SPLUNK - 1 – Introduction Exam 169 Questions with Answers

What are the five components of Splunk Enterprise?
- CORRECT ANSWER
Index data
Search and Investigate
Add knowledge
Monitor & Alert
Report & Analyze

What is a Splunk App?
- CORRECT ANSWER
- A preconfigured environment sitting on top of Splunk Enterprise
- Defined by a user with an administrative role

Three main (default) roles in Splunk Enterprise and their power
- CORRECT ANSWER
Admin: install apps, create knowledge objects for all users
Power User: create and share knowledge objects for users of an app and do real-time searches
User: see their own knowledge objects and those shared with them

Where is ingested data stored in Splunk?
- CORRECT ANSWER Splunk's Index

Splunk Enterprise has a single default user, which is?
- CORRECT ANSWER Admin

Splunk comes with 2 default apps, what are they?
- CORRECT ANSWER Home; Search and Report

Data is broken into single events by?
- CORRECT ANSWER Source type

What can you do from the Search and Reporting app?
- CORRECT ANSWER
+ Create knowledge objects
+ Create reports
+ Dashboards and more

What can the Splunk Bar be used for?
- CORRECT ANSWER
+ Switch between apps
+ Account settings
+ Messages (system level)
+ Settings
+ Activities (progress of jobs)
+ Help

Besides the Splunk Bar, what are the other main components of Splunk Search and Reporting?
- CORRECT ANSWER
App bar
Search bar
How to search panel
What to search panel (search by source types, hosts, sources)
Search history

What are the Splunk definitions for source types, sources, hosts?
- CORRECT ANSWER
Source types: classification of data
Sources: path, network port/script from which the events originated
Hosts: hostname, IP, FQDN...

After you execute a search, what are the main components of the search result page?
- CORRECT ANSWER
+ Save as (to knowledge object)
+ Search result tab
+ Search action button
+ Search mode selector
+ Timeline
+ Event list
+ Fields (extracted fields)

In the search result tab there are Statistics and Visualization tabs; what kind of search command will generate that info?
- CORRECT ANSWER Transforming commands

What are the three search modes?
- CORRECT ANSWER
Fast (cutting down on the fields returned)
Smart (based on the type of search; default)
Verbose (returns as many fields as possible)

Do search results show the newest or the oldest event first?
- CORRECT ANSWER Newest

What are the default fields of the Selected Fields view?
- CORRECT ANSWER Host, Source, Source type

Clicking on highlighted text will show?
- CORRECT ANSWER
Add to search
Exclude from search
New search

Boolean operations order
- CORRECT ANSWER 1. NOT 2. OR 3. AND

An "Interesting field" appears in search results for what percentage of events?
- CORRECT ANSWER 20%

When you click on a field name, which kind of information shows up?
- CORRECT ANSWER
+ Statistics: Values, Count, Percent
+ Reports: Top values, top values by time, rare values, events with this field

List some best practices while doing a Splunk search
- CORRECT ANSWER
+ Specify the time frame
+ Be detailed in search queries
+ Inclusion is better than exclusion
+ Apply filters as early as possible

After a successful search we can save it as a report. After a report is created, what are the possible actions on that report?
- CORRECT ANSWER Open in Search, Edit Description, Edit permission, Edit schedule, Edit acceleration, Clone, Embed, Delete

Knowledge object components
- CORRECT ANSWER
Data Classification (event types, transactions)
Data Normalization (tags, aliases)
Data Models (hierarchical structured data)
Data Enrichment (lookups, workflow actions)
Data Interpretation (fields, field extraction, calculated fields)

As a power user, you only have what report privilege?
- CORRECT ANSWER Read and write

Some reports can be accelerated. What does "accelerate" mean?
- CORRECT ANSWER Report acceleration lets you speed up searches by using cached data you create ahead of time. Report acceleration is used to accelerate individual reports and is easy to set up for any transforming search or report that runs over a large dataset. Ref: https://docs.splunk.com/Documentation/Hunk/6.4.11/Hunk/Workwithreportacceleration

Caution on report data privacy
- CORRECT ANSWER If the report's "Run As" option is set to Owner and the Owner has access to some protected data, that data may be exposed to other users.

The field sidebar has?
- CORRECT ANSWER
Selected Fields (most important)
Interesting Fields (values in at least 20% of the data)

Clicking on a field will?
- CORRECT ANSWER Create a transforming search with statistical data

Selected field operational properties
- CORRECT ANSWER
- Show up in event lists
- Available for subsequent searches

Filter a search by source using this option
- CORRECT ANSWER sourcetype=source name; can be used with field operators like >=, !=

What does this search mean? index=security sourcetype=linux_secure action=failure host!="mail*"
- CORRECT ANSWER Search within the "security" repository with just the linux_secure source type; look for events that have the value "failure" and were not generated by any mail servers.

What is the difference between status!=200 and NOT status=200?
- CORRECT ANSWER
status!=200: events must have the status field and it must not equal 200
NOT status=200: events may not have the status field, or may have the status field not equal to 200
The latter option may return more results

Search for status values that fall within a set of values
- CORRECT ANSWER status IN ("200", "404", "500")

How to further filter this search by status? index=web status IN ("200", "404", "500") | stats count by status
- CORRECT ANSWER index=web status IN ("200", "404", "500") | fields +status | stats count by status

Temporary fields are created by this command
- CORRECT ANSWER eval

erex and rex commands
- CORRECT ANSWER Extract fields using regex

erex syntax
- CORRECT ANSWER erex <field name> examples=<list of examples> [counterexamples=<string>] [fromfield=<field>] [maxtrainers=<integer>]

If we use a field created by eval often, then we should
- CORRECT ANSWER Make a calculated field out of it

A field alias is best used when?
- CORRECT ANSWER Representing different fields from different sources with similar values

Search field evaluation order
- CORRECT ANSWER
Field extractions
Aliases
Calculated fields
Lookups
Event types
Tags

Are fields knowledge objects?
- CORRECT ANSWER Yes

What are the two ways to look up past searches?
- CORRECT ANSWER Search history, or Activity -> Jobs (non-persistent; cleared after a while)

What is the command used to filter search results to the top 10 of a certain field name?
- CORRECT ANSWER <search string> | top <fieldname> (results will include stats like value name, count, percent)

What does this command do? sourcetype=vendor_sales | stats count(linecount) as "Units Sold" by product_name | addcoltotals label=":Total" labelfield="Total Games Sold"
- CORRECT ANSWER Counting all products sold by vendors, splitting by product_name, and adding all those totals together into a new column named "Total Games Sold"

By default, a saved report is viewable by?
- CORRECT ANSWER The Owner

Only these roles can share knowledge objects
- CORRECT ANSWER Admin and Power

Components of a report scheduler
- CORRECT ANSWER Check image

How to avoid resource overload with scheduled searches?
- CORRECT ANSWER Set schedule priority (only available to admin; options of default, high, and higher) and schedule window (allows flexibility for the start time)

How to let Splunk choose the best time to run the report?
- CORRECT ANSWER Choose "auto" for Schedule Window in the report scheduler

Examples of trigger actions for a report schedule
- CORRECT ANSWER
Log events: logging and indexing searchable events
Output results to a CSV lookup: writing the results of the triggered alert or scheduled report to a CSV lookup file
Email notification action: sending report summaries by email
Use a webhook alert action: displaying a message in a chat room or updating another web resource

Manage searches, reports, and alerts by?
- CORRECT ANSWER Settings > Manage searches, reports, and alerts

Alerts are triggered by?
- CORRECT ANSWER Saved searches returning certain results (by specified triggers)

Alert creation box
- CORRECT ANSWER Check image

What is the main purpose of pivot?
- CORRECT ANSWER Allowing non-technical users to create reports without much knowledge of search strings

What are data models?
- CORRECT ANSWER Knowledge objects that provide the data structure that drives pivots

What can non-technical users do when they want to create a report but there is no data model for them to use yet?
- CORRECT ANSWER They can use instant pivot

What are the 3 main components of the Splunk Enterprise architecture?
- CORRECT ANSWER Forwarder, Indexer, Search Head

How does the indexer store data?
- CORRECT ANSWER In files stored in directories ordered by age

What do the indexer's files contain?
- CORRECT ANSWER
Compressed raw data
Indexes that point to the raw data, along with metadata files

Briefly describe the forwarder
- CORRECT ANSWER
Consumes data and forwards it to the indexer
Usually resides on the client
Minimal resources, little impact on performance

Besides the main components like search head, forwarders, etc., what are the other components?
- CORRECT ANSWER
Deployment server
Cluster master
License master

A search head cluster requires a minimum of how many search heads?
- CORRECT ANSWER 3

What's the role of a deployer?
- CORRECT ANSWER Distribute apps to a search head cluster

What is the biggest bottleneck for Splunk?
- CORRECT ANSWER Disk I/O

What's the seek time requirement for shared storage?
- CORRECT ANSWER 1200 seeks/sec

What's splunkd?
- CORRECT ANSWER
+ System process that handles: indexing, searching, forwarding, web interface
+ Distributed C/C++ binary; runs over port 8089 by default, SSL

The Splunk application server listens on what port?
- CORRECT ANSWER 8065, only bound to the loopback interface and not exposed to the network

What ports should be opened before we install Splunk Enterprise?
- CORRECT ANSWER
8089 (for splunkd)
8000 (for Splunk Web)
9997 (forwarding data)
22 (for SSH)

Besides the main index and summary index, what are the other indexes?
- CORRECT ANSWER
_internal (internal logs and metrics)
_audit
_introspection (system performance and resource usage)
_thefishbucket (checkpoint for file monitoring inputs)

Inside index directories, events are stored by?
- CORRECT ANSWER Buckets

The "db" folder inside defaultdb (main index) has what buckets?
- CORRECT ANSWER Hot and Warm

The "colddb" folder inside defaultdb (main index) has the cold bucket. The thawed bucket is stored in what folder and what will be in that bucket?
- CORRECT ANSWER Under defaultdb/thaweddb; contains data entries restored from cold backups

List some fields when you want to create an index
- CORRECT ANSWER Index name, home path, cold path, thawed path, max size of index, max size of buckets, frozen path, etc.

A setting of "auto" for buckets equals?
- CORRECT ANSWER 750MB

A setting of "auto_high_volume" sets the bucket size to?
- CORRECT ANSWER 10GB

What are the available built-in roles when you create a new user?
- CORRECT ANSWER admin, can_delete, power, splunk-system-role, user

What are the methods for Splunk authentication?
- CORRECT ANSWER Splunk native authentication, LDAP, SAML

What is the Upload option (in the data section) best for?
- CORRECT ANSWER One-time data; testing

What are the data sources for the "Monitor" option in the data section?
- CORRECT ANSWER Files & Directories, HTTP Event Collector, TCP/UDP, Scripts

What is the most notable limitation of the forwarder?
- CORRECT ANSWER It only forwards unparsed data

Describe the heavy forwarder
- CORRECT ANSWER
Forwards parsed data to the indexer
Cannot do distributed searches
Will be capped by license capacity
Splunk advises using universal forwarders instead if possible (to avoid hotspots/bottlenecks)

Splunk search syntax includes 5 main components, what are they?
- CORRECT ANSWER
Search terms
Commands (what we want to do with the search results: charts, statistics, etc.)
Functions (how things will be executed)
Arguments (variables)
Clauses (grouping results)

How to include / exclude fields in searches?
- CORRECT ANSWER (search command) | fields (+ or -) (field names)

How does the table command differ from the fields command?
- CORRECT ANSWER The table command retains searched data in a tabulated format.

Give an example of a table command with a field renamed
- CORRECT ANSWER sourcetype=access* status=200 product_name=* | table JSESSIONID, product_name, price | rename JSESSIONID as "User Session" product_name as "Purchased game"

The table command can be a good way to quickly produce a report. However, data entries are not in proper order and may have duplicates. What commands should we use to take care of those problems?
- CORRECT ANSWER The dedup command and the sort command

By default the sort command puts items in ascending order; how do we sort in descending order?
- CORRECT ANSWER Put a minus (-) in front of the column name

Describe "Lookups"
- CORRECT ANSWER A knowledge object; combines fields from external sources with searched events, based on event fields

By default, top returns the top 10 results; how to customize it?
- CORRECT ANSWER Add "limit", for example ... | top Vendor limit=20; limit=0 will show all results

What are the clauses for the top command?
- CORRECT ANSWER
limit = int
countfield = string
percentfield = string
showcount = True/False
showperc = True/False
showother = True/False
otherstr = string

| top columnA will sort everything by columnA. How do we sort the columnA result by columnB?
- CORRECT ANSWER ... | top columnA by columnB

What is the opposite command of top?
- CORRECT ANSWER The rare command

List some common functions of the stats command
- CORRECT ANSWER count, distinct count, sum, average, list, values

What is the difference between | count and | count(..)?
- CORRECT ANSWER count with brackets (...) counts only events where the criteria in the brackets also hold. For example: index=* | stats count(eval(status="404")) AS count_status BY sourcetype

What is "... | stats dc"?
- CORRECT ANSWER stats distinct_count

Describe the clauses of the chart command
- CORRECT ANSWER
over (field to be on the X axis)
by (split data by an additional field)

Give the command that will display all HTTP errors grouped by status
- CORRECT ANSWER sourcetype=access_combined status>299 | chart count over status

How to remove null?
- CORRECT ANSWER Use: usenull=f

The chart command display is limited to how many columns?
- CORRECT ANSWER 10

Columns that go beyond the display limit will be displayed as "other". To remove the "other" column, we use?
- CORRECT ANSWER useother=f

With timechart, the x axis is always?
- CORRECT ANSWER Time value

How to plot a time chart of a field named "vendor_sales"?
- CORRECT ANSWER sourcetype=vendor_sales | timechart count

By default, timechart automatically groups values based on the time range selected. In order to manually change that default setting, what option can be specified?
- CORRECT ANSWER span=(time value to group)

How to specify multi-series (two different graphs to be displayed in one)?
- CORRECT ANSWER Use OR to "combine" two search queries, for example sourcetype=A OR sourcetype=B | timechart sum(...) by sourcetype. Make sure Multi-series is selected in the "Format" drop-down

What is the benefit of an area graph over a line graph?
- CORRECT ANSWER With an area graph, we will be able to see the stacked data (based on the combination of shades)

What does the trendline command compute?
- CORRECT ANSWER The moving average of field values

What are the trend types?
- CORRECT ANSWER
simple moving average (sma)
exponential moving average (ema)
weighted moving average (wma)

What is the main difference between wma and the others?
- CORRECT ANSWER wma adds more weight to data points that happened in recent times, while sma and ema don't.

In this trendline command ... | trendline wma2(sales) as trend, what does the number 2 stand for?
- CORRECT ANSWER 2 days

Which command will be used to look up and add location information to events?
- CORRECT ANSWER The iplocation command

Which geo information can be added into events?
- CORRECT ANSWER city, country, region, latitude, longitude

Will we be able to pull all geolocation information from the iplocation command?
- CORRECT ANSWER Not always

Which command should we use to aggregate geographical data for use on a map visualization?
- CORRECT ANSWER The geostats command

Give a geostats command that gives details of vendor_sales across the globe
- CORRECT ANSWER sourcetype=vendor_sales | geostats latfield=VendorLatitude longfield=VendorLongtitude count

What is the difference between the geostats and stats commands in terms of the "by" argument?
- CORRECT ANSWER geostats only accepts 1 "by" argument

What is a .kmz file? What does it do?
- CORRECT ANSWER Keyhole Markup Language file. It describes region boundaries to be used in a choropleth map

To prepare the events to be used in a choropleth visualization, we need to use what command? What does it do?
- CORRECT ANSWER The geom command. It adds a field with geographical data structures matching polygons on the map

In this geom command ... | geom geo_countries featureIdField=VendorCountry, what is "geo_countries"? What can be another option for that spot?
- CORRECT ANSWER It loads the geo_countries.kmz file. Another option is "geo_us_states". We can have other kmz files for other parts of the world

The trendline command requires how many arguments?
- CORRECT ANSWER 3: trendline ( <trendtype><period>"("<field>")" [AS <newfield>] )...

What is the difference between fieldformat and eval when formatting the same data?
- CORRECT ANSWER fieldformat works at the display level, meaning the original character of the data remains the same. For example, even when fieldformat changes the data to a string, if the original data type is a number we can still sort that data by its number values

Describe the where command
- CORRECT ANSWER Same syntax as eval but only keeps results that evaluate to true

How to replace null values with "n/a"?
- CORRECT ANSWER ... | fillnull value="n/a"

The transaction command includes some definitions, which are?
- CORRECT ANSWER
maxspan
maxpause (allowed maximum time between events)
startswith (starts with specified terms, field values, evaluations)
endswith

Stats vs. transaction?
- CORRECT ANSWER
Stats is faster
Stats groups events by field values, or by values other than sessions
transaction is used when we need to correlate events

What is a "knowledge object"?
- CORRECT ANSWER A tool to discover and analyze data. It includes:
+ Data interpretation
+ Classification
+ Enrichment
+ Normalization
+ Search-time mapping

What is CIM?
- CORRECT ANSWER Common Information Model. Used to normalize data by deploying a schema that defines standard fields between sources to create common base references. You need write access to a data model in order to browse it in its editor view. More on CIM here: https://docs.splunk.com/Documentation/CIM/5.0.2/User/Howtousethesereferencetables

When a user creates an object, what is the object's default permission set to, and what can it later be changed to?
- CORRECT ANSWER Default is "private". Later, the object permission can be changed to be available to a "specific app" or "all apps" by power users or admins.

In what situation do we need to use a lookup?
- CORRECT ANSWER To add other fields and values that were not included in the indexed data

What are the two steps to set up a lookup file?
- CORRECT ANSWER
+ Define a lookup table
+ Define the lookup

How to create a lookup table?
- CORRECT ANSWER Settings > Lookups > Lookup table files > "Add new" > Select destination app (the lookup table will only be available to this app) > "Choose file" (the CSV file) > Destination name > Save

How to verify that a CSV file was successfully added as a lookup table?
- CORRECT ANSWER Run | inputlookup (file name) and see if the data loads successfully.

How to define a lookup?
- CORRECT ANSWER Settings > Lookups > Lookup definitions > "Add new" > Select destination app > Name > Type > Lookup file > Save

How to add an automatic lookup?
- CORRECT ANSWER Settings > Lookups > Automatic lookups > "Add new" > Select destination app > Name > Lookup table > Apply to (what field) and Named (what value) > Lookup input fields (map a field in the lookup to a field in the search table) > Lookup output fields (mapping for outputs) > Save

Besides file-based lookups, what are the other lookup options?
- CORRECT ANSWER
+ Search based
+ Script based
+ DB Connect based
+ KV store based

How to create a field alias?
- CORRECT ANSWER Settings > Fields > Field Aliases > "Add new" > Destination app > Name > Apply to (source type/sources/host) and Named (field name) > Field aliases (existing field followed by alias) > Save

What are the available actions for field aliases?
- CORRECT ANSWER clone, move, delete

Aliases can be defined at index time as well as?
- CORRECT ANSWER Search time

What are calculated fields?
- CORRECT ANSWER
+ Fields based on extracted or discovered fields (not from search nor from lookup)
+ Values provided by eval

How to create a calculated field?
- CORRECT ANSWER Settings > Fields > Calculated Fields > "Add new" > Destination app > Apply to (source type/sources/host) and Named (field name) > Name (field name) > Eval expression > Save

What is the purpose of the field extractor?
- CORRECT ANSWER It is used to extract fields that persist as knowledge objects, making them reusable.

What are the two methods used in the field extractor?
- CORRECT ANSWER
Regular expression (recommended for unstructured data)
Delimiters

There are 3 ways to access the field extractor. What are they?
- CORRECT ANSWER
+ The regular "Fields" menu in Settings
+ Field sidebar ("Extract New Fields")
+ Event actions menu (Event actions > Extract Fields)

Among the 3 ways to access the field extractor, the workflow changes depending on the chosen method; which method has the easiest (shortest) workflow?
- CORRECT ANSWER Event actions menu (Event actions > Extract Fields)

How to create an event type?
- CORRECT ANSWER
+ Perform a search
+ Save as > Event type

How to verify that a new event type named "Purchase_action" is working?
- CORRECT ANSWER Type this into the search bar: eventtype=purchase* --> "eventtype" will show up in the field list (left column) and the corresponding events are color coded

What is "Priority" for in the event type editor?
- CORRECT ANSWER One event may belong to different event types; this priority specifies which event type will be chosen when that particular event happens.

What is the purpose of workflow actions?
- CORRECT ANSWER To create links to interact with external resources via GET/POST, or to narrow a search by interacting with the Splunk index

How to create a workflow action?
- CORRECT ANSWER Settings > Fields > "Add new" for the Workflow action type

What is Splunk's recommended naming convention?
- CORRECT ANSWER Group_Type_Platform_Category_Time_Description (6 groups)

What can an alert do?
- CORRECT ANSWER
+ List in the interface
+ Send emails
+ Trigger scripts
+ Use a webhook
+ Run a custom alert action

What are the two types of alerts?
- CORRECT ANSWER Scheduled and Real-time

Steps to create an alert
- CORRECT ANSWER > Define a search > Save as > Alert > Set trigger condition > Set alert throttle > Set alert action

What are the options for setting the trigger condition?
- CORRECT ANSWER per result, number of results, number of hosts, number of sources, custom

How to view a list of data sources?
- CORRECT ANSWER Search & Reporting > Data Summary

To clear the previous search, what do we do?
- CORRECT ANSWER Click "Search" in the navigation bar to reload the search application

What does this command do? sourcetype=linux_secure | table src_ip, user, app | rename src_ip as "Potential Hacker", user as "Name used", app as "Application Used" | sort by "Potential Hacker", "Name used" | dedup "Potential Hacker"
- CORRECT ANSWER This command will make a table out of the "linux_secure" sourcetype, then rename the column names to be more descriptive, then sort the results by "Potential Hacker", "Name used", and remove duplicates

What can be immediately improved in this command? sourcetype=linux_secure | table src_ip, user, app | rename src_ip as "Potential Hacker", user as "Name used", app as "Application Used" | sort by "Potential Hacker", "Name used" | dedup "Potential Hacker"
- CORRECT ANSWER Pipe the results of the sourcetype search directly into the dedup command; dedup should be performed as early as possible

If you want to check for web server problems, a basic filter on the HTTP status should be made, which is?
- CORRECT ANSWER status > 399

What does it mean to save a report to a dashboard as "inline"?
- CORRECT ANSWER It will be independent from the original report

You want to limit search results to the top 5 of the "referrer" field; what is the command?
- CORRECT ANSWER (search result) | top limit=5 referrer

What does this command do? (search result) | sort limit=20 -categoryId, +product_name
- CORRECT ANSWER Sort by descending order of categoryId, then by ascending order of product_name, and limit that result to the top 20 entries

What is the difference between these sort syntaxes: sort +/-<fieldname> and sort +/- <fieldname>?
- CORRECT ANSWER A sign followed directly by the fieldname sorts that field in the sign's order; a sign followed by a SPACE and then the fieldname applies the sort order to all following fields that don't have a sort order specified

When using the top command, how to disable the %?
- CORRECT ANSWER showperc=false

How to list "workstations" from a search result without duplication and rename that column to "Computers"?
- CORRECT ANSWER (search result) | stats values(workstations) as Computers

When using the top or rare command, how to change the default name "count" to something else?
- CORRECT ANSWER Use countfield=<string>

What is the difference between top user, subject limit=3 and top subject by user limit=3?
- CORRECT ANSWER
top user, subject limit=3: display the top 3 subjects for all users
top subject by user limit=3: display the top 3 subjects for EACH user

What are the possible pairs of values for a boolean variable in Splunk?
- CORRECT ANSWER t/f, True/False, 1/0

List and describe the functions of the stats command
- CORRECT ANSWER
- count: number of events
- distinct_count (or dc): count of unique values for a field
- sum
- avg
- list: list all values of a given field
- values: list unique values of a given field

Give a command that makes a chart of the top 5 total products sold (product_sold) per zipcode without the "other" column
- CORRECT ANSWER (search result) | chart count over zipcode by product_sold limit=5 useother=f
Uploaded on: Jul 09, 2023
Number of pages: 22
Scholarfriends.com Online Platform by Browsegrades Inc. 651N South Broad St, Middletown DE. United States.