Splunk core certified user exam questions

Pataasin ang iyong marka sa homework at exams ngayon gamit ang Quizwiz!

Click All Fields and select the field to add it to Selected Fields

A field exists in search results, but isn't being displayed in the fields sidebar. How can it be added to the fields sidebar?

Filters current search results

After running a search, what effect does clicking and dragging across the timeline have?

_time

At index time, in which field does Splunk store the timestamp value?

Index

By default, which of the following fields would be listed in the fields sidebar under interesting Fields?

Input Phase

Data sources being opened and read applies to

CSV, scripts, geospatial data

External data used by a Lookup can come from sources like

True

Fields are searchable name and value pairings that differentiates one event from another.

The owner of the report can edit permissions from the Edit dropdown.

How can another user gain access to a saved report?

By scheduling a report

How can search results be kept longer than 7 days?

Splunk automatically discovers many fields based on sourcetype and key/value pairs found in the data

How does Splunk determine which fields to extract from data?

Events from every index searched by default to which the user has access will be returned

In a deployment with multiple indexes, what will happen when a search is run and an index is not specified in the

Filed & Directories, HTTP Event Collector (HEC), TCP/UDP and Scripts

In monitor option you can select the following options in GUI.

App, Owner, Severity, and Type

In the Splunk interface, the list of alerts can be filtered based on which characteristics?

What indicates that a field is numeric?

In the fields sidebar, what indicates that a field is numeric?

True

License Meter runs before data compression

Both One-time and continuous monitoring

Monitor option in Add Data provides

Host, Source, Sourcetype

Name the defult selected fields

True

Prefix wildcards might cause performance issues.

True

Search Assistant is enabled by default in the SPL editor with compact settings.

index=security sourcetype=access_* status=200 | stats count by price

Select the answer that displays the accurate placing of the pipe in the following search string: index=security sourcetype=access_* status=200 stats count by price

True

Splunk Enterprise is used as a Scalable service in Splunk Cloud.

Designed to cater numerous use cases and empower Splunk Allows multiple workspaces for different use cases/user roles It is collection of different Splunk config files like data inputs, UI and Knowledge Object.

Splunk apps are used for following

True

T/F : When you make a change to the visualization settings such as Min/Max the Visualization updates immediately

False

The default host name used in Inputs general settings can not be changed.

non-transforming

The instant pivot button is displayed in the statistics and visualization tabs when a _______ search is used.

1)Select fields from the fields sidebar and choose to run a report 2) Use Pivot Interface 3) use the search language transforming command in search bar

Three main methods to create tables and vizualizations are:

False

Upload option creates inputs.conf

True

We should use heavy forwarder for sending event-based data to Indexers.

After saving the report, click Schedule

What are the steps to schedule a report?

Change Job Lifetime from 10 minutes to 7 days.

What can be configured using the Edit Job Settings menu?

Field descriptions

What can be included in the All Fields option in the sidebar?

The owner of the report can configure permissions so that the report uses either the User role or the owner's profile at run time

What determines the scope of data that appears in a scheduled report?

Look back from 3 days ago, up to the beginning of today.

What does the following specified time range do? earliest=-72h@h latest=@d

Returns the least common field values of a given field in the results

What does the rare command do?

Calculates statistics on data that matches the search criteria

What does the stats command do?

Lists unique values of a given field

What does the values function of the stats command do?

The selected field and its corresponding values will appear underneath the events in the search results.

What happens when a field is added to the Selected Fields list in the fields sidebar?

Group > Object > Description

What is a suggested Splunk best practice for naming reports?

Any change to the underlying report will affect every dashboard that utilizes that report

What is one benefit of creating dashboard panels from reports?

stats count (vendor_action)

What is the correct syntax to count the number of events containing a vendor_action field?

A data model is the collection of data sets

What is the difference between a DataModel and a DataSet?

Your search must transform event data into statistical data tables first

What is the main requirement for creating visualizations using the Splunk UI?

To find the least common values of a field in a dataset.

What is the primary use for the rare command?

To group the results by one or more fields

What is the purpose of using a by clause with the stats command?

All firewall, web server, database, router and switch logs

What kind of logs can Splunk Index?

The lookup file must be uploaded to Splunk and a lookup definition must be created

What must be done in order to use a lookup table in Splunk?

Relational operators such as =, <, or >

What syntax is used to link key/value pairs in search strings?

Any search can be saved as a report

What type of search can be saved as a report?

CSV, XML, JSON

When a Splunk search generates calculated data that appears in the Statistics tab, in what formats can the results

$SPLUNK_HOME/bin/scripts

When an alert action is configured to run a script, Splunk must be able to locate the script. Which is one of the directories Splunk will look in to find the script?

Line charts are optimal for single and multiple series

When displaying results of a search, which of the following is true about line charts?

Modify the chart type displayed in a dashboard panel. Drag a dashboard panel to a different location on the dashboard.

When editing a dashboard, which of the following are possible options? (select all that apply)

You cannot modify the search string in the panel, but you can change and configure the visualization.

When looking at a dashboard panel that is based on a report, which of the following is true?

Clicking on any field value in the table.

When looking at a statistics table, what is one way to drill down to see the underlying events?

fields +

When placed early in a search, which command is most effective at reducing search execution time?

Orange

When running searches, command modifiers in the search string are displayed in what color?

Indexer

Where does Licensing meter happen?

AND

Which Boolean operator is always implied between two search terms, unless otherwise specified?

inputlookup

Which command is used to review the contents of a specified static lookup file?

| inputlook products.csv

Which command is used to validate a lookup file?

Indexer

Which component of Splunk is primarily responsible for saving data?

Search Head

Which component of Splunk let us write SPL query to find the required data?

All events with a host of www3 that also have a status of 503

Which events will be returned by the following search string? host=www3 status=503

To show peaks and/or valleys in the timeline, which can indicate spikes in activity or downtime.

Which is primary function of the timeline located under the search bar?

Splunk User Behavior Analytics (UBA) Splunk IT Service Intelligence (ITSI) Splunk Enterprise Security (ES)

Which of the following are Splunk premium enhanced solutions?

showperc, countfield

Which of the following are common constraints of the top command?

sum, avg, values

Which of the following are functions of the stats command?

limit

Which of the following constraints can be used with the top command?

Lookups contain static data available in the index. Lookups add more fields to results returned by a search.

Which of the following describes lookup files

Source

Which of the following fields is stored with the events in the index?

CSV, XML, JSON

Which of the following file types is an option for exporting Splunk search result

(index=web OR index=sales)

Which of the following index searches would provide the most efficient search performance?

Filter as early as possible

Which of the following is a Splunk search best practice?

Avoid using formatting clauses, as they add too much overhead

Which of the following is a best practice when writing a search string?

Adding the item to the search.

Which of the following is an option after clicking an item in search results?

Time

Which of the following is the most efficient filter for running searches in Splunk?

Export the results of the search to an XML file and use the file as the basis of the dashboards.

Which of the following is the recommended way to create multiple dashboards displaying data from the same search?

Full names can only be changed by accounts with a Power User or Admin role

Which of the following is true about user account settings and preferences?

Group_Object_Description

Which of the following represents the Splunk recommended naming convention for dashboards?

error AND (fail AND 400)

Which of the following searches will return results where fail, 400, and error exist in every event?

(index=netfw failure) OR (index=netops (warn OR critical))

Which of the following searches would return events with failure in index netfw or warn or critical in index netops?

Can be accessed by Apps > Search & Reporting. Provides default interface for searching and analyzing logs. Enables the user to create knowledge object, reports, alerts and dashboards.

Which of the following statements are correct about Search & Reporting App?

parsing, Indexing & forwarding

Which of the statements are correct about HF?

Zoom to selection: Narrows the time range and re-executes the search. Format Timeline: Hides or shows the timeline in different views Zoom-out: Expands the time focus and re-executes the search

Which of the statements are correct?

The new result after selecting the range by dragging filters the events and displays the most recent first

Which of the statements is correct regarding click and drag option in timeline?

index=security Error Fail

Which search matches the events containing the terms "error" and "fail"?

index=security "failed password"

Which search string is the most efficient?

status_code>403 status_code<405

Which search string matches only events with the status_code of 404?

host=WWW3

Which search string only returns events from hostWWW3?

index=security failure | stats count as "Event Count"

Which search string returns a filed containing the number of matching events and names that field Event Count?

Alerts are based on searches that are either run on a scheduled interval or in real-time

Which statement is true about Splunk alerts?

It returns the top 10 results. It displays the output in table format. It returns the count and percent columns per row.

Which statement is true about the top command?

Real-time - Earliest: 30-seconds ago, Latest: Now

Which time range picker configuration would return real-time events for the past 30 seconds?

Instant Pivot

Which tool can can be used use to get users working with the data without a data model who are new too Splunk

Instant Pivot

Which tool can we use to get users working with the data without a data model. Assuming the users are new too Splunk and don't know how to use the search language.

CLI Splunk Web Splunk apps and add-ons inputs.conf

You can on-board data to Splunk using following means

earliest= latest=

You can use the following options to specify start and end time for the query range:

True

Zoom Out and Zoom to Selection re-executes the search

Indexer

transforms raw data into events and distributes the results into an index.


Kaugnay na mga set ng pag-aaral

older adult exam 2 practice questions

View Set

Chapter 12: Skin, Hair, and Nails

View Set

Unit 3- Clinical decision making

View Set

U12Ch46 어(魚/漁): fish, to fish (KBC)

View Set