This Workflow Action type directs users to a specified URI.
GET
Who can create data models?
Administrators
What should knowledge objects be named by?
6 segmented keys
Data models for CIM are in what format?
.json
What is the main difference between Hot and Warm bucket?
Hot is writable by Splunk
Why is there a warm and cold bucket?
Cold buckets are generally searched less frequently and stored in a different location, which means they can be stored on cheaper media with slower I/O speeds.
What are the 4 buckets Splunk uses to store data?
Hot
Warm
Cold
Frozen
Data Interpretation is made up of:
fields
field extraction
Data classification is made up of:
Event types
Data enrichment is made up of:
Lookups
Workflow Actions
Normalisation is made up of:
Tags
Field aliases
Data sets are made up of:
Data models
Workflow Actions can only be applied to a single field.
False
___________ datasets can be added to a root dataset to narrow down the search.
Child
Which of these are NOT Data Model dataset types:
Lookups
Fields used in Data Models must already be extracted before creating the datasets.
False
You can normalize data for CIM use:
- At index time.
- Using Knowledge Objects.
The CIM schema should be used when creating Field Extraction, Aliases, Event Types, and Tags.
True
The data models in the CIM Add-on are accelerated by default.
False
Which command removes results with duplicate field values?
Dedup
Field values are case sensitive.
False
These are booleans in the Splunk Search Language.
- AND
- NOT
- OR
When searching, field values are case:
insensitive
Time is the most efficient filter you can apply to a search.
True
Warm buckets in Splunk indexes are named by:
The time of first and last events inside
The _____________ clause allows you to define which fields are represented on the X axis of a chart.
over
Which type of visualization allows you to show a third dimension of data?
bubble chart
Which option is NOT available with the chart and timechart commands?
usefill
The geom command allows you to create:
choropleth maps
This command will compute the sum of numeric fields within events and place the result in a new field:
addtotals
Which of the following are valid options with the chart command?
useother, usenull, limit
What is wrong with the following search syntax:
sourcetype=vendor_sales | eval SalesTerritory=if((VendorID >= 7000 AND VendorID < 8000), Asia, "Rest of the World") | stats sum(price) as TotalRevenue by SalesTerritory
Asia is not in double quotes
The eval command 'if' function requires the following three arguments (in order):
boolean expression, result if true, result if false
If the destination field for the eval command already exists, it is:
overwritten
The maxpause definition:
Finds groups of events where the span of time between included events does not exceed a specific value.
Which is not a comparison operator in Splunk?
?=
How is the asterisk used in Splunk search?
As a wildcard
How many results are shown by default when using a top or rare command?
10
The search job inspector shows you how long a given search took to run.
True
Which of the following is NOT a stats function:
addtotals
Bucket names in Splunk indexes are used to:
determine if the bucket should be searched based on the time range of the search.
Which of these search strings is NOT valid?
index=web status=50* | chart count over host, status
The timechart command buckets data in time intervals depending on:
the selected time range
In this search, ________ will appear on the y-axis. SEARCH: sourcetype=access_combined status!=200 | chart count over host
count
If a search returns __________ it can be viewed as a chart.
statistics
The _____ axis should always be numeric.
Y
The trendline command requires the following three arguments:
trend type, time period, and field.
The iplocation and geostats commands can be used together.
True
Which command is used to create choropleth maps?
geom
The iplocation command:
returns location information for events that include external IP addresses.
If you want to format values without changing their characteristics, which would you use?
The fieldformat command
If the destination field for the eval command already exists, it is:
overwritten by the new field defined in the eval command.
By default, the fillnull Command replaces null values with:
0
The ___________ function of the eval command can take multiple boolean arguments.
case
What will you learn from the results of the following search?
sourcetype=cisco_esa | transaction mid, dcid, icid | timechart avg(duration)
The average time elapsed during each transaction for all transactions.
The transaction command allows you to ___________ events across multiple sources.
correlate
You can create a transaction based on multiple fields.
True
Which function should you use with the transaction command to set the maximum total time between the earliest and latest events returned?
maxspan
Knowledge Objects should be named as generically as possible.
False
What are the predefined ways Knowledge Objects can be shared?
- Private
- Specific Apps
Which users can create private Knowledge Objects?
- Admin
- User
- Power
Knowledge objects are automatically shared with all users.
False
In the Field Extractor Utility, this button will display events that do not contain extracted fields.
Non-matches
Once a field is created using the regex method, you cannot modify the underlying regular expression.
False
During the validation step of the Field Extractor workflow:
You can remove values that aren't a match for the field you want to define.
When extracting fields, we may choose to use our own regular expression.
True
After editing your regular expression from the Field Extractor Utility, you will be returned to the utility.
False
Field aliases can only be applied to a single source type, source, or host.
False
Field aliases are used to ________ data.
normalize
A field can only have one field alias.
False
Calculated fields are based on underlying:
eval expressions
Once a field alias is created:
You can still use the original field name to search
Which search would limit an "alert" tag to the "host" field?
tag::host=alert
You can only add one tag per field value pair.
False
These allow you to categorize events based on search terms:
Event Types
Event Types do not show up in the Field List.
False
Tags are descriptive names for:
Key Value Pairs
The number of arguments in a macro must be included in the macro name.
True
You can pipe the results of a macro to other commands.
True
What is the correct way to name a macro with two arguments?
us_sales(2)
What is the proper syntax for using a macro named "us_sales"?
'us_sales'
Search Macros:
- Are time-range independent
- Can pass arguments to the search
- Allow you to store entire search strings, including pipes, and eval statements.
To use field value data from an event in a Workflow Action, we need to:
Wrap the field in dollar signs.
This Workflow Action type sends field values to external resources.
POST
When using a field value variable with a Workflow Action, which punctuation mark will escape the data?
!
Required fields in a data model:
Constrains the dataset to only return events that include that field
The only way to access and use a dataset is from the Pivot interface.
False
Hidden fields in a data model:
Will not be displayed to a Pivot user, but can be used to define other datasets
By default, data models in the CIM Add-on will search across all indexes.
True
The Splunk CIM Add-on includes data models in a ______________ format.
JSON
The CIM schema should be used when creating Field Extractions, Aliases, Event Types, and Tags.
True