Splunk Advanced Power User Part 1


2.1 Using conversion functions What are some of the formats used with the printf function?

- %d or %i - integers
- %f or %F - floating point numbers
- %s or %z - strings
- %o - octal numbers (base-8)
- %x or %X or %p - hexadecimal numbers (base-16)

5.0 Advanced Field Creation and Management What are the quantifiers in regex?

* + ? {}

3.4 Using external lookups Where must external lookups live?

- $SPLUNK_HOME/etc/searchscripts
- $SPLUNK_HOME/etc/apps/<app_name>/bi

5.0 Advanced Field Creation and Management In regex, what do \d and \w represent?

- \d - any digit
- \w - any word character

8.2 Identifying which reports qualify for acceleration What is considered the number limit on events for report acceleration?

100k events

2.1 Using conversion functions What is the range of the optional base on the tonumber function?

2 - 36

8.2 Identifying which reports qualify for acceleration What is a streaming command?

A command that acts on events as they come in from a search; does not require the full set of search events to be completed

8.2 Identifying which reports qualify for acceleration What is a non-streaming command?

A command that requires the full set of search events to complete before they are executed

4.3 Outputting alert results to a lookup What happens when you output to a lookup that does not yet exist?

A lookup will be created in the default directory of the associated app

1.6 Using streamstats What does the streamstats command do?

Adds cumulative summary statistics to all search results in a streaming manner; calculates statistics for each event at the time the event is seen.

4.1 Logging and Indexing searchable alert events Which permissions are required to create alerts?

Admin or the edit_tcp capability

3.3 Using KV Store Lookups Who can create or define a KV store lookup?

Administrator

5.4 Understand how to improve regex performance in Splunk What are some good practices for using regex?

- Avoid backtracking by avoiding greedy operators like (.)
- Use non-greedy operators like (?)
- Use simple expressions
- Avoid using multiple wildcard matches
- Use + rather than *
- Check search.kv in the job inspector

2.1 Using conversion functions What are integers represented by in the printf function? A) %I B) %d C) %e D) %i

B) %d D) %i

2.1 Using conversion functions What are floating point numbers represented by in the printf function? A) %p B) %f C) %P D) %F

B) %f D) %F

2.1 Using conversion functions What are strings represented by in the printf function? A) %S B) %s C) %Z D) %z

B) %s D) %z

2.1 Using conversion functions What does the function printf do?

Builds a string value based on a string format and optional arguments

1.2 Using fieldsummary What does the fieldsummary command do?

Calculates a variety of summary stats for all or a subset of the fields

2.1 Using conversion functions What does the function tonumber do?

Converts a string or field to a numeric value

2.7 Date and Time Functions What does the function strptime do?

Converts a time in string format into a timestamp. Opposite of strftime.

2.7 Date and Time Functions What is the function strftime used for?

Converts a timestamp to a string format. Example:

| eval Hour=strftime(_time, "%b %d, %I %p")

173463712 = Jan 24 11 AM

2.2 Using text functions What do the lower and upper functions do?

Converts string to lower and upper case, respectively

1.6 Using streamstats What are 3 arguments associated with streamstats?

- current
- window
- time_window (events must be sorted by _time)

6.1 Understanding self-describing data What defines self-describing data?

Data that has a structure or schema

1.2 Using fieldsummary True or False The maxvals argument can be negative

False

3.3 Using KV Store Lookups True or False A KV store lookup can be modified by multiple users at the same time

False

3.3 Using KV Store Lookups True or False KV store lookups support case-insensitive input

False

3.3 Using KV Store Lookups True or False REST API access is not able to be used with a KV Store lookup

False

2.5 Using statistical functions True or false The function max returns the total max of all values

False. The max function returns the highest value found.

1.5 Using eventstats What does the eventstats command do?

Generates summary statistics of all existing fields in your search results

3.5 Using Geospatial Lookups What command is used with a geospatial lookup?

geom

2.2 Using text functions What are the requirements of the substr function?

Has 2 or 3 arguments; the first 2 are X, a string, and Y, a numeric. Z is optional and numeric.

2.4 Using informational functions What does the function isnull do?

If the field returns a null value it will return true, otherwise it will return false

3.3 Using KV Store Lookups Where is the KV store lookup defined?

In the collections.conf file

5.4 Understand how to improve regex performance in Splunk With regex, where can you find search.kv?

In the job inspector

1.2 Using fieldsummary What does is_exact field do?

Indicates whether distinct_count is exact through a boolean (0 or 1)

6.2 Using the spath command What are the 3 optional arguments used with spath?

- input
- output
- path

1.3 Using appendpipe What does the appendpipe command do?

It appends the results of the sub-pipeline as new lines to the outer search. Unlike a subsearch, the sub-pipeline is not run first but instead when the search reaches the appendpipe command.

2.2 Using text functions What does the substr function do?

It returns a substring of X, starting at the index specified by Y and number of characters specified by Z; if Z is not provided the function returns the rest of the string

6.2 Using the spath command If a field has an integer like {3}, what does it represent?

It specifies the position of the data in the file

1.2 Using fieldsummary If maxvals is set to 0, what will this return?

It will return all available distinct values for each field

6.1 Understanding self-describing data What file types are considered self-describing data?

JSON and XML

3.5 Using Geospatial Lookups What are the file types associated with geospatial lookups?

- KML files (Keyhole Markup Language)
- KMZ files (compressed Keyhole Markup Language files)

3.3 Using KV Store Lookups What does KV stand for?

Key Value

3.3 Using KV Store Lookups What is a KV store lookup?

Lookup used for large lookup files that require regular editing

1.1 Performing Statistical Analysis with Stats function What does the var function of the stats command do?

Measures how far the values are spread out (variance)

1.1 Performing Statistical Analysis with Stats function What does the stdev function of the stats command do?

Measures standard deviation (the extent of deviation of the values)

4.5 Creating a log event alert action What are the 4 types of log event tokens?

- Metadata
- Search Results
- Server Information
- Job Information

3.1 Applying advanced lookup options What are the advanced options when creating a lookup file?

- Minimum matches - minimum number of matches for each lookup value
- Default matches - value to output when fewer than the minimum matches are present for a given input
- Maximum matches - maximum number of matches for each lookup value
- Case sensitive - if unchecked, case-insensitive matching is performed for all fields in the lookup table
- Batch index query - if checked, improves performance of large lookup files
- Filter lookup - filters results from the lookup table before returning data
- Match type - similar to filter lookup, but using wildcards and/or CIDR

8.2 Identifying which reports qualify for acceleration What type of commands come after a transforming command in an accelerated search? Give examples

Non-streaming commands, e.g. eval, rename

3.3 Using KV Store Lookups Where does a KV Store lookup live?

On the search head

3.4 Using external lookups What kind of executables must external lookups be?

Python or binary

2.2 Using text functions What does the replace function do?

Replaces a value with another, specified with regex. Example, where X is the field, Y is the regex and Z is the replacement:

| eval clientip=replace(clientip, "regex", "Z")

8.1 Describing acceleration What are the 3 types of acceleration?

- Report
- Summary Indexing
- Data Model

2.3 Using comparison and conditional functions Coalesce(X1,X2...) what does this function do?

Retrieves the value from the first field defined in the current event. Used to normalize field names from result sets where two or more field names represent the same data field.

2.7 Date and Time Functions What does the function relative_time do?

Returns a timestamp relative to a supplied time

2.3 Using comparison and conditional functions What does the function typeof do?

Returns an argument that tells the data type of the argument (string, number or boolean)

2.3 Using comparison and conditional functions Cidrmatch(X,Y) what does this function do?

Returns true or false based on whether the provided IP address Y matches the subnet X. Example, with an internal range of 87.x.x.x/25:

| eval islocal=if(cidrmatch("87.194.216.0/25", src), "local", "not local")

The statement would return "local" because the match is true.

2.2 Using text functions substr (X,Y,Z) if no Z is provided what will happen

Returns the rest of the string starting with the number specified by Y

2.3 Using comparison and conditional functions match(field,regex) what does the match function do?

Returns true or false depending on whether the value matches the regex, e.g.:

| eval new_field = if(match('first name',".+_8"),"true","false")

Look at the field "first name" and apply the regex (in our case any character, more than once, followed by _8). If it matches, mark as true; if not, mark as false.

2.5 Using statistical functions What do the functions ceiling and floor do?

Rounds up and down, respectively

4.4 Using a webhook alert action When a webhook alert is generated, what information is provided in the JSON file?

- Search ID (SID)
- Link to results
- Owner and app
- First result row from the triggering search results

8.1 Describing acceleration Which search modes allow for report acceleration?

Smart, Fast

1.2 Using fieldsummary What does the maxvals argument do?

Specifies the max distinct values to return for each field

8.2 Identifying which reports qualify for acceleration What type of command comes before transforming commands in an accelerated search? Give examples

Streaming commands, e.g. eval, search, fields, multikv, rex, rename, replace

6.4 Using the multikv command Where are the field names taken from when using multikv?

The header of the table

2.7 Date and Time Functions What are the variables used with the strftime function?

Time:
- %H - 24 hour (00 to 23)
- %T - 24 hour (HMS)
- %I - 12 hour (0 to 12)
- %M - minute (00 to 59)
- %p - AM or PM

Days:
- %d - day of month (01-31)
- %w - weekday (0 to 6)
- %a - abbreviated weekday (Sun)
- %A - weekday (Sunday)

Month:
- %b - abbreviated month name (Jan)
- %B - month name (January)
- %m - month number (01 to 12)

2.6 Using the makeresults command What is the purpose of the makeresults command?

To generate the specified number of search results in temporary memory. If no number is entered, just a timestamp in a table will be returned.

8.2 Identifying which reports qualify for acceleration What type of command is required to accelerate a report?

Transforming

1.3 Using appendpipe True or False Appendpipe runs inline

True

2.6 Using the makeresults command True or false The makeresults command needs to be the first command in a search

True

4.3 Outputting alert results to a lookup True or False Outputting to a lookup that already exists will overwrite it.

True

7.1 Using nested search macros True or False Arguments from the outer macro can be used for the inner macro.

True

7.3 Using other knowledge objects with macros True or false Tags and eventtypes can be used in macros

True

8.3 Identifying when Splunk doesn't build an acceleration summary True or False Splunk periodically checks to make sure a report meets the acceleration requirements if it did not in the past.

True

3.6 Understanding best practices for lookups What are some best practices for lookups?

- Use KV store lookups for large lookups
- Use automatic lookups for commonly used fields
- Order key fields in lookup tables from left to right
- Use search.lookup in the job inspector to see how long the lookup took to execute

7.1 Using nested search macros What does it mean to nest a macro?

Using a macro within another macro

6.4 Using the multikv command What does the multikv command do?

When you have events that are tabulated, it will place each row and column into their own events.

2.7 Date and Time Functions strptime(x,y) what is x and what is y?

X = a time represented by a string (11:59:00 AM) Y = a timestamp format (using the same variables as strftime)

6.3 Using the eval command with the spath function Spath (X,Y) - What does the X and Y refer to?

X = input source field Y = XML or JSON location path to the value you want to extract from X

2.2 Using text functions replace(X,Y,Z) What does each letter in the above function do?

- X is the value for the function to run on
- Y is the regex setting the criteria for character replacement
- Z is the characters that will replace the old characters

6.2 Using the spath command If a string has an @symbol in it, what does it specify?

XML attribute

2.2 Using text functions replace(X,Y,Z) Which letter contains the regex to specify the characters to replace?

Y

5.0 Advanced Field Creation and Management What does ? represent in regex?

Zero or one occurrence; makes a search non-greedy

2.5 Using statistical functions What is the range of the function random? a) 2^33 - 1 b) 2^35 - 1 c) 2^31 - 1 d) 2^32 - 1

c) 2^31 - 1

7.2 Previewing search macros before executing What is the keyboard shortcut to preview a macro?

ctrl + shift + e

2.7 Date and Time Functions What type of time does the function strftime convert?

epoch time/Unix time

5.3 Performing search time field extraction using the erex and rex commands What are two search options in Splunk to perform regex?

erex, rex

3.4 Using external lookups What default script comes with a Splunk deployment?

external_lookup.py

1.2 Using fieldsummary Which fields does the fieldsummary command come with?

- field
- count
- distinct_count
- is_exact - boolean (0 or 1)
- max (numeric field)
- min
- numeric_count
- stdev (if field is numeric)
- values

6.4 Using the multikv command What option is used to extract the specified fields?

fields

6.4 Using the multikv command What option is used to filter?

filter

3.5 Using Geospatial Lookups What two geo lookups come with Splunk?

- geo_us_states
- geo_countries

1.2 Using fieldsummary What are the optional arguments for the fieldsummary command?

maxvals

2.5 Using statistical functions What are the 4 hashes supported by the cryptographic function?

md5, sha1, sha256, sha512

2.7 Date and Time Functions What are the specifier abbreviations for relative_time?

- s - seconds
- m - minutes
- d - days
- w - weeks
- mon - months
- y - years

8.1 Describing acceleration What privilege must you have for report acceleration?

schedule_search_privilege

8.2 Identifying which reports qualify for acceleration What are some examples of transforming commands needed for report acceleration?

stats, chart, timechart, top, rare

2.2 Using text functions Lower(X) will result in what?

x (lowercase)

3.6 Understanding best practices for lookups What command should be used to validate an uploaded lookup in search?

| inputlookup <lookup>
