These are booleans in the Splunk Search Language.
IF
NOT
AND
OR
NOT; AND; OR
Which is not a comparison operator in Splunk?
>
<=
?=
!=
=
?=
Which command removes results with duplicate field values?
dedup
join
distinct
limit
dedup
Warm buckets in Splunk indexes are named by:
the server that sent the events
a naming convention the administrator determines
the timestamps of first and last event in the bucket
the timestamps of first and last event in the bucket
The search job inspector shows you how long a given search took to run.
false
true
true
Bucket names in Splunk indexes are used to:
determine who has access to the events
determine if the bucket should be searched based on the time range of the search
indicate where the bucket should be stored when it transfers from hot to cold
determine if the bucket should be searched based on the time range of the search
Which of the following is NOT a stats function:
sum
count
addtotals
avg
addtotals
Time is the most efficient filter you can apply to a search.
false
true
true
When searching, field values are case:
insensitive
sensitive
insensitive
By default, the top command returns the top ____ values of a given field.
20
3
5
10
10
The timechart command buckets data in time intervals depending on:
the number of events returned
the selected time range
the type of visualization selected
the selected time range
How is the asterisk used in Splunk search?
to add up numbers
as a placeholder
as a wildcard
as a wildcard
Field values are case sensitive.
true
false
false
How many results are shown by default when using a Top or Rare Command?
10
Which of these search strings is NOT valid:
index=web status=50* | chart count by host, status
index=web status=50* | chart count over host by status
index=web status=50* | chart count over host, status
index=web status=50* | chart count over host, status
The _____ axis should always be numeric.
x
y
y
Which type of visualization allows you to show a third dimension of data?
pie chart
scatter chart
bubble chart
area chart
bubble chart
In this search, __________ will appear on the y-axis. SEARCH: sourcetype=access_combined status!=200 | chart count over host
count
host
status
count
The ______ clause allows you to define which field is represented on the X axis of a chart.
by
over
over
Which option is NOT available with the chart and timechart commands?
limit
useother
usefill
usefill
This command will compute the sum of numeric fields within events and place the result in a new field:
addtotals
addrowtotals
addcoltotals
addtotals
The iplocation and geostats commands can be used together.
true
false
true
Which command is used to create choropleth maps?
geostats
cluster
geom
geom
The iplocation command:
returns the latitude and longitude of the server that produced the event
returns location information for events that include external IP addresses
returns external IP addresses based on location data in events
returns location information for events that include external IP addresses
The gauge command:
creates a single-value visualization
creates a radial gauge visualization
allows you to set colored ranges for a single-value visualization
allows you to set colored ranges for a single-value visualization
The geom command allows you to create:
choropleth maps
radial gauges
standard maps
choropleth maps
The trendline command requires the following three arguments:
trend type, time period, and field
wma, sma, and ema
trend type, time period, and field
What is wrong with the following search syntax: sourcetype=vendor_sales | eval SalesTerritory = if((VendorID >= 7000 AND VendorID < 8000), Asia, "Rest of the World") | stats sum(price) as TotalRevenue by SalesTerritory
you cannot nest searches when using the if function
nothing, the search syntax is valid
Asia is not in double quotes
Asia is not in double quotes
The _____ function of the eval command can take multiple boolean arguments.
case
if
case
You can only use one eval command per search.
false
true
false
By default, the fillnull command replaces null values with:
0
a blank space
null
0
If you want to format values without changing their characteristics, which would you use?
the eval tostring function
the fieldformat command
the fieldformat command
The eval command 'if' function requires the following three arguments (in order):
boolean expression, result if false, result if true
boolean expression, result if true, result if false
result if true, result if false, boolean expression
result if false, result if true, boolean expression
boolean expression, result if true, result if false
The eval command overwrites field values in the Splunk index.
false
true
false
If the destination field for the eval command already exists, it is:
ignored
appended with an integer
overwritten by the new field defined in the eval command
overwritten by the new field defined in the eval command
The transaction command allows you to _________ events across multiple sources.
persist
duplicate
correlate
tag
correlate
What will you learn from the results of the following search?
sourcetype=cisco_esa | transaction mid, dcid, icid | timechart avg(duration)
the average time elapsed during each transaction for all transactions
the average time for each event within each transaction
the average time between each transaction
the average time elapsed during each transaction for all transactions
The maxpause definition:
finds groups of events where the first and last events are separated by a span of time that does not exceed a certain amount
finds groups of events where the span of time between included events does not exceed a specific value
finds groups of related events where the total number of events does not exceed a specific number
finds groups of events where the span of time between included events does not exceed a specific value
Mark the terms that fill in the blanks in the correct order:
Use _____ to see results of a calculation, or group events on a field value. Use _____ to see events correlated together, or grouped by start and end values.
stats, transaction
transaction, stats
stats, transaction
Which function should you use with the transaction command to set the maximum total time between the earliest and latest events returned?
maxspan
endswith
maxduration
maxpause
maxspan
You can create a transaction based on multiple fields.
false
true
true
Which of these is NOT a field that is automatically created with the transaction command?
maxcount
duration
eventcount
maxcount
_______ can share a knowledge object across all apps.
administrators
power users
users
administrators
When a user creates a Knowledge Object it is automatically set to _________.
shared to all apps
private
shared in app
private
Which users can create private Knowledge Objects?
admin
power
user
admin; power; user
Users with this role can reassign Knowledge Objects.
user
power
admin
admin
It is suggested that you name your Knowledge Objects using _______ segmented keys.
6
Knowledge Objects can be used to normalize data.
false
true
true
Knowledge objects are automatically shared with all users.
false
true
false
Knowledge Objects should be named as generically as possible.
true
false
false
During the validation step of the Field Extractor workflow:
you can validate where the data originated from
you cannot modify the field extraction
you can remove values that aren't a match for the field you want to define
you can remove values that aren't a match for the field you want to define
Fields extracted with the Field Extractor:
are persistent
require you to use regex in your search strings
are specific to a host, source, or source type
are specific to a host, source, or source type
After editing your regular expression from the Field Extractor Utility, you will be returned to the utility.
false
true
false
In the Field Extractor Utility, this button will display events that do not contain extracted fields.
selected-fields
non-matches
matches
non-extractions
non-matches
Once a field is created using the regex method, you cannot modify the underlying regular expression.
false
true
false
How many ways are there to access the Field Extractor Utility?
4
1
3
5
3
The field extractor utility allows you to extract fields using the following two methods:
erex and rex
tab and comma
regex and delimiter
regex and delimiter
During the validation step of the Field Extractor workflow:
you cannot modify the field extraction
you can remove values that aren't a match for the field you want to define
you can validate where the data originated from
you can remove values that aren't a match for the field you want to define
Once a field alias is created:
the original field name is no longer available
you must indicate both the original field name and field alias in searches
you can still use the original field name to search
you can still use the original field name to search
A field can only have one field alias.
false
true
false
Calculated fields are based on underlying:
keyword searches
eval expressions
stats commands
eval expressions
Field aliases are used to _____ data.
clean
normalize
transform
calculate
normalize
Field aliases can only be applied to a single source type, source, or host.
false
true
false
These allow you to categorize events based on search terms.
event types
groups
tags
macros
event types
Tags are descriptive names for ____________.
key value pairs
categories of search results
reports
key value pairs
Event Types do not show up in the Fields List.
false
true
false
Tags can be added to Event Types.
false
true
true
Which search would limit an "alert" tag to the "host" field?
tag=alert
tag::host=alert
host::tag::alert
tag==alert
tag::host=alert
The search expansion tool:
automatically fills in the variables before you run a search
allows you to see what a macro will expand to before you run a search
must be used before running a search with a macro
allows you to see what a macro will expand to before you run a search
The number of arguments in a macro must be included in the macro name.
false
true
true
What is the correct way to name a macro with two arguments?
us_sales2
us_sales(2)
us_sales,2
us_sales(1,2)
us_sales(2)
You can pipe the results of a macro to other commands.
false
true
true
What is the proper syntax for using a macro named "us_sales"?
"us_sales"
(us_sales)
`us_sales`
us_sales
`us_sales`
Search macros:
can pass arguments to the search
are time-range independent
allow you to store entire search strings, including pipes and eval statements
must always include an argument
can pass arguments to the search; are time-range independent; allow you to store entire search strings, including pipes and eval statements
This Workflow Action type directs users to a specified URI.
Search
POST
GET
GET
A Workflow action can:
execute a secondary search
direct users to a specified URI
send field values to external sources
execute a secondary search; direct users to a specified URI; send field values to external sources
This Workflow Action type sends field values to external resources.
Search
GET
POST
POST
To use field value data from an event in a Workflow Action, we need to:
wrap the field in dollar signs
select the GET method
create tags for the fields
wrap the field in dollar signs
Workflow Actions can only be applied to a single field.
false
true
false
When using a field value variable with a Workflow Action, which punctuation mark will escape the data?
*
^
#
!
!
Hidden fields in a data model:
will be displayed to a Pivot user that has permissions to the field
will not be displayed in the dataset editor
will not be displayed to a Pivot user, but can be used to define other datasets
will not be displayed to a Pivot user, but can be used to define other datasets
Required fields in a data model:
constrain the dataset to only return events that include that field
must always be hidden
must be filled out before saving the dataset
constrain the dataset to only return events that include that field
Which of these are NOT Data Model dataset types:
lookups
transactions
events
searches
lookups
_____ datasets can be added to a root dataset to narrow down the search.
event
parent
child
extracted
child
The only way to access and use a dataset is from the Pivot interface.
false
true
false
Fields used in Data Models must already be extracted before creating the datasets.
false
true
false
By default, data models in the CIM Add-on will search across all indexes.
false
true
true
The data models in the CIM Add-on are accelerated by default.
false
true
false
You can normalize data for CIM use:
at index time
only after adding the CIM Add-on
using Knowledge Objects
at index time; using Knowledge Objects
The Splunk CIM Add-on includes data models in a __________ format.
MySQL
XML
JSON
JSON
This role is required to install the CIM Add-on.
user
admin
power
admin
The CIM Add-on indexes extra data and will affect license usage.
false
true
false
If a search returns _______ it can be viewed as a chart.
events
statistics
keywords
timestamps
statistics
Which of the following are valid options with the chart command?
usefield
usenull
fillfield
useother
usenull; useother
You can only add one tag per field value pair.
false
true
false