Splunk user exam question and answers prep


Which of the following is the recommended way to create multiple dashboards displaying data from the same search? A: Save the search as a report and use it in multiple dashboards as needed. B: Save the search as a dashboard panel for each dashboard that needs the data C: Save the search as a scheduled alert and use it in multiple dashboards as needed. D: Export the results of the search to an XML file and use the file as the basis of the dashboards

A: Save the search as a report and use it in multiple dashboards as needed.

Which command automatically returns percent and count columns when executing searches? A: top B: stats C: table D: percent

A: top

Which of the following fields is stored with the events in the index? A: User B: Source C: location D: SourceIp

C: location

When placed early in a search, which command is most effective at reducing search execution time? A: dedup B: rename C: sort - D: fields +

D: fields +

By default, how long does Splunk retain a search job? A: 10 minutes B: 15 minutes C: 1 day D: 7 days

A: 10 minutes

Which Boolean operator is implied between search terms, unless otherwise specified? A: OR B: AND C: NOT D: NAND

B: AND

What user interface component allows for time selection? A: Time summary B: Time range picker C: Search Time picker D: Data source time statistics

B: Time range picker

When an alert action is configured to run a script, Splunk must be able to locate the script. Which of the following is one of the directories Splunk will look in to find the script? A: $SPLUNK_HOME/bin/scripts B: $SPLUNK_HOME/etc/scripts C: $SPLUNK_HOME/bin/etc/scripts D: $SPLUNK_HOME/etc/scripts/bin

A: $SPLUNK_HOME/bin/scripts

When editing a dashboard, which of the following are possible options? (select all that apply) A: Add an output B: Export a dashboard panel. C: Modify the card type displayed in a dashboard panel. D: Drag a dashboard panel to a different location on the dashboard.

A: Add an output B: Export a dashboard panel. C: Modify the card type displayed in a dashboard panel. D: Drag a dashboard panel to a different location on the dashboard.

What are the steps to schedule a report? A: After saving the report, click schedule. B: After saving the report, click event type C: After saving the report, click scheduling D: After saving the report, click dashboard panel

A: After saving the report, click schedule.

Which statement is true about Splunk alerts? A: Alerts are based on searches that are either run on a scheduled interval or in real-time. B: Alerts are based on searches and when triggered will only send an email notification. C: Alerts are based on searches and require cron to run on a scheduled interval D: Alerts are based on searches that are run exclusively in real-time

A: Alerts are based on searches that are either run on a scheduled interval or in real-time.

A collection of items containing things such as data inputs, UI elements and knowledge objects is known as what? A: An App B: JSON C: A role D: An enhanced solution

A: An App

What type of search can be saved as a report? A: Any search can be saved as a report B: Only searches that generate visualizations C: Only searches containing a transforming command D: Only searches that generate statistics or visualizations

A: Any search can be saved as a report

Select the answer that displays the accurate placement of the pipe in the following search string: index=security sourcetype=access_* status=200 stats count by price A: index=security sourcetype=access_* status=200 | stats count by price B: index=security sourcetype=access_* status=200 stats | count by price C: index=security sourcetype=access_* status=200 stats | count by price D: index=security sourcetype=access_* status=200 stats | count by

A: index=security sourcetype=access_* status=200 | stats count by price

When displaying the results of a search, which of the following is true about line charts? A: Line charts are optimal for single and multiple series. B: Line charts are optimal for single series when using fast mode. C: Line charts are optimal for multiple series with 3 or more columns D: Line charts are optimal for multiseries searches with at least 2 or more columns

A: Line Charts are optimal for single and multiple series.

Which stats command function provides a count of how many unique values exist for a given field in the result set? A: dc(field) B: count(field) C: count-by(field) D: distinct-count(field)

A: dc(field)

Which search matches the events containing the terms "error" and "fail"? A: index=security Error Fail B: index=security Error OR fail C: index=security "error failure" D: index=security NOT error NOT fail

A: index=security Error Fail

Which of the following searches would return events with failure in index netfw, or warn or critical in index netops? A: (index=netfw failure) and index=netops warn or critical B: (index=netfw failure) OR (index=netops (warn or critical)) C: (index=netfw failure) and (index=netops (warn or critical)) D: (index=netfw failure) OR index=netops OR (warn or critical)

B: (index=netfw failure) OR (index=netops (warn or critical))

Which of the following is an option after clicking an item in search results? A: Saving the item to a report B: Adding the item to the search C: Adding the item to a dashboard D: Saving the search to a JSON file

B: Adding the item to the search

Which events will be returned by the following search string? host=www3 status=503 A: All events that either have a host of www3 or a status of 503 B: All events with the host of www3 that also have a status of 503 C: We need more information; we cannot tell without knowing the time range D: We need more information; a search cannot be run without specifying an index

B: All events with the host of www3 that also have a status of 503

In the Splunk interface, the list of alerts can be filtered based on which characteristics? A: App, Owner, Severity, Type B: App, Owner, Priority, Status C: App, Dashboard, Type, Severity D: App, Time window, Type, Severity

B: App, Owner, Priority, Status

What is a primary function of a scheduled report? A: Auto-detect changes in performance B: Auto-generated PDF reports of overall data trends C: Regularly scheduled archiving to keep disk space low D: Triggering an alert in your Splunk instance when certain conditions are met

B: Auto-generated PDF reports of overall data trends

When running searches, command modifiers in the search string are displayed in what color? A: Red B: Blue C: Orange D: Highlighted

B: Blue

When a Splunk search generates calculated data that appears in the Statistics tab, in what format can the results be exported? A: CSV, JSON, PDF B: CSV, XML, JSON C: Raw Events, XML, JSON D: Raw Events, CSV, XML, JSON

B: CSV, XML, JSON

Which of the following components typically resides on the machines where data originated? A: Indexer B: Forwarder C: Search head D: Deployment server

B: Forwarder

Which of the following is true about user account settings and preferences? A: Search and Reporting is the only app that can be set as the default application B: Full name can only be changed by accounts with the power user and admin role C: Time zones are automatically updated based on the settings of the computer accessing Splunk D: Full name, time zone and default app can be defined by clicking the login name in the search bar.

B: Full name can only be changed by accounts with the power user and admin role

What user interface component allows for time selection? A: Time Summary B: Time range picker C: Search time picker D: Data Source Statistics

B: Time range picker

What is the purpose of using a by clause with the stats command? A: To group the results by one or more fields B: To compute numerical statistics on each field C: To specify how the values in a list are delimited D: To partition the input data based on the split-by fields

B: To compute numerical statistics on each field

What is a suggested Splunk best practice for naming reports? A: Reports are best named using many numbers so they can be more easily sorted. B: Use a consistent naming convention so they are easily separated by characteristics such as gr C: Name reports as uniquely as possible with no overlap to differentiate them from one another D: Any naming convention is fine as long as you keep an external spreadsheet to keep track.

B: Use a consistent naming convention so they are easily separated by characteristics such as gr

At index time, in which field does Splunk store the timestamp value? A: time B: _time C: EventTime D: timestamp

B: _time

What syntax is used to link key/value pairs in search strings? A: action+purchase B: action=purchase C: action| purchase D: action equal purchase

B: action=purchase

Which of the following index searches would provide the most efficient search performance? A: Index=* B: Index=web OR index=s* C: (index=web OR index=sales) D: *index=sales AND index=web*

C: (index=web OR index=sales)

What determines the scope of data that appears in a scheduled report? A: All data accessible to the user role will appear in the report B: All data accessible to the owner of the report will appear in the report C: All data accessible to the user in the report will appear until the next time the report is run D: The owner of the report can configure the permission so that the uses, either the user role or the owner's time.

C: All data accessible to the user in the report will appear until the next time the report is run

How can another user gain access to a saved report? A: The owner of the report can edit permissions from the Edit dropdown. B: Only users with the Admin or Power user role can access other users' reports. C: Anyone can access any reports marked as public within a shared Splunk deployment D: The owner of the report must clone the original report and save it to their user account.

C: Anyone can access any reports marked as public within a shared Splunk deployment

Which command is used to validate a lookup file? A: | lookup products.csv B: inputlookup products.csv C: | inputlookup products.csv D: | lookup definition products.csv

C: | inputlookup products.csv

Which of the following is a best practice when writing a search string? A: Include all formatting commands before any search terms. B: Include at least one function as this is a search requirement. C: Include the search terms at the beginning of the search string D: Avoid using formatting clauses, as they add much overhead

C: Include the search terms at the beginning of the search string

Which of the following describes lookup files? A: lookup fields cannot be used in searches. B: Lookups contain static data available in the index C: Lookups add more fields to results returned by a search D: Lookups pull data at index time and add them to search results.

C: Lookups add more fields to results returned by a search

What can be included in the All Fields option in the sidebar? A: Dashboards B: Metadata only C: Non-interesting fields. D: Field descriptions

C: Non-interesting fields.

What is the correct syntax to count the number of events containing a vendor_action field? A: count stats vendor_action B: count stats (vendor_action) C: stats count(vendor_action) D: stats vendor_action(count)

C: stats count(vendor_action)

Which of the following are functions of the stats command? A: Count, Sum, Add B: Count, Sum, less C: Sum, Avg, Values D: Sum, Values, table

C: Sum, Avg, Values

What must be done in order to use a lookup table in Splunk? A: The lookup must be configured to run automatically. B: The contents of the lookup file must be copied and pasted into the search bar C: The lookup file must be uploaded to Splunk and a lookup definition must be created D: The lookup file must be uploaded to the etc/apps/lookups folder for automatic ingestion

C: The lookup file must be uploaded to Splunk and a lookup definition must be created

How do you add or remove fields from search results? A: Use field + to add and field - to remove B: Use table + to add and table - to remove C: Use fields + to add and fields - to remove D: Use fields plus to add and fields minus to remove

C: Use fields + to add and fields - to remove

When looking at a dashboard panel that is based on a report, which of the following is true? A: You can modify the search string in the panel, and you can change and configure the visualization B: You can modify the search string in the panel, but you cannot change and configure the visualization C: You cannot modify the search string in the panel, but you can change and configure the visualization D: You cannot modify the search string in the panel, and you cannot change and configure the visualization

C: You cannot modify the search string in the panel, but you can change and configure the visualization

What is the main requirement for creating a visualization using the Splunk UI? A: Your search must transform event data into Excel file format first B: Your search must transform event data into XML formatted data first C: Your search must transform event data into statistical data tables first D: Your search must transform event data into JSON formatted data first

C: Your search must transform event data into statistical data tables first

What does the stats command do? A: Automatically correlates related fields B: Converts field values into numerical values C: Calculates statistics on data that matches the search criteria D: Analyzes numerical fields for their ability to predict another discrete field

C: Calculates statistics on data that matches the search criteria

According to Splunk best practices, which placement of the wildcard results in the most efficient search? A: f*il B: *fail C: fail* D: *fail*

C: fail*

When sorting on multiple fields with the sort command, what delimiter can be used between the field names in the search? A: | B: $ C: ! D: ,

D: ,

When sorting on multiple fields with the sort command, what delimiter can be used between the field names in the search? A: | B: $ C: ! D: ,

D: ,

When viewing the results of a search, what is an interesting field? A: A field that appears in any event B: A field that appears in every event C: A field that appears in the top 10 events D: A field that appears in at least 20% of the events

D: A field that appears in at least 20% of the events

Which statement is true about the top command? A: It returns the top 10 results B: It displays the output in table format C: It returns the count and percentage columns per row. D: All of the above

D: All of the above

What can be configured using the Edit Job Settings menu? A: Export the results to CSV format B: Add the Job results to a dashboard C: Schedule the job to re-run in 10 minutes D: Change job lifetime from 10 minutes to 7 days

D: Change job lifetime from 10 minutes to 7 days

In a deployment with multiple indexes, what will happen when a search is run and an index is not specified in the search string? A: No events will be returned. B: Splunk will prompt you to specify an index C: All non-indexed events to which the user has access will be returned D: Events from every index searched by default to which the user has access will be returned

D: Events from every index searched by default to which the user has access will be returned

What does the following specified time range do? earliest=-72h@h latest=@d A: Look back 3 days ago and prior B: Look back 72 hours, up to one day ago C: Look back 72 hours, up to the end of today D: Look back from 3 days ago, up to the beginning of today

D: Look back from 3 days ago, up to the beginning of today

What syntax is used to link key/value pairs in search strings? A: @ or # symbol B: Parentheses C: Question marks D: Relational operators such as =, < or >

D: Relational operators such as =, < or >

By default, which of the following is a Selected field? A: Action B: CategoryId C: ClientIp D: Sourcetype

D: Sourcetype

What happens when a field is added to the selected fields list in the fields sidebar? A: Splunk will re-run the search job in Verbose mode to prioritize the new selected field. B: Splunk will highlight related fields as a suggestion to add them to the selected fields list. C: Custom selection will replace the interesting fields that Splunk populated into the list at search time. D: The selected field and its corresponding value will appear underneath the event in the search field.

D: The selected field and its corresponding value will appear underneath the event in the search field.

Which is the primary function of the timeline located under the search bar? A: To differentiate between structured and unstructured events in the data. B: To sort the events returned by the search command in chronological order. C: To zoom in and zoom out, although this does not change the scale of the chart. D: To show peaks and/or valleys in the timeline, which can indicate spikes in activity or downtime.

D: To show peaks and/or valleys in the timeline, which can indicate spikes in activity or downtime.

What is the primary use of the rare command? A: To sort field values in descending order B: To return only fields containing five or fewer values C: To find the least common values of a field in a dataset D: To find the fields with the fewest number of values across a dataset

D: To find the fields with the fewest number of values across a dataset

Which search string is the most efficient? A: "Failed password" B: "Failed password"* C: index=* "Failed password" D: index=security "Failed password"

D: index=security "Failed password"

Which of the following are common constraints of the top command? A: limit, count B: limit, showpercent C: limits, countfield D: showperc, countfield

D: showperc, countfield

Which search string matches only events with the status_code of 404? A: status_code!=404 B: status_code>=400 C: status_code<=404 D: status_code>403 status_code<405

D: status_code>403 status_code<405
