SPLUNK CORE CERTIFIED USER PRACTICE TEST-2


When sorting on multiple fields with the sort command, what delimiter can be used between the field names in the search?
A. ,
B. $
C. !
D. |

A. , (Correct)
Explanation: Syntax: [ - | + ] <sort-field>, ( - | + ) <sort-field> ...

By default, which of the following fields would be listed in the fields sidebar under Interesting Fields?
A. index
B. sourcetype
C. source
D. host

A. index (Correct)
Explanation: By default, the selected fields are host, source, and sourcetype; other fields found in the results, such as index, are listed under Interesting Fields.

Field names ARE

case sensitive; field values are NOT

How do you add or remove fields from search results?
A. Use fields + to add and fields - to remove
B. Use table + to add and table - to remove
C. Use fields Plus to add and fields Minus to remove
D. Use field + to add and field - to remove

A. Use fields + to add and fields - to remove (Correct)
Explanation:
To include, use fields + (default)
- Occurs before field extraction
- Improves performance
To exclude, use fields -
- Occurs after field extraction
- No performance benefit
- Exclude fields used in search to make the table/display easier to read

In the fields sidebar, which character denotes alphanumeric field values?
A. %
B. a#
C. #
D. a

D. a (Correct)
Explanation:
a : indicates the field's values are alphanumeric
# : indicates that the majority of the field values are numeric

What does the values function of the stats command do?
A. Lists unique values of a given field
B. Returns the number of events that match the search
C. Lists all values of a given field
D. Returns a count of unique values for a given field

A. Lists unique values of a given field (Correct)
Explanation: stats enables you to calculate statistics on data that matches your search criteria. Function: values - lists unique values of a given field

By default, the selected fields are:

host, source, sourcetype

#:

indicates that the majority of the field values are numeric

a :

indicates the field's values are alpha-numeric

distinct_count, dc -

returns a count of unique values for a given field

Why Create Panels from Reports?

- It is efficient to create most dashboard panels based on reports because:
1. A single report can be used across different dashboards
2. This links the report definition to the dashboard
- Any change to the underlying report affects every dashboard panel that utilizes that report

To include, use fields + (default)

1. Occurs before field extraction
2. Improves performance
To exclude, use fields -
1. Occurs after field extraction
2. No performance benefit
3. Exclude fields used in search to make the table/display easier to read

What is one benefit of creating dashboard panels from reports?
A. Any change to the underlying report will affect every dashboard that utilizes that report
B. It makes the dashboard more efficient because it only has to run one search string
C. Any newly created dashboard will include that report
D. There are no benefits to creating dashboard panels from reports

A. Any change to the underlying report will affect every dashboard that utilizes that report (Correct)
Explanation: Why create panels from reports? It is efficient to create most dashboard panels based on reports because:
- A single report can be used across different dashboards
- This links the report definition to the dashboard
- Any change to the underlying report affects every dashboard panel that utilizes that report

Which of the following statements about case sensitivity is true?
A. Field names ARE case sensitive; field values are NOT
B. Both field names and field values ARE NOT case sensitive
C. Both field names and field values ARE case sensitive
D. Field values ARE case sensitive; field names ARE NOT

A. Field names ARE case sensitive; field values are NOT (Correct)
Explanation: Field names ARE case sensitive; field values are NOT

Which time range picker configuration would return real-time events for the past 30 seconds?
A. Real-time - Earliest: 30 seconds ago, Latest: Now
B. Preset - Relative: 30 seconds ago
C. Advanced - Earliest: 30 seconds ago, Latest: Now
D. Relative - Earliest: 30 seconds ago, Latest: Now

A. Real-time - Earliest: 30 seconds ago, Latest: Now (Correct)
Explanation: To specify a beginning and an ending for a time range, use earliest and latest.
Examples:
- earliest=-h looks back one hour
- earliest=-2d@d latest=@d looks back from two days ago, up to the beginning of the current day
Reference: https://docs.splunk.com/Documentation/Splunk/7.2.6/Search/Selecttimerangestoapply

What is the main requirement for creating visualizations using the Splunk UI?
A. Your search must transform event data into statistical data tables first
B. Your search must transform event data into JSON formatted data first
C. Your search must transform event data into XML formatted data first
D. Your search must transform event data into Excel file format first

A. Your search must transform event data into statistical data tables first (Correct)

A collection of items containing things such as data inputs, UI elements, and knowledge objects is known as what?
A. JSON
B. An app
C. An enhanced solution
D. A role

B. An app (Correct)
Explanation: Apps are designed to address a wide variety of use cases and to extend the power of Splunk. They are collections of files containing data inputs, UI elements, and/or knowledge objects, and allow multiple workspaces for different use cases/user roles to co-exist on a single Splunk instance.

After running a search, what effect does clicking and dragging across the timeline have?
A. Expands the time range of the search
B. Filters current search results
C. Moves to past or future events
D. Executes a new search

B. Filters current search results (Correct)
Explanation: To select a narrower time range, click and drag across a series of bars. This action filters the current search results and does not re-execute the search. The filtered events are displayed in reverse chronological order (most recent first).

What does the rare command do?
A. Returns the most common field values of a given field in the results
B. Returns the least common field values of a given field in the results
C. Returns the lowest 10 field values of a given field in the results
D. Returns the top 10 field values of a given field in the results

B. Returns the least common field values of a given field in the results (Correct)
Explanation: The rare command returns the least common field values of a given field in the results. Its options are identical to those of the top command.

What is the purpose of using a by clause with the stats command?
A. To specify how the values in a list are delimited
B. To group the results by one or more fields
C. To compute numerical statistics on each field
D. To partition the input data based on the split-by fields

B. To group the results by one or more fields (Correct)
Explanation: by-clause
Syntax: by <field-list>
Description: Fields to group by.
Example: BY addr, port
Example: BY host

Which command is used to review the contents of a specified static lookup file?
A. outputlookup
B. inputlookup
C. csvlookup
D. lookup

B. inputlookup (Correct)
Explanation: Use the inputlookup command to load the results from a specified static lookup. Useful to:
- Review the data in the .csv file
- Validate the lookup

When an alert action is configured to run a script, Splunk must be able to locate the script. Which is one of the directories Splunk will look in to find the script?
A. $SPLUNK_HOME/etc/scripts
B. $SPLUNK_HOME/bin/etc/scripts
C. $SPLUNK_HOME/bin/scripts
D. $SPLUNK_HOME/etc/scripts/bin

C. $SPLUNK_HOME/bin/scripts (Correct)
Explanation: If you have Splunk Enterprise, you can configure an alert to run a shell script or batch file when the alert triggers. The script or batch file that an alert triggers must be at either of the following locations:
- $SPLUNK_HOME/bin/scripts
- $SPLUNK_HOME/etc/apps/<AppName>/bin/scripts
Specify an absolute path whenever a path is needed. If you use relative paths, it is important to remember that they are rooted in the Search and Reporting app's bin folder.
Reference: https://docs.splunk.com/Documentation/Splunk/7.2.6/Alert/Configuringscriptedalerts

Which statement is true about Splunk alerts?
A. Alerts are based on searches and require cron to run on a scheduled interval
B. Alerts are based on searches that are run exclusively as real-time
C. Alerts are based on searches that are either run on a scheduled interval or in real-time
D. Alerts are based on searches and when triggered will only send an email notification

C. Alerts are based on searches that are either run on a scheduled interval or in real-time (Correct)
Explanation: Splunk alerts are based on searches that can run either on a regular scheduled interval or in real-time. Alerts are triggered when the results of the search meet a specific condition that you define. Based on your needs, alerts can:
- Create an entry in Triggered Alerts
- Log an event
- Output results to a lookup file
- Send emails
- Use a webhook
- Perform a custom action

A field exists in search results, but isn't being displayed in the fields sidebar. How can it be added to the fields sidebar?
A. Click Selected Fields and select the field to add it to Interesting Fields
B. Click Interesting Fields and select the field to add it to Selected Fields
C. Click All Fields and select the field to add it to Selected Fields
D. This scenario isn't possible because all fields returned from a search always appear in the fields sidebar

C. Click All Fields and select the field to add it to Selected Fields (Correct)
Explanation: Use the All Fields link to view all fields (including non-interesting fields). Selected fields and their values are listed under every event that includes those fields. You can choose any field and make it a selected field.

What must be done in order to use a lookup table in Splunk?
A. The lookup file must be uploaded to the etc/apps/lookups folder for automatic ingestion
B. The contents of the lookup file must be copied and pasted into the search bar
C. The lookup file must be uploaded to Splunk and a lookup definition must be created
D. The lookup must be configured to run automatically

C. The lookup file must be uploaded to Splunk and a lookup definition must be created (Correct)
Explanation: Creating a lookup
1. Upload the file required for the lookup. Lookup table files are files that contain a lookup table. A standard lookup pulls fields out of this table and adds them to your events when corresponding fields in the table are matched in your events.
2. Define the lookup type (lookup definition). A lookup definition provides a lookup name and a path to find the lookup table. Lookup definitions can include extra settings such as matching rules, or restrictions on the fields that the lookup is allowed to match. One lookup table can have multiple lookup definitions. All lookup types require a lookup definition. After you create a lookup definition you can invoke the lookup in a search with the lookup command.
3. Optionally, configure the lookup to run automatically. Use automatic lookups to apply a lookup to all searches at search time. After you define an automatic lookup for a lookup definition, you do not need to manually invoke it in searches with the lookup command.

Which stats command function provides a count of how many unique values exist for a given field in the result set?
A. count(field)
B. count-by(field)
C. dc(field)
D. distinct-count(field)

C. dc(field) (Correct)
Explanation: distinct_count, dc - returns a count of unique values for a given field

What is the correct syntax to count the number of events containing a vendor_action field?
A. count stats vendor_action
B. stats vendor_action (count)
C. stats count (vendor_action)
D. count stats (vendor_action)

C. stats count (vendor_action) (Correct)
Explanation: stats (stats-function(field) [AS field])... [BY field-list]. Here stats is the command, count is the function and vendor_action is the field. count returns the number of matching events based on the current search criteria. Use the as clause to rename the count field.

To specify a beginning and an ending for a time range, use earliest and latest

Examples: earliest=-h looks back one hour; earliest=-2d@d latest=@d looks back from two days ago, up to the beginning of the current day.

stats enables you to calculate statistics on data that matches your search criteria

Function: values - lists unique values of a given field

by-clause

Syntax: by <field-list>
Description: Fields to group by.
Example: BY addr, port
Example: BY host

Use the inputlookup command to load the results from a specified static lookup

Useful to:
- Review the data in the .csv file
- Validate the lookup
