Splunk Core User Exam -- Redux
When an alert action is configured to run a script, Splunk must be able to locate the script. Which is one of the directories Splunk will look in to find the script?
$SPLUNK_HOME/bin/scripts
When sorting multiple fields with the sort command, what delimiter can be used between the field names in the search?
, (comma)
How many results are shown by default when using a Top or Rare Command?
10
By default, how long does Splunk retain a search job?
10 mins
Which Boolean operator is implied between two search terms unless otherwise specified?
AND
A field exists in search results, but isn't being displayed in the fields sidebar. How can it be added to the fields sidebar?
Click all fields and select the field to add it to Selected Fields
When editing a dashboard, which of the following are options?
Drag a dashboard panel to a different location on the dashboard
When using a .csv file for Lookups, the first row in the file represents this.
Field names
After running a search, what effect does clicking and dragging across the timeline have?
Filters current search results
Top Command
Finds the most common values of a given field
What is true about account settings and preferences?
Full name, time zone and default app can be defined by clicking the login name in the Splunk Bar
What represents the recommended naming convention for dashboards
Group_object_description
How are events displayed after each search is executed?
In reverse chronological order
Search requests are processed by the ____________.
Indexer
What is one benefit of creating dashboard panels from reports?
It makes the dashboard more efficient because it only has to run one search string
which file type is an option for exporting Splunk search results?
JSON
When displaying the results of a search, what is true about line charts?
Line charts are optimal for multiple series with 3 or more columns
List function
Lists all values for a given field
What does the values function of the stats command do?
Lists unique values of a given field
When running searches, command modifiers in the search string are displayed in what color?
Orange
Which time ranger picker configuration would return real events for the past 30 seconds?
Real-time -Earliest: 30-seconds ago, Latest: Now
Rare Command
Shows the least common values of a field set
How does Splunk determine which fields to extract data from?
Splunk automatically discovers many fields based on sourcetype and key/value pairs found in the data
What must be done before an automatic lookup can be created?
The lookup definition must be created
What must be done in order to use a lookup table in Splunk?
The lookup file must be uploaded and the lookup definition must be created.
What determines the scope of data that appears in a scheduled report?
The owner of the report can configure permissions so that the report uses either the user role or the owner's profile at run time
Set the number of times to trigger an alert with the ____
Trigger setting
What is a primary function of a scheduled report?
Triggering an alert in your Splunk instance when certain conditions are met.
How do you add or remove fields from search results?
Use fields +to add fields - to remove
When looking at a dashboard panel that is based on a report, which of the following is true?
You cannot modify the search string in the panel, but you can change and configure the visualization
What is the main requirement for creating visualizations in the Splunk UI?
Your search must transform event data into statistical data tables first
In the fields sidebar, which character denotes alpha numeric fields values?
a
What syntax is used to link key/value pairs in search strings?
action=purchase
Which statement is true about Splunk alerts?
alerts are base on searches that are either run on a scheduled interval or in real time
scheduled alert type
allows you to set a schedule and time range for the search to be run
A collection of items containing things such as data inputs, UI elements and knowledge objects is known as a what?
an app
In the splunk interface, the list of alerts can be filtered based on which characteristics?
app, owner, severity, type
Alerts
based on searches that run on scheduled intervals or in real-time notify you when the results of a search meet defined conditions triggered when search is completed
How can search results be kept longe than 7 days
by scheduling a report
once defined, lookup field values are ____ by default
case-sensitive
when looking at a statistics table, what is one way to drill down to view underlying events?
click on the visualizations tab
Common stats functions
count distinct count (dc) sum average min max list values
Average (avg) function
creates an average value for a given field
knowledge objects that provide the data structure for pivot
data models
Which stats command provides a count of how many unique values exist for a given field in the result set?
dc(field)
two steps to define a lookup table:
define a lookup table define the lookup
which search will return results where fail, 400 and error exist in every event?
error AND (fail OR 400)
Once an alert is created, you can no longer edit its defining search
false
When zooming in on the event time line, a new search is run.
false
What is true about case sensitivity?
field names are case sensitive, field values are not.
which of the following is a Splunk best practice?
filter as early as possible
Which search string only returns events from hostWWW3
host=WWW3
By default, which of the following fields would be listed in the fields sidebar under interesting fields?
index
which of the following index searches would provide the most efficient search performance?
index=*
Which search string returns a field containing the number of matching events and names that field event count?
index=security failure | stats count as "Event Count"
Select the answer that displays the accurate placing of the pipe in the following search string: index=security sourcetype=access_* status=200 stats count by price
index=security sourcetype=access_* status=200 | stats count by price
In a dashboard, a time range picker will only work on panels that include a(n) __________ search.
inline
Finish this command so that it displays data from the http_status.csv Lookup file | ______ http_status.csv
inputlookup
What command is used to review the contents of a static lookup file?
inputlookup
Alerts (functions)
ist in interface log events output to lookup send to a telemetry endpoint trigger scripts send emails use a webhook run a custom alert
data models
knowledge objects that provide the data structure that drives Pivots
Which of the following constrains can be used with the top command?
limit
real-time alerts run continuously and can place _____ on system performance
more overhead
In a deployment with multiple indexes, what will happen when a search is run and an index is not specified in the search string?
no events will be returned
The instant pivot button is displayed in the statistics and visualization tabs when a _____ search is run.
non-transforming
Files indexed using the upload option get indexed __________
once
transforming commands
order search results into a data table for statistical purposes
To keep from overwriting existing fields with your Lookup you can use the ____ clause.
outputnew
to keep from overwriting existing fields with your Lookup, you can use the _________ clause
outputnew
Trigger conditions
per result number of results number of hosts number of sources custom
To verify that a lookup is working _____
pipe to the inputlookup command
which syntax is used to link key/value pairs in search strings?
relational operators such as =, <, or >
min/max functions
return the minimum and maximum values for fields
Count function
returns a count of events matching search criteria
distinct count function (dc)
returns the count of unique values in the search results
What does the rare command do?
returns the least common field values of a given field in the results
sum function
returns the sum of all numerical values in a field
Value function
returns unique values for a given field
an alert is an action triggered by a _____
saved search
External data used by a Lookup can come from sources like:
scripts CSV files Geospatial data
Which of the following Splunk components typically resides on the machines where data originates?
search head
Define a lookup
settings lookup add new lookup definition give the lookup a name select file based select the .csv file
Which of the following are common constraints of the Top Command?
showperc, countfield
when placed early in the search, which command is most effective at reducing search execution time?
sort -
Splunk uses ______ to categorize the type of data being indexed
sourcetype
what search would return events from the access_combined sourcetype?
sourcetype=Access_Combined
what is the correct syntax to count the number of events containing a vendor_action field?
stats count (vendor_action)
When writing searches in Splunk, which of the following is true about booleans
they must be in uppercase
what is the most efficient filter for running searches in Splunk?
time
What user interface component allows time selection?
time range picker
what is the purpose of using a by clause with the stats command?
to group the results by one or more fields
Pivots can be saved as dashboard panels
true
Real-time alerts will run the search continuously in the background.
true
The monitor input option will allow you to continuously monitor files
true
a lookup is categorized as a dataset
true
alerts can be shared to all apps
true
alerts can run uploaded scripts
true
alerts can send email
true
what is a suggested Splunk best practice for naming reports?
use a consistent naming convention so they are easily separated by characteristics such as group and object
real-time alert type
will run the search continuously in the background as soon as alert conditions are satisfied an action is triggered