
Splunk Fundamentals 1|183 Questions with Answer 2023,100% CORRECT


Q: What are the 5 main components (functions) of Splunk Enterprise?
A: Index data; Search & investigate; Add knowledge; Monitor & alert; Report & analyze. (Module 1)

Q: What are the three main roles in Splunk? (3)
A: Admin, Power, User. (Module 1)

Q: Which role can install apps, create knowledge objects for all users, and control which apps a user sees by default?
A: Admin

Q: Which role can create and share knowledge objects for the users of an app, and create real-time searches?
A: Power User

Q: Which role can only see its own knowledge objects and those shared with it?
A: User

Q: What are Apps in Splunk?
A: They are designed to address a wide variety of use cases and extend the power of Splunk. An app is a collection of files containing data inputs, UI elements, and/or knowledge objects. Apps allow multiple workspaces for different use cases or user roles to co-exist on a single Splunk instance. There are 1000+ ready-made apps on Splunkbase. (Module 1)

Q: What does the Search and Reporting app do?
A: a. It is the default interface for searching and analyzing data. b. It creates knowledge objects, reports, and dashboards. (Module 1)

Q: What are the seven main components of the Search and Reporting app?
A: Splunk bar, App bar, Search bar, Time range picker, How to search panel, What to search panel, and Search history. (Module 1)

Q: What does the time range picker do?
A: a. It is the single most important parameter you can specify. b. It retrieves events over a specific time period. c. It allows searching by preset times, relative times, real time (earliest, latest), and a date range.

Q: Limiting a search by ___ is key to faster results and is a best practice.
A: Time (Module 7)

Q: The time range picker is set to ___ by default.
A: Last 24 hours (in the Search & Reporting app the default is Last 24 hours, not All time; searching All time is slow and should be avoided).

Q: Search jobs are available for ___ minutes by default.
A: 10

Q: ___ commands create statistics and visualizations.
A: Transforming

Q: The ___ tab is the default tab for searches.
A: Events

Q: What are the three main search modes?
A: Fast, Verbose, and Smart. (Module 6)

Q: The ___ search mode emphasizes speed over completeness: field discovery is turned off for event searches, and no event or field data is returned for stats searches.
A: Fast (Module 6)

Q: The ___ search mode emphasizes completeness over speed and returns all event and field data; Splunk switches to this mode when a visualization is selected.
A: Verbose (Module 6)

Q: The ___ search mode (the default; its behaviour depends on the search string) has field discovery ON for event searches, returns no event or field data for stats searches, and balances speed and completeness.
A: Smart (Module 6)

Q: What options are available under the "Job" action button?
A: Edit job settings, Send job to background, Inspect job, Delete job.

Q: Saved searches are set to ___ by default.
A: Private

Q: The timestamp shown in events is based on the user's ___ setting in the account profile.
A: Time zone

Q: List the three booleans.
A: AND, OR, NOT

Q: The ___ boolean is used when none is specified.
A: AND

Q: Exact phrases must be enclosed in ___.
A: Quotes. Generally you need quotes around phrases and field values that include white space, commas, pipes, quotes, or brackets. Quotes must be balanced: an opening quote must be followed by an unescaped closing quote.

Q: Use a ___ to search for a string that itself contains quotes.
A: Backslash. The backslash character (\) is used to escape quotes, pipes, and itself.
Example: to match the value user "chrisV4" not in database, write info="user\"chrisV4\" not in database". The unescaped form info="user "chrisV4" not in database" has unbalanced quotes and does not match.

Q: The three default selected fields are:
A: host, source, sourcetype (Module 6)

Q: The ___ sidebar shows all fields extracted at search time.
A: Fields (Module 6)

Q: ___ fields (host, source, sourcetype) are default and appear in every event.
A: Selected (Module 6)

Q: ___ fields have values in at least 20% of the events.
A: Interesting (Module 6)

Q: Clicking on a field shows a list of ___, ___, and ___.
A: values, count, and percentage (Module 6)

Q: These four quick reports can be launched by clicking a field in the sidebar:
A: Top values, Top values by time, Rare values, Events with this field (Module 6)

Q: Use ___ to limit a search to only one sourcetype.
A: sourcetype=

Q: ___ are case sensitive; ___ are case insensitive.
A: Field names; field values (Module 6)

Q: These comparison operators are only used with numerical values:
A: > >= < <= (= and != work with both strings and numbers)

Q: (T/F) Using NOT and != returns the same results.
A: False. field!=value matches only events where the field exists and has a different value; NOT field=value also matches events in which the field is missing entirely, so the two can return different result sets.

Q: Use ___ to nest boolean searches.
A: Parentheses

Q: ___ is better than exclusion.
A: Inclusion (Module 7)

Q: When working with reports, you can edit, clone, embed, and delete them under the ___ tab.
A: Reports

Q: These create charts, compute statistics, and format results.
A: Search commands

Q: By default the top command returns the top ___ results with a count and percentage.
A: 10

Q: What are the three ways to create visualizations?
A: 1. Select a field from the fields sidebar. 2. Use the Pivot interface. 3.
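The NOT versus != card above is the one most often got wrong in practice, and it matters for detections: a filter that silently drops events lacking a field hides exactly the malformed or partial events an attacker tends to produce. The following Python model is an added example written for these notes; it is not Splunk code and not part of the original flashcards. It evaluates the two filters over constructed sample events (the field names user, action and status are assumed) and also shows why boolean precedence (NOT first, then OR, then the implied AND) changes the result of an unparenthesised search:

```python
"""Added example: model of Splunk's NOT vs != semantics and boolean precedence.
Events, field names and values below are constructed for illustration."""
from typing import Any, Dict, List

Event = Dict[str, Any]

# Constructed auth events. Note the last one carries no "action" field at all.
EVENTS: List[Event] = [
    {"user": "alice", "action": "login", "status": "success"},
    {"user": "bob", "action": "login", "status": "failure"},
    {"user": "carol", "action": "logout", "status": "success"},
    {"user": "dave", "status": "failure"},
]


def field_eq(event: Event, field: str, value: str) -> bool:
    """field=value: the field must exist and match (field values compare case-insensitively)."""
    actual = event.get(field)
    return actual is not None and str(actual).lower() == value.lower()


def field_neq(event: Event, field: str, value: str) -> bool:
    """field!=value: the field must exist AND differ. An event without the field is not matched."""
    actual = event.get(field)
    return actual is not None and str(actual).lower() != value.lower()


def not_field_eq(event: Event, field: str, value: str) -> bool:
    """NOT field=value: the complement of field=value, so events missing the field ARE matched."""
    return not field_eq(event, field, value)


def search_neq(events: List[Event], field: str, value: str) -> List[str]:
    """Equivalent of:  action!=login   (returns the matching users)."""
    return [e["user"] for e in events if field_neq(e, field, value)]


def search_not(events: List[Event], field: str, value: str) -> List[str]:
    """Equivalent of:  NOT action=login   (returns the matching users)."""
    return [e["user"] for e in events if not_field_eq(e, field, value)]


def splunk_precedence(events: List[Event]) -> List[str]:
    """Equivalent of:  status=failure OR action=logout NOT user=bob
    Splunk evaluates NOT first, then OR, then the implied AND, i.e.
    (status=failure OR action=logout) AND (NOT user=bob)."""
    return [
        e["user"] for e in events
        if (field_eq(e, "status", "failure") or field_eq(e, "action", "logout"))
        and not_field_eq(e, "user", "bob")
    ]


def conventional_precedence(events: List[Event]) -> List[str]:
    """The same string read the way most programming languages would (AND binds
    tighter than OR): status=failure OR (action=logout AND NOT user=bob).
    Bob's failed login leaks through; compare with splunk_precedence()."""
    return [
        e["user"] for e in events
        if field_eq(e, "status", "failure")
        or (field_eq(e, "action", "logout") and not_field_eq(e, "user", "bob"))
    ]


if __name__ == "__main__":
    print("action!=login     ->", search_neq(EVENTS, "action", "login"))
    print("NOT action=login  ->", search_not(EVENTS, "action", "login"))
    print("Splunk precedence ->", splunk_precedence(EVENTS))
    print("AND-binds-tighter ->", conventional_precedence(EVENTS))
```

Running it shows the != filter returning only carol, while NOT also returns dave, whose event has no action field. When a detection needs to exclude a value but must not lose events that lack the field, use NOT; when it should only consider events that actually carry the field, use !=. Parenthesise mixed AND/OR searches rather than relying on the precedence rule.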
Use SPL commands in the search bar together with the Statistics and Visualization tabs.

Q: Save visual reports as a ___ or a ___.
A: Report or a dashboard panel

Q: An ___ is an action that a saved search triggers based on the results of the search.
A: Alert

Q: ___ lets you design reports in a simple interface without having to craft a search string.
A: Pivot

Q: The default time value for Pivot is ___.
A: All time

Q: The data model is the framework and the ___ is the interface to the data.
A: Pivot

Q: The ___ object is the main source of data in a data model.
A: Root

Q: Adding a ___ object acts like an AND boolean in Splunk.
A: Child dataset

Q: (T/F) An instant pivot allows instant access to data without having a data model.
A: True

Q: Alerts use a ___ search to check for events.
A: Saved

Q: Adjust the ___ type to configure how often the search runs.
A: Alert

Q: Use ___ alerts to check for events on a regular basis.
A: Scheduled

Q: ___ alerts monitor for events continuously.
A: Real-time

Q: An ___ action can notify you of a triggered alert and help you start responding to it.
A: Alert

Q: Search terms include (6):
A: Keywords, booleans, phrases, fields, wildcards, and comparisons.

Q: ___ is the most efficient filter.
A: Time

Q: Are search terms case sensitive or case insensitive? (components of the search language)
A: Case insensitive

Q: ___ tell Splunk what we want to do with the search results, such as creating charts, computing statistics, and formatting.
A: Commands

Q: ___ explain how we want to chart, compute, and evaluate the results, like "list".
A: Functions

Q: ___ are the variables we want to apply to the functions, like a field name.
A: Arguments

Q: ___ explain how we want the results grouped or defined, like "as" or "by".
A: Clauses

Q: ___ is used to pass the current results to the next search component.
A: A pipe (|)

Q: (T/F) Search commands work from left to right.
A: True

Q: (T/F) Once an item is filtered out, it is no longer available to later components of the search string.
A: True

Q: The ___ command includes or excludes fields from search results.
A: fields

Q: Exclude a field by using a ___ symbol.
A: Minus (-)

Q: (T/F) The primary fields _time and _raw are always extracted, but can also be removed by using the fields command with the minus (-) symbol.
A: True

Q: Field ___ happens after all the fields have been extracted from a search and only affects the displayed results; field ___ happens before field extraction and can improve performance.
A: Exclusion; inclusion

Q: The ___ command keeps searched data in a tabulated format using only the fields in its argument list.
A: table

Q: (T/F) With the rename command, once a field is renamed the original name is still available to later search commands.
A: False

Q: This command removes events with duplicate values; it can be used on multiple fields.
A: dedup

Q: The ___ command followed by a field name displays results in ascending (+, the default) or descending (-) order.
You can use the limit=N option to reduce the number of results.
A: sort

Q: (T/F) Lookup fields also appear in the fields sidebar.
A: True

Q: The ___ command produces statistics from search results.
A: stats

Q: This function of the stats command shows the number of events matching the search criteria.
A: stats count

Q: Use this command and function to sum numerical values.
A: stats sum

Q: This command performs stats aggregation against time.
A: timechart

Q: Use the ___ clause to split data by additional fields.
A: by

Q: usenull=___ removes NULL values from chart and timechart results.
A: false (usenull=f)

Q: What does the fillnull command do (e.g. fillnull value=NULL)?
A: The fillnull command adds a field with a default value to events or results that lack fields present on other events or results in the search.

Q: Which command groups multiple events into a single meta-event that represents a single physical event?
A: The transaction command

Q: Examples of data processing commands:
A: sort, eventstats, and some modes of cluster, dedup, and fillnull.

Q: What are transforming commands?
A: Commands that order search results into a statistical data table that can be used for visualizations (for example stats, chart, timechart, top, rare).

Q: Indexes data and files it into directories by age.
A: Indexer

Q: Uses the Splunk search language and distributes search requests to indexers; contains reports, dashboards, and visualizations.
A: Search head

Q: Consumes data and sends it to the indexer.
A: Forwarder

Q: Splunk's way of categorizing the type of data: it tells Splunk where to break events,
where the timestamp is, and how to create field/value pairs.
A: sourcetype

Q: Watches files, directories, HTTP events, etc.
A: Monitor (Add Data)

Q: These are case insensitive and support the * wildcard.
A: Search terms

Q: Booleans (shown in orange):
A: AND, OR, NOT. They must be uppercase, and AND is implied between terms when no boolean is given. Precedence is NOT first, then OR, then AND; use parentheses to make the intended grouping explicit.

Q: Has the following: timestamp, host, source, sourcetype.
A: Event details

Q: Where can you set read permissions, lifetime, and get a link to a job?
A: Job settings

Q: Searchable key/value pairs in your event data. Their names are case sensitive.
A: Fields

Q: A set of configurable fields displayed for each event. Field names are case sensitive; field values are not.
A: Search fields

Q: Occur in at least 20% of the resulting events.
A: Interesting fields

Q: Looks back to the designated earliest event.
A: earliest, e.g. earliest=-1h

Q: Sets the end of the time range. The @ snaps to the start of the time period given.
A: latest, e.g. latest=@d

Q: A location where Splunk stores and searches for event data.
A: Index (the indexer is the Splunk component that writes data into indexes)

Q: This role segregates data into separate indexes to limit access by Splunk role.
A: Administrators

Q: Search component that defines what you are looking for: keywords, phrases, booleans, etc.
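The earliest and latest cards above compress a lot of behaviour into "the @ snaps to the time period": offsets are applied first, then the snap rounds down to the start of the unit, then any offset written after the snap is applied. Getting this wrong in a scheduled detection means either a gap or a double-counted window. The parser below is an added example written for these notes, not Splunk's implementation; it resolves modifiers such as -1h, @d, -1d@d, -7d@w0 and @d-2h against a constructed "now" (Wednesday 2023-07-05 14:37:22) and treats a missing count as 1 (so -d means -1d), which is how this example reads the Splunk time-modifier syntax:

```python
"""Added example: a parser for Splunk-style relative time modifiers (earliest/latest
values such as -1h, @d, -1d@d, -7d@w0, @d-2h). Illustration only, not Splunk's code."""
import calendar
import re
from datetime import datetime, timedelta
from typing import Tuple

# Unit spellings accepted here, normalised to one key.
_ALIASES = {
    "s": "s", "sec": "s", "second": "s", "seconds": "s",
    "m": "m", "min": "m", "minute": "m", "minutes": "m",
    "h": "h", "hr": "h", "hour": "h", "hours": "h",
    "d": "d", "day": "d", "days": "d",
    "w": "w", "week": "w", "weeks": "w",
    "mon": "mon", "month": "mon", "months": "mon",
    "y": "y", "yr": "y", "year": "y", "years": "y",
}
_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
_OFFSET = re.compile(r"([+-])(\d*)([a-z]+)")

DEMO_NOW = datetime(2023, 7, 5, 14, 37, 22)  # constructed "now" for the demo (a Wednesday)


def _offset(t: datetime, sign: str, count: str, unit: str) -> datetime:
    """Apply one [+|-]<count><unit> offset. A missing count is treated as 1 (-d == -1d)."""
    u = _ALIASES.get(unit)
    if u is None:
        raise ValueError(f"unknown time unit {unit!r}")
    n = int(count) if count else 1
    n = -n if sign == "-" else n
    if u in _SECONDS:
        return t + timedelta(seconds=n * _SECONDS[u])
    if u == "mon":  # calendar months, clamping the day of month to the target month's length
        year, month0 = divmod(t.year * 12 + (t.month - 1) + n, 12)
        month = month0 + 1
        return t.replace(year=year, month=month, day=min(t.day, calendar.monthrange(year, month)[1]))
    year = t.year + n  # "y"
    return t.replace(year=year, day=min(t.day, calendar.monthrange(year, t.month)[1]))


def _snap(t: datetime, unit: str) -> datetime:
    """@<unit>: round DOWN to the start of the unit. @w0 (or @w) = Sunday ... @w6 = Saturday."""
    m = re.fullmatch(r"([a-z]+)(\d)?", unit)
    if not m or _ALIASES.get(m.group(1)) is None:
        raise ValueError(f"bad snap unit {unit!r}")
    u, weekday = _ALIASES[m.group(1)], m.group(2)
    if u == "s":
        return t.replace(microsecond=0)
    if u == "m":
        return t.replace(second=0, microsecond=0)
    if u == "h":
        return t.replace(minute=0, second=0, microsecond=0)
    day = t.replace(hour=0, minute=0, second=0, microsecond=0)
    if u == "d":
        return day
    if u == "w":
        target = int(weekday) if weekday else 0
        sunday_based = (day.weekday() + 1) % 7  # Python has Monday=0; Splunk's @w0 is Sunday
        return day - timedelta(days=(sunday_based - target) % 7)
    if u == "mon":
        return day.replace(day=1)
    return day.replace(month=1, day=1)  # "y"


def parse_relative_time(spec: str, now: datetime) -> datetime:
    """Resolve a modifier: leading offsets, then the optional @snap, then trailing offsets."""
    spec = spec.strip().lower()
    if spec in ("", "now"):
        return now
    lead, snap, trail = spec, None, ""
    if "@" in spec:
        lead, rest = spec.split("@", 1)
        m = re.match(r"([a-z]+\d?)(.*)", rest)
        if not m:
            raise ValueError(f"bad snap in {spec!r}")
        snap, trail = m.group(1), m.group(2)
    for part in (lead, trail):  # refuse anything the offset grammar did not consume
        if _OFFSET.sub("", part):
            raise ValueError(f"unparsed text in {spec!r}")
    t = now
    for sign, count, unit in _OFFSET.findall(lead):
        t = _offset(t, sign, count, unit)
    if snap:
        t = _snap(t, snap)
    for sign, count, unit in _OFFSET.findall(trail):
        t = _offset(t, sign, count, unit)
    return t


def resolve(spec: str, now: datetime = DEMO_NOW) -> str:
    """Convenience wrapper returning ISO-8601 text for one modifier."""
    return parse_relative_time(spec, now).isoformat()


def window(earliest: str, latest: str, now: datetime = DEMO_NOW) -> Tuple[str, str]:
    """Resolve an earliest=/latest= pair into absolute bounds, rejecting an inverted range."""
    start, end = parse_relative_time(earliest, now), parse_relative_time(latest, now)
    if start > end:
        raise ValueError("earliest is after latest")
    return start.isoformat(), end.isoformat()


if __name__ == "__main__":
    for spec in ("-1h", "@d", "-1d@d", "-7d@w0", "@d-2h", "-1mon@mon"):
        print(f"{spec:>10} -> {resolve(spec)}")
```

The order of operations is the point: -1d@d is "go back a day, then snap to midnight" (the start of yesterday), whereas @d-2h is "snap to today's midnight, then go back two hours". For a report that runs hourly, earliest=-1h@h latest=@h gives clean, non-overlapping windows; earliest=-1h latest=now gives windows that shift with the scheduler's jitter.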
These are case insensitive.
A: Search terms

Q: Search component that defines what you want to do with the results: create a chart, compute statistics, evaluate and format, etc.
A: Commands (blue)

Q: Search component that defines how you want to chart, compute, or evaluate results: get a sum, get an average, transform the values, etc.
A: Functions (purple)

Q: Variables that you can apply to functions: calculate the average value for a specific field, convert milliseconds to seconds, etc.
A: Arguments (green)

Q: Determines how you want to group or name the fields in the results: give the field another name, or group values by or over.
A: Clauses

Q: The command that returns a table formed only by the fields in the argument list. Each row is an event and each argument is a column.
A: table, e.g. | table clientip, action, status

Q: When used with "as", changes the name of a field.
A: rename, e.g. | rename productid as ProductID

Q: The command that allows you to include (+, the default) or exclude (-) specified fields in your search or report.
A: fields, e.g. | fields user, app, action

Q: The command that removes duplicates from your search results.
A: dedup, e.g. | dedup VendorCity, VendorState

Q: The command that orders your results ascending (+, the default) or descending (-).
A: sort, e.g. | sort country, -city, state

Q: The argument that controls the number of returned results (used with top, rare, and sort).
A: limit, e.g. | top src_ip limit=20

Q: The command that finds the most common values of a given field in the result set. By default it returns the first 10 values and displays them in table format.
A: top, e.g. | top src_ip

Q: Host
A: Name or IP address of the network device from which the events originated.

Q: Source
A: Name of the file, stream, or other data input.

Q: The command that returns the least common values of a given field in the result set.
By default it returns the first 10 values and displays them in table format.
A: rare

Q: The command that enables you to calculate statistics on data that matches your search criteria.
A: stats

Q: The command that returns the most common values of a given field in the result set. By default it returns the first 10 values and displays them in table format.
A: top

Q: | top user xweb_cat limit=3
A: Displays the 3 most common user/web category combinations browsed in the last 24 hours. (When you start a new search, the default time range is Last 24 hours.)

Q: | top xweb_cat by user limit=3
A: Displays the 3 most common web categories browsed by each user.

Q: | top user xweb_cat limit=3 countfield="Total Viewed" showperc=f
A: Displays the top 3 user/web category combinations, renames the count field to "Total Viewed", and shows the count but not the percentage.

Q: (invalid OR failed) | stats count as "Potential Issues"
A: Counts the invalid or failed login attempts and labels the count "Potential Issues".

Q: | stats count(vendor_action) as ActionEvents, count as TotalEvents
A: Counts the number of events in the selected time range (the last 15 minutes in the example) that contain a vendor_action field.
It also counts the total number of events.

Q: The clause that, when used with the stats command, returns a count for each value of a named field or set of fields.
A: by (field or fields), e.g. | stats count by user, app, vendor_action

Q: Stats function that counts how many unique values there are for a given field in the result set.
A: distinct_count(field) or dc(field), e.g. | stats dc(s_hostname) as Websites

Q: Stats function that sums the actual values of a specific field.
A: sum(field), e.g. | stats sum(sc_bytes) as Bandwidth by s_host

Q: Stats function that provides the average numeric value for the given numeric field.
A: avg(field), e.g. | stats avg(sc_bytes) as "Average Bytes" by usage

Q: Stats function that lists all field values for a given field.
A: list(field), e.g. | stats list(s_hostname) as "Web Sites" by username

Q: Stats function that returns a list of unique field values.
A: values(field), e.g. | stats values(s_hostname) as "Web Sites" by username

Q: The three main methods to create tables and visualizations in Splunk are:
A: 1) Select a field from the fields sidebar. 2) Use the Pivot interface. 3) Use a transforming command in the search bar.

Q: Consists of one or more panels displaying data visually, i.e. events, tables, or charts.
A: Dashboard

Q: (T/F) A report or a pivot cannot be used to create a panel on a dashboard.
A: False. Reports and pivots can both be used to create dashboard panels.
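The top and stats cards above list the commands and functions but not what they actually do to the rows, and the differences (count versus count(field), list versus values, what limit and showperc change) are where a triage query goes wrong. The Python below is an added example for these notes, not Splunk code: small reference implementations of those operations run over constructed proxy-style events that reuse the field names from the cards (user, xweb_cat, vendor_action, s_hostname, sc_bytes; all values invented). The third event for carol deliberately lacks vendor_action so the two count forms differ:

```python
"""Added example: reference implementations of the stats/top behaviour described
in the flashcards. Events and values are constructed; field names mirror the cards."""
from collections import Counter
from typing import Any, Dict, List, Optional, Sequence, Tuple

Event = Dict[str, Any]

EVENTS: List[Event] = [
    {"user": "alice", "xweb_cat": "news",    "vendor_action": "allowed", "s_hostname": "news.example.com",   "sc_bytes": 1200},
    {"user": "alice", "xweb_cat": "news",    "vendor_action": "allowed", "s_hostname": "news.example.com",   "sc_bytes": 800},
    {"user": "alice", "xweb_cat": "social",  "vendor_action": "blocked", "s_hostname": "social.example.net", "sc_bytes": 0},
    {"user": "bob",   "xweb_cat": "malware", "vendor_action": "blocked", "s_hostname": "evil.example.org",   "sc_bytes": 0},
    {"user": "bob",   "xweb_cat": "news",    "vendor_action": "allowed", "s_hostname": "news.example.com",   "sc_bytes": 2500},
    {"user": "carol", "xweb_cat": "news",                                "s_hostname": "news.example.com",   "sc_bytes": 300},
]


def stats_count(events: List[Event], field: Optional[str] = None) -> int:
    """| stats count           -> number of events
       | stats count(field)    -> number of events in which `field` is present."""
    if field is None:
        return len(events)
    return sum(1 for e in events if e.get(field) is not None)


def stats_count_by(events: List[Event], *by: str) -> Dict[Tuple[str, ...], int]:
    """| stats count by f1, f2 ...  Events missing any `by` field drop out of the table."""
    out: Counter = Counter()
    for e in events:
        key = tuple(e.get(f) for f in by)
        if all(v is not None for v in key):
            out[key] += 1
    return dict(sorted(out.items()))


def stats_dc(events: List[Event], field: str) -> int:
    """| stats dc(field): number of distinct values."""
    return len({e[field] for e in events if e.get(field) is not None})


def stats_sum_by(events: List[Event], field: str, by: str) -> Dict[str, int]:
    """| stats sum(field) by `by`."""
    out: Dict[str, int] = {}
    for e in events:
        if e.get(by) is not None and e.get(field) is not None:
            out[e[by]] = out.get(e[by], 0) + e[field]
    return dict(sorted(out.items()))


def stats_values_by(events: List[Event], field: str, by: str) -> Dict[str, List[str]]:
    """| stats values(field) by `by`: unique values, sorted (compare stats_list_by)."""
    out: Dict[str, set] = {}
    for e in events:
        if e.get(by) is not None and e.get(field) is not None:
            out.setdefault(e[by], set()).add(e[field])
    return {k: sorted(v) for k, v in sorted(out.items())}


def stats_list_by(events: List[Event], field: str, by: str) -> Dict[str, List[str]]:
    """| stats list(field) by `by`: every value in event order, duplicates kept."""
    out: Dict[str, List[str]] = {}
    for e in events:
        if e.get(by) is not None and e.get(field) is not None:
            out.setdefault(e[by], []).append(e[field])
    return dict(sorted(out.items()))


def top(events: List[Event], fields: Sequence[str], limit: int = 10,
        countfield: str = "count", showperc: bool = True) -> List[Dict[str, Any]]:
    """| top f1 f2 limit=N countfield=... showperc=t|f
    Ranks the most common value combinations. percent = count / rows that have all fields * 100.
    Splunk does not guarantee the order of ties; here ties are broken by the field values."""
    counts = stats_count_by(events, *fields)
    total = sum(counts.values())
    ranked = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[:limit]
    rows: List[Dict[str, Any]] = []
    for key, n in ranked:
        row: Dict[str, Any] = dict(zip(fields, key))
        row[countfield] = n
        if showperc:
            row["percent"] = round(100.0 * n / total, 6)
        rows.append(row)
    return rows


if __name__ == "__main__":
    print("count:", stats_count(EVENTS), " count(vendor_action):", stats_count(EVENTS, "vendor_action"))
    print("dc(s_hostname):", stats_dc(EVENTS, "s_hostname"))
    print("top user xweb_cat limit=3 countfield=\"Total Viewed\" showperc=f:")
    for row in top(EVENTS, ("user", "xweb_cat"), limit=3, countfield="Total Viewed", showperc=False):
        print("  ", row)
```

Two things worth noticing when you run it: count returns 6 but count(vendor_action) returns 5, because carol's event has no such field; and the by clause drops that same event from any table split on vendor_action, so a "blocked versus allowed" breakdown silently under-reports unless you fillnull first.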
Q: (T/F) A change to the underlying report will not affect every dashboard panel that uses that report.
A: False

Q: ___ are used when static or unchanging data is required for searches but isn't available in the index.
A: Lookups

Q: ___ allow you to add more fields to your events and are usually defined in a static .csv file or as the output of a Python script.
A: Lookups

Q: What is the command that loads results from a specified lookup?
A: inputlookup, e.g. | inputlookup products.csv

Q: Searches sent to Splunk become:
A: (Search) jobs

Q: The New Search window contains:
A: 1. Save As menu, 2. Search result tabs, 3. Search action buttons, 4. Search mode selector, 5. Timeline, 6. The events, 7. Fields extracted. (Module 5)

Q: The search result tabs are:
A: Events, Patterns, Statistics, Visualization

Q: The Events tab
A: Displays the events returned for the search and the fields extracted from the events (for a simple query this is the default tab).

Q: The Patterns tab
A: Lets you see patterns in the data and get a better understanding of it.

Q: Commands that create statistics or visualizations are called ___.
A: Transforming commands

Q: By default a search job will remain active for ___.
A: 10 minutes after it runs; after that Splunk needs to run the job again to return the results.

Q: By default a shared search job will remain active for ___.
A: 7 days, and it is readable by everyone.

Q: The Export icon allows exporting in which formats?
A: Raw, CSV, XML, or JSON

Q: What color are boolean operators and command modifiers in the search bar?
A: Orange

Q: What color are commands in the search bar?
A: Blue

Q: What color are command arguments in the search bar?
A: Green

Q: What color are functions in the search bar?
A: Purple

Q: (T/F) Lookup field values are case sensitive.
A: True (lookup matching is case sensitive by default)

Q: When can you use lookup fields in a search?
A: After the lookup has been configured.

Q: When do you use the lookup command in your search?
A: When the lookup is not configured to run automatically.

Q: If you use the lookup command in your search, the ___ argument is optional.
A: OUTPUT

Q: (T/F) If the OUTPUT argument is not specified, the lookup returns all fields from the lookup table.
A: True

Q: If you specify the OUTPUT argument in a lookup search, what happens to existing fields with the same name?
A: They get overwritten.

Q: What argument should you use to prevent existing fields from being overwritten by lookup fields?
A: OUTPUTNEW

Q: How long do output lookup fields exist?
A: Only for the current search.

Q: When can you create a time-based lookup?
A: When a field in the lookup table represents a timestamp.

Q: Useful for monthly, weekly, or daily reports; dashboard performance; and automatically sending reports via email.
A: Scheduled report

Q: To create a scheduled report:
A: Start with the search it will be based on and choose Report from the Save As menu.

Q: There is no reason to include this in a scheduled report.
A: The time range picker

Q: When scheduling a report, this is only available to admin users.
A: Schedule Priority

Q: The options under Schedule Priority are:
A: Default, Higher, Highest

Q: This setting lets you set a timeframe within which to run your report.
A: Schedule Window

Q: These are the actions that can be triggered from a scheduled report:
A: Log event; Output results to lookup; Output results to telemetry endpoint; Run a script; Send email; Webhook (sends an HTTP POST request to a specified URL).

Q: Managing scheduled reports can be done here: ___
A: The "Searches, Reports, and Alerts" link in the Settings drop-down menu.

Q: When you click the name of your report in the "Searches, Reports, and Alerts" window you can do this: ___
A: Change the search string and time range.

Q: When you click the Edit menu on a report you can:
A: Edit Search, Permissions, Schedule, Acceleration, or Summary Indexing; Disable; Clone, Embed, Move, or Delete.

Q: You can also access your report from the ___.
A: Reports tab in the Search and Reporting app.

Q: When you click the name of your report in the Reports tab of the Search and Reporting app:
A: It displays the results of the scheduled report.

Q: Do this ___ to make a report available to users who do not have access to the Splunk instance.
A: Embed the report.

Q: An embedded report will be viewable by ___.
A: Anyone who has access to the web page.

Q: When will an embedded report show data?
A: After the scheduled search has run.

Q: (T/F) Once embedding is enabled, you will no longer be able to edit attributes of the report.
A: True

Q: (T/F) You can add a scheduled report to a dashboard.
A: True

Q: The Run As option in the Edit Permissions window determines which user profile is used at run time:
A: Owner: all data accessible by the owner appears in the report. User: only data the user's role is allowed to access appears.

Q: Alerts are based on searches that can run either:
A: On a regular scheduled interval, or in real time.

Q: Alerts are triggered when ___.
A: The results of the search meet a specific condition that you define.

Q: Alerts can:
A: Create an entry in Triggered Alerts; log an event; output results to a lookup file; send emails; use a webhook; perform a custom action.

Q: Alert permissions are set to ___ by default.
A: Private: only you can access, edit, and view triggered alerts.

Q: What happens when alert permissions are set to "Shared in app"?
A: All users of the app can view triggered alerts. By default everyone has read access and power users have write access to the alert.

Q: In what ways can you choose to run an alert?
A: Scheduled alerts: the search runs at a defined interval and evaluates the trigger condition when the search completes. Real-time alerts: the search runs constantly in the background and evaluates trigger conditions within a window of time based on the conditions you define.

Q: Scheduled alerts can run at these defined intervals:
A: Every hour, day, week, or month, or on a cron schedule.

Q: When you set your alert to run on a cron schedule you must do what? ___
A: Choose a time range and enter a cron expression.

Q: You can set alerts to trigger:
A: Per-Result; Number of Results; Number of Hosts; Number of Sources; Custom.
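The lookup cards above (OUTPUT optional, OUTPUT overwrites, OUTPUTNEW preserves, values case sensitive, fields live only for the current search) describe behaviour that is easy to get backwards when enriching events with an asset inventory: OUTPUT can clobber an owner field the event already carried, and a hostname whose case differs from the table simply fails to match. The Python below is an added example written for these notes, not Splunk's implementation; it models the lookup command over a constructed inventory CSV and constructed events, with the field names host, owner, criticality and dest_host assumed:

```python
"""Added example: model of the lookup command's OUTPUT / OUTPUTNEW arguments and its
case-sensitive matching. The CSV and events are constructed; field names are assumed."""
import csv
import io
from typing import Any, Dict, List, Optional, Sequence

Event = Dict[str, Any]

# Constructed inventory, as if uploaded as assets.csv and read with | inputlookup assets.csv
ASSETS_CSV = """host,owner,criticality
finance-db,finance,high
build-01,platform,medium
"""

EVENTS: List[Event] = [
    {"dest_host": "finance-db", "owner": "unknown"},  # already carries a (stale) owner field
    {"dest_host": "Build-01"},                         # case differs from the table
    {"dest_host": "laptop-77"},                        # not in the table at all
]


def inputlookup(csv_text: str) -> List[Dict[str, str]]:
    """| inputlookup <file>: load the table's rows as results."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def lookup(events: List[Event], table: List[Dict[str, str]], lookup_field: str,
           event_field: Optional[str] = None, output: Optional[Sequence[str]] = None,
           outputnew: bool = False, case_sensitive: bool = True) -> List[Event]:
    """| lookup <table> <lookup_field> [AS <event_field>] [OUTPUT|OUTPUTNEW f1, f2 ...]

    - Neither OUTPUT nor OUTPUTNEW  -> every non-key column of the table is returned.
    - OUTPUT     -> returned columns overwrite event fields of the same name.
    - OUTPUTNEW  -> returned columns are only added where the event lacks the field.
    - Matching is case sensitive unless the lookup definition says otherwise.
    Returned events are copies: lookup fields exist only for this search's results.
    """
    if not table:
        return [dict(e) for e in events]
    event_field = event_field or lookup_field
    columns = list(output) if output else [c for c in table[0].keys() if c != lookup_field]
    norm = (lambda s: s) if case_sensitive else (lambda s: s.lower())
    index = {norm(row[lookup_field]): row for row in table}
    enriched: List[Event] = []
    for e in events:
        e = dict(e)
        key = e.get(event_field)
        row = index.get(norm(str(key))) if key is not None else None
        if row is not None:
            for col in columns:
                if outputnew and col in e:
                    continue  # OUTPUTNEW: keep what the event already had
                e[col] = row[col]
        enriched.append(e)
    return enriched


if __name__ == "__main__":
    table = inputlookup(ASSETS_CSV)
    print("OUTPUT    :", lookup(EVENTS, table, "host", "dest_host", output=["owner", "criticality"]))
    print("OUTPUTNEW :", lookup(EVENTS, table, "host", "dest_host", output=["owner", "criticality"], outputnew=True))
    print("case-insensitive, all columns:", lookup(EVENTS, table, "host", "dest_host", case_sensitive=False))
```

With OUTPUT the first event's owner becomes finance; with OUTPUTNEW it stays unknown while criticality is still added. Build-01 gets nothing under the default case-sensitive match and is only enriched when matching is made case-insensitive, and laptop-77 is passed through untouched in every case. If an enrichment silently returns fewer matches than expected, check the case of the key values before anything else.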

Preview 1 out of 19 pages. Uploaded Jul 05, 2023 by securegrades.