SPLUNK Fundamentals 1|74 Questions with Answers 2023,100% CORRECT

Q: Interesting Fields (Module 6)
A: Fields that have a value in at least 20% of the events in the result set.

Q: Are field names case sensitive or not case sensitive?
A: Case sensitive (status=404 and Status=404 are different fields; the second will match nothing if the extracted field is "status").

Q: Are field values case sensitive or not case sensitive?
A: Not case sensitive in field=value search terms (action=failed also matches FAILED). Note that string comparisons in the where command are case sensitive.

Q: = and != (equal and not equal)
A: Can be used with numeric or string values.

Q: != and NOT
A: Will not always return the same results. field!=value returns only events that have the field with a different value; NOT field=value also returns events in which the field is missing altogether. For example, user!=root silently drops every event that has no user field, while NOT user=root keeps them. Decide which of the two you actually mean before excluding data.

Q: Which default fields are the most powerful, extracted at index time, and never need to be extracted again at search time?
A: index, source, host, sourcetype (the metadata fields).

Q: Which is better, inclusion or exclusion? (Module 7)
A: Inclusion is generally better than exclusion. Searching for "access denied" is better than NOT "access granted".

Q: What does @ do in a time modifier?
A: Snaps (rounds down) to the start of the nearest unit; Splunk never rounds up.

Q: -30m@h is run at 9:37. What events are returned?
A: 9:37 minus 30 minutes is 9:07; snapping to the hour gives 9:00. Events from 9:00 onward are returned.

Q: Define indexes.
A: Where Splunk stores event data for searching.

Q: Splunk administrators will use multiple __________ to segregate data.
A: Indexes. Separate indexes also let retention and role-based access be set per index.

Q: The Splunk Search Language is built from what five components?
A: Search terms, commands, functions, arguments, clauses.

Q: Boolean operators and command modifiers display in what color?
A: Orange (AND, OR, NOT; modifiers such as AS and BY).

Q: Commands display in what color?
A: Blue.

Q: Command arguments display in what color?
A: Green.

Q: Functions display in what color?
A: Purple.

Q: What does Ctrl+\ on Windows or Cmd+\ on a Mac do in the search bar?
A: Moves each pipe to a new line, making the search easier to read.

Q: What does the fields command do?
A: Limits the fields displayed, and can make a search faster.

Q: What command do you use to remove certain fields?
A: fields -, for example: fields - clientip _raw removes the clientip and _raw fields.

Q: What is one of the most costly parts of searching in Splunk?
A: Field extraction.

Q: Which happens first, field inclusion or field extraction?
A: Field inclusion (fields +) happens before field extraction, which improves performance. Field exclusion (fields -) happens after extraction, so it only saves display work.

Q: How is the table command different from the fields command?
A: The table command returns the selected fields of the searched data in a tabulated format; fields only limits which fields are kept, leaving the results as events.

Q: What does the dedup command do?
A: Removes events that have duplicate values in the specified field(s).

Q: What does the sort command do?
A: Displays results in ascending or descending order, e.g. | sort Vendor Product_name. Use - for descending (biggest numbers first) and + for ascending (lowest numbers first).

Q: New pivots automatically populate with __________. (Select all that apply.)
a) Split rows b) Split columns c) Count of hosts d) Time range filter
A: d) Time range filter.

Q: (Correlating Events, Enriching Data with Lookups, and Accelerating Reports) Use this command to use lookup fields in a search and see the lookup fields in the field sidebar.
a) inputlookup b) lookup
A: b) lookup.

Q: (Getting Statistics) Which of the following commands will show the maximum bytes?
a) sourcetype=access_* | maximum totals by bytes
b) sourcetype=access_* | avg(bytes)
c) sourcetype=access_* | stats max(bytes)
d) sourcetype=access_* | max(bytes)
A: c) sourcetype=access_* | stats max(bytes).

Q: (Correlating Events, Enriching Data with Lookups, and Accelerating Reports) What is the correct order of steps for creating a new lookup?
A. Configure the lookup to run automatically
B. Create the lookup table
C. Define the lookup
a) B, A, C b) A, B, C c) B, C, A d) C, B, A
A: c) B, C, A.

Q: (Splunk Components) Which of the following are responsible for reducing search results?
a) search heads b) indexers c) forwarders
A: b) indexers.

Q: (Creating Searches and Saving Results) Which of the following search controls will not re-run the search? (Select all that apply.)
a) zoom out b) selecting a bar on the timeline c) deselect d) selecting a range of bars on the timeline
A: b) selecting a bar on the timeline, c) deselect, d) selecting a range of bars on the timeline.

Q: (Correlating Events, Enriching Data with Lookups, and Accelerating Reports) It is mandatory for the lookup file to have this for an automatic lookup to work.
a) Source type b) At least five columns c) Timestamp d) Input field
A: d) Input field.

Q: (Correlating Events, Enriching Data with Lookups, and Accelerating Reports) Lookups allow you to overwrite your raw event.
a) True b) False
A: a) True, in the sense that lookup output fields replace the values of existing fields at search time (use OUTPUTNEW to keep existing values). The indexed _raw text itself is not changed.

Q: (Search Fundamentals) Internal fields, such as _raw and _time, can be explicitly removed from results with the fields command.
a) True b) False
A: a) True. Internal fields are kept by default and are not affected by wildcards such as fields - *, but they are removed when named explicitly, e.g. fields - _raw _time (or fields - _* for all of them).

Q: (Creating Reports and Visualizations) There is NOT a Save As option when editing a report.
a) True b) False
A: b) False.

Q: (Creating Searches and Saving Results) The Splunk search language does not support wildcards.
a) True b) False
A: b) False.

Q: (Search Fundamentals) The following searches will return the same results. SEARCH 1: ssh error SEARCH 2: ssh AND error
a) True b) False
A: a) True (AND is implied between search terms).

Q: (Using Fields and Tags) When you run a search, fast mode extracts all fields very quickly.
a) True b) False
A: b) False.

Q: (Getting Statistics) This clause is used to group the output of a stats command by a specific name.
a) Rex b) As c) List d) By
A: d) By. The by clause groups results by each distinct value of the named field; as only renames an output field.

Q: (Creating Reports and Visualizations) Reports _____ allowing drilldown by default.
a) Are b) Are not
A: b) Are not.

Q: (Using Fields and Tags) Field discovery occurs at ___________ time.
a) search b) index
A: a) search. Only the metadata fields (index, host, source, sourcetype) are written at index time; other fields are extracted at search time, which is why extraction is costly.

Q: (Getting Statistics) This function of the stats command allows you to identify the number of values a field has.
a) max b) distinct_count c) fields d) count
A: d) count. count(field) counts the events in which the field has a value; distinct_count (dc) counts how many unique values it has.

Q: (Creating Alerts) Alert throttling is used to _______.
a) verify each alert b) stagger search requests in a time sequenced order c) stop spamming yourself with alerts d) check severity
A: c) stop spamming yourself with alerts.

Q: (Search Fundamentals) Field names are case ___________.
a) sensitive b) insensitive
A: a) sensitive.

Q: (Correlating Events, Enriching Data with Lookups, and Accelerating Reports) The command | outputlookup products.csv does which of the following?
a) Writes search results to a file named products.csv
b) Returns the contents of a file named products.csv
A: a) Writes search results to a file named products.csv.

Q: What does the inputlookup command do?
A: Loads results from a specified static lookup input source, such as a .csv file.

Q: In the Data Summary window, what is the difference between Host, Source, and Sourcetype?
A: Host: a semi-unique identifier such as host name or IP address. Source: the name of the file, stream, path, etc. Sourcetype: the product or software type, such as cisco_asa, ps, win_audit.

Q: What are some of the common stats functions?
A: 1) count 2) distinct_count or dc (unique value count) 3) sum 4) avg 5) list 6) values (unique value list).

Q: To keep from overwriting existing fields with your lookup you can use the _________ clause.
A: OUTPUTNEW.

Q: When Splunk does not have a predefined way to break events, how does it accomplish the task?
A: Either through timestamps or regular expressions.

Q: What is a lookup?
A: lookup is a command that invokes field value lookups and can merge unstructured and structured data. For example: ... | lookup <lookup-table-name> <lookup-field1> AS <event-field1>

Q: How would you access recent or saved search jobs?
A: Click the Activity drop-down menu in the top right of the Search app and select Jobs.

Q: Which meta fields are stored with events in the index prior to search time?
A: 1) host 2) source 3) sourcetype 4) _time 5) _raw.

Q: What are the two ways to create a report?
A: 1) Pivot 2) Search.

Q: What are the three required parts of a pivot?
A: The pivot command is a generating command and must be first in a search pipeline. It requires the data model, the data model object, and the pivot elements: ... | pivot <datamodel-name> <object-name> <pivot-element>

Q: What is Splunk's recommended naming convention, so that on the job you can find your reports and tell them apart?
A: <group>_<object>_<description>, e.g. Sales_Report_QuarterlySalesRevenue.

Q: How do you create a report from scratch?
A: Run a search, select Save As, select Report.

Q: Based on your needs, alerts can
A: Create an entry in Triggered Alerts, log an event, output results to a lookup file, send emails, use a webhook, perform a custom action.

Q: earliest=-2d@d latest=@d
A: From midnight two days ago up to midnight today, i.e. the whole of yesterday and the day before, nothing from today.

Q: If the instance only does search and not indexing, it is usually referred to as...
A: Search head.

Q: Directs search requests to a set of search peers and merges the results back to the user.
A: Search head.

Q: Transforms raw data into events and stores the events into an index.
A: Indexer.

Q: error earliest=-1d@d latest=-h@h
A: Retrieves events containing "error" from midnight yesterday up to the start of the previous full hour (run at 9:37, that is up to 8:00 today).

Q: Timeline controls: which two options re-execute the search?
A: Zoom to Selection and Zoom Out.

Q: For an external copy of search results, you can export to which formats?
A: Raw events (text file), CSV, XML, JSON.

Q: What are the five trigger conditions that can be set for alerts?
A: 1) Trigger when any result is found. 2) Trigger on a specific number of results. 3) Trigger on a specific number of hosts. 4) Trigger on a specific number of sources. 5) Custom criteria.

Q: How would you add the web index to the current search index=security "failed password"?
A: (index=security OR index=web) "failed password"

Q: What are the three search result view options?
A: 1) List (default) 2) Table 3) Raw.

Q: What are the benefits of a traditional index cluster?
A: 1) Replicate data. 2) Prevent data loss. 3) Promote availability. 4) Manage multiple indexers.

Q: What are the three main methods for creating tables and visualizations in Splunk?
A: 1) Running a report. 2) Using the Pivot interface. 3) Using transforming commands in the search bar.

Q: What is the benefit of using a monitor input?
A: A monitor input sends event data as it is written, rather than on a schedule or as a one-time upload, allowing near real-time information.

Q: What is the default time frame for a pivot?
A: All time.
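The three time-modifier questions above (-30m@h at 9:37, earliest=-2d@d latest=@d, and earliest=-1d@d latest=-h@h) all follow the same rule: apply the offset, then snap down to the unit after @. The resolver below is an added example written for this page, not Splunk code; it evaluates those modifiers against a constructed clock (Tuesday 2023-07-11 09:37:15) so the resulting windows can be checked, and it also handles a trailing offset after the snap (@d+9h) and month/year snapping, which the guide does not show. Splunk's real parser accepts more forms (w0..w6 snapping, quarters) that are not modelled here.

```python
"""Resolve Splunk-style relative time modifiers against a fixed "now".

Added example (not Splunk code): models the rule that the offset is applied
first, then @unit truncates to the start of that unit, then any trailing
offset is applied. The clock below is constructed.
"""
import calendar
import re
from datetime import datetime, timedelta

UNITS = r"(?:mon|s|m|h|d|w|y)"  # "mon" is listed before "m" so it wins the match
_MODIFIER = re.compile(
    rf"^(?:(?P<sign>[+-])(?P<num>\d*)(?P<unit>{UNITS}))?"     # e.g. -30m
    rf"(?:@(?P<snap>{UNITS})"                                   # e.g. @h
    rf"(?:(?P<psign>[+-])(?P<pnum>\d*)(?P<punit>{UNITS}))?)?$"  # e.g. @d+9h
)

# Constructed "now": Tuesday 2023-07-11 09:37:15 (the guide's 9:37 example).
NOW = datetime(2023, 7, 11, 9, 37, 15)


def _shift(t, sign, num, unit):
    """Apply an offset such as -30m; a missing number means 1 (so -h == -1h)."""
    n = int(num) if num else 1
    if sign == "-":
        n = -n
    if unit in ("mon", "y"):
        months = t.year * 12 + (t.month - 1) + (n if unit == "mon" else 12 * n)
        year, month = divmod(months, 12)
        month += 1
        day = min(t.day, calendar.monthrange(year, month)[1])  # clamp e.g. 31 -> 30
        return t.replace(year=year, month=month, day=day)
    return t + {"s": timedelta(seconds=n), "m": timedelta(minutes=n),
                "h": timedelta(hours=n), "d": timedelta(days=n),
                "w": timedelta(weeks=n)}[unit]


def _snap(t, unit):
    """Round DOWN to the start of the unit; Splunk never rounds up."""
    if unit == "s":
        return t.replace(microsecond=0)
    if unit == "m":
        return t.replace(second=0, microsecond=0)
    if unit == "h":
        return t.replace(minute=0, second=0, microsecond=0)
    day = t.replace(hour=0, minute=0, second=0, microsecond=0)
    if unit == "d":
        return day
    if unit == "w":  # @w snaps to the previous Sunday (Python's Monday is weekday 0)
        return day - timedelta(days=(day.weekday() + 1) % 7)
    if unit == "mon":
        return day.replace(day=1)
    return day.replace(month=1, day=1)  # "y"


def resolve(modifier, now=NOW):
    """Turn one earliest=/latest= modifier into an absolute datetime."""
    if modifier in ("", "now"):
        return now
    m = _MODIFIER.match(modifier)
    if not m:
        raise ValueError(f"unsupported time modifier: {modifier!r}")
    t = now
    if m["unit"]:
        t = _shift(t, m["sign"], m["num"], m["unit"])
    if m["snap"]:
        t = _snap(t, m["snap"])
    if m["punit"]:
        t = _shift(t, m["psign"], m["pnum"], m["punit"])
    return t


def window(earliest, latest="now", now=NOW):
    """Return the search window (start inclusive, end exclusive) as ISO strings."""
    start, end = resolve(earliest, now), resolve(latest, now)
    if start > end:
        raise ValueError("earliest is after latest")
    return start.isoformat(sep=" "), end.isoformat(sep=" ")


if __name__ == "__main__":
    for e, l in [("-30m@h", "now"), ("-2d@d", "@d"), ("-1d@d", "-h@h")]:
        print(f"earliest={e:<8} latest={l:<6} ->", *window(e, l))
```

Run it and compare the printed windows with the three answers above; the point worth remembering for alert searches is that a snapped latest= (such as -h@h) deliberately excludes the partial current hour, so events from the last 60 to 119 minutes are never seen by that search.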
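The guide states that field names are case sensitive, that values in field=value terms are not, and that != and NOT do not always return the same results, but it does not show why. The model below is an added example written for this page, not Splunk code: the four sshd-style events are constructed, and the functions reproduce the documented matching rules over them (the where command, whose string comparisons are case sensitive, is not modelled).

```python
"""Model how Splunk evaluates field=value, field!=value and NOT field=value.

Added example, not Splunk code. Events are constructed; the functions follow
the rules in the study guide: field names case-sensitive, values in search
terms case-insensitive, and != requires the field to exist.
"""

# Constructed sshd-style events. The third has no 'user' field at all, which is
# exactly the kind of event that `user!=root` silently drops.
EVENTS = [
    {"_raw": "Failed password for root from 10.0.0.5", "user": "root", "action": "failure"},
    {"_raw": "Accepted password for alice from 10.0.0.7", "user": "alice", "action": "SUCCESS"},
    {"_raw": "Received disconnect from 10.0.0.9", "action": "failure"},
    {"_raw": "Failed password for Root from 10.0.0.5", "user": "Root", "action": "failure"},
]


def field_eq(event, name, value):
    """field=value: the name must match exactly, the value compares case-insensitively.

    An event that lacks the field can never satisfy field=value."""
    if name not in event:
        return False
    return str(event[name]).casefold() == str(value).casefold()


def field_ne(event, name, value):
    """field!=value: true only when the field EXISTS and holds a different value."""
    if name not in event:
        return False
    return str(event[name]).casefold() != str(value).casefold()


def not_field_eq(event, name, value):
    """NOT field=value: everything field=value rejects, including events with no such field."""
    return not field_eq(event, name, value)


def search(events, predicate):
    """Run one predicate over the event list, like a single search-bar expression."""
    return [e for e in events if predicate(e)]


def compare_exclusions(events, name, value):
    """Return the _raw text of events kept by field!=value and by NOT field=value."""
    kept_ne = [e["_raw"] for e in search(events, lambda e: field_ne(e, name, value))]
    kept_not = [e["_raw"] for e in search(events, lambda e: not_field_eq(e, name, value))]
    return kept_ne, kept_not


if __name__ == "__main__":
    ne, nt = compare_exclusions(EVENTS, "user", "root")
    print("user!=root    ->", ne)
    print("NOT user=root ->", nt)
```

The disconnect event with no user field appears only in the NOT user=root result. When you exclude a known-good account to hunt for everything else, != quietly discards events where extraction failed or the field never existed, which is exactly where malformed or evasive activity tends to land.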
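Several of the lookup questions above (the input field requirement, "lookups allow you to overwrite", OUTPUTNEW, inputlookup and outputlookup) describe one mechanism from different angles. The following is an added example for this page, not Splunk code: it models a CSV lookup over constructed events so the OUTPUT-versus-OUTPUTNEW difference and the no-match case can be seen. The CSV text, the events and the field names (productId, product_name, category) are illustrative.

```python
"""Model the lookup command: enrich events from a CSV table, OUTPUT vs OUTPUTNEW.

Added example, not Splunk code. The CSV text and events are constructed.
Rules modelled from the guide: the event must carry the input field, output
fields overwrite existing values unless OUTPUTNEW is used, _raw is untouched.
"""
import csv
import io

# Constructed lookup table, as it would be uploaded as products.csv.
PRODUCTS_CSV = """productId,product_name,category
DB-SG-G01,Mediocre Kingdoms,STRATEGY
WC-SH-G04,Final Sequel,SHOOTER
"""

# Constructed events; the second already carries a (stale) product_name,
# the third has a productId the table does not know.
EVENTS = [
    {"_raw": "GET /cart.do?productId=DB-SG-G01", "productId": "DB-SG-G01"},
    {"_raw": "GET /cart.do?productId=WC-SH-G04", "productId": "WC-SH-G04", "product_name": "Legacy Name"},
    {"_raw": "GET /cart.do?productId=XX-XX-X00", "productId": "XX-XX-X00"},
]


def inputlookup(csv_text):
    """| inputlookup products.csv : the table itself, one dict per row."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def lookup(events, table, lookup_field, event_field=None, output_new=False):
    """| lookup <table> <lookup_field> AS <event_field> [OUTPUT|OUTPUTNEW ...]

    A default CSV lookup matches case-sensitively (case_sensitive_match=true),
    so the index is keyed on the exact value.
    """
    event_field = event_field or lookup_field
    index = {row[lookup_field]: row for row in table}
    enriched = []
    for event in events:
        event = dict(event)                      # never mutate the stored event
        row = index.get(event.get(event_field))  # no input field value -> no match
        if row is not None:
            for field, value in row.items():
                if field == lookup_field:
                    continue
                if output_new and field in event:
                    continue                     # OUTPUTNEW keeps the existing value
                event[field] = value             # OUTPUT (the default) overwrites it
        enriched.append(event)
    return enriched


def outputlookup(events, fields):
    """| outputlookup new.csv : write selected fields of the results as CSV text."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fields, extrasaction="ignore", lineterminator="\n")
    writer.writeheader()
    writer.writerows(events)
    return buf.getvalue()


if __name__ == "__main__":
    table = inputlookup(PRODUCTS_CSV)
    for e in lookup(EVENTS, table, "productId", output_new=True):
        print(e)
    print(outputlookup(lookup(EVENTS, table, "productId"), ["productId", "product_name"]))
```

Note the two things that silently do nothing: an event whose key is absent from the table gets no fields at all, and an automatic lookup configured on a field the events do not carry enriches nothing, which is why the input field is mandatory.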

Last updated: 2 years ago

Uploaded On: Jul 09, 2023
Number of pages: 12
Written in: All

Seller: Nolan19
Scholarfriends.com Online Platform by Browsegrades Inc. 651N South Broad St, Middletown DE. United States.