Splunk qualification test #2

Generated from gdrive quizzes

What is the main requirement for creating visualizations using the Splunk UI?

Your search must transform event data into statistical data tables first.

What is an Interesting Field?

A field that appears in at least 20% of the events.

Which of the following is the first step in configuring a scheduled alert?

Create a search.

The stats command will create a _ by default.

Table

What syntax is used to link key/value pairs in search strings?

action=purchase

Which of the following Splunk components typically resides on the machines where data originates?

Forwarder

What will ticking the Throttle checkbox achieve when setting up an alert?

Suppress alert triggering for a specific time period.

How are events displayed after a search is executed?

In reverse chronological order.

Which of the following describes lookup files?

Lookups add more fields to results returned by a search.

Clicking a SEGMENT on a chart .

drills down for that value

What is a suggested Splunk best practice for naming reports?

Use a consistent naming convention so they are easily separated by characteristics such as group and object.

This function of the stats command allows you to return the middle-most value of field X

Median(X)

What does the stats command do?

Calculates statistics on data that matches the search criteria.

What are the steps to schedule a report?

After saving the report, click Schedule.

Is it possible for a single instance of Splunk to manage the input, parsing, and indexing of machine data?

True

Which command is used to validate a lookup file?

inputlookup products.csv

What must be done before an automatic lookup can be created?

The lookup definition must be created. The lookup file must be uploaded to Splunk.

Which search string only returns events from host WWW3?

host=WWW3

What should an admin configure to notify a retailer every day at 23:00 about the sales status?

A scheduled alert

In a deployment with multiple indexes, what happens when a search is run without specifying an index?

Events from every index searched by default to which the user has access will be returned.

Which of the following is an option after clicking an item in search results?

Adding the item to the search.

Which command lets you use lookup fields in a search and see them in the field sidebar?

lookup

What is the result of a webhook alert action?

Displaying a message in a chat room or updating another web resource.

By default, how long does Splunk retain a search job?

7 Days

What determines the scope of data that appears in a scheduled report?

The owner of the report can configure permissions so that the report uses either the User role or the owner's profile at run time.

Fields associated with a data set in Data Models are known as .

Attributes

What effect does clicking and dragging across the timeline have after running a search?

Filters current search results.

What does the time range earliest=-72h@h latest=@d do?

Look back from 3 days ago up to the beginning of today.

In automatic lookup definitions, which fields are those not in the event data?

output

Which stats command function returns the sample standard deviation of a field?

stdev

When is the pipe character used in search strings?

Before commands. For example: | stats sum(bytes) by host.

Does snapping round down to the nearest specified unit?

Yes

Are field values case sensitive?

True

When viewing results of a search job from the Activity menu, what is displayed?

The same events from when the original search was executed.

Data sources being opened and read applies to which phase?

Input Phase

Which is a metadata field assigned to every event in Splunk?

host

Are field names case sensitive?

True

Are field names case sensitive?

False

How many main user roles do you have in Splunk?

3

Can documentation for Splunk be found at docs.splunk.com?

True

Every Search in Splunk is also called _.

Job

What is the better way of writing search query for multiple indexes?

(index=a OR index=b)

What options can you select in GUI for monitor input?

Filed & Directories, HTTP Event Collector (HEC), TCP/UDP and Scripts

Does Splunk automatically determine the source type for major data types?

True

Which time range picker configuration would return real-time events for the past 30 seconds?

Real-time - Earliest: 30-seconds ago, Latest: Now

What is Search Assistant in Splunk?

Shows options to complete the search string.

Should we use heavy forwarder for sending event-based data to Indexers?

False

What does the rare command do?

Returns the least common field values of a given field in the results.

How can you change an Interesting field into a selected field?

Click a field in the field sidebar --> click YES on the pop-up dialog on the upper right side next to the Selected label.

Which of the following is a Splunk internal field?

_raw

Can the @ Symbol be used in advanced time unit option?

Yes

Are matching search terms highlighted?

Yes

What transforms raw data into events and distributes the results into an index?

Indexer

Which statements are correct about Search & Reporting App?

Enables the user to create knowledge object, reports, alerts and dashboards. Provides default interface for searching and analyzing logs. Can be accessed by Apps > Search & Reporting.

Which search would return events from the access_combined sourcetype?

sourcetype=access_combined

When saving a search directly to a dashboard panel instead of a report first, what is created?

Inline panel

Which search will return results where fail, 400, and error exist in every event?

error AND (fail AND 400)

Are fields searchable name and value pairings that differentiate one event from another?

True

Which statement describes a search job?

Once a search job begins, it can be stopped or paused at any point in time.

How do you put query into separate lines where pipes are used?

CTRL + Enter

What does the values function of the stats command do?

Lists unique values of a given field.

Which stats command functions provide a count of how many unique values exist for a field?

dc(field) and distinct-count(field)

What is the purpose of using a by clause with the stats command?

To group the results by one or more fields.

When editing a dashboard, which options are possible?

Add an output. Export a dashboard panel. Modify the chart type displayed in a dashboard panel. Drag a dashboard panel to a different location on the dashboard.

Which of the following are common constraints of the top command?

limit, showpercent

Which command automatically returns percent and count columns when executing searches?

top

Which of the following are functions of the stats command?

sum, avg, values

Which of the following commands will show the maximum bytes?

sourcetype=access_* | stats max(bytes)

What is one benefit of creating dashboard panels from reports?

Any change to the underlying report will affect every dashboard that utilizes that report.

Are != and NOT the same arguments?

False

What is Splunk?

Splunk is a software platform to search, analyze and visualize the machine-generated data.

Which search string is the most efficient?

index=security "failed password"

Which search matches the events containing the terms "error" and "fail"?

index=security error OR fail

When placed early in a search, which command is most effective at reducing search execution time?

fields +

Which component of Splunk is primarily responsible for saving data?

Indexer

According to Splunk best practices, which placement of the wildcard results in the most efficient search?

fail*

Are events in Splunk automatically segregated using data and time?

Yes

Which of the following represents the Splunk recommended naming convention for dashboards?

GroupObjectDescription

Where does Licensing meter happen?

Indexer