T/F:
Machine data is always structured.
False.
Machine data can be structured or unstructured.
Machine data makes up more than ___% of the data accumulated by organizations.
90
T/F:
Machine data is only generated by web servers.
False
Search requests are processed by the ___________.
Indexers
Search strings are sent from the _________.
Search Head
In most Splunk deployments, ________ serve as the primary way data is supplied for indexing.
Forwarders
Which of these is not a main component of Splunk?
A) Search and investigate.
B) Compress and archive.
C) Add knowledge.
D) Collect and index data.
B) Compress and archive
What are the three main processing components of Splunk?
(Select all that apply.)
A) Indexers
B) Deployment Maker
C) Search Heads
D) Forwarders
E) Distributors
A) Indexers
C) Search Heads
D) Forwarders
_________ define what users can do in Splunk.
A) Tokens
B) Disk permissions
C) Roles
C) Roles
This role will only see their own knowledge objects and those that have been shared with them.
A) User
B) Power
C) Admin
A) User
T/F:
You can launch and manage apps from the home app.
True
What are the three main default roles in Splunk Enterprise?
(Select all that apply.)
A) King
B) User
C) Manager
D) Admin
E) Power
B) User
D) Admin
E) Power
Which apps ship with Splunk Enterprise?
(Select all that apply.)
A) Home App
B) Sideview Utils
C) Search & Reporting
D) DB Connect
A) Home App
C) Search & Reporting
The default username and password for a newly installed Splunk instance is:
A) username and password
B) admin and changeme
C) admin and 12345
D) buttercup and rawks
B) admin and changeme
Files indexed using the upload input option get indexed _____.
A) Each time Splunk restarts.
B) Every hour.
C) On every search.
D) Once.
D) Once.
T/F:
The monitor input option will allow you to continuously monitor files.
True
Splunk knows where to break the event, where the time stamp is located and how to automatically create field value pairs using these.
A) Line breaks
B) Source types
C) File names
B) Source types
Splunk uses ______________ to categorize the type of data being indexed.
sourcetype
In most production environments, _____________ will be used as the source of data input.
Forwarders
How is the asterisk used in Splunk search?
A) As a wildcard.
B) To make a nose for your clown emoticon.
C) As a place holder.
D) To add up numbers.
A) As a wildcard.
Which of the following search modes toggles behavior based on the type of search being run?
A) Smart
B) Fast
C) Verbose
A) Smart
T/F:
When zooming in on the event time line, a new search is run.
False
T/F:
These searches will return the same results...
failed password
failed AND password
True
A search job will remain active for _____ minutes after it is run.
A) 5
B) 10
C) 30
D) 60
E) 90
B) 10
What attributes describe the field below?
a dest 4
(Select all that apply.)
A) It contains 4 values.
B) It contains numerical values.
C) It cannot be used in a search.
D) It contains string values.
A) It contains 4 values.
D) It contains string values.
T/F:
Wildcards cannot be used with field searches.
False
T/F:
Field values are case sensitive.
False
Which is not a comparison operator in Splunk?
(Select your answer.)
A) >
B) ?=
C) <=
D) !=
E) =
?=
Field names are ________.
(Select all that apply.)
A) Always capitalized.
B) Not important in Splunk.
C) Case sensitive.
D) Case insensitive.
C) Case sensitive
This symbol is used in the "Advanced" section of the time range picker to round down to the nearest unit of specified time.
(Select your answer.)
A) %
B) ^
C) @
D) &
E) *
C) @
T/F:
Time to search can only be set by the time range picker.
False
What is the most efficient way to filter events in Splunk?
A) By time.
B) Using booleans.
C) With an asterisk.
A) By time.
T/F:
As a general practice, exclusion is better than inclusion in a Splunk search.
False
Having separate indexes allows:
(Select all that apply.)
A) Faster Searches.
B) Ability to limit access.
C) Multiple retention policies.
A) Faster Searches.
B) Ability to limit access.
C) Multiple retention policies.
Would the ip column be removed in the results of this search? Why or why not?
sourcetype=a* | rename ip as "User" | fields - ip
A) Yes, because a pipe was used between search commands.
B) No, because the name was changed.
C) No, because table columns cannot be removed.
D) Yes, because the negative sign was used.
B) No, because the name was changed.
T/F:
Excluding fields using the Fields Command will benefit performance.
False
Which command removes results with duplicate field values?
A) Dedup
B) Limit
C) Join
D) Distinct
A) Dedup
What is missing from this search?...
sourcetype=a* | rename ip as "User IP" | table User IP
A) A pipe.
B) Search terms
C) Quotation marks around User IP.
D) A table command.
C) Quotation marks around User IP.
What command would you use to remove the status field from the returned events?
sourcetype=a* status=404 | ___________ status
A) table
B) fields -
C) not
D) fields
B) fields -
Which one of these is not a stats function?
A) Count
B) Avg
C) Addtotals
D) List
E) Sum
C) Addtotals
To display the most common values in a specific field, what command would you use?
A) top
B) all
C) table
D) rare
A) top
Which clause would you use to rename the count field?
sourcetype=vendor* | stats count __________ "Units Sold"
A) rename
B) to
C) as
D) show
C) as
How many results are shown by default when using a Top or Rare Command?
10
Which stats function would you use to find the average value of a field?
average (or avg)
If a search returns this, you can view the results as a chart.
A) A list.
B) Statistical values
C) Time limits.
D) Numbers
B) Statistical values
T/F:
A time range picker can be included in a report.
True
These roles can create reports:
(Select all that apply.)
A) Admin
B) User
C) Power
A) Admin
B) User
C) Power
In a dashboard, a time range picker will only work on panels that include a(n) __________ search.
A) transforming
B) inline
C) visualization
D) accelerated
B) inline
T/F:
The User role cannot create reports.
False
Adding child data model objects is like the ______ operator in the Splunk search language.
A) NOT
B) AND
C) OR
B) AND
T/F:
Pivots cannot be saved as reports panels.
False
The instant pivot button is displayed in the statistics and visualization tabs when a _______ search is run.
A) transforming
B) non-transforming
B) non-transforming
These are knowledge objects that provide the data structure for pivot.
A) Alerts
B) Indexes
C) Reports
D) Data models
D) Data models
T/F:
Pivots can be saved as dashboards panels.
True
T/F:
A lookup is categorized as a dataset.
True
External data used by a Lookup can come from sources like:
(Select all that apply.)
A) Scripts.
B) CSV files.
C) None. Only internal data can be used.
D) Geospatial data.
A) Scripts
B) CSV files
D) Geospatial data
When using a .csv file for Lookups, the first row in the file represents this.
A) Field names.
B) Output fields.
C) Nothing, it is ignored.
D) Input fields.
A) Field names.
Finish this search command so that it displays data from the http_status.csv Lookup file.
| _________________ http_status.csv
A) inputlookup
B) lookup=*
C) datalookup
D) lookup
A) inputlookup
To keep from overwriting existing fields with your Lookup you can use the _________ clause.
OUTPUTNEW
T/F:
Alerts can be shared to all apps.
True
T/F:
Real-time alerts will run the search continuously in the background.
True
T/F:
Alerts can run uploaded scripts.
True
T/F:
Once an alert is created, you can no longer edit its defining search.
False
T/F:
Alerts can send an email.
True
Which function is not a part of a single instance deployment?
A) Searching
B) Parsing
C) Clustering
D) Indexing
C) Clustering
T/F:
Events are always returned in chronological order.
False
Finish the rename command to change the name of the status field to HTTP Status.
sourcetype=a* status=404 | rename ______________
A) as "HTTP Status"
B) status as "HTTP Status"
C) status to "HTTP Status"
D) status as HTTP Status
B) status as "HTTP Status"
_____________ are reports gathered together into a single pane of glass.
A) Dashboards
B) Panels
C) Alerts
D) Scheduled Reports
A) Dashboards
An alert is an action triggered by a _____________.
A) Selected field
B) Tag
C) Report
D) Saved search
D) Saved Search
What is a transforming command?
A type of search command that orders the results into a data table. Transforming commands "transform" the specified cell values for each event into numerical values that Splunk Enterprise can use for statistical purposes.
What are seven common transforming commands?
Transforming commands include:
1) chart
2) timechart
3) stats
4) top
5) rare
6) contingency
7) highlight
What does CIM stand for and what is it?
Common Information Model (CIM).
A shared semantic model focused on extracting value from data. The CIM is implemented as an add-on that contains a collection of data models, documentation, and tools that support the consistent, normalized treatment of data for maximum efficiency at search time.
What is a lookup?
Lookup is a command to invoke field value lookups. The lookup command can merge unstructured and structured data.
For example:
...| lookup
What is a scheduled report?
A report that is scheduled to run on a regular interval, making it a type of scheduled search. Scheduled reports typically initialize one or more alert actions each time they run, such as sending the results of the report run to a set of recipients, logging and indexing custom log events, or adding the results to a CSV lookup.
What is pivot?
Pivot is a command that applies a pivot operation to data.
For example: This command counts the number of events in the "HTTP Requests" object in the "Tutorial" data model.
...| pivot Tutorial HTTP_requests count(HTTP_requests) AS "Count of HTTP requests"
What are the three required parts of a pivot?
The pivot command is a generating command and must be first in a search pipeline. It requires a large number of inputs: the data model, the data model object, and pivot elements.
...| pivot
What does SPL stand for and what are some of its features?
Search Processing Language (SPL)
It is Splunk's proprietary language. SPL encompasses all the search commands and their functions, arguments, and clauses. Its syntax was originally based on the Unix pipeline and SQL. The scope of SPL includes data searching, filtering, modification, manipulation, insertion, and deletion.
What is the most recent version of Splunk that is stable?
Splunk Version 7.2.1
(As of 12/06/2018)
What are the three Splunk search modes?
1) Verbose (returns most amount of data)
2) Fast (limits types of data returned and emphasizes speed)
3) Smart (switches to verbose or fast based on search)
How would you use a wildcard to create a search that looks for all of the product IDs that begin with the letter S and end in G01.
productID=S*G01
Indexes consist of what two types of files?
1) Raw data files
2) Index files
What is an index?
A collection of databases.
What is time-series data?
Any data with time stamps.
How does Splunk indexing work?
Time-series data is broken into events, based on the timestamps.
When should you avoid using wildcards?
When the items searched against have punctuation, such as SF-RT_5G01
A typical search would be: productID=S*G01
But due to the way Splunk indexes punctuation (such as underscore or dash), this search would likely fail.
What is the difference between stats, chart, and time chart?
Stats: Tabular format that allows unlimited fields.
Chart: Graphical format that allows two fields (x and y axis) and can be pie chart, bar chart, line chart etc.
Time Chart: Allows display in bar or line graph format, and only takes in one field because it uses time for the X axis.
What are the five default fields for every event in Splunk?
1) host
2) source
3) source type
4) index
5) timestamp
All of Splunk's configurations are written within what file type?
Plain text .conf files.
What are the five Splunk data bucket ages, from most current to oldest?
1) Hot
2) Warm
3) Cold
4) Frozen
5) Thawed
What happens to data once it reaches the frozen bucket?
Depending on the aging policy, the data in the frozen bucket is either archived or deleted.
What does a Splunk license specify?
How much data you can index per calendar day.
What does a generating command do?
A generating command fetches information from the indexes, without any transformations.
Generating commands are either event-generating (distributable or centralized) or report-generating. Most report-generating commands are also centralized. Depending on which type the command is, the results are returned in a list or a table.
What does the metadata command do?
The metadata command returns a list of sources, sourcetypes, or hosts from a specified index or distributed search peer.
For Example: ...| metadata type=hosts
What is the Splunk data inspector process?
1) Look at data and decide how to process it.
2) Label data by source type.
3) Break data into events.
4) Normalize timestamps.
5) Add the data to a Splunk index so it can be searched.
Where would you go to determine whether the built-in search optimizations are helping your search to complete faster?
Job Inspector
What is the job of the Search Head?
Handle search requests using Splunk search language. Enriches data with reports, dashboards, visualizations.
Search heads send searches to...
Indexers
What processes machine data, storing the results in indexes as events, and enables fast search and analysis?
The Splunk Indexer.
As the Indexer indexes data, it creates a number of files organized by __________
age
(using the timestamps)
What do Indexes point to?
Indexes point to raw compressed data.