What is the only writeable bucket type?
The hot bucket
By what filter are indexes divided into buckets?
By time
What are the 4 types of searches in Splunk (by performance)
Dense, Sparse, Super Sparse, Rare
In searches, what is the scanCount?
The number of events scanned for that particular search
What are the requirement of the underlying search in order to get multi-series table?
The underlying search must use reporting search commands like chart or timechart
What are the seven chart types?
Line, Area, Column, Bar, Bubble, Scatter and Pie
What is a trait of scatter charts?
Can only show two dimensions. Shows trends in the relationship between discrete data values
What is a trait of bubble charts?
Provides a visual way to view a three dimensional series
What are two commonly used clauses for chart?
over and by
What do the over and by clauses do when used with chart?
divides the data into sub-groupings
(True/False) You can only split chart results over two dimensions
True
chart and timechart commands automatically filter results to include how many values?
10
What happens to surplus resulting values of chart and timechart commands?
They are grouped into other
(True/False) Null values are not shown by default by chart and timechart
False
What is always the value on the x-axis for timechart?
_time
(True/False) Functions and arguments used with stats and chart can not be used with timechart
False
(True/False) As with chart, it is possible to split timechart by two fields
False. It is only possible to split by one field
What is the argument for adjusting sampling interval of timechart?
span
What does the trendline command do?
allows you to overlay a computed moving average on a chart
What is the syntax of the trendline command?
trendline
What command can be used to look up and add location information to an event?
iplocation
What information does the iplocation command include?
city, country, region, latitude and longitude
What is the data-requirement for the geostats command?
Data must include latitude and longitude values
These arguments are used to control column counts when using the geostats command
globallimit and locallimit
This command is used to compute statistical functions and render a cluster map
geostats
What command can be used to show relative metrics for predefined geographic regions?
geom
(True/False) A sparkline is an inline chart that can be added to timechart
True
(True/False) Automatic totaling of every column can be done by using the Format option
True
This command can be used to add total of all or selected fields
addtotals
What does the row option for addtotals do (if enabled)?
create a column that contains numeric totals for each row
What does the column option for addtotals do (if enabled)?
create a row that contains numeric totals for each column
What does the labelfield option for addtotals specify?
What field the label should be placed in (in general, this should be the leftmost and first field)
The eval command can be used to
perform calculations, convert, round and format values, use conditional statements
This command allows you to calculate and manipulate field values in your report
eval
(True/false) Results of eval can be written to existing field
True
What happens with a destination field value if the field is the same as the resulting field of the eval command?
The field value gets overwritten by the resulting value outputted from the eval command
(True/False) Indexed data get modified after field values are overwritten by the eval command.
False
This operator is used for concatenation
+.
This function can be used to set the value of a field to the number of decimals you specify
round
(True/False) The tostring function can be used with eval
True
How can you use eval to format numeric field values to strings?
By adding characters to the field values
What separator is used when having multiple expressions used with eval command?
comma
If function used with eval: What is field value of SalesTerritory for a VendorID of 80000 in the following evaluation?:
| eval SalesTerritory = if((VendorID >= 7000 AND VendorID <8000), "Asia", "Rest of the World")
"Rest of the World"
(True/False) The search command treats field values in a case-insensitive manner
True
(True/False) The where command treats field values in a case-insensitive manner
False
(True/False) Unquoted or single-quoted strings are treated as fields.
True
To be able to do wildcard searches with the where command, this operator must be used
like
What is the fillnull value used for?
To replace null values in fields. Default replacement value is 0.
What is a transaction?
A transaction is any group of related events that span time
What is the syntax of the transaction command?
transaction field-list. The field-list argument is a list of one or more fields.
(True/False) Transaction command creates a single event from a group of events
True
This field is produced by running the transaction command
duration - difference between timestamp of first and last event in the transaction
What does the maxspan argument do when used for transaction?
Defines the maximum total time between the earliest and latest events
What does the maxpause argument do when used for transaction?
Specifies the maximum total time between events.
What can be said about the events returned from the following search?
index=web sourcetype=access_combined
| transaction clientip JSESSIONID
startswith=eval(action="addtocart")
endswith=eval(action="purchase")
The first event in this transaction includes the action "addtocart", the last includes the action "purchase"
What is the default limit on the number of events per transaction?
1000
Why is stats recommended over transaction?
Faster and more efficient
When do you need to use transaction?
When you need to see events correlated together, and/or must define event grouping based on start/end values or segments on time
How can admins change the limit of numbers of events per transaction?
by configuring max_events_per_bucket in limits.conf
What are Knowledge Objects?
Knowledge objects are tools you use to discover and analyze various aspects of your data
(True/false) Knowledge Objects are shareable, reusable and searchable
True
(True/False) The Power User role can create an object that persists globally across all apps
False
(True/False) The Power User role can create an object that persists in the context of a specific app
True
What is the Splunk Common Information Model (CIM)
A methodology for normalizing data so that data from different sources and source types can be easily correlated.
Which meta fields are already stored in the index prior to search time?
host, source and sourcetype
Which internal fields are stored in the index prior to search time?
_time and _raw
At this time, field discovery discovers fields directly related to the search's results
search time
(True/False) After extracting fields using the field extractor (FX), it is possible to share the extracted fields.
True. Extracted fields exist as knowledge objects.
What are the two methods for doing field extractions?
Regex and delimiter
These knowledge objects provide a way of normalizing data over any default field
field aliases
(True/false) Field aliases are applied after field extraction, before lookups
True
(True/false) It is not possible to apply field aliases to lookups
False
(True/false) Multiple aliases can be applied to one field
True
(True/false) After a field alias has been made, the field alias can be used as an ordinary field in SPL
True
What is a calculated field?
Shortcut for performing repetitive, long, or complex transformations using the eval command
What is true about a calculated field?
Must be based on an extracted field
Where can both calculated field and field aliases be set up (using the GUI)?
Settings->Fields
These knowledge objects are like nicknames that are created for related field/value pairs
Tags
(True/False) Tags are case sensitive
True
(True/False) You can only create one tag for any field/value combination
False
(True/False) Knowledge objects like tags, field aliases and calculated fields are searchable
True
How does a tag appear after being selected?
In the results as tags, in parentheses next to the associated field/value pairs
The syntax for searching for a tag associated with a value is?
tag=
The syntax for searching for a tag associated with a value on a specific field is?
tag::
Where can tag-settings (including permissions) be edited?
Settings->Tags-> List by field value pair
This knowledge object can be used to group similar types of events
Event types
How do you create an event type?
Create and execute a search, press "save as"-> Event types
(True/False) Event type names can contain spaces
False
Which criteria must be reviewed and refined when using the Event Type Builder?
Search string, Field values, tags
What is the syntax for using eventtypes in a search?
eventtype=
At what time does Splunk evaluate the events when searching and using event types in your search?
Search time
How can you tag event types? (GUI)
Either by using "Settings-> Event Types" or by using "Event details->Actions"
(True/False) It is not possible to add tag to an Event Type
False
(True/false) Event Types do not include a time range, while a saved report does
True
These knowledge objects are useful when you frequently run searches or reports with similar search syntax
macros
(True/false) Macros are shareable
True
What happens if an event fits in multiple eventtypes?
Priority decides which event type takes precedence in the display order
At what time are parameter values passed to macro?
At execution time
How can you create a macro?(GUI)
Settings->Advanced search-> Search macros
What is the syntax for using macros in searches?
`macro`