Splunk Exam 169 Questions with Answer 2023

___ allows different workspaces for specific use cases or user roles to co-exist on a single Splunk instance. - CORRECT ANSWER Apps
Unique identifier of where the events originated (hostname, IP address, etc.). - CORRECT ANSWER Hosts
Name of the file, stream, or other input. - CORRECT ANSWER Sources
Specific data type or data format. - CORRECT ANSWER Sourcetypes
Machine data is only generated by web servers. True/False. - CORRECT ANSWER False
Machine data makes up more than ___% of the data accumulated by organizations. - CORRECT ANSWER 90
Machine data is always structured. True/False. - CORRECT ANSWER False
Splunk is comprised of three main processing components. What are they? - CORRECT ANSWER Indexer, Search Head, Forwarder
___ processes machine data, storing the results in indexes as events, enabling fast search and analysis. - CORRECT ANSWER Indexer
As the Indexer indexes your data, it creates a number of files organized in sets of ___ by age; each set contains raw data (compressed) and indexes (which point to the raw data). - CORRECT ANSWER Directories
___ allow users to use the Search language to search the indexed data, and distribute user search requests to the Indexers. ___ consolidate the results and extract field/value pairs from the events for the user. - CORRECT ANSWER Search Heads
___ on the Search Heads can be created to extract additional fields and transform the data without changing the underlying index data. - CORRECT ANSWER Knowledge Objects
___ provide tools to enhance the search experience such as reports, dashboards and visualizations. - CORRECT ANSWER Search Heads
___ are instances that consume and send data to the index; they require minimal resources and have little impact on performance. ___ typically reside on the machines where the data originates, and they are the primary way data is supplied for indexing. - CORRECT ANSWER Forwarders
In addition to the three main Splunk processing components, there are some less-common components. What are they? - CORRECT ANSWER Deployment Server, Cluster Master, License Master
In ___ Deployment, a single server contains all functions in a single instance of Splunk for testing, proof of concept, personal use, and learning purposes. It is recommended to have at least one test/development setup at the site. - CORRECT ANSWER Standalone
In ___ Deployment, the Splunk server manages the deployment of forwarder configurations. - CORRECT ANSWER Basic
In Basic Deployment, ___ collect data and send it to Splunk Servers. They are installed at the data source (usually production servers). - CORRECT ANSWER Forwarders
Basic Deployment for organizations: indexing less than __ GB per day; with __ users; a small number of forwarders. - CORRECT ANSWER 20
__ Deployment increases indexing and searching capacity. Search management and index functions are split across multiple machines. - CORRECT ANSWER Multi-Instance
Multi-Instance Deployment for organizations: indexing up to ___ GB per day; supports ___ users; supports several hundred forwarders. - CORRECT ANSWER 100
Adding a ___ Cluster services more users for increased search capacity, and allows users and searches to share resources. It coordinates activities to handle search requests and distributes the requests across the set of indexers. - CORRECT ANSWER Search Head
Search Head Clusters require a minimum of ___ Search Heads. - CORRECT ANSWER three
A ___ is used to manage and distribute apps to the members of the Search Head Cluster. - CORRECT ANSWER Deployer
__ are configured to replicate data, prevent data loss, promote availability, and manage multiple indexers. - CORRECT ANSWER Traditional Index Clusters
___ offer simplified management, and don't provide availability or data recovery. - CORRECT ANSWER Non-replicating Index Clusters
Search requests are processed by the ___. - CORRECT ANSWER Indexers
Which function is a part of a single instance deployment? - CORRECT ANSWER Input, Parsing, Indexing, Searching
Which of these is a main component of Splunk? - CORRECT ANSWER Collect and index Data, Search and Investigate, Add Knowledge
In most Splunk deployments, ___ serve as the primary way data is supplied for indexing. - CORRECT ANSWER Forwarders
A single-instance deployment of Splunk Enterprise handles: - CORRECT ANSWER Input, Parsing, Indexing, Searching
After installation, Splunk starts automatically on ___, and must be manually started on ___ until boot-start is enabled. - CORRECT ANSWER Windows, *NIX
Installing Splunk Enterprise as an Indexer or Search Head is identical to installing a ___ deployment instance. - CORRECT ANSWER single
___ define what users can do in Splunk. - CORRECT ANSWER Roles
This role will only see their own knowledge objects and those that have been shared with them. - CORRECT ANSWER User
Which apps ship with Splunk Enterprise? - CORRECT ANSWER Search & Reporting, Home App
You can launch and manage apps from the home app. True/False. - CORRECT ANSWER True
What are the three main default roles in Splunk Enterprise? - CORRECT ANSWER Admin, Power, User
The Splunk index-time process (data ingestion) can be broken down into three phases. What are they? - CORRECT ANSWER Input, Parsing, Indexing
After data is written to disk, it cannot be changed. True/False. - CORRECT ANSWER True
Users can add data inputs by directly editing ___. - CORRECT ANSWER inputs.conf
When you index a data source, Splunk assigns ___ values. - CORRECT ANSWER metadata
Upload allows uploading local files that only get indexed ___. Useful for testing or data that is created ___ and never updated. - CORRECT ANSWER once
The Add data menu provides three options depending on the source to be used. What are they? - CORRECT ANSWER Upload, Monitor, Forward
What Add Data option is the main source of input in production environments? - CORRECT ANSWER Forward
For one-time indexing (or testing), the ___ option does not create a stanza in inputs.conf. - CORRECT ANSWER Index Once
___ displays how your processed events will be indexed. - CORRECT ANSWER Data preview
When adding data, by default, the default host name in ___ is used. - CORRECT ANSWER General settings
Indexed events are available for immediate search; however, it may take a ___ for Splunk to start indexing the data. - CORRECT ANSWER minute
Splunk uses ___ to categorize the type of data being indexed. - CORRECT ANSWER source type
Splunk knows where to break the event, where the time stamp is located and how to automatically create field/value pairs using these. - CORRECT ANSWER source types
The monitor input option will allow you to continuously monitor files. True/False. - CORRECT ANSWER True
In most production environments, ___ will be used as the source of data input. - CORRECT ANSWER Forwarder
Files indexed using the upload input option get indexed ___. - CORRECT ANSWER once
___ provides selections for how to complete the search string. - CORRECT ANSWER Search Assistant
Before the first ___, Search Assistant looks for matching terms. After the first ___, the Search Assistant shows a list of commands that can be entered into the search string. - CORRECT ANSWER pipe (|)
Search Assistant is enabled by default in the ___ user preferences. - CORRECT ANSWER SPL Editor
In SPL Editor, ___ is selected for Search Assistant by default. To show more information, choose Full. - CORRECT ANSWER Compact
Search results are displayed in reverse chronological order (newest first). True/False. - CORRECT ANSWER True
Splunk parses data into individual events, extracts time, and assigns metadata. Each event has five fields by default. What are they? - CORRECT ANSWER timestamp, host, source, sourcetype, index
The ___ symbol "snaps" to the time unit you specify. - CORRECT ANSWER @
To specify a beginning and an ending for a time range, use ___ and ___. - CORRECT ANSWER earliest, latest
If a time is specified, it must be in MM/DD/YYYY:HH:MM:SS format. True/False. - CORRECT ANSWER True
Zoom In does not re-execute the search. True/False. - CORRECT ANSWER True
Zoom Out expands the time focus and re-executes the search. True/False. - CORRECT ANSWER True
Every search is also a job, and jobs are available for __ minutes by default. - CORRECT ANSWER 10
In Job Settings, Lifetime is ___ minutes by default, and can be extended to 7 days. - CORRECT ANSWER 10
Sharing a search extends results retention to ___ days. - CORRECT ANSWER 7
Search History displays your most recent ad-hoc searches - ___ per page. - CORRECT ANSWER 5
In Search, "failed password" and "failed AND password" will return the same results. True/False. - CORRECT ANSWER True
Which of the following search modes toggles behavior based on the type of search being run? - CORRECT ANSWER Smart
These are booleans in the Splunk Search Language. What are they? - CORRECT ANSWER NOT, OR, AND
Shared search jobs remain active for ___ days by default. - CORRECT ANSWER 7
When zooming in on the event timeline, a new search is run. True/False. - CORRECT ANSWER False
___ are searchable key/value pairs in your event data. - CORRECT ANSWER Fields
Between search terms, ___ is implied unless otherwise specified. - CORRECT ANSWER AND
Prior to search time, some fields are already stored with the event in the index. Which of them are meta fields? - CORRECT ANSWER host, source, sourcetype, index
Prior to search time, some fields are already stored with the event in the index. Which of them are internal fields? - CORRECT ANSWER _time, _raw
For the current search, Interesting Fields are those occurring in at least __% of the resulting events. - CORRECT ANSWER 20
By default, the selected fields are ___, ___ and ___. - CORRECT ANSWER host, source, sourcetype
You can identify other fields as selected fields from ___ (which shows all of the discovered fields). - CORRECT ANSWER All Fields
Field names are case sensitive, but field values are not case sensitive. True/False. - CORRECT ANSWER True
For IP fields, Splunk is subnet/CIDR aware. True/False. - CORRECT ANSWER True
NOT status=200 returns events where a status field exists and the value in the field doesn't equal 200 -- and all events where the status field doesn't exist. True/False. - CORRECT ANSWER True
What is the default Search Mode? - CORRECT ANSWER Smart
Interesting Fields: have values in at least ___% of the events. - CORRECT ANSWER 20
What is the most efficient filter in Search? - CORRECT ANSWER Time
Searching for "access denied" is always better than searching for "denied". True/False. - CORRECT ANSWER True
Inclusion is generally better than exclusion. Searching for "access denied" is faster than searching for NOT "access granted". True/False. - CORRECT ANSWER True
It's possible to search without an index - but that's inefficient and not recommended. True/False. - CORRECT ANSWER True
What duration is the most efficient way to filter events in Time? - CORRECT ANSWER 7 days
Searches are made up of 5 basic components. What are they? - CORRECT ANSWER Search terms, Commands, Functions, Arguments, Clauses
The __ command returns a table formed by only the fields in the argument list. - CORRECT ANSWER table
To change the name of a field, use the ___ command. - CORRECT ANSWER rename
Once you rename a field, you can't access it with the original name. True/False. - CORRECT ANSWER True
___ ___ is one of the most costly parts of a search. - CORRECT ANSWER Field extraction
The ___ command allows you to include or exclude specified fields in your search or report. - CORRECT ANSWER fields
Using fields+ improves performance, and fields- doesn't affect performance. True/False. - CORRECT ANSWER True
The ___ command removes duplicates from your results. - CORRECT ANSWER dedup
The ___ command orders your results in + ascending (default) or - descending. True/False. - CORRECT ANSWER True
To limit the returned results, use the ___ option. - CORRECT ANSWER limit
Having separate indexes allows: - CORRECT ANSWER Multiple retention policies, Ability to limit access, Faster searches
As a general practice, exclusion is better than inclusion in a Splunk search. True/False. - CORRECT ANSWER False
Time to search can only be set by the time range picker. True/False. - CORRECT ANSWER False
Excluding fields using the fields command will benefit performance. True/False. - CORRECT ANSWER False
The ___ command finds the most common values of a given field in the result set. - CORRECT ANSWER top
By default, the top command returns the top ___ results. - CORRECT ANSWER 10
By default, the top command returns ___ and ___ columns. - CORRECT ANSWER count, percent
limit=# returns this number of results, and limit=0 returns unlimited results. True/False. - CORRECT ANSWER True
If showperc is not included - or it is included and set to t - a percent column is displayed. If showperc=f, then a percent column is NOT displayed. True/False. - CORRECT ANSWER True
By default, the display name of the countfield is ___, and countfield=string renames the field for display purposes. - CORRECT ANSWER count
The ___ command returns the least common field values of a given field in the result, and its options are identical to the top command. - CORRECT ANSWER rare
The ___ command enables you to calculate statistics on data that matches your search criteria. - CORRECT ANSWER stats
What is the stats function that lists unique values of a given field? - CORRECT ANSWER values
What is the stats function that lists all values of a given field? - CORRECT ANSWER list
The ___ function returns the number of matching events based on the current search criteria. - CORRECT ANSWER count
Adding a ___ as an argument to the count function returns the number of events where a value is present for the specified field. - CORRECT ANSWER field
The ___ clause returns a count for each value of a named field or set of fields. - CORRECT ANSWER by
The ___ function provides a count of how many unique values there are for a given field in the result set. - CORRECT ANSWER distinct_count or dc
How many results are shown by default when using a Top or Rare Command? - CORRECT ANSWER 10
To display the most common values in a specific field, what command would you use? - CORRECT ANSWER top
Which stats function would you use to find the average value of a field? - CORRECT ANSWER avg
Running a report returns fresh results each time you run it. True/False. - CORRECT ANSWER True
For alphanumeric character fields, there are only ___ available reports. - CORRECT ANSWER 3
A ___ consists of one or more panels displaying data visually in a useful way - such as events, tables, or charts. - CORRECT ANSWER dashboard
The Dashboard ID is automatically populated with a unique value used by Splunk and should not be changed. True/False. - CORRECT ANSWER True
Why create Panels from Reports? - CORRECT ANSWER It is efficient to create most dashboard panels based on reports. Any change to the underlying report affects every dashboard panel that utilizes that report.
The User role cannot create reports. True/False. - CORRECT ANSWER False
A time range picker can be included in a report. True/False. - CORRECT ANSWER True
These roles can create reports: - CORRECT ANSWER Admin, User, Power
In a dashboard, a time range picker will only work on panels that include a(n) ___ search. - CORRECT ANSWER inline
___ are reports gathered together into a single pane of glass. - CORRECT ANSWER dashboards
Pivots can be saved as reports. True/False. - CORRECT ANSWER True
The ___ pivot allows you to utilize the pivot tool without a preexisting data model. - CORRECT ANSWER Instant
You can save any pivot to a new or existing dashboard. True/False. - CORRECT ANSWER True
___ ___ are knowledge objects that provide the data structure that drives Pivots. - CORRECT ANSWER Data Models
Data models are created by the Admin and Power roles. True/False. - CORRECT ANSWER True
___ help users to find data and get answers faster. - CORRECT ANSWER Datasets
The instant pivot button is displayed in the statistics and visualization tabs when a ___ search is run. - CORRECT ANSWER non-transforming
These are knowledge objects that provide the data structure for pivot. - CORRECT ANSWER Data Models
___ pull data from standalone files at search time and add it to search results, allowing you to add more fields to your events. - CORRECT ANSWER Lookups
What can be used when static (or relatively unchanging) data is required for searches, but isn't available in the index? - CORRECT ANSWER Lookups
Lookup field values are case sensitive by default. True/False. - CORRECT ANSWER True
In a lookup file, the first row represents ___ names (header). - CORRECT ANSWER field
Use the ___ command to load the results from a specified static lookup. - CORRECT ANSWER inputlookup
If a lookup is not configured to run automatically, use the ___ command in your search to use the lookup fields. - CORRECT ANSWER lookup
Use ___ when you do not want to overwrite existing fields. - CORRECT ANSWER OUTPUTNEW
To use an automatic lookup, specify the ___ fields in your search. - CORRECT ANSWER output
If a field in a lookup table represents a(n) ___, you can create a time-based lookup. - CORRECT ANSWER timestamp
To keep from overwriting existing fields with your lookup you can use the ___ clause. - CORRECT ANSWER OUTPUTNEW
A lookup is categorized as a dataset. True/False. - CORRECT ANSWER True
When using a .csv file for Lookups, the first row in the file represents this. - CORRECT ANSWER Field names
Users with admin privileges can select a Schedule Priority of Default, Higher, or Highest. True/False. - CORRECT ANSWER True
Before a report can be embedded, it must be ___. - CORRECT ANSWER scheduled
___ are triggered when the results of the search meet a specific condition that you define. - CORRECT ANSWER Alerts
By default, ___ has read access and ___ has write access to the alert. - CORRECT ANSWER everyone, power
What are the two types of alerts? - CORRECT ANSWER Scheduled, Real-time
Trigger condition: ___ executes actions one time for all matching events within the scheduled time and conditions. - CORRECT ANSWER Once
The ___ option suppresses the actions for results within a specified time range. - CORRECT ANSWER Throttle
If you have administrator privileges, you can use a log event action: - CORRECT ANSWER Event, Source, Sourcetype, Host, Index
Alerts can be shared to all apps. True/False. - CORRECT ANSWER True
Alerts can send an email. True/False. - CORRECT ANSWER True
Alerts can run uploaded scripts. True/False. - CORRECT ANSWER True
An alert is an action triggered by a ___ ___. - CORRECT ANSWER Saved Search
Once an alert is created, you can no longer edit its defining search. True/False. - CORRECT ANSWER False
The password for a newly installed Splunk instance is: - CORRECT ANSWER Created when you install Splunk Enterprise.
Commands that create statistics and visualizations are called ___ commands. - CORRECT ANSWER stats
Charts can be based on numbers, time, or location. True/False. - CORRECT ANSWER True
Data models are made up of ___. - CORRECT ANSWER Datasets
Uploaded on: Jul 05, 2023
Number of pages: 15