Chapter 1-10: Using Fields in Splunk

A set of Q&A flashcards covering key concepts from chapters 1–10 about using fields in Splunk.

Which fields are selected by default in the field sidebar?

Host, source, and source type.

What qualifies a field as 'interesting' in Splunk's field sidebar?

Fields with values in at least 20% of the events; A denotes string values; # denotes numeric values.

What happens when you click a field in the field sidebar?

You see a list of values, their counts, and their percentage; you can add a field-value pair to the search.

How can you add a field-value pair to your search from the field list?

Click on the field value to add it to the search.

What effect does adding a field to the Selected Fields list have?

The field appears in the events where it occurs and persists for subsequent searches.

How can you view all fields for the current search?

Use the 'all fields' link at the top or the 'more fields' link at the bottom of the fields list.

Are field names case sensitive, and are field values case sensitive?

Field names are case sensitive; values are not.

Which operators work with numerical or string field values in Splunk?

Equal and not equal work for both; greater than, greater or equal; less than, and less than or equal work for numeric values.

What is the difference between the 'not equal' operator and the 'not' Boolean?

Not equal filters by field value; not (Boolean) excludes results differently, especially with missing fields.

What does the 'in' operator do in field searches?

Follows a field name with a list of values to include in the results.

What is the purpose of the fields command in a search?

To include or exclude fields using plus/minus operators.

Why is early filtering important and where should you place the fields command?

Best practice for efficiency; place before the stats command.

What does the 'rename' command do?

Renames fields to more descriptive labels; can rename multiple fields separated by commas; new label wrapped in quotes.

What is the difference between index-time and search-time field extraction?

Index-time extracts metadata (host, source, source type, time, raw); search-time extracts additional fields from raw data based on source type and key-value pairs; fields are persistent unless told otherwise.

What are persistent versus temporary fields?

Persistent fields are extracted for every search with the same terms; temporary fields are created ad hoc (e.g., with eval) for a single search.

What is the eval command used for?

Calculates and manipulates field values; can write results to a new temporary field or replace an existing field.

In the bandwidth example, how is megabytes calculated from bytes?

By dividing bytes by 1024 twice and storing the result in a new field (bandwidth).

What is the field extractor utility used for?

Extracts fields from data that were not automatically extracted for its source type.

What are eREX and REX commands used for?

Temporary field extraction at search time using regular expressions; eREX uses samples to build regex; REX uses an existing regex and generally does not require samples.

What is the difference in ease between eREX and REX?

EREX is easier (no regex knowledge) but requires samples; REX requires regex knowledge but doesn’t require samples; use REX when possible.

What is a field alias and how does it work?

Assigns alternate names to fields; does not replace the original field; you can search by alias or original name.

What are lookups in Splunk searches?

Field-value pairs configured to automatically append information to events at search time, adding context not in index data.

What is the correct order of knowledge objects in search-time processing?

Field extractions, then field aliases, then calculated fields, then lookups.

What is a calculated field and what is a key limitation?

A field created from calculations on existing fields; it can only reference fields already present in the events returned by the search.

What is the 'where' command with is null used for?

To identify missing or unmatched values; adding more samples to the examples argument helps fix misses.