Which search mode behaves differently depending on the type of search being run?
(A) Fast
(B) Variable
(C) Smart
(D) Verbose
(C) Smart
Which character is used in a search before a command?
(A) A pipe (|)
(B) A backtick (`)
(C) A tilde (~)
(D) A quotation mark (")
(A) A pipe (|)
Which of the following searches will return results containing the terms failed, password, or failed password?
(A) failed OR password
(B) failed password OR "failed password"
(C) fail*
(D) failed OR password OR "failed password"
(A) failed OR password
(D) failed OR password OR "failed password"
What are the default roles in Splunk Enterprise?
(A) Admin
(B) Power
(C) Manager
(D) User
(A) Admin
(B) Power
(D) User
Which command can be used to further filter results in a search?
(A) Search
(B) Subset
(C) Filter
(D) Subsearch
(A) Search
What determines the timestamp shown on returned events in a search?
(A) Timestamps are displayed in Greenwich Mean Time
(B) Timestamps are displayed in epoch time
(C) The time zone where the event originated
(D) The time zone defined in user settings
(D) The time zone defined in user settings
By default, how long does a search job remain active?
(A) 7 days
(B) 30 minutes
(C) 10 minutes
(C) 10 minutes
When a search is run, in what order are events returned?
(A) Reverse chronological order
(B) Reverse alphanumeric order
(C) Chronological order
(D) Alphanumeric order
(A) Reverse chronological order
What is the most efficient way to limit search results returned?
(A) index
(B) time
(C) host
(D) source
(B) time
By default, which of the following roles are required to share knowledge objects?
(A) Power
(B) Admin
(C) Manager
(D) User
(A) Power
(B) Admin
Which Splunk infrastructure component stores ingested data?
(A) Datasets
(B) Data models
(C) Dashboards
(D) Index
(D) Index
By default, who is able to view a saved report?
(A) The user who created it
(B) Any user with a power or admin role
(C) Any user with a power or admin role
(D) Any user with the viewreports capability
(A) The user who created it
Which of the following searches will return results containing the phrase "failed password"?
(A) "failed password"
(B) failed password
(C) failed password
(D) (failed password)
(A) "failed password"
Which of the following searches will return results containing the words fail, failure, or failed?
(A) fail+
(B) fail
(C) fail
(D) fail
(D) fail*
Which of the following booleans can be used in a search?
(A) ALSO
(B) NOT
(C) AND
(D) OR
(B) NOT
(C) AND
(D) OR
Which knowledge object type can contain an eval expression?***
(A) Field aliases
(B) Calculated fields
(C) Event types
(D) Tags
(B) Calculated fields
Which two of the following knowledge object types can contain an eval expression?
(A) Field aliases
(B) Workflow actions
(C) Calculated fields
(D) Macros
(C) Calculated fields
(D) Macros
Which knowledge object type can store entire search strings, including commands?***
(A) Event types
(B) Tags
(C) Calculated fields
(D) Macros
(D) Macros
Which of the following user roles can create knowledge objects?
(A) Power User
(B) Admin
(C) Super User
(D) User
(A) Power User
(B) Admin
(D) User
Which of the following file types can be uploaded to create a lookup?***
(A) XLS
(B) XML
(C) CSV
(D) PDF
(C) CSV
Which knowledge objects can be scheduled to execute at specific times?***
(A) Reports
(B) Macros
(C) Alerts
(D) Workflow actions
(A) Reports
(C) Alerts
Which knowledge object type can communicate with external sources using the HTTP GET and POST methods?***
(A) Search actions
(B) Field extractions
(C) Lookups
(D) Workflow actions
(D) Workflow actions
When a user has left your organization, what happens to their knowledge objects?
(A) They are automatically reassigned to an admin.
(B) A power user can reassign them to another user.
(C) They are automatically reassigned to a power user.
(D) An admin can reassign them to another user.
(D) An admin can reassign them to another user.
By default, what user role is required to make a knowledge object available to all apps?***
(A) Super User
(B) Admin
(C) User
(D) Power User
(B) Admin
Which of the following methods can be used to manually extract fields?***
(A) The Event Type Builder
(B) The Regular Expression Generator
(C) Regular Expressions, or RegEx
(D) Delimiters
(C) Regular Expressions, or RegEx
(D) Delimiters
Where can you find a list of all fields returned from events?***
(A) The fields library
(B) The fields posting list
(C) The fields sidebar
(D) The fields dropdown
(C) The fields sidebar
What are the three predefined sharing options for a knowledge object?***
(A) Shared in all apps
(B) Shared in app
(C) Private
(D) Blocked in app
(A) Shared in all apps
(B) Shared in app
(C) Private
Which knowledge object type can be searched in Pivot?***
(A) Event types
(B) Data models
(C) Data types
(D) Dashboards
(B) Data models
What are the primary functions of a workflow action?
(A) Passing information to external deployments to query additional indexes
(B) Communicating with an external source using the HTTP GET method
(C) Communicating with an external source using the HTTP POST method
(D) Passing information back to Splunk to run a secondary search
(B) Communicating with an external source using the HTTP GET method
(C) Communicating with an external source using the HTTP POST method
(D) Passing information back to Splunk to run a secondary search
By default, when a knowledge object is created, who can access its contents?***
(A) Any user of the app in which it was created
(B) Any power user in the environment
(C) Any user in the environment
(D) The user who created it or a user with an admin role
(D) The user who created it or a user with an admin role
True or False: Fields are knowledge objects.
(A) False
(B) True
True
At search time, if an event has an equal(=) sign, the data to the left is treated as a ______ and the data to the right is treated as a ______.
(A) field name, value
(B) field name, sourcetype
(C) lookup, sourcetype
(D) lookup, value
(A) field name, value
The fields command allows you to do which of the following? Select all that apply.
(A) Exclude fields (fields -)
(B) Include fields (fields)
(C) Include fields (fields +)
(A) Exclude fields (fields -)
(B) Include fields (fields)
(C) Include fields (fields +)
In the Fields sidebar, Interesting Fields occur in at least ________ of resulting events.
(A) 20%
(B) 3%
(C) 50%
(D) 10%
(A) 20%
True or False: Once you rename a field, the new field name must be used in the rest of the search string.
(A) False
(B) True
True
To remove fields from a search, you would use the _________ command.
(A) fields-
(B) -fields
(C) +fields
(D) fields+
(A) fields-
At search time, _______ extracts fields from raw event data.
(A) field discovery
(B) fields command
(C) field extractor
(A) field discovery
Which of the following fields are default selected fields?
(A) Host
(B) Source
(C) Sourcetype
(D) Index
(A) Host
(B) Source
(C) Sourcetype
Which alert action allows you to send an event to your Splunk deployment for indexing?
(A) Create event
(B) Log event
(C) Generate event
(D) Generate log
(B) Log event
Select the two valid types of alerts.
(A) Text message (SMS)
(B) Email
(C) Scheduled
(D) Real-time
(C) Scheduled
(D) Real-time
Which of the following user roles are able to display a report in the app in which it was created?
(A) Power
(B) Admin
(C) User
(D) The user who created the report
(B) Admin
(D) The user who created the report
Which Edit setting allows a report to be displayed to users outside of your organization?
(A) Embed
(B) Enable
(C) Permissions
(D) HTML
(A) Embed
Which scheduled report setting helps determine when concurrent reports will run?
(A) Report Priority
(B) Schedule Priority
(C) Report Order
(D) Schedule Order
(B) Schedule Priority
When are actions triggered for a real-time alert?
(A) As soon as alert conditions are met
(B) As soon as the related report is run
(C) Within a 60 second window of its cron schedule
(D) Within a five minute window of its cron schedule
(A) As soon as alert conditions are met
Which alert setting allows you to control how many alert actions are taken when trigger conditions are met?
(A) Limit
(B) Throttle
(C) Schedule Priority
(D) Schedule Window
Throttle
Which scheduled alert type will continuously run in the background?
(A) Automatic
(B) Constant
(C) Real-time
(D) Interval
(C) Real-time
What is a primary benefit of scheduling reports?
(A) Dashboard panels require scheduled reports in order to display up-to-date content.
(B) Scheduled reports take precedence over all other activity in your environment.
(C) Scheduling a report reduces the demand that concurrently running reports can put on your system hardware.
(D) When a scheduled report is run, all existing search jobs are terminated.
(C) Scheduling a report reduces the demand that concurrently running reports can put on your system hardware.
Which scheduled report setting allows you to define a time range for a report to run if it is delayed?
(A) Schedule Time Range
(B) Schedule Window
(C) Report Window
(D) Report Time Range
(B) Schedule Window
Which of the following prebuilt alert actions can be triggered when a report is run?
(A) Send a text message (SMS)
(B) Run a secondary report
(C) Output results to a lookup
(D) Send an email
(C) Output results to a lookup
(D) Send an email
Which alert action allows you to send a message to an external chat room?
(A) Output to text
(B) Output to chat
(C) Webhook
(D) API call
(C) Webhook
Which of the following user roles are able to display a report in all apps?
(A) User
(B) Admin
(C) Power
(D) The user who created the report
(B) Admin
If a dashboard panel is powered by a scheduled report, how frequently will its contents update?
(A) Dashboard panels will update based on the dashboard's time range picker.
(B) The dashboard panel updates based on the underlying report's scheduling settings.
(C) The dashboard panel updates any time the dashboard is opened or manually refreshed.
(D) Dashboard panels cannot be linked to scheduled reports.
(C) The dashboard panel updates any time the dashboard is opened or manually refreshed.
How can the order of columns in a table be changed?
By changing the order of fields specified in the table command
Which clause can be used with the top command to change the name of the count column?
countfield
When using the timechart command, which axis represents time?
X-axis
How many columns are displayed in a visualization by default when using the chart command?
10
Which command changes the appearance of field values?
fieldformat
Which argument can be used with the geostats command to control the column chart?
globallimit
Which clause can be used with the top command to specify a number of values to return?
limit
Which argument can be used with the timechart command to specify the time range to use when grouping events?
span
Which command can be used to exclude fields from search results?
fields
Which command removes duplicate field values in search results?
dedup
In a single series data table, which column provides the x-axis values for a visualization?
Which clause can be used with the rare command to specify whether or not a percentage column is created?
showperc
Which type of default map visualization uses shading to represent relative metrics?
Choropleth
Which of the following commands can return a count of all events matching search criteria over a specified time period?
stats
Which optional argument of the addtotals command changes the label for row totals in a table?
fieldname
When using the following search arguments, what will be returned? | timechart count span=1h
chart events in 1 hour chunks
Which of the following are default time fields? Select all that apply.
date_mday
date_year
date_hour
Choose the search that will sort events into one minute groups. Select all that apply.
| bin time span=1mins
| bin span=1minutes time
| bin _time span=1m
Using earliest=-30d@d latest=@d is how to return results from 30 days ago up until the time the search was executed.
False
_______ and _______ are the time modifiers that override the time range picker in a historical report.
Earliest, latest
@timeUnit will always round up and go forward through time.
False
date_time always reflects your local time zone and not the time/date from raw events.
False
What will the strftime function return when using the %H argument? Select all that apply.
convert the hour into your local time based on your time zone setting of your Splunk web sessions
To display the least common values of a field, use the ___ command.
-timechart with common=f option
-rare
-stats
-top
rare
True or False: Use useother=false with the chart command if you want to hide the OTHER column.
-FALSE
-TRUE
True
True or False: The pow(X,Y) eval function returns Y to the power of X.
-TRUE
-FALSE
False
True or False: You can use wildcards (*) with the rename command to rename multiple fields that match a pattern.
True
If you use the stats command with two functions and a BY clause, which function is the BY clause applied to?
-both functions if they are both aggregate functions
-both functions
-the first function
-the second function
Both functions
True or False: Using an OVER and a BY clause with the chart command will create a multiseries data series.
True
True or False: The timechart command will always have _time as the X-axis.
True
When using the top command, add the BY clause to ___.
-return a percentage of events
-specify how many results to return
-specify which search mode to return results by
-return results grouped by the field you specify in the BY clause
return results grouped by the field you specify in the BY clause
When you use the stats command with a BY clause, what is returned?
-one row
-a statistical output for each value of the named field
-an error message because you did not include a statistical function
-numerical statistics on each field if and only if all of the values of that field are numerical
a statistical output for each value of the named field
True or False: Only one field can be created when using the eval command.
False
When renaming fields with spaces or special characters, use the rename command and include the new field name in ___.
-double quotes
-parenthesis
-None of the above
-single quotes
Double quotes
Which of these functions lists ALL values of the field X?
-values(X)
-list(X)
List
By default, the sort command lists results in ___ order.
-descending
-ascending
Ascending
Which of these eval functions takes no arguments?
-random
-min
-max
-pow
Random
Which eval function would you use to round numerical values?
-round
-roundvalue
-commas
-tonumber
Round
Which return expression would return the first 3 values of the IP field as key-value pairs?
a) | return $IP limit=3
b) | return 3 $IP
c) | return IP limit=3
d) | return 3 IP
| return 3 IP
If using | return <field>, the search will return:
a) All values of <field> as field-value pairs
b) The 1st <field> value
c) The 1st <field> and its value as a key-value pair
d) All values of <field>
c) The 1st <field> and its value as a key-value pair
True or False: When using the outputlookup command, you can use the lookup's filename or definition.
a) FALSE
b) TRUE
b) TRUE
What fields will be added to the event data when this lookup expression is executed? | lookup knownusers.csv user
a) All fields from knownusers.csv
b) Only the user field from knownusers.csv
c) No fields will be added because the user field already exists in the events
d) Any field that begins with "user" from knownusers.csv
b) Only the user field from knownusers.csv
True or False: Subsearches are always executed first.
True
Which of these inputlookup expressions is invalid?
a) | inputlookup map.kml
b) | inputlookup file.csv.gz
c) | inputlookup map_lookup
d) | inputlookup file.csv
a) | inputlookup map.kml
Access lookup data by including a subsearch in the basic search with the ___ command
inputlookup
Subsearch results are combined with an ___ Boolean and attached to the outer search with an ___ Boolean
OR, AND
If using | return $<field>, the search will return:
a) The 1st <field> and its value as a key-value pair
b) All values of <field> as field-value pairs
c) All values of <field>
d) The 1st <field> value
d) The 1st <field> value
What character should wrap a subsearch?
a) [ ] Brackets
b) { } Curly braces
c) " " Quotes
d) ( ) Parentheses
a) [ ] Brackets