SPLUNK Fundamentals 1 | 74 Questions with Answers 2023
Interesting Fields - CORRECT ANSWER Have values in at least 20% of the events M6
Field Names are... Case Sensitive or NOT Case Sensitive - CORRECT ANSWER Case Sensitive M6
Field Values are... Case Sensitive or NOT Case Sensitive - CORRECT ANSWER NOT Case Sensitive M6
= and != (equal and not equal to) - CORRECT ANSWER can be used with numerical or string values M6
!= and NOT - CORRECT ANSWER will not always return the same results M6 (field!=value only returns events in which the field exists with a different value; NOT field=value also returns events that do not have the field at all)
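The four M6 cards above (case-sensitive field names, case-insensitive values, = and !=, and why != and NOT differ) are easiest to see on concrete events. The following is an added example that re-implements those rules in Python over a constructed set of events; it is not Splunk's own code, and the event dicts and field names are made up for illustration.

```python
"""Model of how ``field=value``, ``field!=value`` and ``NOT field=value``
behave in a Splunk search (an added example; a re-implementation of the
rules on this page, not Splunk's own code).

Assumptions: an event is a dict of already-extracted fields; field names
match exactly (case-sensitive); field values compare case-insensitively;
``*`` is a wildcard.
"""
from fnmatch import fnmatchcase

# Constructed sample events. The third one has no "status" field at all,
# which is exactly the case where != and NOT part ways.
EVENTS = [
    {"_raw": "GET /login 200", "status": "200", "action": "Login"},
    {"_raw": "GET /admin 403", "status": "403", "action": "login"},
    {"_raw": "heartbeat ok", "action": "LOGIN"},
]


def field_equals(event, field, pattern):
    """``field=pattern``: the field must exist and its value must match.

    Field names are case-sensitive (``Status`` never finds ``status``);
    field values are not, and ``*`` matches any run of characters.
    """
    if field not in event:
        return False
    return fnmatchcase(str(event[field]).lower(), str(pattern).lower())


def field_not_equals(event, field, pattern):
    """``field!=pattern``: the field must EXIST and must not match."""
    return field in event and not field_equals(event, field, pattern)


def not_field_equals(event, field, pattern):
    """``NOT field=pattern``: negates the whole match, so events that lack
    the field are returned as well."""
    return not field_equals(event, field, pattern)


OPERATORS = {
    "=": field_equals,
    "!=": field_not_equals,
    "NOT =": not_field_equals,
}


def search(events, operator, field, pattern):
    """Return the _raw text of every event the clause matches."""
    test = OPERATORS[operator]
    return [e["_raw"] for e in events if test(e, field, pattern)]


if __name__ == "__main__":
    for op in OPERATORS:
        print(f"status {op} 200 ->", search(EVENTS, op, "status", "200"))
```

Running it shows `status!=200` returning only the 403 event, while `NOT status=200` also returns the heartbeat event that has no status field; `action=login` matches all three spellings of the value, but `Action=login` matches nothing.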
These default fields are the most powerful because they are extracted at index time and do not need to be extracted again at each search. - CORRECT ANSWER index, source, host, sourcetype
M7
Which is better INCLUSION or EXCLUSION? - CORRECT ANSWER Inclusion is generally better than exclusion
Searching for "access denied" is better than NOT "access granted"
M7
@ Time - CORRECT ANSWER can be used to round down to nearest unit
M7
-30m@h
Run at 9:37, what events are returned? - CORRECT ANSWER Events from 9:00 on are returned
M7
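The "-30m@h at 9:37" card is one instance of a general rule: apply the offset first, then snap down to the start of the @ unit. The following is an added example, a Python re-implementation of that rule (not Splunk's own code) that also covers offset-only modifiers such as -h, snap-only modifiers such as @d, and @w (which, as in Splunk, snaps to the previous Sunday); the timestamps in it are constructed.

```python
"""Compute Splunk-style relative time modifiers such as ``-30m@h``
(an added example; a re-implementation of the documented semantics,
not Splunk code).

A modifier is ``[<+|-><n><unit>][@<unit>]``: apply the offset first,
then snap DOWN to the start of the ``@`` unit. Units handled here:
s, m, h, d, w. ``@w`` snaps to the previous Sunday, as Splunk's @w/@w0 does.
"""
import re
from datetime import datetime, timedelta

UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
_MODIFIER = re.compile(r"^(?:([+-])(\d*)([smhdw]))?(?:@([smhdw]))?$")


def snap_down(t, unit):
    """Round ``t`` down to the start of the given unit."""
    if unit == "s":
        return t.replace(microsecond=0)
    if unit == "m":
        return t.replace(second=0, microsecond=0)
    if unit == "h":
        return t.replace(minute=0, second=0, microsecond=0)
    if unit == "d":
        return t.replace(hour=0, minute=0, second=0, microsecond=0)
    if unit == "w":  # previous Sunday 00:00 (weekday(): Monday=0 ... Sunday=6)
        day = t.replace(hour=0, minute=0, second=0, microsecond=0)
        return day - timedelta(days=(day.weekday() + 1) % 7)
    raise ValueError(f"unsupported snap unit {unit!r}")


def relative_time(modifier, now):
    """Resolve ``modifier`` against the datetime ``now``."""
    if modifier == "now":
        return now
    m = _MODIFIER.match(modifier)
    if not m or modifier == "":
        raise ValueError(f"unsupported modifier {modifier!r}")
    sign, count, unit, snap = m.groups()
    t = now
    if unit:
        n = int(count) if count else 1      # "-h" means "-1h"
        delta = timedelta(seconds=n * UNIT_SECONDS[unit])
        t = t + delta if sign == "+" else t - delta
    if snap:
        t = snap_down(t, snap)              # snapping happens AFTER the offset
    return t


def relative_time_iso(modifier, now_iso):
    """String-in, string-out wrapper: ISO 8601 timestamp in and out."""
    return relative_time(modifier, datetime.fromisoformat(now_iso)).isoformat()


if __name__ == "__main__":
    for mod in ("-30m@h", "-h", "-1d@d", "@w"):
        print(f"{mod:8} at 2023-05-03T09:37:15 ->",
              relative_time_iso(mod, "2023-05-03T09:37:15"))
```

Note the edge case the card does not mention: at 9:07 the same -30m@h lands at 8:00, because 9:07 minus 30 minutes is 8:37 and the snap then rounds down to the previous hour, so the window is always at least 30 minutes and up to an hour and a half wide.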
Define Indexes - CORRECT ANSWER Where splunk stores event data for searching
M7
Splunk administrators will use multiple __________ to segregate data. - CORRECT ANSWER Indexes
M7
The Splunk Search Language is built from what five components - CORRECT ANSWER Search Terms
Commands
Functions
Arguments
Clauses
Boolean operators and command modifiers will display in what color - CORRECT ANSWER Orange (for example AND, OR)
Commands display in what color? - CORRECT ANSWER Blue
Command Arguments display in what color? - CORRECT ANSWER Green
Functions display in what color? - CORRECT ANSWER Purple
Control + \ on Windows
or
Command + \ on Apple
will do what? - CORRECT ANSWER cause each pipe to move to a new line
(making the search easier to read)
What does the fields command do? - CORRECT ANSWER Useful to limit fields displayed and can make search faster
What command do you use to remove certain fields - CORRECT ANSWER fields -
i.e. fields - client ip raw
removes the client ip and raw fields
What is one of the most costly parts of searching splunk? - CORRECT ANSWER Field Extraction
Which happens first field inclusion or field extraction? This improves performance - CORRECT ANSWER Field Inclusion
How is the table command different from the fields command? - CORRECT ANSWER The fields command only includes or excludes fields and leaves the results as events; the table command is a transforming command that displays the specified fields as a table, one column per field.
What does the dedup command do? - CORRECT ANSWER Removes events with duplicate values.
What does the sort command do? - CORRECT ANSWER Displays results in ascending or descending order.
| sort Vendor Product_name
Biggest numbers first (descending): prefix the field with -
Lowest numbers first (ascending, the default): prefix the field with + or use no prefix
New pivots automatically populate with __________ (Select all that apply)
a)Split rows
b)Split columns
c)Count of hosts
d)Time range filter - CORRECT ANSWER d)Time range filter
Correlating Events, Enriching Data with Lookups, and Accelerating Reports:
Use this command to use lookup fields in a search and see the lookup fields in the field sidebar.
a) inputlookup
b) lookup - CORRECT ANSWER b) lookup
Getting Statistics:
Which of the following commands will show the maximum bytes?
a) sourcetype=access_* | maximum totals by bytes
b) sourcetype=access_* | avg (bytes)
c) sourcetype=access_* | stats max(bytes)
d) sourcetype=access_* | max(bytes) - CORRECT ANSWER c) sourcetype=access_* | stats max(bytes)
Correlating Events, Enriching Data with Lookups, and Accelerating Reports:
What is the correct order of steps for creating a new lookup?
A. Configure the lookup to run automatically
B. Create the lookup table
C. Define the lookup
a) B, A, C
b) A, B, C
c) B, C, A
d) C, B, A - CORRECT ANSWER c) B, C, A
Splunk Components:
Which of the following are responsible for reducing search results?
a) search heads
b) indexers
c) forwarders - CORRECT ANSWER b) indexers
Creating Searches and Saving Results:
Which of the following search controls will not re-run the search? (Select all that apply.)
a) zoom out
b) selecting a bar on the timeline
c) deselect
d) selecting a range of bars on the timeline - CORRECT ANSWER b) selecting a bar on the timeline
c) deselect
d) selecting a range of bars on the timeline
Correlating Events, Enriching Data with Lookups, and Accelerating Reports:
It is mandatory for the lookup file to have this for an automatic lookup to work.
a)Source type
b)At least five columns
c)Timestamp
d)Input field - CORRECT ANSWER d)Input field
Correlating Events, Enriching Data with Lookups, and Accelerating Reports:
Lookups allow you to overwrite your raw event.
a)True
b)False - CORRECT ANSWER b)False (a lookup adds fields to events at search time; with OUTPUT it can overwrite the value of an existing field, but the raw event itself, _raw, is never modified)
Search Fundamentals:
Internal fields, such as _raw and _time, can be explicitly removed from results with the fields command.
a) True
b) False - CORRECT ANSWER a) True (they are kept by default and are only dropped when named explicitly, e.g. | fields - _raw)
Creating Reports and Visualizations:
There is NOT a SAVE AS option when editing a report.
a) True
b) False - CORRECT ANSWER b) False
Creating Searches and Saving Results:
The Splunk search language does not support wildcards.
a)True
b)False - CORRECT ANSWER b)False
Search Fundamentals:
The following searches will return the same results. SEARCH 1: ssh error SEARCH 2: ssh AND error
a) True
b) False - CORRECT ANSWER a) True
Using Fields and Tags:
When you run a search, fast mode extracts all fields very quickly.
a)True
b)False - CORRECT ANSWER b)False
Getting Statistics:
This clause is used to group the output of a stats command by a specific field.
a)Rex
b)As
c)List
d)By - CORRECT ANSWER d)By (AS only renames a result field; it does not group)
Creating Reports and Visualizations:
Reports _____ allowing drilldown by default.
a)Are
b)Are not - CORRECT ANSWER b)Are not
Using Fields and Tags:
Field discovery occurs at ___________ time.
a) search
b) index - CORRECT ANSWER a) search (only the default metadata fields index, host, source and sourcetype are stored at index time; all other fields are extracted when the search runs)
Getting Statistics:
This function of the stats command allows you to identify the number of unique values a field has.
a) max
b) distinct_count
c) fields
d) count - CORRECT ANSWER b) distinct_count (dc for short; count(field) returns the number of events that have the field, not the number of different values)
Creating Alerts:
Alert throttling is used to _______.
a) verify each alert
b) stagger search request in a time sequenced order
c) stop spamming yourself with alerts
d) check severity - CORRECT ANSWER c) stop spamming yourself with alerts
Search Fundamentals:
Field names are case ___________.
a) sensitive
b) insensitive - CORRECT ANSWER a) sensitive
Correlating Events, Enriching Data with Lookups, and Accelerating Reports:
The command shown here does which of the following: Command: |outputlookup products.csv
a)Writes search results to a file named products.csv
b)Returns the contents of a file named products.csv - CORRECT ANSWER a)Writes search results to a file named products.csv
What does the inputlookup command do? - CORRECT ANSWER Loads results from a specified static lookup input source, such as a .csv file.
In regards to the Data Summary window, what is the difference between: Host, Source, and Sourcetype? - CORRECT ANSWER Host: A semi-unique identifier, such as host name, IP address, etc.
Source: Name of the file, stream, path, etc.
Sourcetype: The product or software type, such as cisco_asa, ps, win_audit, etc.
What are some of the common stats functions? - CORRECT ANSWER 1) count
2) distinct_count or dc (unique value count)
3) sum
4) avg
5) list
6) values (unique value list)
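The stats functions listed above, and the count versus distinct_count distinction from the Getting Statistics question earlier, are easiest to understand by running them over a handful of events. The following is an added example, a Python re-implementation of those functions with a BY clause (not Splunk's own code); the events and field names are constructed.

```python
"""Model of the ``stats`` functions listed above, with a BY clause (an
added example that re-implements the documented behaviour; not Splunk code).

Assumptions: events are dicts of extracted fields; numeric functions cast
values with float(); ``values`` returns a lexicographically sorted unique
list; events that lack the BY field are dropped, as in Splunk.
"""
from collections import defaultdict

# Constructed sample events. The last one has no "status" field, which is
# what separates count (events) from count(status) and dc(status).
EVENTS = [
    {"host": "web1", "status": "200", "bytes": "512"},
    {"host": "web1", "status": "200", "bytes": "1024"},
    {"host": "web1", "status": "404", "bytes": "128"},
    {"host": "web2", "status": "200", "bytes": "2048"},
    {"host": "web2", "bytes": "64"},
]


def _apply(fn, field, evts):
    """Evaluate one stats function over the events of a single group."""
    if field is None:                          # plain count: number of events
        if fn != "count":
            raise ValueError(f"{fn} needs a field argument")
        return len(evts)
    vals = [e[field] for e in evts if field in e]   # only events with the field
    if fn == "count":
        return len(vals)
    if fn in ("dc", "distinct_count"):
        return len(set(vals))
    if fn == "sum":
        return sum(float(v) for v in vals)
    if fn == "avg":
        return sum(float(v) for v in vals) / len(vals) if vals else None
    if fn == "max":
        return max(float(v) for v in vals) if vals else None
    if fn == "list":
        return list(vals)                      # every value, in event order
    if fn == "values":
        return sorted(set(vals))               # unique values, lexicographic
    raise ValueError(f"unsupported function {fn}")


def stats(events, functions, by=None):
    """Model of ``| stats f1(x) f2(y) ... [by <field>]``.

    functions: list of (name, field) pairs, e.g. [("count", None), ("dc", "status")].
    Returns one row dict per group; column names follow Splunk's "fn(field)".
    """
    groups = defaultdict(list)
    for e in events:
        if by is None:
            groups[None].append(e)
        elif by in e:
            groups[e[by]].append(e)
    rows = []
    for key in sorted(groups, key=str):
        row = {} if by is None else {by: key}
        for fn, field in functions:
            name = fn if field is None else f"{fn}({field})"
            row[name] = _apply(fn, field, groups[key])
        rows.append(row)
    return rows


if __name__ == "__main__":
    print(stats(EVENTS, [("count", None), ("count", "status"), ("dc", "status")]))
    print(stats(EVENTS, [("count", None), ("values", "status"), ("sum", "bytes")], by="host"))
```

Over these five events, count is 5, count(status) is 4 (one event lacks the field) and dc(status) is 2: the three numbers answer three different questions, and picking the wrong one in a detection search silently changes what is being counted.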
To keep from overwriting existing fields with your Lookup you can use the _________ clause. - CORRECT ANSWER OUTPUTNEW
When Splunk does not have a predefined way to break events, how does it accomplish the task? - CORRECT ANSWER Either through timestamps or regular expressions.
What is a lookup? - CORRECT ANSWER A lookup adds fields to events at search time by matching a field value against an external source such as a CSV file; the lookup command invokes one explicitly, and in this way can merge unstructured event data with structured data.
For example (general syntax, placeholders in angle brackets):
...| lookup <lookup-table> <lookup-field> AS <event-field>
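The lookup cards above (mandatory input field, OUTPUT versus OUTPUTNEW, and the fact that a lookup never changes the raw event) are shown together in the following added example, a Python model of the lookup command over a constructed products.csv and constructed events; it is not Splunk's own code. It also carries the caveat a practitioner wants: unlike search-time value comparisons, a lookup's match is case-sensitive by default (case_sensitive_match=true in the lookup definition), so a lower-case productId silently fails to enrich.

```python
"""Model of the ``lookup`` command: ``| lookup <table> <lookup_field> AS
<event_field> OUTPUT|OUTPUTNEW <fields>`` (an added example that
re-implements the behaviour described on this page; not Splunk code).

Assumptions: the lookup table is a CSV; matching on the input field is
exact and case-sensitive by default (Splunk lookup definitions default to
case_sensitive_match=true); every non-key column is written back unless an
OUTPUT list is given; the raw event is never touched.
"""
import csv
import io

# Constructed lookup table, as a products.csv file would look on disk.
PRODUCTS_CSV = """\
productId,product_name,price
DB-SG-G01,Mediocre Kingdoms,24.99
WC-SH-G04,World of Cheese,19.99
"""

# Constructed events: a clean match, a lower-case productId that already
# carries a price, an unknown product, and an event with no input field.
EVENTS = [
    {"_raw": "purchase DB-SG-G01", "productId": "DB-SG-G01"},
    {"_raw": "purchase wc-sh-g04", "productId": "wc-sh-g04", "price": "17.50"},
    {"_raw": "purchase XX-00-000", "productId": "XX-00-000"},
    {"_raw": "heartbeat ok"},
]


def load_lookup(csv_text):
    """Parse a CSV lookup table into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(csv_text)))


TABLE = load_lookup(PRODUCTS_CSV)


def lookup(events, table, lookup_field, event_field=None,
           output=None, outputnew=False, case_sensitive=True):
    """Enrich each event with the matching lookup row.

    lookup_field  column in the table to match on (the mandatory input field)
    event_field   event field holding the value (the AS clause); defaults to lookup_field
    output        columns to write back; default: every column except lookup_field
    outputnew     True = OUTPUTNEW (never overwrite a field the event already has)
    """
    event_field = event_field or lookup_field
    output = output or [c for c in table[0] if c != lookup_field]
    norm = (lambda v: v) if case_sensitive else (lambda v: v.lower())
    index = {norm(row[lookup_field]): row for row in table}

    enriched = []
    for event in events:
        event = dict(event)                      # never mutate the caller's events
        key = event.get(event_field)
        row = index.get(norm(key)) if key is not None else None
        if row is not None:
            for col in output:
                if outputnew and col in event:
                    continue                     # OUTPUTNEW keeps the existing value
                event[col] = row[col]
        enriched.append(event)
    return enriched


if __name__ == "__main__":
    for e in lookup(EVENTS, TABLE, "productId", case_sensitive=False, outputnew=True):
        print(e)
```

With the defaults only the first event is enriched; with case_sensitive=False the second event matches too, and whether its price becomes 19.99 (OUTPUT) or stays 17.50 (OUTPUTNEW) depends on which clause is used. In every case _raw is unchanged.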
How would you access recent or saved search jobs? - CORRECT ANSWER Click the Activity drop down menu in the top right of the search app and then select the Jobs option.
Which meta fields are stored with events in the index prior to search time? - CORRECT ANSWER 1) host
2) source
3) sourcetype
4) _time
5) _raw
When creating a search, certain keywords will be colored by syntax. What does the following color map to?...
Orange - CORRECT ANSWER Orange = Boolean Operators and Command Modifiers
What are the two ways to create a report? - CORRECT ANSWER 1) Pivot
2) Search
What are the three required parts of a pivot? - CORRECT ANSWER The pivot command is a generating command and must be first in a search pipeline. It requires three inputs: the data model, the data model object, and the pivot elements.
...| pivot <datamodel> <object> <pivot-element>
What is Splunk's recommended naming convention, so that when you are on the job you can find your reports and tell them apart? - CORRECT ANSWER _