Splunk Core Certified User & Splunk Fundamentals 1


This symbol is used in the "Advanced" section of the time range picker to round down to nearest unit of specified time. (Select your answer.) A) % B) ^ C) @ D) & E) *

C) @

Which one of these is not a stats function? A) Count B) Avg C) Addtotals D) List E) Sum

C) Addtotals

Field names are ________. *(Select all that apply.)* A) Always capitalized. B) Not important in Splunk. C) Case sensitive. D) Case insensitive.

C) Case sensitive

Which function is not a part of a single instance deployment? A) Searching B) Parsing C) Clustering D) Indexing

C) Clustering

What is missing from this search?... sourcetype=a* | rename ip as "User IP" | table User IP A) A pipe. B) Search terms C) Quotation marks around User IP. D) A table command.

C) Quotation marks around User IP.

_________ define what users can do in Splunk. A) Tokens B) Disk permissions C) Roles

C) Roles

The default username and password for a newly installed Splunk instance is: A) username and password B) admin and changeme C) admin and 12345 D) buttercup and rawks

B) admin and changeme

What command would you use to *remove the status field* from the returned events? sourcetype=a* status=404 | ___________ status A) table B) fields - C) not D) fields

B) fields -

In a dashboard, a time range picker will only work on panels that include a(n) __________ search. A) transforming B) inline C) visualization D) accelerated

B) inline

The instant pivot button is displayed in the statistics and visualization tabs when a _______ search is run. A) transforming B) non-transforming

B) non-transforming

Which clause would you use to rename the count field? sourcetype=vendor* | stats count __________ "Units Sold" A) rename B) to C) as D) show

C) as

Finish the rename command to change the name of the status field to HTTP Status. sourcetype=a* status=404 | rename ______________ A) as "HTTP Status" B) status as "HTTP Status" C) status to "HTTP Status" D) status as HTTP Status

B) status as "HTTP Status"

Search heads send searches to...

Indexers

Search requests are processed by the ___________.

Indexers

What do Indexes point to?

Indexes point to raw compressed data.

T/F: Machine data is always structured.

False. Machine data can be structured or unstructured.

T/F: These searches will return the same results... failed password failed AND password

True

T/F: You can launch and manage apps from the home app.

True

When should you avoid using wildcards?

When the items searched against have *punctuation*, such as SF-RT_5G01. A typical search would be: productID=S*G01. But due to the way Splunk indexes punctuation (such as underscores or dashes), this search would likely fail.

Machine data makes up for more than ___% of the data accumulated by organizations.

90

T/F: Real-time alerts will run the search continuously in the background.

True

T/F: The monitor input option will allow you to continuously monitor files.

True

Which is not a comparison operator in Splunk? (Select your answer.) A) > B) ?= C) <= D) != E) =

?=

What are the *five* Splunk data bucket ages, from most current to oldest?

1) Hot 2) Warm 3) Cold 4) Frozen 5) Thawed

What is the Splunk data inspector process?

1) Look at data and decide how to process it. 2) Label data by source type. 3) Break data into events. 4) Normalize timestamps. 5) Add the data to a Splunk index so it can be searched.

How many results are shown by default when using a Top or Rare Command?

10

As the Indexer indexes data, it creates a number of files organized by __________

age (using the timestamps)

What is the job of the Search Head?

*Handle search requests* using Splunk search language. Enriches data with reports, dashboards, visualizations.

What are the *three* Splunk search modes?

1) *Verbose* (returns most amount of data) 2) *Fast* (limits types of data returned and emphasizes speed) 3) *Smart* (switches to verbose or fast based on search)

Indexes consist of what *two* types of files?

1) Raw data files 2) Index files

What are the *five* default fields for every event in Splunk?

1) host 2) source 3) source type 4) index 5) timestamp

What is an index?

A collection of databases.

What does a generating command do?

A generating command *fetches information* from the indexes, *without any transformations*. Generating commands are either event-generating (distributable or centralized) or report-generating. Most report-generating commands are also centralized. Depending on which type the command is, the results are returned in a list or a table.

What is a scheduled report?

A report that is scheduled to run on a regular interval, making it a type of *scheduled search*. Scheduled reports typically initialize one or more alert actions each time they run, such as sending the results of the report run to a set of recipients, logging and indexing custom log events, or adding the results to a CSV lookup.

What is a transforming command?

A type of search command that *orders the results into a data table*. Transforming commands "transform" the specified cell values for each event into numerical values that Splunk Enterprise can use for statistical purposes.

These roles can create reports: *(Select all that apply.)* A) Admin B) User C) Power

A) Admin B) User C) Power

How is the *asterisk* used in Splunk search? A) As a wildcard. B) To make a nose for your clown emoticon. C) As a place holder. D) To add up numbers.

A) As a wildcard.

What is the most efficient way to filter events in Splunk? A) By time. B) Using booleans. C) With an asterisk.

A) By time.

_____________ are reports gathered together into a single pane of glass. A) Dashboards B) Panels C) Alerts D) Scheduled Reports

A) Dashboards

Which command removes results with duplicate field values? A) Dedup B) Limit C) Join D) Distinct

A) Dedup

Having separate indexes allows: *(Select all that apply.)* A) Faster Searches. B) Ability to limit access. C) Multiple retention policies.

A) Faster Searches. B) Ability to limit access. C) Multiple retention policies.

When using a .csv file for Lookups, the first row in the file represents this. A) Field names. B) Output fields. C) Nothing, it is ignored. D) Input fields.

A) Field names.

Which apps ship with Splunk Enterprise? *(Select all that apply.)* A) Home App B) Sideview Utils C) Search & Reporting D) DB Connect

A) Home App C) Search & Reporting

What are the three main processing components of Splunk? *(Select all that apply.)* A) Indexers B) Deployment Maker C) Search Heads D) Forwarders E) Distributors

A) Indexers C) Search Heads D) Forwarders

What attributes describe the field below? a dest 4 (Select all that apply.) A) It contains 4 values. B) It contains numerical values. C) It cannot be used in a search. D) It contains string values.

A) It contains 4 values. D) It contains string values.

External data used by a Lookup can come from sources like: *(Select all that apply.)* A) Scripts. B) CSV files. C) None. Only internal data can be used. D) Geospatial data.

A) Scripts B) CSV files D) Geospatial data

Which following search mode toggles behavior based on the type of search being run? A) Smart B) Fast C) Verbose

A) Smart

This role will only see their own knowledge objects and those that have been shared with them. A) User B) Power C) Admin

A) User

Finish this search command so that it displays data from the http_status.csv Lookup file. | _________________ http_status.csv A) inputlookup B) lookup=* C) datalookup D) lookup

A) inputlookup

To display the most common values in a specific field, what command would you use? A) top B) all C) table D) rare

A) top

What is time-series data?

Any data with time stamps.

A search job will remain active for _____ minutes after it is run. A) 5 B) 10 C) 30 D) 60 E) 90

B) 10

Adding child data model objects is like the ______ operator in the Splunk search language. A) NOT B) AND C) OR

B) AND

Which of these is *not* a main component of Splunk? A) Search and investigate. B) Compress and archive. C) Add knowledge. D) Collect and index data.

B) Compress and archive

Would the ip column be removed in the results of this search? Why or why not? sourcetype=a* | rename ip as "User" | fields - ip A) Yes, because a pipe was used between search commands. B) No, because the name was changed. C) No, because table columns can not be removed. D) Yes, because the negative sign was used.

B) No, because the name was changed.

Splunk knows where to break the event, where the time stamp is located and how to automatically create field value pairs using these. A) Line breaks B) Source types C) File names

B) Source types

If a search returns this, you can view the results as a *chart*. A) A list. B) Statistical values C) Time limits. D) Numbers

B) Statistical values

What are the three main default roles in Splunk Enterprise? *(Select all that apply.)* A) King B) User C) Manager D) Admin E) Power

B) User D) Admin E) Power

What does CIM stand for and what is it?

Common Information Model (CIM). A shared semantic model focused on extracting value from data. The CIM is implemented as an add-on that contains a collection of data models, documentation, and tools that support the consistent, normalized treatment of data for maximum efficiency at search time.

These are knowledge objects that provide the data structure for pivot. A) Alerts B) Indexes C) Reports D) Data models

D) Data models

Files indexed using the *upload* input option get indexed _____. A) Each time Splunk restarts. B) Every hour. C) On every search. D) Once.

D) Once.

An alert is an action triggered by a _____________. A) Selected field B) Tag C) Report D) Saved search

D) Saved Search

What happens to data once it reaches the frozen bucket?

Depending on the aging policy, the data in the frozen bucket is either *archived or deleted*.

T/F: As a general practice, exclusion is better than inclusion in a Splunk search.

False

T/F: Events are always returned in chronological order.

False

T/F: Excluding fields using the Fields Command will benefit performance.

False

T/F: Field values are case sensitive.

False

T/F: Machine data is only generated by web servers.

False

T/F: Once an alert is created, you can no longer edit its defining search.

False

T/F: Pivots cannot be saved as reports panels.

False

T/F: The User role can not create reports.

False

T/F: Time to search can only be set by the time range picker.

False

T/F: When zooming in on the event time line, a new search is run.

False

T/F: Wildcards cannot be used with field searches.

False

In most Splunk deployments, ________ serve as the primary way data is supplied for indexing.

Forwarders

In most production environments, _____________ will be used as your source of data input.

Forwarders

What does a Splunk license specify?

How much *data* you can index per calendar day.

Where would you go to determine whether the built-in search optimizations are helping your search to complete faster?

Job Inspector

What is a lookup?

Lookup is a command to *invoke field value lookups*. The lookup command can merge unstructured and structured data. For example: ...| lookup <lookup-table-name> <lookup-field1> AS <event-field1>

To keep from *overwriting* existing fields with your Lookup you can use the _________ clause.

OUTPUTNEW

What is pivot?

Pivot is a command that applies a pivot operation to data. For example: This command counts the number of events in the "HTTP Requests" object in the "Tutorial" data model. ...| pivot Tutorial HTTP_requests count(HTTP_requests) AS "Count of HTTP requests"

All of Splunk's configurations are written within what file type?

Plain text *.conf* files.

Search strings are sent from the _________.

Search Head

What does SPL stand for and what are some of its features?

Search Processing Language (SPL). It is Splunk's *proprietary* language. SPL encompasses all the search commands and their functions, arguments, and clauses. Its syntax was originally *based on the Unix pipeline and SQL*. The scope of SPL includes *data searching, filtering, modification, manipulation, insertion, and deletion*.

What is the most recent version of Splunk that is stable?

Splunk Version 7.2.1 (as of 12/06/2018)

What is the difference between *stats*, *chart*, and *time chart*?

Stats: Tabular format that allows *unlimited fields*. Chart: Graphical format that allows *two fields* (x and y axis) and can be pie chart, bar chart, line chart etc. Time Chart: Allows display in bar or line graph format, and only takes in *one field* because it uses time for the X axis.

What processes machine data, storing the results in indexes as events, and enables fast search and analysis?

The Splunk *Indexer*.

What does the metadata command do?

The metadata command returns a list of sources, sourcetypes, or hosts from a specified index or distributed search peer. For example: ...| metadata type=hosts

What are the *three* required parts of a pivot?

The pivot command is a generating command and must be first in a search pipeline. It requires a large number of inputs: *the data model*, *the data model object*, and *pivot elements*. ...| pivot <datamodel-name> <object-name> <pivot-element>

How does Splunk indexing work?

Time-series data is broken into events, based on the timestamps.

What are *seven* common transforming commands?

Transforming commands include: 1) chart 2) timechart 3) stats 4) top 5) rare 6) contingency 7) highlight.

T/F: A lookup is categorized as a dataset.

True

T/F: A time range picker can be included in a report.

True

T/F: Alerts can be shared to all apps.

True

T/F: Alerts can run uploaded scripts.

True

T/F: Alerts can send an email.

True

T/F: Pivots can be saved as dashboards panels.

True

Which stats function would you use to find the average value of a field?

average (or avg)

How would you use a wildcard to create a search that looks for all of the *product IDs* that begin with the letter *S* and end in *G01*?

productID=S*G01

Splunk uses ______________ to categorize the type of data being indexed.

sourcetype
