All About SPL
Where are saved searches stored on the backend?
/opt/splunk/etc/apps/<AppName>/local/savedsearches.conf
What are the suggested segmented keys for naming knowledge objects?
1) Group 2) Type 3) Platform 4) Category 5) Time 6) Description
What are the 3 predefined ways that permissions of knowledge can be displayed to users?
1) Private (Default for a user) 2) Shared - for a specific app (Private and Admin controlled) 3) Shared - All apps (Admin only controlled)
When does a Splunk value become case sensitive?
1) Regex 2) Eval
What are two ways you can edit a lookup file through the GUI?
1) The lookup editor, which first must be installed. 2) outputlookup append=t
What are 3 ways you can do field extractions?
1) props and transforms 2) the rex command 3) the field extractor
What do the addcoltotals and addtotals commands do?
Adds the totals of your table as either a row or a column.
What are the differences between stats, eventstats, and streamstats?
All of these commands operate with statistical functions; however, eventstats and streamstats give you a new field. Finally, streamstats shows your data over time.
What clause cannot be used with the table command?
As
What is the fieldformat command used for and what is the syntax?
Changes how results of a field are rendered using an eval expression. Creates a new field.
What does the | transaction command do?
Collapses a set of events that belong to a single transaction into a single event.
What are transforming commands?
Commands that have visualizations
What does the _raw internal field show?
Contains the original raw data of an event
What does the iplocation command do? What are its limitations?
Converts ip addresses into geographical location like city, state, zipcode, and country. It is limited because it is not regularly kept up to date. For security, companies will often download alternatives like maxmind for more accurate conversions.
What does the nomv(no multivalue) command do?
Converts the values of a specified multivalue field into one value.
What does the | convert command do?
Converts values of a field into numerical values. Commonly used to change epoch time into something human readable.
What are as clauses for?
Customizes your field names, essentially renames them
What are Tags?
Descriptive names for key value pairs.
How does streamstats differ from the eventstats command?
Does the same thing as eventstats but does so while aggregating the data by time.
What is the mvexpand command for?
Expands the values within a multivalued field across multiple events - one event per value in the multivalued field.
What must a calculated field be based upon?
Extracted fields
True or false. The table command retains default fields.
False, the table command removes all default fields.
What is a calculated field?
Fields added to events at search time that perform calculations on the values of two or more extracted fields already present. This is a shortcut to transforming commands using eval.
What does the rare command do?
Finds the least common values for the fields in the field list. It does so by calculating a count and percentage for frequency of occurrence.
What does the top command do?
Finds the most common values for the fields in the fields list. It does so by calculating a count and percentage for frequency of occurrence.
What are by clauses for?
Groups your results by a specified field
How would you leverage a scheduled search to be used across multiple dashboards?
I would use the loadjob command
What is important to remember about the list function?
It automatically truncates, so you may have 12k events but only 100 are actually shown.
What is the limitation of the sort command?
It returns a max of 10,000 events by default. You can set the limit=0 to return all results.
What is the | regex command for?
Just helps you filter your data. Does not create a field.
What does the limit option do in SPL?
Limits your search results to return a specified number of your choosing.
What is the only thing you can do with the table command?
List fields behind it to be part of the table. You cannot use commands like the as or by clause
What is the difference between lists and values?
List shows all occurrences and values excludes duplicate data.
Can you use the "as" command after using the "by" command?
No, after using the by command you must use a different method to rename fields
Does dedup optimize your searches?
No, because it is a non streaming command so it returns your search results after all results are complete.
How many by fields can you specify with the timechart command?
One
What does the bin aka bucket command do?
Places continuous numerical values into sets depending on what option you choose. The bins option can be used for sizing; span is used for time.
What does the _cd internal field show?
Provides an address for the event within an index
What is the | stats command, and what are some of its functions?
Provides statistics, grouped optionally by fields. Avg()/mean(), count(), max(), min(), median(), mode(), sum(), list(), values(), dc()/distinctcount()
What is the difference between the rare command and the top command?
Rare returns the least common events and top returns the most common results
What does the makemv(make multivalue) command do?
Recognizes values separated by a delimiter as containing more than one value.
What's the difference between a saved search and a report?
Reports have visualizations and saved searches do not.
What are streaming commands?
Results are calculated and returned while Splunk is running your search.
What are non streaming commands?
Results are only analyzed and returned after gathering all of your data and looking at it together.
What does the list function return?
Returns all of the values
What does the values function return?
Returns all unique values (does not include any dupe data)
What can be done with the rest command?
Returns data from the splunk rest api endpoints.
What does the count function return?
Returns the count of all values
What does the dc/distinctcount function return?
Returns the count of the number of unique values.
Would you use the search command or the regex command to filter your search?
Search
How do you start a new line in a search?
Shift + return
What does the _bkt internal field show?
Shows the bucket ID the event is located in
What does the _indextime internal field show?
Shows the time the event was indexed
What are the options of the trendline command and what do they mean?
Simple moving average (sma) is the standard option. Exponential moving average (ema). And weighted moving average (wma), which gives more credence to the most recent averages.
What does the sort command do?
Sorts all results by a field(s)
What commands can use a span option?
stats, bin, timechart
Is the timechart command streaming or non-streaming?
Streaming
Is the | fields command streaming or non-streaming?
Streaming
What is the table command?
Tables a list of fields to retain in your results in a tabular format. With the exception of scattergraph, table is not used for visualizations or charts.
What is the | fields command?
Tells Splunk which fields to retain in your results
What command computes the moving average of fields?
The trendline command.
What command returns info about a specified index and is useful for troubleshooting?
The dbinspect command
What command would you use to learn the number of events within a particular index?
The eventcount command
What do the max and min functions return?
The largest and smallest values respectively
What does the median function return?
The middle value
What is the difference between the rex command and the regex command?
The rex command is used for search time field extractions. Regex is used to filter your search through pattern matching.
Should you use many rex commands in your searches? Why or why not?
The rex command is very resource intensive, so using many of them will slow your searches. Best practice is to create the saved field extraction on the search head.
You need to perform a search using the search command or the transaction command to bring back the same results. Which would you use and why?
The search command because the transaction command is resource intensive.
What does the _time internal field show?
The time that an event occurred
What does the mode function return?
The value that appears most in the set
How do you perform search time field extractions?
The | rex command
What are internal fields?
They are the default fields that come automatically attached to events but are hidden from view. They are preceded by an "_" (underscore)
What does the predict command do?
This command follows a timechart command and forecasts values into the future (or fills in missing values). Has many options that are math algorithms that you can choose depending on the scenario.
What is the | search command?
This command is implied at the start of the search. Required as a piped-in command in later parts of the query.
What is the | outputlookup command used for?
To save a search as a lookup table.
When do you use transaction vs stats? And which is more efficient?
Transaction is for showing events in correlation with one another or when they need to be grouped by start/end values. Stats is for seeing the statistical calculations on a field and when you need to sort the results by other fields. Stats is more efficient and should be used whenever possible as opposed to transaction.
Tag values are case sensitive when used in searches. True or False?
True
True or false. The fields command is suitable for visualizations.
True
How many by fields can be called out in the stats command?
Unlimited
What is the geostats command for?
Used to gather statistical information and generate it on a map. Can use the same statistical functions as stats but has added options such as longfield and latfield which are specific to maps. Can be used with iplocation, which gives you the latitude and longitude.
When would you use the | rex command?
When there are values within your raw data that you wish to pair with a given field name.
What is the chart command?
Will return your data in a table format with an x axis and y axis.
What is a field alias?
You can apply many aliases to one or more fields to apply to lookups. Example - multiple username fields across multiple sourcetypes.
What fields does the | fields command retain in your results by default?
_raw and _time
Name two ways that you would deal with a search that has to be run over a long period of time and has an abundance of data.
1) Summary indexing: summarize the data over time. 2) Create a lookup: make a lookup, set its definition, and dump the results of the search over time into the lookup table.
What are the clauses you can use with the chart command?
as, by, over
How does the eventstats command differ from the stats command?
eventstats will perform the statistical calculation and put it into its own field without getting rid of your raw data.
What is the difference between the head and tail commands?
head brings back the top events in the search and tail brings back the bottom events in the results.
What is the difference between a csv lookup and kv store lookups?
kv store is dynamic and csv is static. When you make a change through the csv you have to remove and re-upload the csv again, whereas with the kv store you can update the lookup in the GUI. KV store is better if your lookup data changes frequently.
Where is the savedsearches.conf file located?
/opt/splunk/etc/apps/<AppName>/local/savedsearches.conf
What does the replace command do?
Renames a value within a specified field of your choosing. (replace value WITH newValue IN field)
What option would you use to set the results to run at a given interval of your choosing?
span=5m (example)
What command would you use to search across structured data?
spath, which allows you to search within the nested structured data.
What commands use statistical functions?
stats, chart, and timechart
What goes in front of all commands?
the "|"
What conf file stores lookups and where is it located?
the collections.conf file at /opt/splunk/etc/apps/Admin/local
What command is used to call a saved lookup table in your search?
| inputlookup
How would you leverage a scheduled search across multiple dashboards?
| loadjob command
What command would you use to return the fields of your choosing from a lookup table?
| lookup