Combo of gdrive quizzes
Which of the following searches would return events with failure in index netfw or warn or critical in index netops?
(index=netfw failure) OR (index=netops (warn OR critical))
What is a primary function of a scheduled report?
Auto-generated PDF reports of overall data trends
Clicking a SEGMENT on a chart does what?
Drills down for that value
What is the main requirement for creating visualizations using the Splunk UI?
Your search must transform event data into statistical data tables first
What must be done in order to use a lookup table in Splunk?
The lookup file must be uploaded to Splunk and a lookup definition must be created
When looking at a dashboard panel based on a report, which is true?
You cannot modify the search string in the panel, but you can change and configure the visualization
The stats command will create a _ by default
Table
What happens when a field is added to the Selected Fields list?
The selected field and its corresponding values will appear underneath the events in the search results
How are events displayed after a search is executed?
In reverse chronological order
Which stats command functions provide a count of how many unique values exist for a given field?
dc(field) and distinct-count(field)
Which of the following searches will show the number of categoryID used by each host?
sourcetype=access_* | stats sum(categoryID) by host
Which command is used to validate a lookup file?
| inputlookup products.csv
What type of search can be saved as a report?
Any search can be saved as a report
Can lookups be private for a user?
True
Select the answer that displays the accurate placing of the pipe in a search string
index=security sourcetype=access_* status=200 | stats count by price
By default, how long does Splunk retain a search job?
10 Minutes
Which Boolean operator is implied between search terms?
AND
These users can create global knowledge objects
administrators
What is sourcetype in Splunk?
This is what Splunk uses to categorize the data that is being indexed
When viewing search results, what is an Interesting Field?
A field that appears in at least 20% of the events
Which command enables using lookup fields in a search?
lookup
What is the purpose of using a by clause with the stats command?
To group the results by one or more fields
Which Splunk components are responsible for parsing incoming data and storing data on disk?
indexers
What does the stats command do?
Calculates statistics on data that matches the search criteria
Will -30m@h at 03:35:08 look back to 03:00:00?
Yes
Which is a metadata field assigned to every event in Splunk?
host
When is the pipe character used in search strings?
Before commands. For example: | stats sum(bytes) by host
What is the default lifetime of every Splunk search job?
All search jobs are saved for 10 minutes
Search query for multiple indexes
(index=a OR index=b)
Three different search modes in Splunk
Fast, Smart, and Verbose
Data Summary button information
Sourcetypes, Hosts, and Sources
Main user roles in Splunk
3
Field name number in Fields sidebar
The number of unique values for the field
Most efficient search
index=security "failed password"
Options after selecting timeline
Zoom to selection, Format Timeline, Zoom Out, Deselect
Rare command function
Returns the least common field values of a given field in the results
Search Assistant in SPL editor
Yes
Component responsible for saving data
Indexer
Numeric field indicator in Fields sidebar
A # symbol to the left of the field name
Definition of Splunk
Splunk is a software platform to search, analyze and visualize machine-generated data
Default app for Splunk Enterprise
Searching and Reporting
Three basic components of Splunk
Search Head, Forwarder, and Indexer
Component for writing SPL query
Search head
Licensing meter location
Indexer
Creating an inline panel
When saving a search directly to a dashboard panel instead of saving as a report first
Search job results display
The same events from when the original search was executed
Field for timestamp value at index time
_time
Not a comparison operator in Splunk
?=
Search string for host WWW3
host=WWW3
Difference between != and NOT operators
!= returns results where a field is not equal to a value, while NOT negates an entire condition
Monitor option in Add Data
Both One-time and continuous monitoring
Phase involving data sources being opened
Input Phase
Events segregation in Splunk
Yes
Stopping a search job
Once a search job begins, it can be stopped or paused at any point in time
Median function of stats command
Median(X)
Default WRITE permission for users
False
Time range earliest=-72h@h latest=@d
Look back 72 hours, up to the end of today
Single instance of Splunk managing data
True
Field names case sensitivity
True
Prefix wildcards recommendation
No, they might cause performance issues
Denotation of Splunk internal fields
True
Command to rename a field
| rename action as "Customer Action"
Portal for Splunk apps URL
www.splunkbase.com
Documentation for Splunk URL
docs.splunk.com
Parsing action performed by Splunk
Parses data into individual events, extracts time, and assigns metadata