IT Certification Exam
In the fields sidebar, which character denotes alphanumeric field values?
%
By default, how long does Splunk retain a search job? A. 10 Minutes B. 15 Minutes C. 1 Day D. 7 Days
A. 10 minutes
A collection of items containing things such as data inputs, UI elements, and knowledge objects is known as what? A. An app B. JSON C. A role D. An enhanced solution
A. An App
By default, search results are not returned in ________ order. A. Chronological B. Reverse chronological C. ASCII D. Alphabetical
A. Chronological D. Alphabetical
Splunk apps are used for the following (Choose three.): A. Designed to cater to numerous use cases and empower Splunk. B. We cannot install Splunk apps. C. Allow multiple workspaces for different use cases/user roles. D. A collection of different Splunk config files like data inputs, UI and knowledge objects.
A. Designed to cater to numerous use cases and empower Splunk. C. Allow multiple workspaces for different use cases/user roles. D. A collection of different Splunk config files like data inputs, UI and knowledge objects.
The Data Summary button just below the search bar gives you the following (Choose three.): A. Hosts B. Sourcetypes C. Sources D. Indexes
A. Hosts B. Sourcetypes D. Indexes
This function of the stats command allows you to return the middle-most value of field X. A. Median(X) B. Eval by X C. Fields(X) D. Values(X)
A. Median(X)
What does the rare command do? A. Returns the least common field values of a given field in the results. B. Returns the most common field values of a given field in the results. C. Returns the top 10 field values of a given field in the results. D. Returns the lowest 10 field values of a given field in the results.
A. Returns the least common field values of a given field in the results.
Select the best options for "search best practices" in Splunk: (Choose five.) A. Select the time range always. B. Try to specify index values. C. Include as many search terms as possible. D. Never select time range. E. Try to use * with every search term. F. Inclusion is generally better than exclusion. G. Try to keep specific search terms.
A. Select the time range always. B. Try to specify index values. C. Include as many search terms as possible. F. Inclusion is generally better than exclusion. G. Try to keep specific search terms.
What is Splunk? A. Splunk is a software platform to search, analyze and visualize machine-generated data. B. Database management tool. C. Security Information and Event Management (SIEM). D. Cloud-based application that helps in analyzing logs.
A. Splunk is a software platform to search, analyze and visualize machine-generated data.
Which of the following are Splunk premium enhanced solutions? (Choose three.) A. Splunk User Behavior Analytics (UBA) B. Splunk IT Service Intelligence (ITSI) C. Splunk Enterprise Security (ES) D. Splunk Analytics Security (AS)
A. Splunk User Behavior Analytics (UBA) B. Splunk IT Service Intelligence (ITSI) C. Splunk Enterprise Security (ES)
You can view search results in the following formats (Choose three.): A. Table B. Raw C. Pie Chart D. List
A. Table B. Raw D. List
Select the statements that are true for the timeline in Splunk (Choose four.): A. The timeline shows the distribution of events in the specified time range in the form of bars. B. Single-click to see the results for a particular time period. C. You can click and drag across the bars to select a range. D. This is the default view and you can't make any changes to it. E. You can hover your mouse for details like total events, time and date.
A. The timeline shows the distribution of events in the specified time range in the form of bars. B. Single-click to see the results for a particular time period. C. You can click and drag across the bars to select a range. E. You can hover your mouse for details like total events, time and date.
Query: status != 100 A. Will return events where the status field exists but its value is not 100. B. Will return events where the status field exists but its value is not 100, and all events where the status field doesn't exist. C. Will get different results depending on the data.
A. Will return events where the status field exists but its value is not 100.
The command shown here does which of the following? Command: | outputlookup products.csv A. Writes search results to a file named products.csv B. Returns the contents of a file named products.csv
A. Writes search results to a file named products.csv
At the time of searching, the start time is 03:35:08. Will the search look back to 03:00:00 if we use -30m@h? A. Yes B. No
A. Yes
Which of the following is a Splunk internal Field? A. _raw B. Host C. _host D. Index
A. _raw
This is what Splunk uses to categorize the data that is being indexed. A. sourcetype B. index C. source D. host
A. sourcetype
This function of the stats command allows you to return the sample standard deviation of a field. A. stdev B. dev C. count deviation D. by standarddev
A. stdev
Which of the following searches will show the number of categoryId used by each host? A) Sourcetype=access_* |sum bytes by host B) Sourcetype=access_* |stats sum(categoryID) by host C) Sourcetype=access_* |sum(bytes) by host D) Sourcetype=access_* |stats Sun by host
B) Sourcetype=access_*|stats sum(categoryID) by host
Which of the following searches would return events with failure in index netfw or warn or critical in index netops? A. (index=netfw failure) AND index=netops warn OR critical B. (index=netfw failure) OR (index=netops (warn OR critical)) C. (index=netfw failure) AND (index=netops (warn OR critical)) D. (index=netfw failure) OR index=netops OR (warn OR critical)
B. (index=netfw failure) OR (index=netops (warn OR critical))
______________ is the default web port used by Splunk. A. 8089 B. 8000 C. 8080 D. 443
B. 8000
Which of the following are time selection options when running a search? (Choose all that apply.) A. Date & Time Range B. Advanced C. Date Range D. Presets E. Relative
B. Advanced
When is the pipe character, |, used in search strings? A. Before clauses. For example: stats sum(bytes) | by host B. Before commands. For example: | stats sum(bytes) by host C. Before arguments. For example: stats sum| (bytes) by host D. Before functions. For example: stats |sum(bytes) by host
B. Before commands. For example: | stats sum(bytes) by host
You can onboard data to Splunk using the following means (Choose four.): A. Props B. CLI C. Splunk Web D. savedsearches.conf E. Splunk apps and add-ons F. indexes.conf G. inputs.conf H. metadata.conf
B. CLI C. Splunk Web E. Splunk apps and add-ons G. inputs.conf
What is the correct way to use a time range specifier in the search bar so that the search looks back 2 hours? A. Latest = -2h B. Earliest = -2h C. Latest = -2hour@d D. Earliest = -2hour@d
B. Earliest = -2h
Which of the following statements about case sensitivity is true? A. Both field names and field values ARE case sensitive B. Field names ARE case sensitive; field values are NOT. C. Field values ARE case sensitive; field names ARE NOT D. Both field names and field values ARE NOT case sensitive.
B. Field names ARE case sensitive; field values are NOT.
After running a search, what effect does clicking and dragging across the timeline have? A. Executes a new search. B. Filters current search results. C. Moves to past or future events. D. Expands the time range of the search.
B. Filters current search results
Which of the following Splunk components typically resides on the machines where data originates? A. Indexer B. Forwarder C. Search head D. Deployment server
B. Forwarder
How can results from a specified static lookup file be displayed? A. Lookup command B. Input lookup command C. Settings > lookups > input D. Settings > lookups > upload
B. Input lookup command
Which of the following file types is an option for exporting Splunk search results? A. PDF B. JSON C. XLS D. RTF
B. JSON
What are the three main Splunk components? A. Search head, GPU, Streamer B. Search head, indexer, forwarder C. Search head, SQL database, forwarder D. Search head, SSD, heavy weight agent
B. Search head, indexer, forwarder
Which key combination puts the query onto separate lines where pipes (|) are used? A. CTRL + Enter B. Shift + Enter C. Space + Enter D. ALT + Enter
B. Shift + Enter
This is what Splunk uses to categorize the data that is being indexed. A. Host B. Sourcetype C. Index D. Source
B. Sourcetype
Assuming a user has the capability to edit reports, which of the following are editable? A. Acceleration, schedule, permissions B. The report's name, schedule, permissions C. The report's name, acceleration, schedule D. The report's name, acceleration, permissions
B. The report's name, schedule, permissions
When writing searches in Splunk, which of the following is true about Booleans? A. They must be lowercase. B. They must be uppercase. C. They must be in quotations. D. They must be in parentheses.
B. They must be uppercase.
What are the two most efficient search filters? A. _time and host B. _time and index C. host and sourcetype D. index and sourcetype
B. _time and index
What syntax is used to link key/value pairs in search strings? A. action+purchase B. action=purchase C. action | purchase D. action equal purchase
B. action=purchase
Which Field/Value pair will return only events found in the index named security? A. Index=Security B. index=Security C. Index=security D. index!=Security
B. index=Security
Select the answer that displays the accurate placing of the pipe in the following search string: index=security sourcetype=access_* status=200 stats count by price A. index=security sourcetype=access_* status=200 stats | count by price B. index=security sourcetype=access_* status=200 | stats count by price C. index=security sourcetype=access_* status=200 | stats count | by price D. index=security sourcetype=access_* | status=200 | stats count by price
B. index=security sourcetype=access_* status=200 | stats count by price
Splunk Components: Which of the following are responsible for reducing search results? A. search heads B. indexers C. forwarders
B. indexers
Which of the following represents the Splunk recommended naming convention for dashboards? A. Description_Group_Object B. Group_Description_Object C. Group_Object_Description D. Object_Group_Description
C. Group_Object_Description
How are events displayed after a search is executed? A. In chronological order. B. Randomly by default. C. In reverse chronological order. D. Alphabetically according to field name.
C. In reverse chronological order.
Which component of Splunk is primarily responsible for saving data? A. Search Head B. Heavy Forwarder C. Indexer D. Universal Forwarder
C. Indexer
When saving a search directly to a dashboard panel instead of saving as a report first, which of the following is created? A. Cloned panel B. Inline panel C. Report panel D. Prebuilt panel
C. Report panel
What is Search Assistant in Splunk? A. It is only available to Admins. B. Such a feature does not exist in Splunk. C. Shows options to complete the search string
C. Shows options to complete the search string
When a search returns ______, you can view the results as a list. A. a list of events B. transactions C. statistical values
C. Statistical values
What must be done in order to use a lookup table in Splunk? A. The lookup must be configured to run automatically. B. The contents of the lookup file must be copied and pasted into the search bar. C. The lookup file must be uploaded to Splunk and a lookup definition must be created. D. The lookup file must be uploaded to the etc/apps/lookups folder for automatic ingestion.
C. The lookup file must be uploaded to Splunk and a lookup definition must be created.
When viewing results of a search job from the activity menu, which of the following is displayed? A. New events based on the current time range picker B. The same events based on the current time range picker C. The same events from when the original search was executed D. New events in addition to the same events from the original search
C. The same events from when the original search was executed
How do you add or remove fields from search results? A. Use field +to add and field -to remove. B. Use table +to add and table -to remove. C. Use fields +to add and fields -to remove. D. Use fields Plus to add and fields Minus to remove.
C. Use fields +to add and fields -to remove.
When looking at a dashboard panel that is based on a report, which of the following is true? A. You can modify the search string in the panel, and you can change and configure the visualization. B. You can modify the search string in the panel, but you cannot change and configure the visualization. C. You cannot modify the search string in the panel, but can change and configure the visualization. D. You cannot modify the search string in the panel, and you cannot change and configure the visualization.
C. You cannot modify the search string in the panel, but can change and configure the visualization.
What is the main requirement for creating visualizations using the Splunk UI? A. Your search must transform event data into Excel file format first. B. Your search must transform event data into XML formatted data first. C. Your search must transform event data into statistical data tables first. D. Your search must transform event data into JSON formatted data first.
C. Your search must transform event data into statistical data tables first.
Which of the following searches will return results where fail, 400, and error exist in every event? A. error AND (fail AND 400) B. error OR (fail and 400) C. error AND (fail OR 400) D. error OR fail OR 400
C. error AND (fail OR 400)
Which search will return only events containing the word "error" and display the results as a table that includes the fields named action, src, and dest? A. error | table action, src, dest B. error | tabular action, src, dest C. error | stats table action, src, dest D. error | table column=action column=src column=dest
C. error | stats table action, src, dest
According to Splunk best practices, which placement of the wildcard results in the most efficient search? A. f*il B. *fail C. fail* D. *fail*
C. fail*
Which command is used to review the contents of a specified static lookup file? A. lookup B. csvlookup C. inputlookup D. outputlookup
C. inputlookup
Which of the following commands will show the maximum bytes? A. sourcetype=access_*|maximum totals by bytes B. sourcetype=access_*| avg (bytes) C. sourcetype=access_*| stats max(bytes) D. sourcetype=access_*| max(bytes)
C. sourcetype=access_*| stats max(bytes)
What result will you get with the following search: index=test Sourcetype="The_Questionnaire_P*"? A. the_questionnaire _pedia B. the_questionnaire pedia C. the_questionnaire_pedia D. the_questionnaire Pedia
C. the_questionnaire_pedia
Which of the following is a correct way to limit search results to display the 5 most common values of a field? A. | rare top=5 B. | top rare=5 C. | top limit=5 D. | rare limit=5
C. | top limit=5
A field exists in search results, but isn't being displayed in the fields sidebar. How can it be added to the fields sidebar?
Click all fields and select the field to add it to selected fields
When viewing the results of a search, what is an Interesting Field? A. A field that appears in any event B. A field that appears in every event C. A field that appears in the top 10 events D. A field that appears in at least 20% of the events
D. A field that appears in at least 20% of the events
Which statement is true about the top command? A. It returns the top 10 results B. It displays the output in table format C. It returns the count and percent columns per row D. All of the above
D. All of the above
What is the default lifetime of every Splunk search job? A. All search jobs are saved for 10 days B. All search jobs are saved for 10 hours C. All search jobs are saved for 10 weeks D. All search jobs are saved for 10 minutes
D. All search jobs are saved for 10 minutes
In the Splunk interface, the list of alerts can be filtered based on which characteristics? A. App, Owner, Severity, and Type B. App, Owner, Priority, and Status C. App, Dashboard, Severity, and Type D. App, Time Window, Type, and Severity
D. App, Time Window, Type, and Severity
This clause is used to group the output of a stats command by a specific name. A. Rex B. As C. List D. By
D. By
When editing a dashboard, which of the following are possible options? (select all that apply) A. Add an output. B. Export a dashboard panel. C. Modify the chart type displayed in a dashboard panel. D. Drag a dashboard panel to a different location on the dashboard.
D. Drag a dashboard panel to a different location on the dashboard.
Data sources being opened and read applies to: A. None of the above B. Indexing Phase C. Parsing Phase D. Input Phase E. License Metering
D. Input Phase
What does the following specified time range do? earliest=-72h@h latest=@d A. Look back 3 days ago and prior B. Look back 72 hours up to one day ago C. Look back 72 hours, up to the end of today D. Look back from 3 days ago up to the beginning of today
D. Look back from 3 days ago up to the beginning of today
When a Splunk search generates calculated data that appears in the Statistics tab, in what formats can the results be exported? A. CSV, JSON, PDF B. CSV, XML, JSON C. Raw Events, XML, JSON D. Raw Events, CSV, XML, JSON
D. Raw Events, CSV, XML, JSON
Which component of Splunk lets us write an SPL query to find the required data? A. Forwarders B. Indexer C. Heavy Forwarders D. Search head
D. Search head
By default, which of the following is a selected field? A. Action B. Clientip C. CategoryId D. Sourcetype
D. Sourcetype
How does Splunk determine which fields to extract from data? A. Splunk only extracts the most interesting data from the last 24 hours. B. Splunk only extracts fields users have manually specified in their data. C. Splunk automatically extracts any fields that generate interesting visualizations. D. Splunk automatically discovers many fields based on sourcetype and key/value pairs found in the data.
D. Splunk automatically discovers many fields based on sourcetype and key/value pairs found in the data.
What determines the scope of data that appears in a scheduled report? A. All data accessible to the User role will appear in the report. B. All data accessible to the owner of the report will appear in the report. C. All data accessible to all users will appear in the report until the next time the report is run. D. The owner of the report can configure permissions so that the report uses either the User role or the owner's profile at run time.
D. The owner of the report can configure permissions so that the report uses either the User role or the owner's profile at run time.
Which is a primary function of the timeline located under the search bar? A. To differentiate between structured and unstructured events in the data B. To sort the events returned by the search command in chronological order C. To zoom in and zoom out, although this does not change the scale of the chart D. To show peaks and/or valleys in the timeline, which can indicate spikes in activity or downtime
D. To show peaks and/or valleys in the timeline, which can indicate spikes in activity or downtime
What is a primary function of a scheduled report? A. Auto-detect changes in performance B. Auto-generated PDF reports of overall data trends C. Regularly scheduled archiving to keep disk space use low D. Triggering an alert in your Splunk instance when certain conditions are met
D. Triggering an alert in your Splunk instance when certain conditions are met
In the Search and Reporting app, which tab displays timecharts and bar charts? A. Events B. Patterns C. Statistics D. Visualization
D. Visualization
Which search string is the most efficient? A. "failed password" B. ''failed password"* C. index=* "failed password" D. index=security "failed password"
D. index=security "failed password"
Which search string matches only events with the status_code of 404? A. status_code!=404 B. status_code>=400 C. status_code<=404 D. status_code>403 status_code<405
D. status_code>403 status_code<405
Which is not a comparison operator in Splunk? A. <= B. = C. != D. > E. ?=
E. ?=
Which of the following are not true about lookups? (Select all that apply.) A. Lookups can be time based B. Search results can be used to populate a lookup table C. Splunk DB Connect can be used to populate a lookup table from relational databases D. Output from a script can be used to populate a lookup table E. Lookups have a 10mg maximum size limit
E. Lookups have a 10mg maximum size limit
T/F: != and NOT are the same arguments.
False
It is mandatory for the lookup file to have this for an automatic lookup to work.
Input field
Will the following queries get the same result? 1. index=log sourcetype=error_log status!=100 2. index=log sourcetype=error_log NOT status=100 A. Yes B. No
No
In the fields sidebar, what does the number directly to the right of the field name indicate?
The number of unique values for the field
T/F: All components are installed and administered on-premises in Splunk Enterprise.
True
T/F: The forwarder option gathers and forwards data from remote machines to indexers over a receiving port.
True
T/F: Splunk Enterprise is used as a scalable service in Splunk Cloud.
True
T/F: Splunk extracts fields from event data at index time and at search time.
True
T/F: Splunk indexes the data on the basis of timestamps.
True
T/F: The default host name used in the Inputs general settings cannot be changed.
True
T/F: The opening parenthesis is automatically highlighted to guide you on the presence of the matching closing parenthesis.
Yes
These users can create global knowledge objects. (Select all that apply.) A. users B. power users C. administrators
B. power users C. administrators
Clicking a SEGMENT on a chart, ________. A. drills down for that value B. highlights the field value across the chart C. adds the highlighted value to the search criteria
C. adds the highlighted value to the search criteria
T/F: Field values are case sensitive.
False
T/F: It is not possible for a single instance of Splunk to manage the input, parsing and indexing of machine data.
False
In automatic lookup definitions, the _____ fields are those that are not in the event data. A. input B. output
B. output
T/F: Interesting fields are the fields that appear in at least 20% of the resulting events.
True
T/F: Lookups allow you to overwrite your raw event.
True
Snapping rounds down to the nearest specified unit. A. Yes B. No
A. Yes
Zoom Out and Zoom to Selection re-execute the search. A. No B. Yes
B. Yes