source: https://www.youtube.com/watch?v=-saluqaLOtI
Inline panel
A panel created when saving a search directly to a dashboard panel instead of saving as a report first
Search job
A process that can be stopped or paused at any point in time
Visualization tab
Displays time charts and bar charts in the search and reporting app
Selected Fields list
Always includes Source type
Time range specifier
Used in search bar with syntax like "earliest=-2h"
Splunk internal field
_raw
Rename command
Used with syntax "rename action as customer_action"
Most efficient search filter
Time
Top command with limit
Limits search results with syntax "top limit=5"
Activity menu
Shows the same events from when the original search was executed
Data summary
A quick comprehensive way to learn what data is present in a Splunk deployment
Editable report elements
Acceleration
Metadata field
Host is a metadata field assigned to every event in Splunk
Most efficient search filters
Time and index
Pipe character
Used before commands in search strings (e.g.
Report scheduling
After saving the report
Numeric field indicator
A hashtag symbol (#) to the left of the field name
Stats command functions
Count
Index time timestamp storage
_time field
Search string best practice
Include search terms at the beginning of the search string
Report saving
Any search can be saved as a report
All field options
Non-interesting fields
Interesting field
A field that appears in at least 20% of the events
Statistics results export formats
CSV
Events matching search terms
"index=security error fail" matches events containing both error AND fail
Search results item action
Adding the item to the search
Field stored in index
Source
Multiple dashboard creation best practice
Save the search as a report and use it in multiple dashboards as needed
Time range specification
"earliest=-72h@h latest=@d" looks back from 3 days ago up to the beginning of today
Event filtering with multiple fields
"host=www3 status=503" returns all events with host of www3 that also have a status of 503
Alert access permissions
Power user role contains minimum permissions required for alert write access
Top command with by clause
Shows top values for each specified field (e.g.
Splunk apps purpose
Designed for numerous use cases
Dashboard naming convention
GroupObjectDescription
Search result highlighting
Matching search terms are highlighted
Keyword search interactions
You can open a new search
Raw data transformation
Indexer transforms raw data into events and distributes results into an index
Stats values function
Lists unique values of a given field
Lookup table setup
The lookup file must be uploaded to Splunk and a lookup definition must be created
Lookup types
External
Dashboard panel modification
Can modify the chart type displayed in a dashboard panel and drag a panel to a different location
Command modifiers display color
Blue
Search results retention
Scheduling a report keeps search results longer than 7 days
Search best practice
Filter as early as possible
Report-based dashboard panel
Cannot modify the search string but can change and configure the visualization
Top command common constants
Show
Line charts characteristic
Optimal for single and multiple series
Event display order
In reverse chronological order
User account settings
Full name
Scheduled report primary function
Triggering an alert when certain conditions are met
Timeline clicking effect
Filters current search results
Static lookup file review command
Input lookup
Static lookup file display command
Input lookup command
Field name uniqueness indicator
The number directly to the right of the field name indicates the number of unique values for the field
Default search job lifetime
10 minutes
Rare field values search
"rare limit=15 destip" returns the 15 least common field values for the destip field
Alert trigger
When the results of a search meet specifically defined conditions
Main Splunk components
Search head
Field discovery at search time
Splunk automatically discovers only fields directly related to the search results
Index field value pair
"index=security" returns only events found in the index named Security
Default selected field
Host
Lookup creation requirements
The lookup definition must be created
Data origination component
Forwarder typically resides on machines where data originates
Scheduled report scope determination
All data accessible to the owner of the report will appear in the report
Boolean syntax requirement
Boolean operators must be uppercase
Field extraction determination
Splunk automatically discovers many fields based on source type and key/value pairs found in the data
Results export file format
JSON
Most efficient index search
"index=web OR index=sales" provides the most efficient search performance
Report naming best practice
Use a consistent naming convention so reports are easily separated by characteristics such as group and object
No index specified behavior
Events from every index to which the user has access will be returned by default
Statistics table drill down
Clicking on the field value in the table is the way to drill down to see underlying events
Alert filtering characteristics
App
Sort command delimiter
Comma can be used between field names in the search
Real-time events configuration
Real-time with "earliest=30s ago latest=now"
Stats count syntax
"stats count(vendor_action)"
Dashboard panels from reports benefit
Any change to the underlying report will affect every dashboard that utilizes that report
Default interesting field
Index
Case sensitivity rules
Field names are case sensitive
Rare command function
Returns the least common field values of a given field in the results
Alert script location
Splunk looks for scripts in $SPLUNK_HOME/bin/scripts
Implied Boolean operator
AND is always implied between two search terms unless otherwise specified
Stats distinct count function
DC(field) provides a count of how many unique values exist for a given field
By clause purpose with stats command
To group the results by one or more fields
Fields management in results
Use fields+ to add and fields- to remove
Adding field to sidebar
Click All Fields and select the field to add it to Selected Fields
Enterprise components installation
All components are installed and administered in Splunk Enterprise on-premise
Log filtering component
Heavy forwarders can perform log filtering or parsing
Default Splunk Enterprise app
Search and Reporting
Splunk indexing capability
Can index all firewall
Prefix wildcards performance
True - prefix wildcards might cause performance issues