SPLK-1001

Ace your homework & exams now with Quizwiz!

When an alert action is configured to run a script, Splunk must be able to locate the script.Which is one of the directories Splunk will look in to find the script?

$SPLUNK_HOME/bin/scripts

Which of the following searches would return events with failure in index netfw or warn or critical in index netops?

(index=netfw failure) OR (index=netops (warn OR critical))

Which of the following index searches would provide the most efficient search performance?

(index=web OR index=sales)

When sorting on multiple fields with the sort command, what delimiter can be used between the field names in the search?

,

By default, how long does Splunk retain a search job?

10 Minutes

In the fields sidebar, what indicates that a field is numeric?

A # symbol to the left of the field name.

When viewing the results of a search, what is an Interesting Field?

A field that appears in at least 20% of the events.

Which Boolean operator iterm-30s always implied between two search terms, unless otherwise specified?

AND

Which of the following is an option after clicking an item in search results?

Adding the item to the search.

What are the steps to schedule a report?

After saving the report, click Schedule.

Which statement is true about Splunk alerts?

Alerts are based on searches that are either run on a scheduled interval or in real-time.

Which events will be returned by the following search string? host=www3 status=503

All events with a host of www3 that also have a status of 503.

What kind of logs can Splunk Index?

All firewall, web server, database, router and switch logs

Which statement is true about the top command?

All of the above.

A collection of items containing things such as data inputs, UI elements, and knowledge objects is known as what?

An app

What is one benefit of creating dashboard panels from reports?

Any change to the underlying report will affect every dashboard that utilizes that report.

What type of search can be saved as a report?

Any search can be saved as a report.

In the Splunk interface, the list of alerts can be filtered based on which characteristics?

App, Owner, Severity, and Type

How can search results be kept longer than 7 days?

By scheduling a report.

When a Splunk search generates calculated data that appears in the Statistics tab, in what formats can the results be exported?

CSV, XML, JSON

What does the stats command do?

Calculates statistics on data that matches the search criteria.

What can be configured using the Edit Job Settings menu?

Change Job Lifetime from 10 minutes to 7 days.

A field exists in search results, but isn't being displayed in the fields sidebar.How can it be added to the fields sidebar?

Click All Fields and select the field to add it to Selected Fields.

When looking at a statistics table, what is one way to drill down to see the underlying events?

Clicking on any field value in the table.

Splunk apps are used for following (Choose three.):

Designed to cater numerous use cases and empower Splunk. Allows multiple workspaces for different use cases/user roles. It is collection of different Splunk config files like data inputs, UI and Knowledge Object.

In a deployment with multiple indexes, what will happen when a search is run and an index is not specified in the search string?

Events from every index searched by default to which the user has access will be returned.

Portal for Splunk apps can be accessed through www.splunkbase.com

False www.splunkbase.splunk.com

Which of the following statements about case sensitivity is true?

Field names ARE case sensitive; field values are NOT.

Which of the following is a Splunk search best practice?

Filter as early as possible.

After running a search, what effect does clicking and dragging across the timeline have?

Filters current search results.

Which of the following Splunk components typically resides on the machines where data originates?

Forwarder

Three basic components of Splunk are (Choose three.):

Forwarders Indexer Search Head

Which of the following is true about user account settings and preferences?

Full name, time zone, and default app can be defined by clicking the login name in the Splunk bar.

Which of the following represents the Splunk recommended naming convention for dashboards?

Group_Object_Description

Log filtering/parsing can be done from _____________.

Heavy Forwarders (HF)

How are events displayed after a search is executed?

In reverse chronological order.

Which of the following is a best practice when writing a search string?

Include the search terms at the beginning of the search string.

Which component of Splunk is primarily responsible for saving data?

Indexer

_______________ transforms raw data into events and distributes the results into an index.

Indexer

Which of the following file types is an option for exporting Splunk search results?

JSON

When displaying results of a search, which of the following is true about line charts?

Line charts are optimal for single and multiple series.

What does the values function of the stats command do?

Lists unique values of a given field.

What does the following specified time range do?earliest=-72h@h latest=@d

Look back from 3 days ago, up to the beginning of today.

Which of the following describes lookup files?

Lookups add more fields to results returned by a search.

When editing a dashboard, which of the following are possible options? (Choose all that apply.)

Modify the chart type displayed in a dashboard panel. Drag a dashboard panel to a different location on the dashboard.

What can be included in the All Fields option in the sidebar?

Non-interesting fields

When running searches, command modifiers in the search string are displayed in what color?

Orange

Which time range picker configuration would return real-time events for the past 30 seconds?

Real-time - Earliest: 30-seconds ago, Latest: Now

What syntax is used to link key/value pairs in search strings?

Relational operators such as =, <, or >

What does the rare command do?

Returns the least common field values of a given field in the results.

Which of the following is the recommended way to create multiple dashboards displaying data from the same search?

Save the search as a report and use it in multiple dashboards as needed.

Which component of Splunk let us write SPL query to find the required data?

Search head

Which is the default app for Splunk Enterprise?

Searching and Reporting

How does Splunk determine which fields to extract from data?

Splunk automatically discovers many fields based on sourcetype and key/value pairs found in the data.

What is Splunk?

Splunk is a software platform to search, analyze and visualize the machine-generated data.

What must be done before an automatic lookup can be created? (Choose all terms that apply.)

The lookup definition must be created.

What must be done in order to use a lookup table in Splunk?

The lookup file must be uploaded to Splunk and a lookup definition must be created.

What determines the scope of data that appears in a scheduled report?

The owner of the report can configure permissions so that the report uses either the User role or the owner's profile at run time.

How can another user gain access to a saved report?

The owner of the report can edit permissions from the Edit dropdown.

What happens when a field is added to the Selected Fields list in the fields sidebar?

The selected field and its corresponding values will appear underneath the events in the search results.

When writing searches in Splunk, which of the following is true about Booleans?

They must be uppercase.

Which of the following is the most efficient filter for running searches in Splunk?

Time

What user interface component allows for time selection?

Time range picker

What is the primary use for the rare command?

To find the least common values of a field in a dataset.

What is the purpose of using a by clause with the stats command?

To group the results by one or more fields.

Which is primary function of the timeline located under the search bar?

To show peaks and/or valleys in the timeline, which can indicate spikes in activity or downtime.

What is a primary function of a scheduled report?

Triggering an alert in your Splunk instance when certain conditions are met.

All components are installed and administered in Splunk Enterprise on-premise.

True

Documentations for Splunk can be found at docs.splunk.com

True

Splunk Enterprise is used as a Scalable service in Splunk Cloud.

True

Universal forwarder is recommended for forwarding the logs to indexers.

True

We should use heavy forwarder for sending event-based data to Indexers.

True

What is a suggested Splunk best practice for naming reports?

Use a consistent naming convention so they are easily separated by characteristics such as group and object.

How do you add or remove fields from search results?

Use field +to add and field -to remove.

When looking at a dashboard panel that is based on a report, which of the following is true?

You cannot modify the search string in the panel, but you can change and configure the visualization.

What is the main requirement for creating visualizations using the Splunk UI?

Your search must transform event data into statistical data tables first.

At index time, in which field does Splunk store the timestamp value?

_time

In the fields sidebar, which character denotes alphanumeric field values?

a

What syntax is used to link key/value pairs in search strings?

action=purchase

Which stats command function provides a count of how many unique values exist for a given field in the result set?

dc(field)

Which of the following searches will return results where fail, 400, and error exist in every event?

error AND (fail AND 400)

According to Splunk best practices, which placement of the wildcard results in the most efficient search?

fail*

When placed early in a search, which command is most effective at reducing search execution time?

fields +

Which search string only returns events from hostWWW3?

host=WWW3

By default, which of the following fields would be listed in the fields sidebar under interesting Fields?

index

Which search string is the most efficient?

index=security "Failed password"

Which search matches the events containing the terms `error` and `fail`?

index=security Error Fail

Which search string returns a filed containing the number of matching events and names that field Event Count?

index=security failure | stats count as "Event Count"

Select the answer that displays the accurate placing of the pipe in the following search string: index=security sourcetype=access_* status=200 stats count by price

index=security sourcetype=access_* status=200 | stats count by price

Which command is used to review the contents of a specified static lookup file?

inputlookup

Which of the following constraints can be used with the top command?

limit

Which of the following are common constraints of the top command?

showperc, countfield

Which of the following fields is stored with the events in the index?

source

By default, which of the following is a Selected Field?

sourcetype

Which search would return events from the access_combined sourcetype?

sourcetype=Access_Combined

What is the correct syntax to count the number of events containing a vendor_action field?

stats count (vendor_action)

Which search string matches only events with the status_code of 404?

status_code>403 status_code<405

Which of the following are functions of the stats command?

sum, avg, values

Which command automatically returns percent and count columns when executing searches?

top

Which command is used to validate a lookup file?

| inputlookup products.csv


Related study sets

Final Exame Risk Management & Insurance

View Set

American Government Midterm The powers of the president include all of the following EXCEPT

View Set

Mental Health Chapter 36 Practice Questions

View Set

Features of Operating Systems Quiz

View Set

Biochemistry Chapter 2 study set

View Set

Chapter 2- Collecting Subjective Data: The Interview and Health History

View Set