Splunk Fundamentals 1|183 Questions with Answer 2023
5 Main components of Splunk Enterprise - CORRECT ANSWER Index Data,
Search & investigate,
Add knowledge,
Monitor & Alert,
Report & Analyze.
- Module 1
Three main roles in Splunk? (3) - CORRECT ANSWER Admin, Power, User
- Module 1
What role can install apps, create knowledge objects for all users, and control which apps a user sees by default? - CORRECT ANSWER Admin
What role can create and share knowledge objects for users of an app, and create real-time searches? - CORRECT ANSWER Power User
What role can only see its own knowledge objects and those shared with it? - CORRECT ANSWER User
What are Apps in Splunk? - CORRECT ANSWER They are designed to address a wide variety of use cases and extend the power of Splunk
They are a collection of files containing data inputs, UI elements, and/or knowledge objects
They allow multiple workspaces for different use cases/user roles to coexist on a single Splunk instance
There are 1000+ ready-made apps in Splunkbase
- Module 1
What does the Search and Reporting app do in Splunk? - CORRECT ANSWER a. A default interface for searching and analyzing data
b. Creates knowledge objects, reports, and dashboards
- Module 1
What are the seven main components in the Splunk Search and Reporting app? - CORRECT ANSWER Splunk bar,
App bar,
Search bar,
Time range picker,
How to search panel,
What to search panel, and
Search History
- Module 1
What does the time range picker do? - CORRECT ANSWER a. The single most important parameter you can specify
b. Retrieves events over a specific time period
c. Allows searching by preset times, relative times, real time (earliest, latest), and date range
Limiting search by ___________ is key to faster results and is a best practice - CORRECT ANSWER Time
- Module 7
The time range picker is set to _________ by default. - CORRECT ANSWER All-time
Search jobs are available for ____ minutes by default. - CORRECT ANSWER 10
________ commands create statistics and visualizations. - CORRECT ANSWER Transforming
________ tab is default tab for searches - CORRECT ANSWER Event
The three main search modes? - CORRECT ANSWER Fast, Verbose, and Smart - Module 6
The _______ search mode emphasizes speed over completeness and has field discovery turned off for event searches. No event or field data for stats searches. - CORRECT ANSWER Fast - Module 6
The ______ search mode emphasizes completeness over speed and has all event and field data. Splunk switches to this mode after visualization. - CORRECT ANSWER Verbose - Module 6
The ______ search mode (default; based on the search string) has field discovery ON for event searches. No event or field data for stats searches. Balances speed and completeness. - CORRECT ANSWER Smart - Module 6
What options are available under the "Job" action button? - CORRECT ANSWER Edit job settings,
Send job to the background,
Inspect job,
Delete job
Saved searches are set to ______ by default. - CORRECT ANSWER private
The timestamp seen in events is based on the user's ______ setting in the user's account profile. - CORRECT ANSWER Time Zone
List the three Booleans - CORRECT ANSWER (AND, OR, NOT)
The ________ Boolean is implied if none is specified - CORRECT ANSWER AND
Exact phrases must be enclosed in ______ - CORRECT ANSWER Quotes
Generally, you need quotes around phrases and field values that include white space, commas, pipes, quotes, or brackets. Quotes must be balanced: an opening quote must be followed by an unescaped closing quote.
Use a _______ to search for a string that contains quotes - CORRECT ANSWER backslash
The backslash character (\) is used to escape quotes, pipes, and itself.
Example: the value info="user "chrisV4" not in database" must be written as info="user \"chrisV4\" not in database"
The three default search fields automatically selected are - CORRECT ANSWER Host, Source, Sourcetype - Module 6
The _______ sidebar shows all fields extracted at search time - CORRECT ANSWER Fields - Module 6
_______ fields (host, source, sourcetype) are default and appear in every event - CORRECT ANSWER Selected - Module 6
_______ fields have values in at least 20% of the events - CORRECT ANSWER Interesting - Module 6
Clicking on a field shows a list of _______, ________, and ________. - CORRECT ANSWER values, count, and percentage - Module 6
These fields can launch a quick report by clicking on them (4) - CORRECT ANSWER Top values, Top values by time, Rare values, Events with this field - Module 6
Use ______ to limit search to only one sourcetype - CORRECT ANSWER sourcetype=
_____ are case sensitive, _______ case insensitive - CORRECT ANSWER field names, field values - Module 6
These symbols are only used with numerical values? - CORRECT ANSWER > >= < <=
(T/F) Using NOT and != would return the same results. - CORRECT ANSWER True
Use _______ to nest Boolean searches - CORRECT ANSWER parentheses
______ is better than exclusion - CORRECT ANSWER inclusion - Module 7
When creating reports you can edit, clone, embed, and delete under the ______ tab - CORRECT ANSWER report
Create charts, compute statistics, and format results - CORRECT ANSWER search commands
Top command returns top ____ results with a count and percentage - CORRECT ANSWER 10
What are the three ways to create visualizations? - CORRECT ANSWER 1. Select a field from the fields sidebar
2. Use the pivot interface
3. Use the Splunk search language commands in the search bar with statistics and visualization tabs
Save visual reports as a _______ or a _______ - CORRECT ANSWER report or a dashboard panel
________ is an action that a saved search triggers based on the results of the search - CORRECT ANSWER Alert
________ designs reports into a simple interface without having to craft a search string - CORRECT ANSWER Pivot
The default time value for pivot is ______ - CORRECT ANSWER all the time
The data model is the framework and the ______ is the interface to the data - CORRECT ANSWER pivot
_______ object is the main source of data - CORRECT ANSWER Root
Adding a _______ object acts like an AND boolean in Splunk - CORRECT ANSWER Child Dataset
(T/F) An instant pivot allows instant access to data without having a data model - CORRECT ANSWER True
Alerts use a _______ search to check for events. - CORRECT ANSWER saved
Adjust the ______ type to configure how often the search runs - CORRECT ANSWER alert
Use ________ alerts to check for events on a regular basis - CORRECT ANSWER Scheduled
_______ alerts monitor for events continuously - CORRECT ANSWER Real-time
An _______ action can notify you of a triggered alert and help you start responding to it - CORRECT ANSWER alert
Search terms include (6) - CORRECT ANSWER Keywords, booleans, phrases, fields, wildcards, and comparisons.
______ is the most efficient filter - CORRECT ANSWER Time
Search terms are case sensitive or case insensitive? (components of search language) - CORRECT ANSWER Case insensitive
______ tell Splunk what we want to do with the search results, like creating charts, stats, and formatting. - CORRECT ANSWER Commands
______ explain how we want to chart, compute and evaluate the results, like "List" - CORRECT ANSWER Functions
______ are the variables we want to apply to the functions, like a "Field Name" - CORRECT ANSWER Arguments
_______ explain how we want the results grouped or defined, like "as" OR "by" - CORRECT ANSWER Clauses
_____ is used to pass current results to the next search component - CORRECT ANSWER A pipe
(T/F) Search commands work from left to right - CORRECT ANSWER True
(T/F) Once an item is filtered out it is no longer available in the search string - CORRECT ANSWER True
The _____ command includes or excludes fields from search results. - CORRECT ANSWER Fields
Exclude a field by using a ______ symbol - CORRECT ANSWER minus (-)
(T/F) Primary fields _time and _raw will always be extracted, but can also be removed by using the fields command with the minus (-) symbol - CORRECT ANSWER True
Field _____ happens after all the fields have been extracted from a search. Field ______ only affects the displayed results. - CORRECT ANSWER exclusion, extraction
The ________ command retains searched data in tabular format using only the fields in the argument list - CORRECT ANSWER table
(T/F) Regarding the rename command, once a field is renamed the original name is available to later search commands - CORRECT ANSWER F
This command removes events with duplicate values; it can be used on multiple fields - CORRECT ANSWER dedup
The _____ command followed by a field name displays results in ascending (+, default) or descending (-) order. You can use the "limit=#" option to reduce the results - CORRECT ANSWER sort
(T/F) Lookup fields also appear in the fields sidebar - CORRECT ANSWER True
The _____ command produces statistics of a search result - CORRECT ANSWER stats
This function of the stats command shows the number of events matching search criteria - CORRECT ANSWER stats count
Use this command and function to sum numerical values - CORRECT ANSWER stats sum
This command performs stats aggregation against time - CORRECT ANSWER timechart command
Use the _____ clause to split data by additional fields - CORRECT ANSWER by
(T/F) usenull=_____ will remove NULL values - CORRECT ANSWER False
fillnull Command i.e. fillnull value=NULL - CORRECT ANSWER The fillnull command adds a field and default value to events or results that lack fields present on other events or results in the search.
Used to group multiple events into a single meta-event that represents a single physical event. - CORRECT ANSWER The transaction command
Data processing commands - CORRECT ANSWER sort, eventstats, and
some modes of cluster, dedup, and fillnull.
Transforming commands - CORRECT ANSWER "transform" the specified cell values for each event into numerical values that Splunk software can use for statistical purposes.
Indexes data and files it into directories by age - CORRECT ANSWER Indexer
Uses Splunk search language, distributes search requests to indexers. Contains reports, dashboards, and visualizations - CORRECT ANSWER Search heads
Consumes and sends data to the indexer - CORRECT ANSWER Forwarders
Splunk's way of categorizing the type of data: knowing where to break events, the location of the timestamp, and how to create field pairs - CORRECT ANSWER sourcetype
Watches files, directories, HTTP events, etc. - CORRECT ANSWER Monitor (add data)
Are case insensitive and *wildcard supported - CORRECT ANSWER Search terms
Booleans - in orange - CORRECT ANSWER AND, OR, NOT in this order (AND is implied) and must be uppercase
Has the following: timestamp, host, source, sourcetype - CORRECT ANSWER Event details
Where can you set read permissions, lifetime, and link to a job - CORRECT ANSWER Job settings
Searchable key/value pairs in your event data. They are case sensitive - CORRECT ANSWER Fields
A set of configurable fields displayed for each event. Field names are case sensitive - field values are not - CORRECT ANSWER Search fields
Occur in at least 20% of resulting events - CORRECT ANSWER Interesting fields
Looks back to the designated earliest event - CORRECT ANSWER earliest i.e. earliest=-hr
Looks to the ending time range. The @ snaps to the time period defined - CORRECT ANSWER latest i.e. latest=@d
A location where Splunk stores and searches for event data - CORRECT ANSWER Indexer
This role segregates data into separate indexes to limit access by Splunk role - CORRECT ANSWER Administrators
Search component that defines what you are looking for - keywords, phrases, Booleans, etc. These are case insensitive - CORRECT ANSWER Search terms
Search component that defines what you want to do with the results -- create a chart, compute statistics, evaluate and format, etc - CORRECT ANSWER Commands (blue)
Search component that defines how you want to chart, compute, or evaluate results - get sum, get an average, transform the values, etc - CORRECT ANSWER Functions (purple)
Are variables that you can apply to functions -- can calculate average value for a specific field, convert milliseconds to seconds, etc - CORRECT ANSWER Arguments (green)
Determines how you want to group or name the fields in the results, can give the field another name or group values by or over - CORRECT ANSWER Clauses
The command that returns a table formed only by the fields in the argument list. Each row is an event and each argument is a column - CORRECT ANSWER table {| table clientip, action, status}
When used with "as", changes the name of a field - CORRECT ANSWER rename {| rename productid as ProductID}
The command that allows you to include or exclude specified fields in your search or report - CORRECT ANSWER fields (+ is the default, - excludes) {| fields user, app, action}
The command that removes duplicates from your search results - CORRECT ANSWER dedup {| dedup VendorCity, VendorState}
The command that orders your results in + (default) ascending or - descending - CORRECT ANSWER sort {| sort country, -city, state}
The command that controls the number of returned results - CORRECT ANSWER limit {| limit=20}
The command that finds the most common values of a given field in the results set. By default returns the first 10 values and displays in table format - CORRECT ANSWER top {| top src_ip}
Host - CORRECT ANSWER Name or IP address of the network device from which the events originated
Source - CORRECT ANSWER Name of the file, stream or other data input
The command that returns the least common values of a given field in the results set. By default returns the first 10 values and displays in table format - CORRECT ANSWER rare
The command that enables you to calculate statistics on data that matches your search criteria - CORRECT ANSWER stats
The command that returns the most common values of a given field in the results set. By default returns the first 10 values and displays in table format - CORRECT ANSWER top
| top user Xweb_code limit=3 - CORRECT ANSWER Displays the top 3 common values for users and web categories browsed in the last 24 hours
When you start a new search, the default time range is Last 24 hours.
| top xweb_cat by user limit=3 - CORRECT ANSWER Displays the top 3 common web categories browsed by each user
| top user x_web cat limit=3 countfield="total Viewed" showperc=f - CORRECT ANSWER Displays the top 3 user/web category combinations. Renames the count field and shows the count, but not the percentage
| (invalid OR failed) | stats count as "Potential Issues" - CORRECT ANSWER Counts the invalid or failed login attempts as "Potential Issues"
| stats count(vendor_action) as ActionEvents, count as TotalEvents - CORRECT ANSWER Counts the number of events during the last 15 minutes that contain a vendor_action field. Also counts total events
The clause that, when used with the stats command, returns a count for each value of a named field or set of fields - CORRECT ANSWER by (field or fields)
example "| stats count by user, app, vendor_action"
Stats function that provides a count of how many unique values there are for a given field in the result set - CORRECT ANSWER distinct_count(field) or dc(field)
example "| stats dc(s_hostname) as Websites"
Stats function that sums the actual values of a specific field - CORRECT ANSWER sum(field)
example "| stats sum(sc_bytes) as Bandwidth by s_host"
Stats function that provides the average numeric value for the given numeric field - CORRECT ANSWER avg(field)
example "| stats avg(sc_bytes) as "average Bytes" by usage"
Stats function that lists all field values for a given field - CORRECT ANSWER list(field)
example "| stats list(s_hostname) as "Web Sites" by username"
Stats function that returns a list of "unique" field values - CORRECT ANSWER values(field)
example "| stats values(s_hostname) as "Web Sites" by username"
Three main methods to create tables and visualizations in Splunk are: - CORRECT ANSWER 1) Select a field from the fields sidebar
2) Use the Pivot interface
3) Use a transforming command in the search bar
Consists of one or more panels displaying data visually - i.e. events, tables, or charts - CORRECT ANSWER Dashboard
(T/F) A report or a pivot cannot be used to create a panel on a dashboard - CORRECT ANSWER False, Pivots can most definitely be used to create panels on dashboards.
(T/F) Any change to the underlying dashboard will not affect every dashboard panel that utilizes that report - CORRECT ANSWER False
_____ are used when static or unchanging data is required for searches but isn't available in the index - CORRECT ANSWER Lookups
_____ allow you to add more fields to your events and are usually defined in a static ".csv" file or output from a Python script - CORRECT ANSWER Lookups
What is the command that loads results from a specified lookup _____________? - CORRECT ANSWER INPUTLOOKUP
example... "| inputlookup products.csv"
Searches sent to Splunk become - CORRECT ANSWER (Search) Jobs
New Search window contains - CORRECT ANSWER 1. Save As Menu,
2. Search Result Tabs,
3. Search Action buttons,
4. Search Mode Selector, and
5. Timeline,
6. The Events, and
7. Fields Extracted
- Module 5
The Search Results Tabs - CORRECT ANSWER Events
Patterns
Statistics
Visualizations
The Events Tab - CORRECT ANSWER Displays the events returned for the search and the fields extracted from them (for a simple query this is the default tab)
The Patterns Tab - CORRECT ANSWER See patterns in data, get a better understanding of data
Commands that create statistics or visualizations are called ____________. - CORRECT ANSWER Transforming Commands
By default a search job will remain active for __________ - CORRECT ANSWER 10 minutes after it runs; after that, Splunk needs to run the job again to return the results
By default a shared search job will remain active for ______ - CORRECT ANSWER 7 days and readable to everyone
The Export icon allows exporting in what formats? - CORRECT ANSWER Raw, CSV, XML or JSON
What color are Boolean operators and command modifiers in the search bar? - CORRECT ANSWER Orange
What color are commands in the search bar? - CORRECT ANSWER Blue
What color are command arguments in the search bar? - CORRECT ANSWER Green
What color are functions in the search bar? - CORRECT ANSWER Purple
(T/F) Lookup field values are case sensitive - CORRECT ANSWER True
When can you use lookup fields in a search? - CORRECT ANSWER After the lookup has been configured
When do you use the lookup command in your search? - CORRECT ANSWER If the lookup is not configured to run automatically
If you use the lookup command in your search, the ____ argument is optional - CORRECT ANSWER OUTPUT
(T/F) If the OUTPUT argument is not specified the lookup will return all fields from the lookup - CORRECT ANSWER True
If you specify the OUTPUT argument in a lookup search, what happens to existing fields - CORRECT ANSWER They get overwritten
What argument should you use to prevent lookup fields from being overwritten - CORRECT ANSWER OUTPUTNEW
How long do Output lookup fields exist - CORRECT ANSWER Only for the current search
When can you create a time-based lookup - CORRECT ANSWER If a field in the lookup table represents a timestamp
This is useful for monthly, weekly, or daily reports, dashboard performance, and automatically sending reports via email - CORRECT ANSWER Scheduled Report
To create a scheduled report - CORRECT ANSWER Start with the search it will be based on and choose Report from the Save As menu
There is no reason to include this for a scheduled report - CORRECT ANSWER Time Range Picker
When scheduling a report, this is only available to Admin users - CORRECT ANSWER Schedule Priority
The options under Schedule Priority are - CORRECT ANSWER Default, Higher, Highest
This setting allows you to set a timeframe in which to run your report - CORRECT ANSWER Schedule Window
These are the actions that can be triggered from a scheduled report - CORRECT ANSWER - Log Event
- Output results to lookup
- Output results to telemetry endpoint
- Run a script
- Send email
- Webhook - sends an HTTP POST request to specified URL
Scheduled reports can be managed here _______ - CORRECT ANSWER From the "Searches, Reports, and Alerts" link in the Settings drop-down menu
When you click the name of your report in the "Searches, Reports, and Alerts" window you can do this ______ - CORRECT ANSWER Change the search string and time range
When you click the edit menu on a report you can - CORRECT ANSWER Edit Search, Permissions, Schedule, Acceleration, Summary Indexing, Disable or Clone, Embed, Move or Delete
You can also access your report from the _____ - CORRECT ANSWER Reports tab in the Search and Reporting app
When you click the name of your report in the "Reports tab in the Search and Reporting app" - CORRECT ANSWER Displays the results of the scheduled report
Do this _____ to make a report available to users who do not have access to the Splunk instance - CORRECT ANSWER Embed the report
An embedded report will be viewable by ____ - CORRECT ANSWER anyone who has access to the web page
When will an embedded report show data - CORRECT ANSWER After the scheduled search has run
(T/F) once embedding is enabled you will no longer be able to edit attributes for the report - CORRECT ANSWER True
(T/F) You can add a scheduled report to a dashboard - CORRECT ANSWER True
The Run As option in the edit permissions window determines which user profile is used at run time - CORRECT ANSWER - Owner - all data accessible by the owner appears in the report
- User - only data the user role is allowed to access appears
Alerts are based on searches that can run either: - CORRECT ANSWER - On a regular scheduled interval
- In real-time
Alerts are triggered when ______ - CORRECT ANSWER The results of the search meet a specific condition that you define
Alerts can: - CORRECT ANSWER - Create an entry in Triggered Alerts
- Log an event
- Output results to a lookup file
- Send emails
- Use a webhook
- Perform a custom action
Alert Permissions are set to ____ by Default - CORRECT ANSWER Private - only you can access, edit, and view triggered alerts
What happens when the Alert Permissions are set to "Shared in app" - CORRECT ANSWER - All users of the app can view triggered alerts
- By default, everyone has read access and "power users" have write access to the alert
You can choose an Alert to run in what ways - CORRECT ANSWER • Scheduled alerts
- Search runs at a defined interval
- Evaluates trigger condition when the search completes
• Real-time alerts
- Search runs constantly in the background
- Evaluates trigger conditions within a window of time based on the conditions you define
Scheduled alerts can run at these defined intervals - CORRECT ANSWER Every Hour, Day, Week, Month or on a Cron Schedule
When you set your alert to run on a Cron Schedule you must do what ______ - CORRECT ANSWER Choose a Time Range and enter a Cron Expression
You can set alerts to trigger: - CORRECT ANSWER - Per-Result
- Number of Results
- Number of Hosts
- Number of Sources
- Custom