Splunk
weeks
w, week, weeks
Clicking on a field shows a list of _______, ________, and ________.
values, count, and percentage
Search & Reporting, Home App
which two apps ship with Splunk Enterprise
audit event
An event generated when an audited activity is performed in Splunk Enterprise.
Host
An event's host value is typically the hostname, IP address, or fully qualified domain name of the network host from which the event originated
ad hoc search
An unscheduled search
Splunk Enterprise Security
Analytics-driven SIEM used to monitor, detect, analyze, investigate and respond to threats and attacks. Complementary product: customers must have an equivalent license of Core Splunk (same GB volume).
analyzefields and af
Analyze numerical fields for their ability to predict another discrete field.
analyzefields
Analyze numerical fields for their ability to predict another discrete field. See Also anomalousvalue.
These are booleans in the Splunk Search Language.
AND, NOT, OR
tags
Annotates specified fields in your search results with tags. See Also eval
scrub
Anonymizes the search results.
Machine data can give you insights into:
Application performance, Security, Hardware monitoring, Sales, User behavior
Fields extracted with the field extractor
Are persistent. Are specific to a host, source or sourcetype. Are reusable in multiple searches.
______ variables to apply to function (ex. Product name) (components of search language)
Arguments
False
As a general practice, exclusion is better than inclusion in a Splunk search.
How is the asterisk used in Splunk search?
As a wildcard
This command can be used to make Splunk start each time the server is booted.
./splunk enable boot-start
What command is used to start the Splunk Enterprise server?
./splunk start
Location of props.conf:
/opt/splunk/etc/system/default/props.conf ---> never edit this file, as it contains the default configuration. /opt/splunk/etc/system/local/props.conf ---> this is the file we edit for our configurations.
By default, the Fillnull Command replaces null values with this:
0
-1h@h
1 hour ago, to the hour Wednesday, 05 February 2017, 12:00:00 P.M.
-24h
24 hours ago (yesterday) Tuesday, 04 February 2017, 01:37:05 P.M. Equivalent modifiers -24h@s
+24h
24 hours from now, tomorrow Thursday, 06 February 2017, 01:37:05 P.M. Equivalent modifiers +24h@s
Splunk suggests naming your Knowledge Objects using _______ segmented keys.
6
These field operators are used with both numerical and string values (symbols).
= !=
Comparison symbols
=, !=, <=, >, >=
These symbols are only used with numerical values?
> >= < <=
&=
A comparison operator in Splunk
character set encoding
A method for displaying and working with language characters on computer systems.
Event Type
A method of categorizing events based on a search
Community support
A support service level that entitles the user to public information sources for questions about Splunk Enterprise.
After creating your data model, the next step is to ___________
Add a root object
addinfo
Add fields that contain common information about the current search.
Knowledge
Add knowledge objects to data. Affects how data is interpreted, classified, enriched and normalized for future use.
AND
Adding child data model objects is like the ______ Boolean in the Splunk search language.
relevancy
Adds a relevancy field which indicates how well the event matches the query.
iplocation
Adds location information such as city country latitude longitude and so on based on IP addresses.
input
Adds sources to Splunk or disables sources from being processed by Splunk.
streamstats
Adds summary statistics to all search results in a streaming manner.
streamstats
Adds summary statistics to all search results in a streaming manner. See Also eventstats & stats
eventstats
Adds summary statistics to all search results.
eventstats
Adds summary statistics to all search results. See Also stats
Which role defines what apps a user will see by default?
Admin
Which roles can create knowledge objects shared across all apps?
Admin
These roles can create reports:
Admin User Power
Which roles can create data models?
Admin and Power
3 Roles in Splunk?
Admin, Power User, and End-User.
Three main roles in splunk? (3)
Admin, Power, User
True
Administrators CANNOT configure default fields
False
After a report is saved, you can no longer edit the search
________ is an action that a saved search triggers based on the results of the search
Alert
____________ are based on searches that run on a scheduled interval or in real-time.
Alerts
True
Alerts can send an email
What are the predefined ways knowledge objects can be shared?
All apps, Private, Specific app
Forwarder Characteristics
(1) Require minimal resources, (2) little impact on performance, (3) reside on the machine where the data originates.
Which character acts as a wildcard in the Splunk Search Language?
*
TRUNCATE
- This attribute is nothing to sneeze at. Measured in bytes, this attribute limits the length of an event (line of data), and will break when the limit is met. The default value is 10000 so set this to 999999 bytes or more depending on the size of your event. Because your data is not being broken up into multiline events (given SHOULD_LINEMERGE = false) you will want to ensure your events do not get broken up incorrectly.
what is a bucket in splunk?
- A bucket is a directory on a server in Splunk; buckets are hot, warm, cold, frozen or thawed. - Events within Splunk are broken down into segments called buckets. - Buckets live inside indexes as files, collections of databases and subdirectories.
Search Heads require more _____ than indexers.
CPU Power
makemv
Change a specified field into a multivalued field during a search.
makemv
Change a specified field into a multivalued field during a search. See Also mvcombine & mvexpand & nomv
nomv
Changes a specified multivalued field into a single-value field at search time.
nomv
Changes a specified multivalued field into a single-value field at search time. See Also makemv & mvcombine & mvexpand
True
Charts can be based on numbers, time or location
_______ object acts like an AND boolean
Child
_________ objects can be added to a root event object to narrow down the search.
Child
_______ how we want results defined. (components of search language)
Clauses
Which function is not a part of a single instance deployment?
Clustering
cluster
Clusters similar events together.
cluster
Clusters similar events together. See Also anomalies anomalousvalue cluster kmeans outlier
Main Components of Splunk
Collect and index data; search and investigate; add knowledge.
Index
Collects data from any source. As data enters, inspectors go to work and determine how to process the data. When it is matched it is labeled with a source type. Data is then broken into single events. Timestamps are identified and normalized to a consistent format. Events are then stored in the Splunk index, where they can be searched.
mvcombine
Combines events in search results that have a single differing field value into one result with a multivalue field of the differing field.
mvcombine
Combines events in search results that have a single differing field value into one result with a multivalue field of the differing field. See Also mvexpand & makemv & nomv
splunk enable app SplunkForwarder -auth <username>:<password>
Command to setup splunk heavy forwarder?
______ tell Splunk what we want to do with results (ex. stats) (components of search language)
Commands
transforming
Commands that create statistics and visualizations are called _________ components.
Splunk Services
Community, Standard, Enterprise and Global Support, PS and CSM
Which of these is not a main component of Splunk?
Compress and archive
anomalies
Computes an "unexpectedness" score for an event.
anomalies
Computes an "unexpectedness" score for an event. See Also anomalousvalue & cluster & kmeans & outlier.
trendline
Computes moving averages of fields.
trendline
Computes moving averages of fields. See Also timechart
delta
Computes the difference in field value between nearby results.
delta
Computes the difference in field value between nearby results. See Also accum & autoregress & trendline & streamstats
addtotals
Computes the sum of all numeric fields for each result.
strcat
Concatenates string values and saves the result to a specified field.
strcat
Concatenates string values.
Props.conf is used to define following configurations
Configuring timestamp recognition. Converting the time format to our default time format. Configuring line breaking for multiline events. Setting up character set encoding. Defining manual field extraction regexes. Allowing processing of binary files. Configuring event segmentation. Overriding Splunk's automated host and source type matching. Defining where to look up lookup tables, etc.
_audit
Contains events related to the file system change monitor, auditing, and all user search history
convert
Converts field values into numerical values.
convert
Converts field values into numerical values. See Also eval
untable
Converts results from a tabular format to a format similar to stats output. Inverse of xyseries and maketable.
xyseries
Converts results into a format suitable for graphing.
reltime
Converts the difference between 'now' and '_time' to a human-readable value and adds this value to the field 'reltime' in your search results.
reltime
Converts the difference between 'now' and '_time' to a human-readable value and adds this value to the field 'reltime' in your search results. See Also convert
websphere_core
Corefile export from Websphere
Splunk Value Stack
Corporate Objectives Business Strategy Initiatives Risks and Critical Capabilities C Level Commercial Insights
crawl
Crawls the filesystem for new sources to add to an index.
timechart
Create a time series chart and corresponding table of statistics. See Functions for stats, chart, and timechart in the Splunk Enterprise Search Reference. See Also chart & bucket
timechart
Create a time series chart and corresponding table of statistics. See Statistical and charting functions in the Splunk Enterprise Search Reference.
Power User Role
Create and share Knowledge Objects for Users of an app and do real time searches.
Search commands can be used with search terms to do the following:
Create charts, compute statistics, format data
mvrange(X,Y,Z)
Creates a multivalue field with a range of numbers between X and Y, incrementing by Z. Basic example: the following example returns a multivalue field with the values 1, 3, 5, 7, 9. ... | eval mv=mvrange(1,11,2)
table
Creates a table using the specified fields.
table
Creates a table using the specified fields. See Also fields
A power user does what?
Creates and shares knowledge objects for users of app, real-time searches
What does the search and reporting app do in splunk?
Creates knowledge objects, reports, and dashboards
What are search commands used for?
Creating charts, computing statistics, and formatting
-5m@m
Current search time is 09:37:12. What is the time range equation to search back 5 minutes on the minute?
ltrim(x,y)
Description: This function takes one or two arguments X and Y, and returns X with the characters in Y trimmed from the left side. If Y is not specified, spaces and tabs are removed. Basic example: the following example trims the leading spaces and all of the occurrences of the letter Z from the left side of the string. The value that is returned is x="abcZZ ". ... | eval x=ltrim(" ZZZZabcZZ ", " Z")
The following are Splunk Enterprise processing tiers.
Data input, Indexing, Search Management
Sourcetype
Data is broken into single events by ___
These are knowledge objects that provide the data structure for pivot.
Data models
Data models are made up of ___________.
Datasets
This command removes events with duplicate values
Dedup
Which command removes results with duplicate field values?
Dedup
True
Default Fields are added to every event
fail* password | stats count by src, dest, user, sourcetype | sort - count | where count > 2
Define a Sample Failed password query
Which is the correct order to use when creating a lookup?
Define a lookup table, define a lookup, create an automatic lookup
Roles
Define what users can do in Splunk.
delete
Delete specific events or search results.
Splunk Light
Delivers a light version of Splunk for small IT environments: 5 users, cheaper, 20GB of daily data indexing.
deploymentclient.conf
Deployment client uses which configuration files to connect deployment server ? serverclass.conf, deploymentclient.conf, inputs.conf, outputs.conf
replace(x,y,z)
Description: This function returns a string formed by substituting string Z for every occurrence of regex string Y in string X. The third argument Z can also reference groups that are matched in the regex. Basic example: The following example returns date, with the month and day numbers switched. If the input is 1/14/2017 the return value would be 14/1/2017. ... | eval n=replace(date, "^(\d{1,2})/(\d{1,2})/", "\2/\1/")
substr(x,y,z)
Description: This function returns a substring of X, starting at the index specified by Y with the number of characters specified by Z. If Z is not provided, the function returns the rest of the string. Basic example: the following example concatenates "str" and "ing" together, returning "string": ... | eval n=substr("string", 1, 3) + substr("string", -3)
len(x)
Description: This function returns the character length of a string X. Basic example: ... | eval n=len(field)
urldecode(x)
Description: This function takes one URL string argument X and returns the unescaped or decoded URL string. Basic example: the following example returns "http://www.splunk.com/download?r=header". ... | eval n=urldecode("http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fr%3Dheader")
trim(x,y)
Description: This function takes one or two arguments X and Y and returns X with the characters in Y trimmed from both sides. If Y is not specified, spaces and tabs are removed. Basic example: The following example returns "abc". ... | eval n=trim(" ZZZZabcZZ ", " Z")
rtrim(x,y)
Description: This function takes one or two arguments X and Y, and returns X with the characters in Y trimmed from the right side. If Y is not specified, spaces and tabs are removed. Basic example: The following example returns n="ZZZZabc". ... | eval n=rtrim(" ZZZZabcZZ ", " Z")
lower(x)
Description: This function takes one string argument and returns the string in lowercase. Basic example: the following example returns the value provided by the field username in lowercase. ... | eval username=lower(username)
upper(x)
Description: This function takes one string argument and returns the string in uppercase. Basic example: The following example returns the value provided by the field username in uppercase. ... | eval n=upper(username)
spath(x,y)
Description: This function takes two arguments, an input source field X and an spath expression Y, that is the XML or JSON formatted location path to the value that you want to extract from X. Basic example: the following example returns the hashtags from a Twitter event. index=twitter | eval output=spath(_raw, "entities.hashtags")
Index
Directories where the data is stored
__________ is often the biggest bottleneck in the Splunk indexing pipeline.
Disk I/O
What are the different flavors of Splunk?
Enterprise, Cloud, Light
Which Splunk search command allows you to perform mathematical functions on field values?
Eval
Calculated fields are shortcuts for _______________.
Eval Commands
________ tab is default tab for searches
Event
__________ allow you to categorize events based on search terms.
Event Types
Calculated fields can use lookup tables.
False
Data created using the Iplocation Command can not be used with the Geostats Command.
False
Event types do NOT show up in the field list.
False
Excluding fields using the Fields Command will benefit performance.
False
Field values are case sensitive.
False
Forwarders should never be installed on Windows servers.
False
Indexing on a Heavy Forwarder does not affect your license.
False
Machine data is always structured.
False
Machine data is only log files on web servers.
False
Once an alert is created, you can no longer edit its defining search.
False
Results of the Eval Commands always replace the existing field.
False
Root search objects benefit from acceleration.
False
Running concurrent reports and the searches behind them puts very low demand on your system hardware.
False
Search macros can only be used once in a given search.
False
Splunk Enterprise should always be run as root in a *NIX environment.
False
The .conf files can only be edited using the Splunk web interface.
False
The functions of the data pipeline vary drastically depending on the deployment.
False
The index does not play a major role in Splunk.
False
The results of a macro can not be piped to other commands.
False
These searches will return the same results? password fail "password fail"
False
Time to search can only be set by the time range picker.
False
Unlike pivot, reports created with instant pivot can not be saved.
False
When a bucket is frozen, by default it is moved to a different location before deleting.
False
When building your data model, Splunk suggests you use root search objects whenever possible.
False
When mixing authentication sources, scripted authentication will always take precedence.
False
When using the chart command, the x-axis should always be numeric.
False
When zooming in on the event time line, a new search is run.
False
Wildcards cannot be used with field searches.
False
You can only add one tag per field value pair.
False
You can only have one field alias per field.
False
You can only use one Eval Command per search.
False
4 Key Assets in Every Sales Play
Prospecting Guide, Meeting Guide, Differentiation Pitch, Champion Guide
Differentiators
Real Time Architecture, Universal Machine Data Platform, Schema on the Fly, Agile Reporting and Analytics, Scales from Desktop to Enterprise, Fast Time to Value, Passionate and Vibrant Community
_______ alert to monitor for events continuously
Real-time
Real Time Architecture
Real-time collection, search, monitoring and analysis across massive streams of machine data in a single solution
xpath
Redefines the XML path.
transpose
Reformats rows of search results as columns.
Time for Shared Search Job
Remain active for 7 days
mvdedup(X)
Removes all of the duplicate values from a multivalue field. Basic example: ... | eval s=mvdedup(mvfield)
uniq
Removes any search that is an exact duplicate with a previous result.
uniq
Removes any search that is an exact duplicate with a previous result. See Also dedup
fields
Removes fields from search results.
outlier
Removes outlying numerical values.
outlier
Removes outlying numerical values. See Also anomalies & anomalousvalue & cluster & kmeans
regex
Removes results that do not match the specified regular expression.
regex
Removes results that do not match the specified regular expression. See Also rex & search
dedup
Removes subsequent results that match a specified criteria.
dedup
Removes subsequent results that match a specified criteria. See Also uniq
rename
Renames a specified field; wildcards can be used to specify multiple fields.
filldown
Replaces NULL values with the last non-NULL value.
filldown
Replaces NULL values with the last non-NULL value. See Also fillnull
bucketdir
Replaces a field value with higher-level grouping such as replacing filenames with directories. See Also cluster and dedup.
fillnull
Replaces null values with a specified value.
replace
Replaces values of specified fields with a specified new value.
from
Retrieves data from a dataset such as a data model dataset a CSV lookup a KV Store lookup a saved search or a table dataset.
metasearch
Retrieves event metadata from indexes based on terms in the logical expression. See Also metadata & search
history
Returns a history of searches formatted as an events list or as a table. See Also search
metadata
Returns a list of source sourcetypes or hosts from a specified index or distributed search peer.
metadata
Returns a list of source sourcetypes or hosts from a specified index or distributed search peer. See Also dbinspect
localize
Returns a list of the time ranges in which the search results were found.
localize
Returns a list of the time ranges in which the search results were found. See Also map & transaction
mvappend(X,...)
Returns a multivalue result based on all of the values specified. Basic example: ... | eval fullName=mvappend(initial_values, "middle value", last_values)
commands(x)
Returns a multivalued field that contains a list of the commands used in X. Basic example: the following example returns a multivalued field X that contains 'search', 'stats', and 'sort'. ... | eval x=commands("search foo | stats count | sort count")
mvindex(MVFIELD,STARTINDEX,ENDINDEX)
Returns a set of values from a multivalue field described by STARTINDEX and ENDINDEX. Basic example: because indexes start at zero, the following example returns the third value in "multifield", if the value exists. ... | eval n=mvindex(multifield, 2)
split(X,"Y")
Returns a multivalue field by splitting X on the delimiter character Y. Basic example: ... | eval n=split(foo, ";")
audit
Returns audit trail information that is stored in the local audit index.
dbinspect
Returns information about the specified index.
chart
Returns results in a tabular output for charting. See Functions for stats, chart, and timechart in the Splunk Enterprise Search Reference. See Also timechart
chart
Returns results in a tabular output for charting. See Statistical and charting functions in the Splunk Enterprise Search Reference.
gentimes
Returns results that match a time-range.
mvcount(MVFIELD)
Returns the count of the number of values in the specified field. Extended example: the mvcount() function returns the number of email addresses in the To, From, and Cc fields and saves the addresses in the specified "_count" fields. eventtype="sendmail" | eval To_count=mvcount(split(To,"@"))-1 | eval From_count=mvcount(From) | eval Cc_count=mvcount(split(Cc,"@"))-1
diff
Returns the difference between two search results.
head
Returns the first number n of specified results.
head
Returns the first number n of specified results. See Also reverse & tail
tail
Returns the last number N of specified results
tail
Returns the last number n of specified results. See Also head & reverse
eventcount
Returns the number of events in an index.
eventcount
Returns the number of events in an index. See Also dbinspect
savedsearch
Returns the search results of a saved search.
mvsort(X)
Returns the values of a multivalue field sorted lexicographically. Basic example: ... | eval s=mvsort(mvfield)
typeahead
Returns typeahead information on a specified prefix.
reverse
Reverses the order of the results.
reverse
Reverses the order of the results. See Also head & sort & tail
_______________ define what users can do in Splunk.
Roles
Alerts combine a _______ search.
Saved
An alert is an action triggered by a _____________.
Saved search
Use ________ alert to check for events on a regular basis
Scheduled
_________ command works from left to right
Search
Which 2 apps ship with Splunk Enterprise?
Search & Reporting Home App
Search Language Example
Search Term, Commands, Functions
Best Practices
Search by time; inclusion is better than exclusion; filter commands as early as possible in the search.
Create charts, compute statistics, format data
Search commands can be used with search terms to do the following
1. Selecting a range of bars on the timeline. 2. Selecting a bar on the timeline. 3. Deselecting.
Search controls that will NOT re-run a search
Search strings are sent from the
Search head
When a search is sent to splunk, it becomes a _____.
Search job
search head
Search strings are sent from the _________.
_____ are case insensitive. (components of search language)
Search terms
insensitive
Search terms are case sensitive or insensitive?
Schema on the Fly
Search-time schema delivers flexibility to interact with the data and change perspective on the fly at search time
search
Searches Splunk indexes for matching events.
search
Searches Splunk indexes for matching events. This command is implicit at the start of every search pipeline that does not begin with another generating command.
top values by time
Select this in the field sidebar to automatically pipe your search results to the timechart command
_______ fields appear in the event; by default these are host, sourcetype and source.
Selected
A workflow action can _________________.
Send field values to external resources. Pass variables to a URL. Execute a secondary search.
Reasons to Split Indexes
Separate indexes can make searches faster: limiting the index limits the amount of data Splunk searches and returns events only from that index. Multiple indexes allow limiting access by user role in order to control who sees what data. Also helps with retention policies.
Splunk Enterprise
Serves as your on-premise solution for turning machine data into valuable insight. Perpetual license users are required to purchase support for the first year.
Freeze data when an index grows too large
Set maxTotalDataSizeMB
rangemap
Sets RANGE field to the name of the ranges that match.
setfields
Sets the field values for all results to a common value. See Also eval & fillnull & rename
autoregress
Sets up data for calculating the moving average. See Also accum & autoregress & delta & trendline & streamstats.
MAX_TIMESTAMP_LOOKAHEAD
Setting this attribute makes Splunk happy and run more efficiently because it will not have to spend any extra time and resources to find the time stamp. You can tell Splunk that your timestamp is 20 characters into your event so Splunk will not waste any time looking through the entire event.
7 days
Shared search jobs remain active for _______ by default.
The following can be used to build apps for Splunk:
Simple XML Splunk JavaScript SDKs
Splunk Deployment Scalability
Single Instance to a full distributed infrastructure.
______ mode (default-based on search string data). Field discovery ON for event searches. No event or field data for stats searches.
Smart
@d-2h
Snap to the beginning of today (12 A.M.) and subtract 2 hours from that time. Resulting Time 10 P.M. last night.
This command displays results in ascending or descending order.
Sort
sort
Sorts search results by the specified fields.
sort
Sorts search results by the specified fields. See Also reverse
Splunk knows where to break the event, where the time stamp is located and how to automatically create field value pairs using these.
Source types
Three default search fields automatically selected?
Source, Host, Sourcetype
Splunk uses ________ to categorize the type of data being indexed.
Sourcetypes
w0, w1, w2, w3, w4, w5, w6, and w7
Specify "snap to" days of the week; where w0 is Sunday, w1 is Monday, etc. When you snap to a week, @w or @week, it is equivalent to snapping to Sunday or @w0. You can use either w0 or w7 for Sunday.
rex
Specify a Perl regular expression named groups to extract fields while you search.
rex
Specify a Perl regular expression named groups to extract fields while you search. See Also extract & kvform & multikv & xmlkv & regex
@q, @qtr, or @quarter
Specify a snap to the beginning of the most recent quarter: Jan 1, Apr 1, July 1, or Oct 1.
latest=now
Specify that the search starts or ends at the current time.
return
Specify the values to return from a subsearch.
return
Specify the values to return from a subsearch. See Also format & search
What would we have to do in a Full Scale Infrastructure Deployment?
Split the functionality across multiple specialized instances of Splunk Enterprise. Add forwarders to send data to our indexers, and eventually add multiple search heads and indexers to increase our indexing and search capacity. Search heads and indexers can also be clustered, making sure data is always available and searchable.
Splunk Offerings (core products)
Splunk Enterprise, Splunk Cloud, Splunk Light
Splunk Premium Products
Splunk Enterprise Security, Splunk IT Service Intelligence, Splunk User Behavior Analytics (UBA), Premium Apps
What is SPL
Splunk Processing Language
events
Splunk breaks down data input into individual ___
Forwarders
Splunk enterprise instances that consume data and forward it to the indexers for processing.
Indexer - indexes the machine data. Forwarder - refers to Splunk instances that forward data to the remote indexers. Search Head - provides the GUI for searching. Deployment Server - manages the Splunk components (indexers, forwarders and search heads) in the computing environment.
Splunk has four important components, what are they?
Indexing stage
Splunk indexing process (the parsing and indexing phases): a) Breaking all events into segments called buckets that can then be searched upon. You can determine the level of segmentation, which affects indexing and searching speed, search capability, and efficiency of disk compression. b) Building the index data structures. c) Writing the raw data and index files to disk, where post-indexing compression occurs.
Fast Time to Value
Splunk is a fully integrated solution, easy to install, operate and scale.
Source types
Splunk knows where to break the event, where the time stamp is located and how to automatically create field value pairs using these.
Passionate and Vibrant Community
Splunk online communities include Splunkbase, Splunk Answers, and Splunk Dev. Active communities on Facebook and LinkedIn; regional customer events, user group meetings and an annual user conference.
When snapping to the nearest or latest time
Splunk software always snaps backwards or rounds down to the latest time that is not after the specified time. For example, the current time is 15:45:00 and the snap to time is earliest=-h@h. The time modifier snaps to 14:00.
How splunk stores Data?
Splunk stores all its data in directories on the server called buckets. Buckets are nothing but directories on servers. A bucket moves through several stages as it ages: hot, warm, cold, frozen.
Source Type
Splunk uses ________ to categorize the type of data being indexed.
____________ is the system process that handles indexing, searching, forwarding and the web interface for Splunk Enterprise.
Splunkd
apache_error
Standard Apache web server error log
apache_error
Standard Apache web server error log Example: [Sun Aug 7 12:17:35 2005] [error] [client 10.1.1.015] File does not exist: /home/reba/public_html/images/bullet_image.gif
asterisk_cdr
Standard Asterisk IP PBX call detail record
asterisk_event
Standard Asterisk event log (management events)
asterisk_messages
Standard Asterisk messages log (errors and warnings)
asterisk_queue
Standard Asterisk queue log
cisco_syslog
Standard Cisco syslog produced by all Cisco network devices, including PIX firewalls, routers, ACS, etc., usually via remote syslog to a central log host
db2_diag
Standard IBM DB2 database administrative and error log
mysqld
Standard MySQL query log; also matches the MySQL binary log following conversion to text
postfix_syslog
Standard Postfix MTA log reported via the Unix/Linux syslog facility
sendmail_syslog
Standard Sendmail MTA log reported via the Unix/Linux syslog facility
sugarcrm_log4php
Standard Sugarcrm activity log reported using the log4php utility
websphere_trlog_syserr
Standard Websphere system error log in the IBM native trlog format
websphere_trlog_sysout
Standard Websphere system out log in the IBM native trlog format; similar to the log4j server log for Resin and JBoss. Same format as the system error log but containing lower severity and informational events
linux_messages_syslog
Standard linux syslog (/var/log/messages on most platforms)
mysqld_error
Standard mysql error log
windows_snare_syslog
Standard Windows event log reported through a 3rd party Intersect Alliance Snare agent to remote syslog on a Unix or Linux server
Any search that returns these values can be viewed as a chart.
Statistical
If a search returns this, you can view the results as a chart.
Statistical values
__________ should be used when you want to see the results of a calculation, or you need to group events on a field value.
Stats
This command returns the sum of a numerical field
Stats Sum command
This command produces statistics of a search result
Stats command
This command shows number of events matching search criteria
Stats count
Hot & Warm: $SPLUNK_HOME/var/lib/splunk/defaultdb/db/*; Cold: ~defaultdb/colddb/*; Thawed: ~defaultdb/thaweddb/*
Storage Bucket locations?
_internal
Stores Splunk Enterprise internal logs and processing metrics.
What is the Difference between NOT and !=
Suppose you have the following fields: fieldA, fieldB, fieldC. If you search for fieldB!=value3, you get the results fieldB=value1, fieldB=value2; if fieldB does not exist, nothing is returned. Searching with NOT: if you search for NOT fieldB=value3, the search returns everything except fieldB=value3: fieldA=value1, fieldA=value2, fieldA=value3; fieldB=value1, fieldB=value2; fieldC=value1, fieldC=value2, fieldC=value3. If fieldB does not exist, NOT fieldB=value3 returns: fieldA=value1, fieldA=value2, fieldA=value3; fieldC=value1, fieldC=value2, fieldC=value3.
!=
Symbol for "does not equal"
mvjoin(MVFIELD,STR)
Takes all of the values in a multivalue field and appends them together delimited by STR. The following search creates the base field with the values. The search then creates the joined field by using the result of the mvjoin function. ... | eval base=mvrange(1,6), joined=mvjoin('base'," OR ")
format
Takes the results of a subsearch and formats them into a single result.
command-line interface
The Splunk Enterprise command-line interface (CLI) is a text interface that you use to enter system commands, edit configuration files, and run searches.
False
The Splunk search language supports the ? wildcard.
False
The User role cannot create reports.
archiving
The action of adding to and maintaining a collection of historical data.
collection
The container for a set of data in an App Key Value Store, similar to a database table where each record has a unique key. Collections exist within the context of a given app.
admin and changeme
The default username and password for a newly installed Splunk instance is:
The easiest way to extract a field is from ____________, allowing you to skip a few steps.
The event actions menu
False
The following searches will return the same results: SEARCH 1: web AND error SEARCH 2: web and error
False
The index does not play a major role in Splunk
non-transforming
The instant pivot button is displayed in the statistics and visualization tabs when a ____ search is used
non-transforming
The instant pivot button is displayed in the statistics and visualization tabs when a _______ search is run.
False
The interesting fields in the field sidebar will be the same for every search against the same index
$SPLUNK_HOME/var/log/splunk
The location where Splunk log files are stored?
Why would I want to learn splunk?
The money in the field is great, the amount of data that can be analyzed is incredible, 70% of companies are transitioning into Splunk, it allows you to gain new insight, there is a community called Ninjas that you can interact with, and it's fun!
When editing a field extraction, you will be working with _________________.
The regular expression.
Source
The source of an event is the name of the file, stream, or other input from which the event originates
Sourcetype
The source type of an event is the format of the data input from which it originates, for example .evt files from the Windows Event Viewer
7
There are ___ components to the Search and Reporting app's default interface
How to create new index in splunk?
There are multiple ways to create a new index on a Splunk indexer. You can do it through the GUI or CLI, or simply by editing index.conf under $SPLUNK_HOME/etc/system/local. The simplest way is through the GUI (front end). If there are many indexes, simply edit inputs.conf and add all the index names to it. Below are the steps for the same.
How to configure props.conf in splunk?
There happens to be seven attributes you want to set in props.conf every time you bring data into Splunk
NOT, OR, AND
These are booleans in the Splunk Search Language.
Data models
These are knowledge objects that provide the data structure for pivot
Admin, Power, User
These roles can create reports:
admin
These users can create objects that are shared across ALL apps
LINE_BREAKER
This attribute looks the toughest and most intimidating. It identifies how your events should be broken apart. This is important because if this is not set correctly you can have data that is spread across multiple events. Using regular expressions, Splunk will look for that specific pattern and break up your events accordingly, and as mentioned before, this should be used in conjunction with SHOULD_LINEMERGE = false.
What is an index?
This is how splunk parses data into an event by taking data and putting a timestamp on it
main
This is the default Splunk Enterprise index. All processed data is stored here unless otherwise specified.
TIME_PREFIX
This is the first attribute; it is used to tell Splunk where to start looking for the timestamp in your event.
User
This role will only see their own knowledge objects and those that have been shared with them.
True
This search user=* displays only events that contain a value for user
time range picker
This shows a list of pre-set time selection choices
@
This symbol is used in the "Advanced" section of the time range picker to round down to nearest unit of specified time.
______ is the most efficient filter
Time
d
Time range abbreviations for days
h
Time range abbreviations for hours
m
Time range abbreviations for minutes
mon
Time range abbreviations for months
s
Time range abbreviations for seconds
w
Time range abbreviations for weeks
y
Time range abbreviations for year
The timechart command clusters data in time intervals dependent on:
Time range selected
in a consistent format
Time stamp are stored ____
This is a command that performs stats aggregation against time
Timechart command
How to create a new index using index.conf?
To add a new index, add a stanza to indexes.conf in $SPLUNK_HOME/etc/system/local, identified by the name of the new index. For example: [newindex] homePath=<path for hot and warm buckets> coldPath=<path for cold buckets> thawedPath=<path for thawed buckets> ...
top
To display the most common values in a specific field, what command would you use?
chart or timechart
To get multi-series tables you need to set up the underlying search with commands like...
outputnew
To keep from overwriting existing fields with your Lookup you can use the ____________ clause.
splunktcp
To receive data from a forwarder on an indexer, which stanza is used in inputs.conf? [tcp, splunktcp, udp, forwardertcp]
+1d@d
Tomorrow Thursday, 06 February 2017, 12:00:00 A.M.
__________ should be used when you need to see events correlated together, or when events need to be grouped on start and end values.
Transactions
Commands that create statistics and visualizations are called _______________ commands.
Transforming
________ commands create statistics and visualizations.
Transforming
gauge
Transforms results into a format suitable for display by the Gauge chart types.
A Common Information Model (CIM) is supported by Splunk.
True
A lookup is categorized as a dataset.
True
A real-time alert type is useful when you want to know as soon as your trigger condition is met.
True
A time range picker can be included in a report.
True
After you configure a lookup, its fields can be found in the fields sidebar and you can use them in a search.
True
Alerts can be shared to all apps.
True
Alerts can send an email.
True
As general practice, inclusion is better than exclusion in a Splunk search.
True
Charts can be based on numbers, time or location.
True
Knowledge objects can be used to normalize data?
True
No matter what user role creates the field alias, it is always set to Private by default.
True
Real-time alerts will run the search continuously in the background.
True
Splunk Enterprise can be installed in virtual environments.
True
Tags can be added to event types.
True
The Geostats Command requires both latitude and longitude data to use on a map.
True
As the indexer indexes your data, it creates a number of files. These files contain two types of data: the raw data in compressed form (rawdata), and indexes that point to the raw data, plus some metadata files (index files). Together, these files constitute the Splunk Enterprise index.
How does the indexer store indexes?
As a wildcard
How is the asterisk used in Splunk search?
10
How many results are returned by the top command, by default?
10
How many results are shown by default when using a Top or Rare Command?
... | stats dc(s_hostname) as "Websites visited:"
How many unique websites have your employees visited, displayed as "Websites visited"?
... | stats sum(sc_bytes) as Bandwidth by s_hostname | sort -Bandwidth
How much bandwidth did employees spend at each website? This needs to be sorted in descending order.
Splunk stores data in two types of files/directories: 1) the actual data in compressed files, taking ~15% of the original file size; 2) index files, taking ~35% of the file size. So around 50% of the original file size is required to store that file, and additional space beyond this is required to store search results.
How much disk space is required to store data in Splunk?
... | stats count by user, app, vendor_action
How would you count the number of events by user, app, and vendor?
... | stats count(vendor_action) as ActionEvents, count as TotalEvents
How would you count the number of events that contain a vendor action field? Also count the total number of events.
... | stats count as "Potential Issues"
How would you count the number of failed logins? Change the column name to "Potential Issues".
... | top product_name by Vendor limit=3 countfield="Number of Sales" showperc=f
How would you search for the top three products sold by each vendor?
... | stats values(s_hostname) by cs_username
How would you show each unique website a user has visited?
... | rare product_name by Vendor limit=5 countfield="Number of Sales" showperc=f useother=t
How would you show the five games that sold the least by each of the vendors?
... | stats count as "Units Sold" avg(sale_price) as "Average Selling Price" by product_name
How would you show the number of units sold by a vendor for each specific product as well as the average selling price?
... | rare Vendor limit=5 countfield="Number of Sales" showperc=f useother=t
How would you show the top five vendors that sold the least amount of product?
... | top Vendor limit=5 showperc=f
How would you show the top five vendors without showing the percentage field?
... | top Vendor limit=5 countfield="Number of Sales" useother=t
How would you show the top five vendors, rename the count field to "Number of Sales", and add a row for the number of sales of vendors not listed in the top five?
Market Segments
IT Operations Application Delivery Security and Compliance
associate
Identifies correlations between fields.
associate
Identifies correlations between fields. See Also correlate and contingency.
Modify splunk-launch.conf to change the default Splunk data store location.
If I want to change the default Splunk data store location, I need to modify which file?
Statistical Values
If a search returns this, you can view the results as a chart.
Verbose
If we want to see events after running a transforming command, we need to switch to this mode.
earliest=1
If you want to search events from the start of UTC epoch time, use earliest=1. (earliest=0 in the search string indicates that time is not used in the search.) When earliest=1 and latest=now or latest=<a large number>, the search will run over all time. The difference is that specifying latest=now (which is the default) does not return future events, while specifying latest=<a big number> returns future events, which are events that contain timestamps later than the current time, now.
bin Directory, ./splunk start
In Linux, how do you start Splunk from a command line?
inline
In a dashboard, a time range picker will only work on panels that include a(n) __________ search.
The management port is required when adding a search peer to a search head.
True
The monitor input option will allow you to continuously monitor files.
True
The time stamp you see in the events is based on the time zone in your user account.
True
The timezone setting in a user's account will affect the timestamp shown in events.
True
You can add additional child objects to either existing objects or the root object.
True
You can extract multiple fields with the field extractor.
True
You can pipe the results of a Macro to other commands.
True
True
True/False. A lookup is categorized as a dataset.
True
True/False. A time range picker can be included in a report.
True
True/False. Alerts can be shared to all apps.
True
True/False. Alerts can run uploaded scripts.
True
True/False. Alerts can send an email.
True
True/False. Charts can be based on numbers, time, or location.
False
True/False. Events are always returned in chronological order.
False
True/False. Excluding fields using the Fields Command will benefit performance.
False
True/False. Field values are case sensitive.
False
True/False. Machine data is always structured.
False
True/False. Machine data is only generated by web servers.
True
True/False. Pivots can be saved as dashboards panels.
True
True/False. Real-time alerts will run the search continuously in the background.
True
True/False. The monitor input option will allow you to continuously monitor files.
True
True/False. The time stamp you see in the events is based on the time zone in your user account.
False
True/False. Time to search can only be set by the time range picker.
False
True/False. When zooming on the event timeline, a new search is run.
False
True/False. Wildcards cannot be used with field searches.
True
True/False. You can launch and manage apps from the home app.
True
True/False: Splunk is subnet/CIDR aware for IP fields?
True - Splunk stores log file in splunkd.log under $SPLUNK_HOME/var/log/splunk/
True/False: Splunk stores log file in splunkd.log under $SPLUNK_HOME/var/log/splunk/
xmlunescape
Unescapes XML.
This component is NOT installed from the Splunk Enterprise Package.
Universal Forwarder
False
Unlike pivot, reports created with instant pivot can not be saved.
days
d, day, days
views
dashboards are
These are knowledge objects that provide the data structure for pivot.
data models
Splunk Enterprise licenses specify how much data you can index per __________.
day
false
default fields are NOT added to every event in Splunk at INDEX time
This stats function will return unique values for a given field.
Value
Splunks Core Selling Tools
Value Stack, Whiteboard, Differentiators; best used together
Arguments
Variables we want to apply to the functions
If we want to see events after running a transforming command, we need to switch to this mode.
Verbose
______ mode returns all events and field data; Splunk switches to this mode after a visualization is selected
Verbose
Splunk Market
Vertical and Segments
weblogic_stdout
Weblogic server log in the standard native BEA format
websphere_activity
Websphere activity log also often referred to as the service log
indexes.conf: [indexname] enableTsidxReduction = true timePeriodInSecBeforeTsidxReduction = 86400
What Splunk file would be used to reduce TSIDX disk usage?
Retention is managed via limits.conf; a Bloom filter for a specific index is created via indexes.conf
What Splunk files are used to manage Bloom filter retention and set Bloom Filter for specific index?
Commands tell Splunk what we want to do with the search results, such as creating charts, computing statistics, and formatting
What are Commands?
Have values in at least 20% of the events.
What are Interesting Fields?
Keywords, Booleans, Phrases, Fields, Wildcards, Comparison Operators; time; specificity (the more you tell the search engine, the better your results); inclusion is better than exclusion
What are Splunk Search Terms
A directory that contains indexed data is known as a Splunk bucket. It also contains events of a certain period.
What are Splunk buckets?
Splunk Management Port 8089; Splunk Index Replication Port 8080; KV store 8191; Splunk Web Port 8000; Splunk Indexing Port 9997; Splunk network port 514
What are common port numbers used by Splunk?
Search macros are reusable chunks of Search Processing Language (SPL) that you can insert into other searches. Macros you define are stored in macros.conf
What are macros in Splunk?
Tags
What are nicknames that you create for related field/value pairs?
Indexer
What are search requests processed by?
Hot -R/W-NoBackups | Warm-ROnly-YesBackups | Cold-ROnly-YesBackups
What are the 3 main Splunk Bucket Types and their read/write and Backup abilities?
AND, OR and NOT (CS)
What are the Booleans used by Splunk?
AND, NOT, OR
What are the boolean operators in Splunk?
Sorting Results; Filtering Results; Grouping Results; Filtering, Modifying and Adding Fields; Reporting Results
What are the categories of SPL commands?
earliest and latest eg: earliest=-h latest=@d
What are the commands for specifying a time range in a search string?
=, !=, <, <=, >, >=
What are the comparison operators available to use in Splunk search language and what a.......
- Search Terms - Commands - Functions - Arguments - Clauses - Pipe
What are the five components of the Splunk Search Language?
Field value pairs are used to search an extracted field (Field name CS, Field value CI)
What are the properties of Fields?
line, area, column, bar, bubble, scatter, pie
What are the seven chart types?
User, Power, Admin
What are the three main default roles in Splunk Enterprise?
Indexers, Forwarders, Search Heads
What are the three main processing components of Splunk?
Fast, Smart, Verbose
What are the three search modes?
Universal Forwarders: perform processing on the incoming data before forwarding it to the indexer. Heavy Forwarders: parse the data before forwarding it to the indexer; can work as an intermediate forwarder or remote collector.
What are the types of Splunk forwarder?
String value, contains 4 values
What attributes describe the field: a dest 4
AND, OR, NOT
What booleans are supported in splunk search?
stats
What command allows you to calculate statistics on data that matches your search criteria?
transaction
What command allows you to create a single event from a group of events that share the same value in a given field?
fields
What command allows you to include/exclude fields in your search?
rename
What command changes the name of a field in search?
top
What command finds the most common values of a given field?
rare
What command returns the least common field values?
fields -
What command would you use to remove the status field from the returned events? sourcetype=a* status=404 | ________ status
Instead of returning all the results, from a search, it returns a random sampling of events.
What does "event sampling" do?
Input, Parsing, Indexing, and Searching
What does a single-instance deployment of Splunk Enterprise handle?
Each event found in a search has a 1 in 100, or 1%, chance of being included in the sample result set.
What does an event sample of 1:100 indicate?
Delete search or keyword
What does can_delete role do?
tostring
What eval command allows you to format for currency?
inputs.conf for port 9997
What file needs to be configured on Indexer to start receiving data and what port?
server.conf [diskUsage] minFreeSpace = <num>
What file sets limits on disk usage?
CSV, XML, JSON
What formats may search results be exported to?
Distributed Management Console; a dashboard providing insight into your deployment. Install it on a search head (not recommended for production), the license master, or the deployment server.
What is Splunk DMC?
A time-series index file; A tsidx file associates each unique keyword in your data with location references to events, which are stored in a companion rawdata file. Together, the rawdata file and its related tsidx files make up the contents of an index bucket. Each search you run scans tsidx files for the search keywords and uses their location references to retrieve from the rawdata file the events to which those keywords refer. To speed up searches, bloom filters narrow the set of tsidx files that Splunk Enterprise must search to get accurate results.
What is TSIDX file and how is it used?
A data structure that you use to test whether an element is a member of a set. Splunk Enterprise uses bloom filters to decrease the time it requires to retrieve events from the index. This strategy is effective when you search for rare terms. In Splunk Enterprise, bloom filters work at the index bucket level. The filters rule out buckets that do not contain keywords from the search being run. Splunk Enterprise saves time searching by focusing on the tsidx files within the bucket where the search keywords exist.
What is a Bloom Filter?
searchable key/value pairs from event data.
What is a Field?
One or more panels displaying data visually in a useful way.
What is a dashboard?
Used to decipher file input issues. A subdirectory where Splunk software tracks how far into a file indexing has progressed, to enable the software to detect when data has been added to the file and resume indexing. The fishbucket subdirectory contains seek pointers and CRCs for indexed files. default location /opt/splunk/var/lib/splunk
What is a fishbucket?
Field Aliases
What is a way to normalize data over any default field?
Host, Sources, and Sourcetypes on separate tabs
What is shown in the Data Summary?
System local, App local, App default, System default.
What is the Splunk precedence order Globally?
User Directories for current user, App Directories for current running app, App Dirs for all other apps, System Dirs.
What is the Splunk precedence order within app or user context?
Smart
What is the default search mode?
+ (include) occurs before field extraction and improves performance; - (exclude) occurs after field extraction, with no performance improvement
What is the difference between +/- with the fields command?
5000MB or 5GB
What is the minimum free space in splunk?
By time
What is the most efficient way to filter events in Splunk?
NOT, OR, AND
What is the order of evaluation for Boolean operations in Splunk?
case_sensitive_match
What is the transforms.conf flag to switch whether or not a lookup field value is case-sensitive or not?
To Extract fields, parsing etc but do not provide dashboards.
What is the use of Add-on in splunk?
BATCH ("Upload a file" in Splunk Web); TCP; Data distribution; UDP; FIFO (First In, First Out queue); Scripted Input; File system change monitor (fschange monitor); File system monitoring filters; http (HTTP Event Collector, HEC), with a local stanza for each token; Windows inputs: Performance Monitor, Windows Event Log Monitor (event log whitelist and blacklist formats), Active Directory Monitor, Remote Queue Monitor (SQS-specific settings), Windows Registry Monitor, Windows Host Monitoring
What kind of information can we pull in via inputs.conf?
Workflow Actions
What may be run from an event in your search results to interact with external resources or run another search?
as
What option allows you to rename fields, within the stats command?
limit (limit=0 returns unlimited results)
What option changes the number of results returned by the top command?
20% of events have these fields present in them.
What percentage of search results have the fields listed under "Interesting Fields"?
Can edit all saved searches, alerts, objects, etc.
What rights does power role have?
list
What stats command shows all field values for a given field?
values
What stats command shows all unique field values for a given field?
events, searches, transactions
What three datasets make up a Data Model?
The local timezone set in your profile.
What timezone is data displayed for, in searches?
Common Information Model (CIM)
What tool provides a methodology to normalize data?
count & percent
What two columns are automatically returned by the top command?
search job
When a search is sent to splunk, it becomes a _____.
reverse chronological order
When search is run, events are returned in ____
When including spaces or special characters
When should quotes be used around values in search?
field names
When using a .csv file for Lookups, the first row in the file represents this.
Search
When you search the data, Splunk only needs to open the directories that match the time frame of the search, making searches more efficient.
Settings > Tags > List by field value pair
Where can you view a list of all Tags?
N/A Frozen data gets deleted or archived into a directory location you specify.
Where does frozen bucket get stored?
$SPLUNK_HOME/etc/system/local Server classes are essentially categories. They use filters to control what clients they apply to, contain a set of applications, and may define deployment server behavior for the management of those applications.
Where is the serverclass.conf file stored and what does it do?
Home app and Search & Reporting
Which apps ship with Splunk Enterprise?
Home, Search & Reporting
Which apps ship with Splunk Enterprise?
bar
Which chart is not used for single value?
as
Which clause would you use to rename the count field?
splunk clean eventdata -index web
Which command is used to delete only the data of the index web?
geostats
Which command is used to create chart for map?
dedup
Which command removes results with duplicate field values?
indexes.conf is used to create index in splunk
Which conf file is used to create index in splunk? [Index.conf, indexes.conf, indexes, index]
Authorize.conf
Which file is used for roles and mapping?
Smart
Which following search mode toggles behavior based on the type of search being run?
Clustering
Which function is not a part of a single instance deployment?
Admin, power
Which role(s) can create data models?
Search head
Which splunk License does not exist? Search head, forwarder, free, Splunk Enterprise?
GET
Workflow action to pass information to an external web resource.
POST
Workflow action to send field values to an external resource.
Search
Workflow action to use field values to perform a secondary search.
case(X,"Y",...)
Works like a case statement in shell scripting. This function takes pairs of arguments X and Y. The X arguments are Boolean expressions that will be evaluated from first to last. When the first X expression is encountered that evaluates to TRUE, the corresponding Y argument will be returned. The function defaults to NULL if none are true.
No, because the name was changed.
Would the ip column be removed in the results of this search? sourcetype=a* | rename IP as "User" | fields - ip
-1d@d
Yesterday Tuesday, 04 February 2017, 12:00:00 A.M.
False
You can NOT specify a relative time range, such as 45 minutes ago, for a search
chained relative time offsets
You can also specify offsets from the snap-to-time or "chain" together the time modifiers for more specific relative time definitions.
True
You can click a search term in the results to add it to the search class.
AND
You can think of adding child data model objects as an ___ boolean in the Splunk search engine
The syntax for the snap to time unit is
[+|-]<time_integer><time_unit>@<time_unit>.
True
[True or False]You can not search the data in frozen stage of bucket?
False
[True/False] The deployment server pushes configuration files to deployment clients
True
[True/False] The deployment server does not automatically deploy apps in response to direct edits of serverclass.conf
Dashboards
_____ are searches gathered together into a single pane of glass
Roles
_________ define what users can do in Splunk.
Dashboards
_____________ are reports gathered together into a single pane of glass.
Splunk uses the ________ index when indexing its own logs and metrics.
_internal
Primary fields _______ and _______ will always be extracted, but can also be removed by using the minus symbol
_time & _raw
and
a space is an implied ____ in a search string
Escaping characters in Search
add backslash info="keyword1\"keyword2\"not in db"
Which of these is NOT a stats function?
addtotals
Which one of these is not a stats function?
addtotals
The ______ role has the most capabilities of the predefined splunk roles.
admin
______________ is a field extraction method for events that contain fields separated by a character.
delimiter
1. dashboard panel 2. report
after you create a pivot you can save it as a ___________
A _______ action can notify you of a triggered alert and help you start responding to it
alert
Adjust the ______ type to configure how often the search runs
alert
In a windows environment, a local system user will have access to:
all data on the local system
Default time for pivot is ______
all the time
saved search
an alert is an action triggered by a ___
What is the correct way to name a macro with two arguments?
dostuff(2)
Forwarders
In most Splunk deployments, ________ serve as the primary way data is supplied for indexing.
forwarders
In most production environments, _______ will be used as the source of data input.
Admin Role
Install Apps, Create Knowledge Objects for All Users
An admin does what?
Install apps, create knowledge objects for all users (what apps a user will see by default)
_________ pivot allows instant access to data without having a data model
Instant
Agile Reporting and Analytics
Interactive search and reporting, enabling rapid, interactive analysis and visualization of data.
_______ fields have values in at least 20% of the events
Interesting
True
Interesting fields are those that have values in over 20% of events
Configuring character set encoding
It is simply a way of storing characters/words in memory
selfjoin
Joins results with itself.
selfjoin
Joins results with itself. See Also join
accum
Keeps a running total of the specified numeric field.
Wildcard Search
KeyWord*
Search terms include (6)
Keywords, booleans, phrases, fields, wildcards, and comparisons.
Search
Limiting a search to time frame is a best practice.
linux_secure
Linux secure log
Field names _____ case sensitive- Values _______ case sensitive
are, are not
Splunk Enterprise commands are executed from the ________ directory.
bin
Which actions can be triggered by an alert?
List in triggered alerts Send Email Run a script
As a general practice, exclusion is better than inclusion in a Splunk search.
False
_______ mode: field discovery off for event searches; no event or field data for stats searches.
Fast
What are the three main search modes?
Fast, Verbose, and Smart
Having multiple indexes allows:
Faster searches Access limiting Multiple retention policies
True
Field NAMES are case sensitive
case sensitive
Field Names are ____
True
Fields have names
When using a .csv file for Lookups, the first row in the file represents this.
Field names
case sensitive
Field names are ______.
Case sensitive
Field names are case sensitive or insensitive?
sensitive
Field names are case...
_____ command includes or excludes fields from search results.
Fields
_______ sidebar shows all fields extracted at search time.
Fields
True
Fields are searchable key/value pairs
loadjob
Loads events or results of a previously completed search job.
loadjob
Loads events or results of a previously completed search job. See Also inputcsv
inputcsv
Loads search results from the specified CSV file.
inputcsv
Loads search results from the specified CSV file. See Also loadjob & outputcsv
once
Files indexed using the upload input option get indexed _____.
In most Splunk deployments, this serves as the primary way data is supplied for indexing.
Forwarder
In most production environments, _______ will be used as your source of data input.
Forwarders
What are the 3 main processing components of Splunk?
Forwarders Indexers Search Heads
view the results of the instance of that search
From the search jobs page, you can click the job link to ___
log4j
Log4j standard output produced by any J2EE server using log4j
transaction
Groups search results into transactions.
Example of Forwarder
If we have a web server we want to monitor, we would install the forwarder on the web server and have it send data to the indexer.
Multiple retention policies, ability to limit access, and faster searches.
Having separate indexes allows:
Some differences between hot and warm buckets are:
Hot buckets are writable, warm buckets are not. Hot buckets are searched first. The naming convention.
The limit option e.g: | sort limit=20 -categoryID, product_name
How can you reduce the returned results with the sort command?
Click Data Summary in the Search & Reporting app
How can you view all sourcetypes?
Double quotes around the exact word or phrase (CS)
How do you use exact phrases?
Returns everything except the events matching the NOT boolean
How does NOT affect search results?
Based on sourcetype and key/value pairs found in the data.
How does Splunk discover fields?
This command combines fields from external sources with searched events, based on an event field.
Lookup
False
Machine data is always structured
What is Machine Data
Machine data is one of the fastest growing, most complex and most valuable segments of big data.
False
Machine data is only log files on web servers
90
Machine data makes up __% of the data accumulated by organizations
90
Machine data makes up for more than ___% of the data accumulated by organizations.
Forwarders are typically installed on __________
Machines where the data originates
Forwarders are typically installed on _____________.
Machines where the data originates
backticks
Macros must be surrounded with what character?
makecontinuous
Makes a field that is supposed to be the x-axis continuous (invoked by chart/timechart)
makecontinuous
Makes a field that is supposed to be the x-axis continuous (invoked by chart/timechart) See Also chart & timechart
Machine Data?
Makes up about 90% of data accumulated by organizations. Structured and Unstructured. Improves Operational Intelligence
TIME_FORMAT
Many people "sleep" on this attribute and shouldn't. It is very important to help Splunk interpret your data. With this attribute you are telling Splunk the format your time stamp is in, using strptime. Splunk will not have to try to figure out if 10/2/12 is October 2, 2012, February 10, 2012, or even something weird like December 2, 2010.
1,000
Max events displayed by transaction command
Edit $SPLUNK_HOME/etc/splunk-launch.conf
Migration: After moving Splunk index db, what would you edit to reflect this new location?
Splunk breaks data into ___________.
events
Validating macro arguments can be done with which type of command?
boolean expressions eval expressions
outputtext
Outputs the raw text field (_raw) of results into the _xml field.
outputtext
Outputs the raw text field (_raw) of results into the _xml field. See Also outputtext
Once an item is filtered _____, it is no longer available in the search string.
Out
Admin, Power, User
Out of the box there are 3 main roles
outputcsv
Outputs search results to a specified CSV file.
outputcsv
Outputs search results to a specified CSV file. See Also inputcsv & outputtext
This workflow action sends field value to external resources.
POST
___ split data by an additional field
by
chronological, alphabetical, ascii
by default, search results are NOT returned in ____ order.
What is the most efficient way to filter events in Splunk?
by time
Only the ________ role can use the Delete Command by default.
can_delete
Field values are _______.
case insensitive
Field values are __________.
case insensitive
Field names are _________.
case sensitive
Field names are _____________.
case sensitive
Parsing can be done in Props & transforms.
Parsing can be done in which conf file? Inputs, Props Only? Transforms only? Props & transforms?
When would you use a single-instance deployment
Perfect environment for proof of concept, personal use, and learning; it might serve the needs of small department-sized environments.
where
Performs arbitrary filtering on your data. See Evaluation functions in the Splunk Enterprise Search Reference.
where
Performs arbitrary filtering on your data. See Functions for eval and where in the Splunk Enterprise Search Reference. See Also eval
kmeans
Performs k-means clustering on selected fields.
kmeans
Performs k-means clustering on selected fields. See Also anomalies & anomalousvalue & cluster & outlier
set
Performs set operations (union diff intersect) on subsearches.
set
Performs set operations (union, diff, intersect) on subsearches. See Also append & appendcols & join & diff
adds the highlighted value to the search criteria
clicking a segment on a chart ________________
_____ is used to pass current results to the next component
Pipe
________ designs reports in a simple interface without having to craft a search string.
Pivot
The ________ interface shows the total amount of purchases, documentation actions, job actions, tools to filter/slice up data, and a sidebar.
Pivot
False
Pivots cannot be saved as reports or dashboard panels
False
Pivots cannot be saved as reports panels. T/F
Which role(s) can create data models?
Power Admin
default fields
these kinds of fields are identified in your data at INDEX time.
SHOULD_LINEMERGE
this attribute is the leader and decision maker of the group. Depending on the value of this attribute, other attributes are required. This setting should be set to "false" and used along with the LINE_BREAKER attribute, which can greatly increase processing speed.
rare
this command displays the least common values in a specific field
Field _____ happens after field ______, only affecting displayed results.
exclusion, extraction
Usenull = _____ will remove NULL values
f
false (fast, smart, verbose)
fast, optimized, verbose are all selectable search modes
search
field discovery occurs at _____ time
When using a .csv file for lookups, the first row in the file represents this.
field names
What command would you use to remove the status field from the returned events?
fields -
inputlookup
finish this search command so that it displays data from the http_status.csv lookup file: | _________ http_status.csv
Dashboards are searches gathered together and can use _______input or ________ visualization
form or custom
In most Splunk deployments, _________ serve as the primary way data is supplied for indexing.
forwarders
In most production environments, _______ will be used as your main source of data input.
forwarders
raw data
full log files
Which command do you use when creating a choropleth map?
geom
hours
h, hr, hrs, hour, hours
metadata
host, source, source type, time stamp
As data is input into Splunk Enterprise, it is first placed into a ________ bucket.
hot
Which is the correct argument order when using the eval if function?
if (Boolean, Is True, Is False)
Identifying line termination using linebreaking rules
If your logs are very long or messy, line breaking splits them into small parts that are easy to understand.
Time stamps are stored ____________.
in a consistent format.
false
in automatic lookup definitions, you can only have 3 output fields maximum
______ is better than exclusion
inclusion
When migrating from a single instance deployment to a distributed environment, you will want to use the existing instance as an _______.
indexer
Events are written to disk during the ____ segment of the data pipeline.
indexing
The licensing meter takes place at data ______ time.
indexing
What could be said of the circled field below: A dest 4
it contains four values; it was extracted at search time; it contains string values
false
it is not possible for a single instance of Splunk to manage the input, parsing, and indexing of machine data.
index files
key keywords from logs
Finish this search so that it uses the http_status.csv lookup to return events. | sourcetype=access_c* NOT status=200 | _________ http_status code as status
lookup
true
lookups allow you to overwrite your raw event
true
lookups can be private for a user
minutes
m, min, minute, minutes
The ________ index is used when an index is not specified at input time.
main
splunk preconfigured indexes
main _internal _audit:
Which of these is NOT a field created with the transaction command?
maxcount
What should you use with the transaction command to set the maximum total time between the earliest and latest events returned.
maxspan
The alerts use a _______ search to check for events.
saved
An alert is an action triggered by a ____________.
saved search
An indexer in a distributed search environment is called a __________.
search peer
Identifying timestamps or creating them if they don't exist
sort logs as per time or as they occurred.
Data is broken into single events by:
sourcetype
Use ______ to limit search to only one sourcetype
sourcetype=
Splunk uses ____________ to categorize the type of data being indexed.
sourcetypes
if you want to search for events in the previous month
specify earliest=-mon@mon latest=@mon. This example begins at the start of the previous month and ends at the start of the current month.
false
splunk alerts are based on historical searches only
1. on a regular schedule 2. in real-time
splunk alerts can be based on searches that run ______
Finish the rename command to change the name of the status field to HTTP Status.
status as "HTTP Status"
Finish the rename command to change the name of the status field to HTTP Status. sourcetype=access* status=404 | rename ______
status as "HTTP Status"
________ command retains searched data in a tabulated format
table
Which search would limit an "alert" tag to the "host" field?
tag::host=alert
Exclude a field by using ______ symbol
minus (-)
months
mon, month, months
The instant pivot button is displayed in the statistics and visualization tabs when a _______ search is run.
non-transforming
The instant pivot button is displayed in the statistics and visualization tabs when a _______ search is used.
non-transforming
Field aliases are used to __________ data.
normalize
properties in the _______ file allow you to configure how data is transformed as it is processed.
not alter.conf
What are some of the components installed from the Splunk Enterprise Package?
not indexer search head universal forwarder
The segment of the data pipeline that stores user's knowledge objects is the __________ segment.
not indexing, not data input, not parsing
Properties in the _______ file allow you to configure how data is transformed as it is processed.
not later
The segment of the data pipeline that stores user's knowledge objects is the _______ segment.
not parsing not data input
false
only splunk administrators can assign selected fields
In regards to a rename command, once a field is renamed the ______ name is not available to later search commands
original
To keep from overwriting existing fields with your Lookup you can use the ____________ clause.
outputnew
Use _______ to nest boolean searches
parentheses
Event separation happens during the ________ segment of the data pipeline.
parsing
Event separation happens during the __________ segment of the data pipeline.
parsing
Splunk indexer working can be divided in two stages:
parsing phase and indexing phase
Which search will return the same events as the search in the searchbar? password failed
password AND failed
False
password fail and "password fail" return the same results
A data model is the framework and ______ is the interface to the data
pivot
9997
port open for indexing
Saved searches are set to ______ by default.
private
quarters
q, qtr, qtrs, quarter, quarters
When creating reports you can edit, clone, embed, and delete under the ______ tab
report
Save visual reports as _______ or _______
report or dashboard panel
iplocation
returns location information such as city country latitude longitude and so on based on IP addresses.
When a search is run, events are returned in _____________.
reverse chronological order
seconds
s, sec, secs, second, seconds
It is suggested that you have a single deployment instance available for _________.
testing and development
all extracted fields
the fields sidebar does NOT show________
true
the following searches will NOT return the same results: search 1 purchase ==== search 2 action=purchase
table
the stats command will create a _______ by default
TZ
the time zone attribute is probably the most forgotten of the group. You will want to set the time zone for each host in your Splunk environment. This will ensure the time is displayed correctly on your search head.
Frozen
this is data that is pushed to dead media like tape, or deleted. There is a thawing process possible, if not deleted completely, to allow data to be pushed back into higher tier buckets
Hot
this is the directory where all data is written and the most recent data is kept here. Warm - the next tier down, read only and likely still searched
rex
this list clause is used to group the output of a stats command by a specific name
1. treats field values in a case-INsensitive manner 2. allows searching on a keyword
true about Splunk search language
fields -
use this command to control which fields are extracted at search time and to (typically) improve search
inputlookup
use this command to use lookup fields in a search and see the lookup fields in the field sidebar
Finish this search to remove any results that do not contain a value in the product_name field. sourcetype=access_c* status>299 | chart count over host by product_name _______
usenull=f
Which is not a comparison operator in Splunk?
&=
map
A looping operator, performs a search over each search result.
verbose mode
which search mode returns all event and field data?
What is the proper syntax for using a macro called "dostuff" sourcetype=gamelog |
'dostuff'
What is an event
A single entity such as a row in a table. Or if you have an alert that comes into splunk, which will be timestamped
saved search
An alert is an action triggered by a _____________.
alias
An alternate name that you assign to a field, allowing you to use that name to search for events that contain that field.
What is splunk?
An application that ingests machine data, indexes it, and visualizes it for users to
app
An application that runs on Splunk Enterprise and typically addresses several use cases.
What is a pivot?
Any visualization that we create, such as a table or a chart
What is search?
Anything when we're looking for our data
What is machine data?
Data generated by machines, computer processing, application and sensor data
CSV, scripts, geospatial data
External data used by a Lookup can come from sources like:
xmlkv
Extracts XML key-value pairs.
xmlkv
Extracts XML key-value pairs. See Also extract & kvform & multikv & rex
extract and kv
Extracts field-value pairs from search results.
extract and kv
Extracts field-value pairs from search results. See Also kvform & multikv & xmlkv & rex
multikv
Extracts field-values from table-formatted events.
iplocation
Extracts location information from IP addresses.
kvform
Extracts values from search results using a form template.
kvform
Extracts values from search results using a form template. See Also extract & kvform & multikv & xmlkv & rex
false
Using the export function, you can export a maximum of 2000 results
True
Using the export function, you can export an unlimited number of results.
bucket fixing
is the remedial activity that occurs when a peer node goes offline.
Any editing done to .conf files should be done in the _____ directory.
local
Any editing done to .conf files should be done in the ________ directory.
local
Which is not a comparison operator in Splunk?
%=
To escape the "fieldname" value which command would you use? $_________fieldname$
!
Exact Search
"Keyword"
splunk index location
$SPLUNK_HOME/var/lib/splunk
Cold
- rarely searched data as it has aged or been archived (rolled) to this bucket. While read only and still searchable, this is considered the archive tier.
What does index data do? (3)
1. Collects data 2. Labels data with source type 3. Stores it in a Splunk index
Apps in Splunk?
1. Pre-built dashboards, reports, alerts and workflows 2. In-depth data analysis for power users 3. Search & Reporting
Splunk Search Language Syntax
1. Search Terms. 2. Commands. 3. Functions 4. Arguments 5. Clauses
What are the three ways to create visualizations?
1. Select a field from the fields sidebar 2. Use the pivot interface 3. Use the Splunk search language commands in the search bar with statistics and visualization tabs
The seven main components in splunk searching and reporting?
1. Splunk bar 2. App bar 3. Search bar 4. Time range picker 5. How to search panel 6. What to search panel 7. Search History
Best practices to use while searching in Splunk (4)
1. Time is the most efficient filter 2. More you tell search the better your results 3. Inclusion is better than exclusion 4. Filter as early as possible
When logging into Splunk Enterprise for the first time, a username of ______ and a password of ______ are used.
1. admin 2. changeme
Search heads do not require as much ______ as indexers but require more _________.
1. disk space 2. CPU power
The ___________ handle search management while ___________ perform the searches.
1. search heads 2. indexers
How many events are shown by default when using the top or rare command?
10
How many results are shown by default when using a Top or Rare Command?
10
Search jobs are available after ____ minutes by default.
10
Top command returns top ____ results with a count and percentage
10
Splunk indexers and Search Heads on virtual machines should have ____ of the vCPU reserved to them.
100%
A total of ____ cores are recommended per search head.
16
Splunk Enterprise deployment typically has ___ processing tiers.
3
The Search & Reporting App has how many search modes?
3
The Trendline Command requires this many arguments:
3
-60m
60 minutes ago Wednesday, 05 February 2017, 12:37:05 P.M. Equivalent modifiers -60m@s
There are ______ components to the Search and Reporting app's default interface.
7
-7d@d
7 days ago, 1 week ago today Wednesday, 28 January 2017, 12:00:00 A.M.
-7d@m
7 days ago, snap to minute boundary Wednesday, 28 January 2017, 01:37:00 P.M.
SplunkWeb is accessed on port _______ by default.
8000
The default management port for Splunkd is:
8089
Machine data makes up for more than _____% of the data accumulated by organizations.
90
Which is not a comparison operator in Splunk?
?=
This symbol is used in the "Advanced" section of the time range picker to round down to nearest unit of specified time.
@
nix
A Splunk Enterprise term that describes any Unix or Linux-based system.
command-line tool
A Splunk utility that can be run from the command-line interface (CLI) to troubleshoot a Splunk Enterprise deployment.
What is the dashboard
A collection of pivots
conditional routing
A data routing scenario where a forwarder selectively sends event data to receivers based on patterns in the event data.
bloom filter
A data structure that you use to test whether an element is a member of a set.
500 - 1000 clients, even more than this; it depends on the periodicity and the size of the bundles to deploy.
A dedicated deployment server can handle how many clients ?
calculated field
A field that represents the output of an eval expression.
bucket
A file system directory containing a portion of a Splunk Enterprise index.
blacklist
A filtering rule that excludes one or more members from a set.
map
A looping operator performs a search over each search result.
table, chart or visualization based on a datamodel set
A pivot table is a _______
True
A power user can allow read/write permissions on a report
constantly running in the background
A real-time alert is __________
alert action
A response, such as an email notification or webhook, to alert triggering or report completion.
What is a forwarder
A script that sends data from a device to the splunk device
10
A search job will remain active for ___ minutes after it is run.
base search
A search on which you can base multiple similar searches.
Common Information Model (CIM)
A set of preconfigured data models that you can apply to your data at search time.
Build Event Type utility
A tool which dynamically creates event types based on the analysis of a selected event.
add-on
A type of app that runs on the Splunk platform and provides specific capabilities to other apps, such as getting data in, mapping data, or providing saved searches and macros. An add-on is not typically run as a standalone app. Instead, an add-on is a reusable component that supports other apps across a number of different use cases.
adaptive response action
A type of custom alert action that conforms to the common action model.
Automatic key value field
A type of field extraction that uses the KV_MODE attribute in props.conf to automatically extract fields for events associated with a specific host, source, or source type.
capability
A user action within Splunk Enterprise.
Adding child data model objects is like the ______ Boolean in the Splunk search language.
AND
You can think of adding child data model objects as an _________ Boolean in the Splunk search language.
AND
________boolean is used if none is implied.
AND
List the three booleans
AND OR NOT
rest
Access a REST endpoint and display the returned entities as search results.
Splunk Cloud
All the power of Splunk Enterprise, delivered as a service. Runs in Amazon Web Services (AWS). GovCloud-Splunk Cloud solution hosted in a secure environment for the public sector. 1.33X more expensive, but it's in the cloud and support is included.
The time range picker is set to _________ by default.
All-time
What does the time range picker do?
Allow search by preset times, relative times. Real time (earliest, latest), date range. Retrieve events over a specific time period.
Search Macros _______________
Allow you to store entire search strings, including pipes and eval statements. Are time range independent. Can pass arguments to the search.
Search head
Allows users to use the Splunk search language to search the index data. Search heads handle search requests from users and distribute requests to the indexers which perform the actual searches on the data. Search heads then consolidate and enrich the results from the indexers before returning them to the user.
erex
Allows you to specify example or counter example values to automatically extract fields that have similar values.
erex
Allows you to specify example or counter example values to automatically extract fields that have similar values. See Also extract & kvform & multikv & regex & rex & xmlkv
In the following search, what should the empty argument contain? sourcetype=linux_secure | iplocation ______
An IP address.
append
Appends subsearch results to current results.
append
Appends subsearch results to current results. See Also appendcols & appendcsv & join & set.
appendcols
Appends the fields of the subsearch results to current results: first results to first result, second to second, and so on.
appendcols
Appends the fields of the subsearch results to current results: first results to first result, second to second, etc. See Also append & appendcsv & join & set.
appendcols
Appends the fields of the subsearch results to current results: first results to first result, second to second, etc.
appendpipe
Appends the result of the subpipeline applied to the current result set to results.
appendpipe
Appends the result of the subpipeline applied to the current result set to results. See Also append & appendcols & join & set.
Statistical
Any search that returns these values can be viewed as a chart
frozenTimePeriodInSecs
Attributes in indexes.conf to freeze data when it grows too old?
What attributes can be added to an object?
Auto-Extracted Eval Expression Lookup Regular Expression Geo IP
Use a _______ for searching a string with quotes in the string.
Backslash. Example: info="user "chrisV4" not in database" becomes info="user \"chrisV4\" not in database"
@w0
Beginning of the current week Sunday, 02 February 2017, 12:00:00 A.M.
rtorder
Buffers events from real-time search to emit them in ascending time order when possible.
contingency
Builds a contingency table for two fields.
contingency and counttable and ctable
Builds a contingency table for two fields.
counttable
Builds a contingency table for two fields.
ctable
Builds a contingency table for two fields.
contingency and counttable and ctable
Builds a contingency table for two fields. See Also associate correlate
Splunk Sale Stages
Business Qualification Technical Interlock Champion Tested Proof Completed Mutually Agreed Closed Plan
Time for Search Job
By default will remain active for 10 minutes
What is the most efficient way to filter events in Splunk?
By time
What is the most efficient way to filter events in Splunk?
By time.
eval
Calculates an expression and puts the value into a field. See Functions for eval and where in the Splunk Enterprise Search Reference.
eval
Calculates an expression and puts the value into a field. See Functions for eval and where in the Splunk Enterprise Search Reference. See Also where
relevancy
Calculates how well the event matches the query.
mstats
Calculates statistics for the measurement metric_name and dimension fields in metric indexes. See Also stats
correlate
Calculates the correlation between different fields.
correlate
Calculates the correlation between different fields. See Also associate & contingency
typer
Calculates the eventtypes for the search results.
typer
Calculates the eventtypes for the search results. See Also typelearner
Commands that Create Statistics and Visualizations
Called Transforming Commands which transform data into data tables.
Monitor & Alert
Can Monitor infrastructure in real time to identify issues, problems, and attacks before they impact customers and services. Create alerts and automatically respond with a variety of actions.
Field Aliases ___________________
Can be referenced by lookup tables. Are applicable to a specified app context. Make correlation easier.
Field names are ________.
Case sensitive
highlight
Causes Splunk Web to highlight specified terms.
________ are searches gathered together in a single pane of glass.
Dashboards
_____________ are reports gathered together into a single pane of glass.
Dashboards
3 Things Search can produce
Dashboards, Reports and Visualization to assist the search experience.
Splunk IT Service Intelligence
Data-driven service insight for root cause isolation and improved service operations. Complementary product. Customers must have an equivalent license of Core Splunk (same GB volume).
Splunk User Behavior Analytics (UBA)
Detect cyber-attacks and insider threats using data science, machine learning, behavior baselines, peer group analytics, and advanced correlation. Licensing: number of authorized users (the number of users or system accounts in Microsoft AD, Lightweight Directory Access Protocol (LDAP) or a similar service that is used to authenticate users inside the network). Needs to be sold with content subscription packs.
rare
Displays the least common values of a field.
rare
Displays the least common values of a field. See Also stats & top
top
Displays the most common values of a field.
top
Displays the most common values of a field. See Also rare & stats
DMC stands for
Distributed Management Console
No, it only filters the results
Does narrowing the time range by dragging the selection bars across the timeline re-execute the search?
timestamp, host, source, sourcetype
Each event has these field value pairs.
This search action button "Job V" does what?
Edit job settings, send job to background, inspect and delete job.
sendemail
Emails search results either inline or as an attachment to one or more specified email addresses.
sendemail
Emails search results to a specified email address.
sendemail
Emails search results, either inline or as an attachment, to one or more specified email addresses
sendemail
Emails search results, either inline or as an attachment, to one or more specified email addresses.
x11
Enables you to determine the trend in your data by removing the seasonal pattern.
x11
Enables you to determine the trend in your data by removing the seasonal pattern. See Also predict
predict
Enables you to use time series algorithms to predict future values of fields.
predict
Enables you to use time series algorithms to predict future values of fields. See Also x11
searches with relative time modifiers.
Example 1: Web access errors from the beginning of the week to the current time of your search (now). eventtype=webaccess error earliest=@w0 This search returns matching events starting from 12:00 A.M. of the Sunday of the current week to the current time. Of course, this means that if you run this search on Monday at noon, you will only see events for 36 hours of data. -------------------------------------------------------- Example 2: Web access errors from the current business week (Monday to Friday). eventtype=webaccess error earliest=@w1 latest=+7d@w6 This search returns matching events starting from 12:00 A.M. of the Monday of the current week and ending at 11:59 P.M. of the Friday of the current week. If you run this search on Monday at noon, you will only see events for 12 hours of data. Whereas, if you run this search on Friday, you will see events from the beginning of the week to the current time on Friday. The timeline however, will display for the full business week. -------------------------------------------------------- Example 3: Web access errors from the last full business week. eventtype=webaccess error earliest=-7d@w1 latest=@w6 This search returns matching events starting from 12:00 A.M. of last Monday and ending at 11:59 P.M. of last Friday
exim_main
Exim MTA mainlog
exim_reject
Exim reject log
mvexpand
Expands the values of a multivalue field into separate events for each value of the multivalue field.
mvexpand
Expands the values of a multivalue field into separate events for each value of the multivalue field. See Also mvcombine & makemv & nomv
Clauses
Explain how we want the results grouped or defined.
Functions
Explain how we want to chart, compute, and evaluate the results.
Bucket lifecycle includes the following stages: Hot - contains newly indexed data and is open for writing. For each index, there are one or more hot buckets available. Warm - data rolled from hot. Cold - data rolled from warm. Frozen - data rolled from cold. The indexer deletes frozen data by default, but users can also archive it. Thawed - data restored from an archive. If you archive frozen data, you can later return it to the index by thawing (defrosting) it.
Explain the bucket lifecycle ?
fieldformat
Expresses how to render a field at output time without changing the underlying value. See Also eval & where
A license violation causes all data to stop being indexed.
False
Adding more machines no matter the hardware will make your deployment perform better.
False
After a report is saved, you can no longer edit the search.
False
mvfilter(X)
Filters a multivalue field based on an arbitrary Boolean expression X. Basic examples The following example returns all of the values in field email that end in .net or .org. ... | eval n=mvfilter(match(email, "\.net$") OR match(email, "\.org$"))
Search
Find values across multiple sources, allowing you to analyze and run statistics.
anomalousvalue
Finds and summarizes irregular or uncommon search results.
anomalousvalue
Finds and summarizes irregular or uncommon search results. See Also analyzefields & anomalies & cluster & kmeans & outlier.
arules
Finds association rules between field values.
arules
Finds association rules between field values. See Also associate & correlate.
mvfind(MVFIELD,"REGEX")
Finds the index of a value in a multivalue field that matches the REGEX. Basic example ... | eval n=mvfind(mymvfield, "err\d+")
searchtxn
Finds transaction events within specified search constraints.
searchtxn
Finds transaction events within specified search constraints. See Also transaction
status as "HTTP Status"
Finish the rename command to change the name of the status field to HTTP Status. sourcetype=a* status=404 | rename _______
Scales from Desktop to Enterprise
Flexible data engine that scales to index terabytes of data per day and permits thousands of users to concurrently search petabytes of data
______how we want to deal with results (ex. list) (components of search language)
Functions
This workflow action passes variables in a URL.
GET
geostats
Generate statistics which are clustered into geographical bins to be rendered on a world map.
geostats
Generate statistics which are clustered into geographical bins to be rendered on a world map. See Also stats & xyseries
findtypes
Generates a list of suggested event types. See Also typer
fieldsummary
Generates summary information for all or a subset of the fields. See Also af & anomalies & anomalousvalue & stats
gentimes
Generates time-range results.
External data used by a Lookup can come from sources like:
Geospatial data CSV files Scripts
Reverse chronological order (newest first)
In what chronological order are events displayed, after a search?
Authentication.conf is used to add LDAP groups.
In which file do we need to add LDAP group details for authentication? authorize.conf or authentication.conf?
authorize.conf
In which files are role mappings done?
A group of indexers configured to replicate each other's data is called a ________.
Index Cluster
5 Main components of Splunk ES
Index Data, Search & investigate, Add knowledge, Monitor & Alert, Report & Analyze.
How does Splunk help with Machine Data?
Index Data, Search and Investigate, Add Knowledge, Monitor and Alert, and Report & Analyze
A server acting as a ___________ requires the same hardware as a single deployment server.
Indexer
Search requests are processed by the ____________.
Indexer
Search requests are processed by?
Indexers
3 Main Splunk Processing Components
Indexers, Search Heads, and Forwarders.
Events are written to disk during the _______ segment of the data pipeline.
Indexing
Parsing and Indexing are both part of the ____ processing tier.
Indexing
Single Instance Deployment Splunk Instance
Input, Parsing, Indexing and Searching
Having separate indexes allows:
Multiple retention policies Ability to limit access Faster Searches
!=
Multivalued field values that don't exactly match "foo". Example: field!=foo
=
Multivalued field values that exactly match "foo". Example: field=foo
access_combined
NCSA combined format http web server logs (can be generated by apache or other web servers)
access_combined
NCSA combined format http web server logs (can be generated by apache or other web servers) Example: 10.1.1.43 - webdev [08/Aug/2005:13:18:16 -0700] "GET / HTTP/1.0" 200 0442 "-" "check_http/1.10 (nagios-plugins 1.4)"
access_combined_wcookie
NCSA combined format http web server logs (can be generated by apache or other web servers) with cookie field added at end
access_combined_wcookie
NCSA combined format http web server logs (can be generated by apache or other web servers), with cookie field added at end Example: "66.249.66.102.1124471045570513" 59.92.110.121 - - [19/Aug/2005:10:04:07 -0700] "GET /themes/splunk_com/images/logo_splunk.png HTTP/1.1" 200 994 "http://www.splunk.org/index.php/docs" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.8) Gecko/20050524 Fedora/1.0.4-4 Firefox/1.0.4" "61.3.110.148.1124404439914689"
access_common
NCSA common format http web server logs (can be generated by apache or other web servers)
access_common
NCSA common format http web server logs (can be generated by apache or other web servers) Examples: 10.1.1.140 - - [16/May/2005:15:01:52 -0700] "GET /themes/ComBeta/images/bullet.png HTTP/1.1" 404 304
Using _____ and ____ (symbols) would return the same results.
NOT, !=
Would the ip column be removed in the results of this search? Why or why not?
No, because the name was changed
Would the clientip column be removed in the results of this search? Why or why not? sourcetype=access* | rename clientip as "user" | table user status | fields - clientip
No, because the name was changed.
Search Booleans
Not, Or, And. Add parentheses: Keyword1 NOT (Keyword2 OR Keyword3)
now
Now, the current time. Resulting time: Wednesday, 05 February 2017, 01:37:05 P.M.
>=
Numerical field values that are greater than and equal to x. Example: field>=x
>
Numerical field values that are greater than x. Example: field>x
<=
Numerical field values that are less than and equal to x. Example: field<=x
<
Numerical field values that are less than x. Example: field<x
Which is not a comparison operator in Splunk?
OR
Difference between relative time and relative snap to time
On April 28th, you decide to run a search at 14:05. If you specify earliest=-2d, the search goes back exactly two days, starting at 14:05 on April 26th. If you specify earliest=-2d@d, the search goes back to two days and snaps to the beginning of the day. The search looks for events starting from 00:00 on April 26th.
Files indexed using the the upload input option get indexed _____.
Once
False
Once an alert is created, you can no longer edit its defining search. T/F
1. add the report to a dashboard 2. open the report and edit it 3. accelerate slow running reports
Once you create a report you can
-mon@mon+7d
One month ago, snapped to the first of the month at midnight, plus 7 days. Resulting time: the 8th of last month at 12 A.M.
A Splunk user does what?
Only see own knowledge objects and those shared to them.
Universal Machine Data Platform
Open, extensible platform delivering integrated, end-to-end data collection, management and analysis
Indexer
Processes incoming data, storing it in indexes as events. As the indexer indexes data, it creates a number of files in directories organized by age (time).
spath
Provides a straightforward means for extracting fields from structured data formats, XML and JSON.
spath
Provides a straightforward means for extracting fields from structured data formats, XML and JSON. See Also xpath
App Key Value Store
Provides a way to save and retrieve data within your Splunk apps as collections of key-value pairs, letting you manage and maintain the state of your apps and store additional information.
Reports
Provides reports and dashboards, empowering groups in the organization by giving them the information they need, organized into a single pane.
stats
Provides statistics grouped optionally by fields. See Functions for stats chart and timechart in the Splunk Enterprise Search Reference.
stats
Provides statistics grouped optionally by fields. See Statistical and charting functions in the Splunk Enterprise Search Reference.
stats
Provides statistics, grouped optionally by fields. See Functions for stats, chart, and timechart in the Splunk Enterprise Search Reference. See Also eventstats & top & rare
bin and discretize
Puts continuous numerical values into discrete sets.
bin and discretize
Puts continuous numerical values into discrete sets. See Also chart and timechart.
What is missing from this search? sourcetype=acc* status=404 | rename clientip as "User ID" | table User ID status host
Quotation marks around User ID
_______ object is the main source of data
Root
foreach
Run a templatized streaming subsearch for each field in a wildcarded field list. See Also eval
multisearch
Run multiple streaming searches at the same time. See Also append & join
returns a fresh result set
Running a scheduled saved report ___________
script and run
Runs an external Perl or Python script as part of your search.
join
SQL-like joining of results from the main results pipeline with the results from the subpipeline.
join
SQL-like joining of results from the main results pipeline with the results from the subpipeline. See Also selfjoin & appendcols
mvzip(X,Y,"Z")
Takes two multivalue fields, X and Y, and combines them by stitching together the first value of X with the first value of field Y, then the second with the second, and so on. The third argument, Z, is optional and is used to specify a delimiting character to join the two values. The default delimiter is a comma. Basic example ... | eval nserver=mvzip(hosts,ports)
Commands
Tells Splunk what we want to do with search results, such as creating charts, computing statistics, and formatting.
If you want to format values without changing their characteristics, which would you use?
The Fieldformat Command.
Alerting IS NOT A COMMAND
Use the above command to email the results of a search.
fields -
Use this command to exclude fields used in the search to make the results easier to read.
Which roles can create Private Knowledge Objects?
User, Power, Admin
concurrency
Uses a duration field to find the number of "concurrent" events for each event. See Also timechart
alerts
Uses a saved search to look for events in real time or on a schedule.
Batch - Use batch to set up a one-time, destructive input of data from a source. For continuous, non-destructive inputs, use monitor. Remember, after the batch input is indexed, Splunk Enterprise deletes the file.
Which stanza can be used to destroy a file after reading the file?[ fschange, monitor, batch, destroy ]
avg
Which stats function would you use to find the average value of a field?
label
Which tag is not part of implementing a drilldown?
query
Which tag is used for search string in simplexml for dashboard?
fieldset
Which tag is used to create input in form in simple xml?
Parsing stage
During parsing, Splunk extracts a set of default fields for each event, such as host, source, and sourcetype.
True
Wildcards can be used with field value searches
End User Role
Will only see their own knowledge objects and those shared with them.
This is an example of a search using __________. sourcetype=access_combined
a field value pair
app manifest
a file generated by the Packaging Toolkit to describe a Splunk app, including dependencies and input groups.
Which clause would you use to rename the count field?
as
Which clause would you use to rename the count field? sourcetype=vendor_sales | stats count(linecount) ______ "Units Sold"
as
Which stats function would you use to find the average value of a field?
avg
transforming commands
Commands that create statistics or visualizations are called ____.
Which of these is NOT a main component of Splunk?
compress and archive
Raw data in an index is stored in a ________ form.
compressed
For exact time ranges, the syntax for the time modifiers is %m/%d/%Y:%H:%M:%S. For example, the following search specifies a time range from 12 A.M. October 19, 2016 to 12 A.M. October 27, 2016.
earliest=10/19/2016:0:0:0 latest=10/27/2016:0:0:0
The _______ folder inside the Splunk Enterprise installation directory contains licenses and configuration files.
etc
In a dashboard, a time range picker will only work on panels that include a(n) __________ search.
inline
Finish this search command so that it displays data from the http_status.csv Lookup file.
inputlookup
Finish this search command so that it displays data from the http_status.csv lookup file. | __________ http_status.csv
inputlookup
Finish this search to return unlimited results. sourcetype=access_combined action=purchase | rare product_name _________
limit=0
It is a best practice to ____________ forwarders across all indexers in a search peer group.
load balance
Exact phrases use______
quotes
two types of splunk indexes
raw data (full log files) and index files (keywords from logs)
The server that data is forwarded to is called the ______________.
receiver
False
This command returns an unlimited number of results. search: error | top host limit=9999
Keeping ____ synchronized across your deployment, makes sure events are returned in the proper order.
time
Limiting search by ___________ is key to faster results and is a best practice
time
Use _____ for searches
time
The timestamp seen in events is based on the ______ setting in the user account profile.
time zone
You can also define the relative time modifier using only the snap to time unit.
To snap to a specific day of the week, use @w0 for Sunday, @w1 for Monday, and so forth. For Sunday, you can specify either w0 or w7.
To display the most common values in a specific field, what command would you use?
top
To display the most common values in a specific field, what command would you use? sourcetype=vendor_sales | ______ Vendor
top
These fields can launch a quick report by clicking on them (4)
top values, top values by time, rare values, events with this field
This command allows you to correlate related events on a field or list of fields that span time.
transaction
Commands that create statistics or visualizations are called ____________.
transforming commands
A summary index is used to return report and dashboard results quickly. You can store the results of any scheduled (cron) saved search in a summary index, so that reports run against the reduced data in the summary index instead of the raw events.
What is a summary index in Splunk?
1. create the lookup table 2. define the lookup 3. configure the lookup to run automatically
What is the correct order of steps for creating a new lookup?
statistical values
When a search returns _________, you can view the results as a list.
*
Which character acts as a wildcard in the Splunk search language?
Rename
Which is not a valid option when editing a report?
forwarders
Which of the following are responsible for collecting data and sending it for further processing?
search head
Which of the following are responsible for dispatching a search request?
indexers
Which of the following are responsible for parsing incoming data and storing data on disk?
sourcetype=access_* | stats max(bytes)
Which of the following will show the maximum bytes?
accounting response for TradeID
Which of the following would match this search? SEARCH: "accounting response"
admin
Which role can create data models?
admin
Which role defines what apps a user will see by default?
smart
Which search mode automatically decides how to return fields based on your search?
When using the search below, what axis would time be on? sourcetype=vendor_sales | timechart count(linecount)
x
years
y, yr, yrs, year, years