mean?
    A: Looks back from 2 days ago up to the beginning of today.

35. Q: Is it possible to specify multiple indexes? (Y/N)
    A: Yes

36. Q: Is it possible to use wildcards in index values? (Y/N)
    A: Yes

37. Q: What are the 5 basic search concepts?
    A: Search Terms, Commands, Functions, Arguments, Clauses

38. Q: What does fields - percent mean?
    A: Remove the column showing percentage.

39. Q: The TOP command automatically returns two fields. Which?
    A: count, percent

40. Q: By default, how many results are displayed? How do you get unlimited results?
    A: 10; limit=0

41. Q: What are common constraints for the TOP command?
    A: limit, countfield, showperc

42. Q: Display the top 3 users during the last 24 hours. Rename the count field and show the count, but not the percentage.
    A: | top user_x limit=3 countfield="Total views" showperc=f

43. Q: Which command returns the least common field values and has identical options to TOP?
    A: RARE

44. Q: Count invalid or failed login attempts during the last 60 minutes.
    A: index = x (invalid OR failed) | stats count

45. Q: Count the number of events during the last 15 minutes that contain the "vendor action" field. Also count total events.
    A: index = x | stats count(vendor_action) as ActionEvents count as TotalEvents

46. Q: Count the number of events by user, app and vendor action during the last 15 minutes.
    A: stats count by user, app, vendor_action

47. Q: To provide the number of unique values of a field:
    A: stats dc(field)

48. Q: Report the number of units sold and sales revenue for each product. Sort by total price.
    A: stats count(price) as "units sold" sum(price) as "total sales" by product_name | sort - "total sales"

49. Q: Does the list function list all field values for a given field? (Y/N) How do you circumvent it?
    A: Yes. Use the values function.

50. Q: Does running a report return fresh results each time you run it? (Y/N)
    A: Yes

51. Q: What naming standard is proposed for creating reports?
    A: <group>_<object>_<description>

52. Q: What happens if you don't save a report with a time picker?
    A: The report will be saved with the time range selected at its creation.

53. Q: In the field window, how many inbuilt reports are available for: (a) numeric fields, (b) alphanumeric character fields?
    A: (a) 6; (b) 3

54. Q: After creating a Dashboard, the Dashboard ID is created automatically by Splunk. Should it be changed? (Y/N)
    A: No

55. Q: Are lookup fields case sensitive by default? (Y/N)
    A: Yes

56. Q: When a report is created, can it be run as admin or user? (Y/N)
    A: Yes

57. Q: What needs to be done before a report is embedded?
    A: Scheduled

58. Q: Alerts are based on searches which are either _____ or ______.
    A: run per schedule or real-time

59. Q: In Alert actions, Throttling refers to ....
    A: ...suppressing the actions for results within a specified time range.
Uploaded on: Jul 09, 2023