Splunk

weeks

w, week, weeks

Clicking on a field shows a list of _______, ________, and ________.

values, count, and percentage

Search & Reporting, Home App

which two apps ship with Splunk Enterprise

audit event

An event generated when an audited activity is performed in Splunk Enterprise.

Host

An event's host value is typically the hostname, IP address, or fully qualified domain name of the network host from which the event originated

ad hoc search

An unscheduled search

Splunk Enterprise Security

Analytics-driven SIEM: lets users monitor, detect, analyze, investigate and respond to threats and attacks. Complementary product: customers must hold an equivalent license of core Splunk (same GB volume).

analyzefields (alias: af)

Analyze numerical fields for their ability to predict another discrete field. See Also anomalousvalue.

These are booleans in the Splunk Search Language.

And Not Or

tags

Annotates specified fields in your search results with tags. See Also eval

scrub

Anonymizes the search results.

Machine data can give you insights into:

Application performance, Security, Hardware monitoring, Sales, User behavior

Fields extracted with the field extractor

Are persistent Are specific to a host, source or sourcetype. Are reusable in multiple searches.

______ variables to apply to function (ex. Product name) (components of search language)

Arguments

False

As a general practice, exclusion is better than inclusion in a Splunk search.

How is the asterisk used in Splunk search?

As a wildcard

This command can be used to make Splunk start each time the server is booted.

./splunk enable boot-start

What command is used to start the Splunk Enterprise server?

./splunk start

Location of props.conf:

/opt/splunk/etc/system/default/props.conf (never edit this file; it contains the default configuration) and /opt/splunk/etc/system/local/props.conf (edit this one for local configuration)

By default, the Fillnull Command replaces null values with this:

0

-1h@h

1 hour ago, snapped to the hour: Sunday, 05 February 2017, 12:00:00 P.M.

-24h

24 hours ago (yesterday): Saturday, 04 February 2017, 01:37:05 P.M. Equivalent modifier: -24h@s

+24h

24 hours from now (tomorrow): Monday, 06 February 2017, 01:37:05 P.M. Equivalent modifier: +24h@s

Splunk suggests naming your Knowledge Objects using _______ segmented keys.

6

These field operators are used with both numeric and string values (symbols)

= and !=

Comparison symbols

=, !=, <, <=, >, >=

These symbols are only used with numerical values?

>, >=, <, <=

&= (not an operator)

Not a valid comparison operator in Splunk search; the comparison operators are =, !=, <, <=, >, and >=.

character set encoding

A method for displaying and working with language characters on computer systems.

Event Type

A method of categorizing events based on a search

Community support

A support service level that entitles the user to public information sources for questions about Splunk Enterprise.

After creating your data model, the next step is to ___________

Add a root object

addinfo

Add fields that contain common information about the current search.

Knowledge

Add knowledge objects to data. Affects how data is interpreted, classified, enriched, and normalized for future use.

AND

Adding child data model objects is like the ______ Boolean in the Splunk search language.

relevancy

Adds a relevancy field which indicates how well the event matches the query.

iplocation

Adds location information such as city country latitude longitude and so on based on IP addresses.

input

Adds sources to Splunk or disables sources from being processed by Splunk.

streamstats

Adds summary statistics to all search results in a streaming manner. See Also eventstats & stats

eventstats

Adds summary statistics to all search results. See Also stats

Which role defines what apps a user will see by default?

Admin

Which roles can create knowledge objects shared across all apps?

Admin

These roles can create reports:

Admin, User, Power

Which roles can create data models?

Admin and Power

Three main roles in Splunk? (3)

Admin, Power, User

True

Administrators CANNOT configure default fields

False

After a report is saved, you can no longer edit the search

________ is an action that a saved search triggers based on the results of the search

Alert

____________ are based on searches that run on a scheduled interval or in real-time.

Alerts

True

Alerts can send an email

What are the predefined ways knowledge objects can be shared?

All apps, Private, Specific app

Forwarder Characteristics

(1) Require minimal resources, (2)little impact on performance, (3) Reside on the machine where the data originates.

TRUNCATE

Measured in bytes, this attribute limits the length of a single event (line of data); anything beyond the limit is truncated. The default is 10000, so raise it (for example to 999999 bytes or more) depending on the size of your events. With SHOULD_LINEMERGE = false your data is not merged into multiline events, so make sure long single-line events are not cut short by this limit.

what is a bucket in splunk?

A bucket is a directory on the indexer that holds a slice of an index's raw events together with the index files built for them. Each index's buckets move through stages as they age: hot, warm, cold, frozen, and thawed (restored from archive).

Search Heads require more _____ than indexers.

CPU Power

makemv

Change a specified field into a multivalued field during a search. See Also mvcombine & mvexpand & nomv

nomv

Changes a specified multivalued field into a single-value field at search time. See Also makemv & mvcombine & mvexpand

True

Charts can be based on numbers, time or location

_______ object acts like an AND boolean

Child

_________ objects can be added to a root event object to narrow down the search.

Child

_______ how we want results defined. (components of search language)

Clauses

Which function is not a part of a single instance deployment?

Clustering

cluster

Clusters similar events together. See Also anomalies anomalousvalue cluster kmeans outlier

Main Components of Splunk

Collect and index data; search and investigate; add knowledge.

Index

Collects data from any source. As data enters, inspectors go to work. Determines how to process the data. When it is matched it is labeled with a source type. Data is then broken into single events. Time stamps are identified and normalized to a consistent format. Events then stored in Splunk index where they can be searched.

mvcombine

Combines events in search results that have a single differing field value into one result with a multivalue field of the differing field. See Also mvexpand & makemv & nomv

splunk enable app SplunkForwarder -auth <username>:<password>

Command to setup splunk heavy forwarder?

______ tell Splunk what we want to do with results (ex. stats) (components of search language)

Commands

transforming

Commands that create statistics and visualizations are called _________ components.

Splunk Services

Community, Standard, Enterprise and Global Support; PS and CSM

Which of these is not a main component of Splunk?

Compress and archive

anomalies

Computes an "unexpectedness" score for an event. See Also anomalousvalue & cluster & kmeans & outlier.

trendline

Computes moving averages of fields. See Also timechart

delta

Computes the difference in field value between nearby results. See Also accum & autoregress & trendline & streamstats

addtotals

Computes the sum of all numeric fields for each result.

strcat

Concatenates string values and saves the result to a specified field.

Props.conf is used to define following configurations

Configuring timestamp recognition; converting the time format to the default time format; configuring line breaking for multiline events; setting up character set encoding; defining manual field extraction regexes; allowing processing of binary files; configuring event segmentation; overriding Splunk's automated host and source type matching; defining where to look for lookup tables; etc.

_audit

Contains events related to the file system change monitor, auditing, and all user search history

convert

Converts field values into numerical values. See Also eval

untable

Converts results from a tabular format to a format similar to stats output. Inverse of xyseries and maketable.

xyseries

Converts results into a format suitable for graphing.

reltime

Converts the difference between 'now' and '_time' to a human-readable value and adds this value to the field 'reltime' in your search results. See Also convert

websphere_core

Corefile export from Websphere

Splunk Value Stack

Corporate Objectives, Business Strategy, Initiatives, Risks and Critical Capabilities, C-Level Commercial Insights

crawl

Crawls the filesystem for new sources to add to an index.

timechart

Create a time series chart and corresponding table of statistics. See "Statistical and charting functions" (functions for stats, chart, and timechart) in the Splunk Enterprise Search Reference. See Also chart & bucket

Power User Role

Create and share Knowledge Objects for Users of an app and do real time searches.

Search commands can be used with search terms to do the following:

Create charts, compute statistics, format data

mvrange(X,Y,Z)

Creates a multivalue field with a range of numbers between X and Y, incrementing by Z. Basic examples The following example returns a multivalue field with the values 1, 3, 5, 7, 9. ... | eval mv=mvrange(1,11,2)

table

Creates a table using the specified fields. See Also fields

What does the search and reporting app do in splunk?

Creates knowledge objects, reports, and dashboards

-5m@m

Current search time is 09:37:12. What is the time range equation to search back 5 minutes on the minute?

ltrim(x,y)

Description: This function takes one or two arguments X and Y, and returns X with the characters in Y trimmed from the left side. If Y is not specified, spaces and tabs are removed. Basic example The following example trims the leading spaces and all of the occurrences of the letter Z from the left side of the string. The value that is returned is x="abcZZ ". ... | eval x=ltrim(" ZZZZabcZZ ", " Z")

The following are Splunk Enterprise processing tiers.

Data input, Indexing, Search, Management

Sourcetype

Data is broken into single events by ___

These are knowledge objects that provide the data structure for pivot.

Data models

Data models are made up of ___________.

Datasets

This command removes events with duplicate values

Dedup

True

Default Fields are added to every event

fail* password | stats count by src, dest, user, sourcetype | sort - count | where count > 2

Define a Sample Failed password query
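The sample query above is a compact brute-force indicator. As an added illustration (not Splunk code and not part of the original deck), the following Python script reproduces its logic offline over a few constructed sshd lines: the `fail* password` term filter (case-insensitive, `*` as a wildcard), the `stats count by src, dest, user, sourcetype` aggregation, the `where count > 2` threshold, and the `sort - count` ordering. The field-extraction regex, the `linux_secure` sourcetype label and the log lines themselves are assumptions made for this example.

```python
import re
from collections import Counter

# Constructed sshd lines in syslog format (sample data for this example, not real logs).
SAMPLE_LOG = """\
Feb  8 09:31:02 bastion01 sshd[2101]: Failed password for root from 203.0.113.7 port 51122 ssh2
Feb  8 09:31:05 bastion01 sshd[2101]: Failed password for root from 203.0.113.7 port 51130 ssh2
Feb  8 09:31:09 bastion01 sshd[2101]: Failed password for root from 203.0.113.7 port 51141 ssh2
Feb  8 09:32:44 bastion01 sshd[2150]: Failed password for invalid user admin from 198.51.100.23 port 40011 ssh2
Feb  8 09:33:10 bastion01 sshd[2177]: Accepted password for alice from 10.0.0.5 port 52002 ssh2
Feb  8 09:35:01 web02 sshd[887]: Failed password for alice from 10.0.0.5 port 52010 ssh2
"""

# Assumed sourcetype label for these lines (Splunk's pretrained name for /var/log/secure).
SOURCETYPE = "linux_secure"

# Syslog header: the host field becomes `dest`, the machine that received the attempt.
_HEADER = re.compile(r"^\w{3}\s+\d+ \d\d:\d\d:\d\d (?P<host>\S+) [\w-]+\[\d+\]: (?P<msg>.*)$")
# Assumed extraction for sshd failures; `user` and `src` are the fields the query groups on.
_FAILED = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+")


def matches_terms(raw):
    """Emulate the search terms `fail* password`: every term must be present,
    matching is case-insensitive, and `*` is a wildcard on the rest of the token."""
    text = raw.lower()
    return re.search(r"\bfail\w*", text) is not None and re.search(r"\bpassword\b", text) is not None


def failed_password_report(log_text, threshold=2):
    """stats count by src, dest, user, sourcetype | where count > threshold | sort - count"""
    counts = Counter()
    for raw in log_text.splitlines():
        if not matches_terms(raw):
            continue
        header = _HEADER.match(raw)
        failed = _FAILED.search(header.group("msg")) if header else None
        if not failed:
            continue  # matched the terms but is not a parseable failure line
        counts[(failed.group("src"), header.group("host"), failed.group("user"), SOURCETYPE)] += 1
    rows = [{"src": s, "dest": d, "user": u, "sourcetype": st, "count": c}
            for (s, d, u, st), c in counts.items() if c > threshold]
    # `sort - count` is descending by count; src and user only make ties deterministic here.
    return sorted(rows, key=lambda r: (-r["count"], r["src"], r["user"]))


if __name__ == "__main__":
    for row in failed_password_report(SAMPLE_LOG):
        print(row)
```

Running it reports only root from 203.0.113.7 against bastion01 (three failures); the single failures for admin and alice fall under the threshold. In production, pin the sourcetype (or use the Authentication data model) rather than relying on bare terms: `fail*` on its own also matches "failure" and "failover" in unrelated data, and the threshold only makes sense per time window, which is why a search like this is normally scheduled as an alert.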

Which is the correct order to use when creating a lookup?

Define a lookup table, define a lookup, create an automatic lookup

Roles

Define what users can do in Splunk.

delete

Delete specific events or search results.

Splunk Light

Delivers a light version of Splunk for small IT environments: 5 users, cheaper, 20GB of daily data indexing

deploymentclient.conf

Deployment client uses which configuration files to connect deployment server ? serverclass.conf, deploymentclient.conf, inputs.conf, outputs.conf

replace(x,y,z)

Description: This function returns a string formed by substituting string Z for every occurrence of regex string Y in string X. The third argument Z can also reference groups that are matched in the regex. Basic example: The following example returns date, with the month and day numbers switched. If the input is 1/14/2017 the return value would be 14/1/2017. ... | eval n=replace(date, "^(\d{1,2})/(\d{1,2})/", "\2/\1/")

substr(x,y,z)

Description: This function returns a substring of X, starting at the index specified by Y with the number of characters specified by Z. If Z is not provided, the function returns the rest of the string Basic example: The following example concatenates "str" and "ing" together, returning "string": ... | eval n=substr("string", 1, 3) + substr("string", -3)

len(x)

Description: This function returns the character length of a string X. Basic example ... | eval n=len(field)

urldecode(x)

Description: This function takes one URL string argument X and returns the unescaped or decoded URL string. Basic example The following example returns "http://www.splunk.com/download?r=header". ... | eval n=urldecode("http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fr%3Dheader")

trim(x,y)

Description: This function takes one or two arguments X and Y and returns X with the characters in Y trimmed from both sides. If Y is not specified, spaces and tabs are removed. Basic example: The following example returns "abc". ... | eval n=trim(" ZZZZabcZZ ", " Z")

rtrim(x,y)

Description: This function takes one or two arguments X and Y, and returns X with the characters in Y trimmed from the right side. If Y is not specified, spaces and tabs are removed. Basic example: The following example returns n=" ZZZZabc" (only the right side is trimmed, so the leading space remains). ... | eval n=rtrim(" ZZZZabcZZ ", " Z")

lower(x)

Description: This function takes one string argument and returns the string in lowercase. Basic example The following example returns the value provided by the field username in lowercase. ... | eval username=lower(username)

upper(x)

Description: This function takes one string argument and returns the string in uppercase. Basic example: The following example returns the value provided by the field username in uppercase. ... | eval n=upper(username)

spath(x,y)

Description: This function takes two arguments, an input source field X and an spath expression Y, that is the XML or JSON formatted location path to the value that you want to extract from X. Basic example: The following example returns the hashtags from a twitter event. index=twitter | eval output=spath(_raw, "entities.hashtags")

Index

Directories where the data is stored

__________ is often the biggest bottle neck in the Splunk indexing pipeline.

Disk I/O

What are the different flavors of spunk?

Enterprise, Cloud, Light

Which Splunk search command allows you to perform mathematical functions on field values?

Eval

Calculated fields are shortcuts for _______________.

Eval Commands

________ tab is default tab for searches

Event

__________ allow you to categorize events based on search terms.

Event Types

Calculated fields can use lookup tables.

False

Data created using the Iplocation Command can not be used with the Geostats Command.

False

Event types do NOT show up in the field list.

False

Excluding fields using the Fields Command will benefit performance.

False

Field values are case sensitive.

False

Forwarders should never be installed on Windows servers.

False

Indexing on a Heavy Forwarder does not affect your license.

False

Machine data is always structured.

False

Machine data is only log files on web servers.

False

Once an alert is created, you can no longer edit its defining search.

False

Results of the Eval Commands always replace the existing field.

False

Root search objects benefit from acceleration.

False

Running concurrent reports and the searches behind them puts very low demand on your system hardware.

False

Search macros can only be used once in a given search.

False

Splunk Enterprise should always be run as root in a *NIX environment.

False

The .conf files can only be edited using the Splunk web interface.

False

The functions of the data pipeline vary drastically depending on the deployment.

False

The index does not play a major role in Splunk.

False

The results of a macro can not be piped to other commands.

False

These searches will return the same results? password fail "password fail"

False

Time to search can only be set by the time range picker.

False

Unlike pivot, reports created with instant pivot can not be saved.

False

When a bucket is frozen, by default it is moved to a different location before deleting.

False

When building your data model, Splunk suggests you use root search objects whenever possible.

False

When mixing authentication sources, scripted authentication will always take precedence.

False

When using the chart command, the x-axis should always be numeric.

False

When zooming in on the event time line, a new search is run.

False

Wildcards cannot be used with field searches.

False

You can only add one tag per field value pair.

False

You can only have one field alias per field.

False

You can only use one Eval Command per search.

False

4 Key Assets in Every Sales Play

Prospecting Guide, Meeting Guide, Differentiation Pitch, Champion Guide

Differentiators

Real Time Architecture, Universal Machine Data Platform, Schema on the Fly, Agile Reporting and Analytics, Scales from Desktop to Enterprise, Fast Time to Value, Passionate and Vibrant Community

_______ alert to monitor for events continuously

Real-time

Real Time Architecture

Real-time collection, search, monitoring and analysis across massive streams of machine data in a single solution

xpath

Redefines the XML path.

transpose

Reformats rows of search results as columns.

Time for Shared Search Job

Remain active for 7 days

mvdedup(X)

Removes all of the duplicate values from a multivalue field. Basic example ... | eval s=mvdedup(mvfield)

uniq

Removes any result that is an exact duplicate of the previous result. See Also dedup

fields

Removes fields from search results.

outlier

Removes outlying numerical values. See Also anomalies & anomalousvalue & cluster & kmeans

regex

Removes results that do not match the specified regular expression. See Also rex & search

dedup

Removes subsequent results that match a specified criteria. See Also uniq

rename

Renames a specified field; wildcards can be used to specify multiple fields.

filldown

Replaces NULL values with the last non-NULL value. See Also fillnull

bucketdir

Replaces a field value with higher-level grouping such as replacing filenames with directories. See Also cluster and dedup.

fillnull

Replaces null values with a specified value.

replace

Replaces values of specified fields with a specified new value.

from

Retrieves data from a dataset such as a data model dataset, a CSV lookup, a KV Store lookup, a saved search, or a table dataset.

metasearch

Retrieves event metadata from indexes based on terms in the logical expression. See Also metadata & search

history

Returns a history of searches formatted as an events list or as a table. See Also search

metadata

Returns a list of sources, sourcetypes, or hosts from a specified index or distributed search peer. See Also dbinspect

localize

Returns a list of the time ranges in which the search results were found. See Also map & transaction

mvappend(X,...)

Returns a multivalue result based on all of values specified. Basic example ... | eval fullName=mvappend(initial_values, "middle value", last_values)

commands(x)

Returns a multivalued field that contains a list of the commands used in X Basic example The following example returns a multivalued field X, that contains 'search', 'stats', and 'sort'. ... | eval x=commands("search foo | stats count | sort count")

mvindex(MVFIELD,STARTINDEX,ENDINDEX)

Returns a set of values from a multivalue field described by STARTINDEX and ENDINDEX. Basic examples Because indexes start at zero, the following example returns the third value in "multifield", if the value exists. ... | eval n=mvindex(multifield, 2)

split(X,"Y")

Returns a multivalue field by splitting X on the delimiter character Y. Basic example ... | eval n=split(foo, ";")

audit

Returns audit trail information that is stored in the local audit index.

dbinspect

Returns information about the specified index.

chart

Returns results in a tabular output for charting. See "Statistical and charting functions" (functions for stats, chart, and timechart) in the Splunk Enterprise Search Reference. See Also timechart

gentimes

Returns results that match a time-range.

mvcount(MVFIELD)

Returns the count of the number of values in the specified field. Extended Example The mvcount() function returns the number of email addresses in the To, From, and Cc fields and saves the addresses in the specified "_count" fields. eventtype="sendmail" | eval To_count=mvcount(split(To,"@"))-1 | eval From_count=mvcount(From) | eval Cc_count= mvcount(split(Cc,"@"))-1

diff

Returns the difference between two search results.

head

Returns the first number n of specified results. See Also reverse & tail

tail

Returns the last number n of specified results. See Also head & reverse

eventcount

Returns the number of events in an index. See Also dbinspect

savedsearch

Returns the search results of a saved search.

mvsort(X)

Returns the values of a multivalue field sorted lexicographically. Basic example ... | eval s=mvsort(mvfield)

typeahead

Returns typeahead information on a specified prefix.

reverse

Reverses the order of the results. See Also head & sort & tail

Alerts combine a _______ search.

Saved

An alert is an action triggered by a _____________.

Saved search

Use ________ alert to check for events on a regular basis

Scheduled

_________ command works from left to right

Search

Which 2 apps ship with Splunk Enterprise?

Search & Reporting Home App

Search Language Example

Search Term, Commands, Functions

Best Practices

Search by time; inclusion is better than exclusion; filter with commands as early as possible in the search

1. Selecting a range of bars on the timeline; 2. Selecting a single bar on the timeline; 3. Deselect

Search controls that will NOT re-run a search

Search strings are sent from the

Search head

When a search is sent to splunk, it becomes a _____.

Search job

_____ are case insensitive. (components of search language)

Search terms

insensitive

Search terms are case sensitive or insensitive?

Schema on the Fly

Search-time schema delivers flexibility to interact with the data and change perspective on the fly at search time

search

Searches Splunk indexes for matching events. This command is implicit at the start of every search pipeline that does not begin with another generating command.

top values by time

Select this in the field sidebar to automatically pipe your search results to the timechart command

_______ Fields appear in event, default-host, sourcetype, source

Selected

A workflow action can _________________.

Send field values to external resources. Pass variables to a URL. Execute a secondary search.

Reasons to Split Indexes

Separate indexes can make searches faster: they limit the amount of data Splunk searches and return events only from that index. Multiple indexes also allow limiting access by user role, to control who sees what data, and they help with retention policies.

Splunk Enterprise

Serves as your on premise solution for turning machine data into valuable insight Perpetual license users are required to purchase support for the first year

Freeze data when an index grows too large

Set maxTotalDataSizeMB

rangemap

Sets RANGE field to the name of the ranges that match.

setfields

Sets the field values for all results to a common value. See Also eval & fillnull & rename

autoregress

Sets up data for calculating the moving average. See Also accum & delta & trendline & streamstats.

MAX_TIMESTAMP_LOOKAHEAD

Setting this attribute tells Splunk how far into each event (in characters) to look for the timestamp, so it does not spend time and resources scanning the entire event. If your timestamp always falls within the first 20 characters, set MAX_TIMESTAMP_LOOKAHEAD = 20 and Splunk stops looking after that.

The following can be used to build apps for Splunk:

Simple XML, Splunk JavaScript, SDKs

Splunk Deployment Scalibility

Single Instance to a full distributed infrastructure.

______ mode (default-based on search string data). Field discovery ON for event searches. No event or field data for stats searches.

Smart

@d-2h

Snap to the beginning of today (12 A.M.) and subtract 2 hours from that time. Resulting Time 10 P.M. last night.

This command displays results in ascending or descending order.

Sort

sort

Sorts search results by the specified fields. See Also reverse

Splunk knows where to break the event, where the time stamp is located and how to automatically create field value pairs using these.

Source types

Three default search fields automatically selected?

Source, Host, Sourcetype

Splunk uses ________ to categorize the type of data being indexed.

Sourcetypes

w0, w1, w2, w3, w4, w5, w6, and w7

Specify "snap to" days of the week; where w0 is Sunday, w1 is Monday, etc. When you snap to a week, @w or @week, it is equivalent to snapping to Sunday or @w0. You can use either w0 or w7 for Sunday.

rex

Specify a Perl regular expression named groups to extract fields while you search. See Also extract & kvform & multikv & xmlkv & regex

@q, @qtr, or @quarter

Specify a snap to the beginning of the most recent quarter: Jan 1, Apr 1, July 1, or Oct 1.

latest=now

Specify that the search starts or ends at the current time.

return

Specify the values to return from a subsearch. See Also format & search

What would we have to do in a Full Scale Infrastructure Deployment?

Split the functionality across multiple specialized instances of Splunk Enterprise. Add forwarders to send data to the indexers, and eventually add multiple search heads and indexers to increase indexing and search capacity. Search heads and indexers can also be clustered to make sure data is always available and searchable.

Splunk Offerings (core products)

Splunk Enterprise, Splunk Cloud, Splunk Light

Splunk Premium Products

Splunk Enterprise Security, Splunk IT Service Intelligence, Splunk User Behavior Analytics (UBA), Premium Apps

What is SPL

Splunk Processing Language

events

Splunk breaks down data input into individual ___

Forwarders

Splunk enterprise instances that consume data and forward it to the indexers for processing.

Indexer: indexes the machine data. Forwarder: a Splunk instance that forwards data to remote indexers. Search head: provides the GUI for searching. Deployment server: manages Splunk components such as indexers, forwarders and search heads across the environment.

Splunk has four important components, what are they?

Indexing stage

Splunk indexing process: a) Breaking all events into segments (tokens) that can then be searched upon; you can determine the level of segmentation, which affects indexing and searching speed, search capability, and efficiency of disk compression. b) Building the index data structures. c) Writing the raw data and index files to disk, where post-indexing compression occurs. These are the Splunk parsing and indexing phases.

Fast Time to Value

Splunk is a fully integrated solution, easy to install, operate and scale.

Passionate and Vibrant Community

Splunk online communities include Splunkbase, Splunk Answers, and Splunk Dev; active communities on Facebook and LinkedIn; regional customer events, user group meetings and the annual user conference.

When snapping to the nearest or latest time

Splunk software always snaps backwards or rounds down to the latest time that is not after the specified time. For example, the current time is 15:45:00 and the snap to time is earliest=-h@h. The time modifier snaps to 14:00.

How splunk stores Data?

Splunk stores indexed data in directories on the indexer called buckets. A bucket moves through several stages as it ages: hot, warm, cold, frozen (and thawed, if restored from an archive).

____________ is the system process that handles indexing, searching, forwarding and the web interface for Splunk Enterprise.

Splunkd

apache_error

Standard Apache web server error log Example: [Sun Aug 7 12:17:35 2005] [error] [client 10.1.1.015] File does not exist: /home/reba/public_html/images/bullet_image.gif

asterisk_cdr

Standard Asterisk IP PBX call detail record

asterisk_event

Standard Asterisk event log (management events)

asterisk_messages

Standard Asterisk messages log (errors and warnings)

asterisk_queue

Standard Asterisk queue log

cisco_syslog

Standard Cisco syslog produced by all Cisco network devices (including PIX firewalls, routers, ACS, etc.), usually via remote syslog to a central log host

db2_diag

Standard IBM DB2 database administrative and error log

mysqld

Standard MySQL query log; also matches the MySQL binary log following conversion to text

postfix_syslog

Standard Postfix MTA log reported via the Unix/Linux syslog facility

sendmail_syslog

Standard Sendmail MTA log reported via the Unix/Linux syslog facility

sugarcrm_log4php

Standard Sugarcrm activity log reported using the log4php utility

websphere_trlog_syserr

Standard Websphere system error log in the IBM native trlog format

websphere_trlog_sysout

Standard WebSphere system out log in the IBM native trlog format; similar to the log4j server log for Resin and JBoss. Same format as the system error log, but containing lower-severity and informational events

linux_messages_syslog

Standard linux syslog (/var/log/messages on most platforms)

mysqld_error

Standard mysql error log

windows_snare_syslog

Standard Windows event log reported through a third-party Intersect Alliance Snare agent to remote syslog on a Unix or Linux server

Any search that returns these values can be viewed as a chart.

Statistical

If a search returns this, you can view the results as a chart.

Statistical values

__________ should be used when you want to see the results of a calculation, or you need to group events on a field value.

Stats

This stats function adds up a numeric field across the matching events

stats sum(<field>)

This command produces statistics of a search result

Stats command

This command shows number of events matching search criteria

Stats count

Hot & Warm: $SPLUNK_HOME/var/lib/splunk/defaultdb/db/* Cold: $SPLUNK_HOME/var/lib/splunk/defaultdb/colddb/* Thawed: $SPLUNK_HOME/var/lib/splunk/defaultdb/thaweddb/* (these are the paths for the default index; every index sets its own homePath, coldPath and thawedPath in indexes.conf)

Storage Bucket locations?

_internal

Stores Splunk Enterprise internal logs and processing metrics.

What is the Difference between NOT and !=

Suppose the events carry the fields fieldA, fieldB and fieldC.

Searching with !=: fieldB!=value3 returns only events that HAVE a fieldB whose value is not value3, i.e. fieldB=value1 and fieldB=value2. If fieldB does not exist in an event, that event is not returned.

Searching with NOT: NOT fieldB=value3 returns everything except events where fieldB=value3: fieldA=value1, fieldA=value2, fieldA=value3, fieldB=value1, fieldB=value2, fieldC=value1, fieldC=value2, fieldC=value3. If fieldB does not exist in an event, NOT fieldB=value3 still returns it: fieldA=value1, fieldA=value2, fieldA=value3, fieldC=value1, fieldC=value2, fieldC=value3.

The practical consequence: an exclusion written as field!=value silently drops every event in which the field was not extracted at all; use NOT field=value when those events must still be considered.
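
This distinction matters for detection content, because an exclusion such as user!=svc_backup never sees events in which user was not extracted. The Python below is added here as an illustration; it is not from the original page and not Splunk's code. It models the three comparisons over a constructed event list that mirrors the fieldA/fieldB/fieldC description above; the event list, the * wildcard handling and all function names are this example's own.

```python
"""Added example, not from the original page: a small model of Splunk's
field=value, field!=value and NOT field=value semantics, showing why a
`field!=value` exclusion silently drops events in which the field is absent."""
import re

# Constructed events mirroring the page's description (not real log data).
EVENTS = [
    {"fieldA": "value1", "fieldB": "value1"},
    {"fieldA": "value2", "fieldB": "value2"},
    {"fieldA": "value3", "fieldB": "value3"},
    {"fieldC": "value1"},   # these three events have no fieldB at all
    {"fieldC": "value2"},
    {"fieldC": "value3"},
]


def _value_matches(value, pattern):
    """Splunk compares field values case-insensitively; * is the only wildcard."""
    regex = re.escape(pattern).replace(r"\*", ".*")
    return re.fullmatch(regex, str(value), re.IGNORECASE) is not None


def field_eq(event, field, pattern):
    """field=value: true only if the field exists AND its value matches."""
    return field in event and _value_matches(event[field], pattern)


def field_ne(event, field, pattern):
    """field!=value: true only if the field exists AND its value does not match."""
    return field in event and not _value_matches(event[field], pattern)


def not_field_eq(event, field, pattern):
    """NOT field=value: the plain complement, so events lacking the field also match."""
    return not field_eq(event, field, pattern)


def run(events, predicate, field, pattern):
    """Apply one comparison to every event and keep the matches, in order."""
    return [e for e in events if predicate(e, field, pattern)]


def silently_dropped(events, field, pattern):
    """Events a `field!=value` exclusion never returns but `NOT field=value` would:
    exactly the events in which the field was never extracted."""
    seen_by_ne = run(events, field_ne, field, pattern)
    return [e for e in run(events, not_field_eq, field, pattern) if e not in seen_by_ne]


if __name__ == "__main__":
    print(len(run(EVENTS, field_ne, "fieldB", "value3")))      # 2 events
    print(len(run(EVENTS, not_field_eq, "fieldB", "value3")))  # 5 events
    print(silently_dropped(EVENTS, "fieldB", "value3"))        # the three fieldC-only events
```

When reviewing a saved search that excludes service accounts with something like user!=svc_*, run the same search with NOT user=svc_* and compare the counts; any difference is the set of events where user was not extracted, which is often exactly where a parsing failure is hiding.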

!=

Symbol for "does not equal"

mvjoin(MVFIELD,STR)

Takes all of the values in a multivalue field and appends them together delimited by STR. The following search creates the base field with the values. The search then creates the joined field by using the result of the mvjoin function. ... | eval base=mvrange(1,6), joined=mvjoin('base'," OR ")

format

Takes the results of a subsearch and formats them into a single result.

command-line interface

The Splunk Enterprise command-line interface (CLI) is a text interface that you use to enter system commands, edit configuration files, and run searches.

False

The Splunk search language supports the ? wildcard.

False

The User role cannot create reports.

archiving

The action of adding to and maintaining a collection of historical data.

collection

The container for a set of data in an App Key Value Store, similar to a database table where each record has a unique key. Collections exist within the context of a given app.

admin and changeme (on older releases; current releases require you to set the admin password during installation or at first start)

The default username and password for a newly installed Splunk instance is:

The easiest way to extract a field is from ____________, allowing you to skip a few steps.

The event actions menu

False

The following searches will return the same results: SEARCH 1: web AND error SEARCH 2: web and error (false, because Boolean operators must be uppercase; the lowercase "and" in search 2 is treated as a third keyword to match)

False

The index does not play a major role in Splunk.

non-transforming

The instant pivot button is displayed in the statistics and visualization tabs when a ____ search is used

False

The interesting fields in the field sidebar will be the same for every search against the same index

$SPLUNK_HOME/var/log/splunk

The location where Splunk log files are stored?

Why would I want to learn splunk?

The money in the field is great, the amount of data that can be analyzed is incredible, 70% of companies are transitioning to Splunk, it lets you gain new insight, there is a community called Ninjas that you can interact with, and it is fun!

When editing a field extraction, you will be working with _________________.

The regular expression.

Source

The source of an event is the name of the file, stream, or other input from which the event originates

Sourcetype

The source type of an event identifies the format of the data input it came from (for example, Windows .evt event-log files from Event Viewer); Splunk uses it to decide how to break events and extract timestamps.

7

There are ___ components to the Search and Reporting app's default interface

How to create new index in splunk?

There are several ways to create a new index on a Splunk indexer: through Splunk Web (the GUI), through the CLI, or by editing indexes.conf under $SPLUNK_HOME/etc/system/local. The simplest way is Splunk Web. When many indexes are needed, it is quicker to edit indexes.conf and add a stanza for each index name.

How to configure props.conf in splunk?

There are seven attributes you should set in props.conf every time you bring a new data source into Splunk.

NOT, OR, AND

These are booleans in the Splunk Search Language.

Data models

These are knowledge objects that provide the data structure for pivot

Admin, Power, User

These roles can create reports:

admin

These users can create objects that are shared across ALL apps

LINE_BREAKER

This attribute looks the toughest and most intimidating. It defines, as a regular expression, how the incoming stream is broken apart into events. This is important because if it is not set correctly, one logical record can be spread across multiple events (or several records merged into one). Splunk looks for the pattern and breaks the stream at it. Two practical points: the regex must contain a capture group, and the text captured by that group is discarded as the boundary, so keep anything you want to retain (such as the next event's timestamp) outside the group or in a lookahead; and, as mentioned before, LINE_BREAKER should be used in conjunction with SHOULD_LINEMERGE = false.

What is an index?

An index is the repository in which Splunk stores indexed data (buckets holding the compressed raw data plus the index files that point into it). Indexing is the process that turns incoming data into events, assigning each a timestamp and writing it to an index.

main

This is the default Splunk Enterprise index. All processed data is stored here unless otherwise specified.

TIME_PREFIX

This attribute is a regular expression that tells Splunk where in the event to start looking for the timestamp; the timestamp is parsed from the text that follows the match (using TIME_FORMAT, within MAX_TIMESTAMP_LOOKAHEAD characters).
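
To make the LINE_BREAKER and TIME_PREFIX behaviour concrete, here is an added Python model (not Splunk's code and not from the original page) that applies a LINE_BREAKER regex and a TIME_PREFIX/TIME_FORMAT pair to a constructed multi-line application log. The attribute names are real props.conf attributes; the sample log, the GOOD_PROPS/NAIVE_PROPS dictionaries and the function names are this example's own, and TIME_FORMAT is written in Python strptime syntax rather than Splunk's own strptime dialect (which uses %3N for milliseconds, for instance).

```python
"""Added example, not from the original page: a model of how LINE_BREAKER
(with SHOULD_LINEMERGE = false) and TIME_PREFIX / TIME_FORMAT /
MAX_TIMESTAMP_LOOKAHEAD turn a raw stream into timestamped events."""
import re
from datetime import datetime

# Constructed multi-line log (not real data): the stack trace lines belong
# to the ERROR event that precedes them.
SAMPLE_RAW = (
    "2017-02-05 10:00:01,123 ERROR [auth] Login failed user=admin src=203.0.113.9\n"
    "java.lang.SecurityException: bad credentials\n"
    "    at com.example.Auth.check(Auth.java:42)\n"
    "2017-02-05 10:00:02,456 INFO [auth] Login ok user=alice src=198.51.100.4\n"
)

# The breaker keeps the next timestamp out of the capture group (a lookahead),
# so only the newline run is discarded and the date stays with the new event.
GOOD_PROPS = {
    "SHOULD_LINEMERGE": "false",
    "LINE_BREAKER": r"([\r\n]+)(?=\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})",
    "TIME_PREFIX": r"^",
    "TIME_FORMAT": "%Y-%m-%d %H:%M:%S,%f",   # Python strptime syntax, see lead-in
    "MAX_TIMESTAMP_LOOKAHEAD": 128,
}
# The default breaker splits on every newline: the stack trace becomes
# separate, timestamp-less events.
NAIVE_PROPS = dict(GOOD_PROPS, LINE_BREAKER=r"([\r\n]+)")


def break_events(raw, line_breaker):
    """The text matched by the regex's FIRST capture group is discarded and marks
    the boundary; text before it stays with the previous event, text after it
    (including anything matched by a lookahead) starts the next one."""
    pattern = re.compile(line_breaker)
    if pattern.groups < 1:
        raise ValueError("LINE_BREAKER must contain a capture group")
    events, start = [], 0
    for m in pattern.finditer(raw):
        events.append(raw[start:m.start(1)])
        start = m.end(1)
    events.append(raw[start:])
    return [e.strip("\r\n") for e in events if e.strip()]


def extract_timestamp(event, time_prefix, time_format, lookahead):
    """Find TIME_PREFIX, then parse the longest prefix of the next `lookahead`
    characters that satisfies TIME_FORMAT. Returns None when nothing parses."""
    m = re.search(time_prefix, event)
    if not m:
        return None
    window = event[m.end():m.end() + lookahead]
    for end in range(len(window), 0, -1):
        try:
            return datetime.strptime(window[:end], time_format)
        except ValueError:
            continue
    return None


def parse_events(raw, props):
    """Return [(timestamp or None, event_text)] as the indexer would see them."""
    if props.get("SHOULD_LINEMERGE", "true").lower() != "false":
        raise ValueError("this model only covers SHOULD_LINEMERGE = false")
    return [
        (extract_timestamp(e, props["TIME_PREFIX"], props["TIME_FORMAT"],
                           props["MAX_TIMESTAMP_LOOKAHEAD"]), e)
        for e in break_events(raw, props["LINE_BREAKER"])
    ]


if __name__ == "__main__":
    for label, props in (("good", GOOD_PROPS), ("naive", NAIVE_PROPS)):
        for ts, text in parse_events(SAMPLE_RAW, props):
            print(f"{label:5} {ts} | {text.splitlines()[0]}")
```

With the naive breaker the stack-trace lines carry no timestamp of their own (Splunk would fall back to the previous event's time or the current time) and lose their association with the failed login, which is exactly the "data spread across multiple events" failure described above.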

User

This role will only see their own knowledge objects and those that have been shared with them.

True

This search user=* displays only events that contain a value for user

time range picker

This shows a list of pre-set time selection choices

@

This symbol is used in the "Advanced" section of the time range picker to round down to nearest unit of specified time.

______ is the most efficient filter

Time

d

Time range abbreviations for days

h

Time range abbreviations for hours

m

Time range abbreviations for minutes

mon

Time range abbreviations for months

s

Time range abbreviations for seconds

w

Time range abbreviations for weeks

y

Time range abbreviations for year

The timechart command clusters data in time intervals dependent on:

Time range selected

in a consistent format: the _time field holds the event time as Unix epoch seconds, which is converted to the user's time zone only for display

Time stamps are stored ____

This is a command that performs stats aggregation against time

Timechart command

How do you create a new index using indexes.conf?

To add a new index, add a stanza to indexes.conf in $SPLUNK_HOME/etc/system/local, identified by the name of the new index. For example: [newindex] homePath=<path for hot and warm buckets> coldPath=<path for cold buckets> thawedPath=<path for thawed buckets> ...

top

To display the most common values in a specific field, what command would you use?

chart or timechart

To get multi-series tables you need to set up the underlying search with commands like...

outputnew

To keep from overwriting existing fields with your lookup you can use the ____________ clause.

splunktcp

To receive data from a forwarder on an indexer, which stanza type is used in inputs.conf? [tcp, splunktcp, udp, forwardertcp]

+1d@d

Midnight at the start of tomorrow (for example 06 February 2017, 12:00:00 A.M. when run on 05 February 2017)

__________ should be used when you need to see events correlated together, or when events need to be grouped on start and end values.

Transactions

Commands that create statistics and visualizations are called _______________ commands.

Transforming

________ commands create statistics and visualizations.

Transforming

gauge

Transforms results into a format suitable for display by the Gauge chart types.

A Common Information Model (CIM) is supported by Splunk.

True

A lookup is categorized as a dataset.

True

A real-time alert type is useful when you want to know as soon as your trigger condition is met.

True

A time range picker can be included in a report.

True

After you configure a lookup, its fields can be found in the fields sidebar and you can use them in a search.

True

Alerts can be shared to all apps.

True

Alerts can send an email.

True

As general practice, inclusion is better than exclusion in a Splunk search.

True

Charts can be based on numbers, time or location.

True

Knowledge objects can be used to normalize data?

True

No matter what user role creates the field alias, it is always set to Private by default.

True

Real-time alerts will run the search continuously in the background.

True

Splunk Enterprise can be installed in virtual environments.

True

Tags can be added to event types.

True

The Geostats Command requires both latitude and longitude data to use on a map.

True

As the indexer indexes your data, it creates a number of files. These files contain two types of data: The raw data in compressed form (rawdata) Indexes that point to the raw data, plus some metadata files (index files) Together, these files constitute the Splunk Enterprise index.

How does the indexer store indexes?

10

How many results are returned by the top command, by default?

10

How many results are shown by default when using a Top or Rare Command?

... | stats dc(s_hostname) as "Websites visited:"

How many unique websites have your employees visited, displayed as "Websites visited"?

... | stats sum(sc_bytes) as Bandwidth by s_hostname | sort -Bandwidth

How much bandwidth did employees spend at each website? This needs to be sorted in descending order.

Splunk stores indexed data as two kinds of files: 1) the compressed raw data (the rawdata journal), typically about 15% of the original size; 2) the index (tsidx) files, typically about 35% of the original size. So roughly 50% of the original data size is needed on disk, plus additional space for search artifacts such as stored search results.

How much disk space is required to store data in Splunk?

... | stats count by user, app, vendor_action

How would you count the number of events by user, app, and vendor?

... | stats count(vendor_action) as ActionEvents, count as TotalEvents

How would you count the number of events that contain a vendor action field? Also count the total number of events.

... | stats count as "Potential Issues"

How would you count the number of failed logins? Change the column name to "Potential Issues".

... | top product_name by Vendor limit=3 countfield="Number of Sales" showperc=f

How would you search for the top three products sold by each vendor?

... | stats values(s_hostname) by cs_username

How would you show each unique website a user has visited?

... | rare product_name by Vendor limit=5 countfield="Number of Sales" showperc=f useother=t

How would you show the five games that sold the least by each of the vendors?

... | stats count as "Units Sold" avg(sale_price) as "Average Selling Price" by product_name

How would you show the number of units sold by a vendor for each specific product as well as the average selling price?

... | rare Vendor limit=5 countfield="Number of Sales" showperc=f useother=t

How would you show the top five vendors that sold the least amount of product?

... | top Vendor limit=5 showperc=f

How would you show the top five vendors without showing the percentage field?

... | top Vendor limit=5 countfield="Number of Sales" useother=t

How would you show the top five vendors, rename the count field to "Number of Sales", and add a row for the number of sales of vendors not listed in the top five?

Market Segments

IT Operations Application Delivery Security and Compliance

associate

Identifies correlations between fields. See Also correlate and contingency.

Modify splunk-launch.conf (the SPLUNK_DB setting) to change the default Splunk data store location.

If I want to change the default Splunk data store location, I need to modify which file?

Verbose

If we want to see events after running a transforming command, we need to switch to this mode.

earliest=1

If you want to search events from the start of UTC epoch time, use earliest=1. (earliest=0 in the search string indicates that time is not used in the search.) When earliest=1 and latest=now or latest=<a large number>, the search will run over all time. The difference is that: Specifying latest=now (which is the default) does not return future events. Specifying latest=<a big number> returns future events, which are events that contain timestamps later than the current time, now.

bin Directory, ./splunk start

In Linux, how do you start Splunk from a command line?

inline

In a dashboard, a time range picker will only work on panels that include a(n) __________ search.

The management port is required when adding a search peer to a search head.

True

The monitor input option will allow you to continuously monitor files.

True

The time stamp you see in the events is based on the time zone in your user account.

True

The timezone setting in a user's account will affect the timestamp shown in events.

True

You can add additional child objects to either existing objects or the root object.

True

You can extract multiple fields with the field extractor.

True

You can pipe the results of a Macro to other commands.

True

True

True/False. Alerts can run uploaded scripts.

False

True/False. Events are always returned in chronological order.

False

True/False. Excluding fields using the Fields Command will benefit performance.

False

True/False. Field values are case sensitive.

False

True/False. Machine data is always structured.

False

True/False. Machine data is only generated by web servers.

True

True/False. Pivots can be saved as dashboards panels.

False

True/False. Time to search can only be set by the time range picker.

False

True/False. When zooming on the event timeline, a new search is run.

False

True/False. Wildcards cannot be used with field searches.

True

True/False. You can launch and manage apps from the home app.

True

True/False: Splunk is subnet/CIDR aware for IP fields?

True - Splunk stores log file in splunkd.log under $SPLUNK_HOME/var/log/splunk/

True/False: Splunk stores log file in splunkd.log under $SPLUNK_HOME/var/log/splunk/

xmlunescape

Unescapes XML.

This component is NOT installed from the Splunk Enterprise Package.

Universal Forwarder

False

Unlike pivot, reports created with instant pivot can not be saved.

days

d, day, days

views

dashboards are

Splunk Enterprise licenses specify how much data you can index per __________.

day

false

default fields are NOT added to every event in Splunk at INDEX time

This stats function will return the unique values for a given field.

values

Splunks Core Selling Tools

Value Stack Whiteboard Differentiators best used together

Arguments

Variables we want to apply to the functions

If we want to see events after running a transforming command, we need to switch to this mode.

Verbose

______ mode returns all event and field data, including field discovery, for every search

Verbose

Splunk Market

Vertical and Segments

weblogic_stdout

Weblogic server log in the standard native BEA format

websphere_activity

Websphere activity log also often referred to as the service log

indexes.conf [indexname] enableTsidxReduction = true timePeriodInSecBeforeTsidxReduction = 86400

What Splunk file would be used to reduce TSIDX disk usage?

Retention is managed via limits.conf Create bloom filter for specific index via indexes.conf

What Splunk files are used to manage Bloom filter retention and set Bloom Filter for specific index?

Commands tell Splunk what we want to do with the search results such as: - creating charts - computing statistics - formatting

What are Commands?

Have values in at least 20% of the events.

What are Interesting Fields?

- Keywords - Booleans - Phrases - Fields - Wildcards - Comparison Operators - time - specificity - the more you tell the search engine, the better your results - inclusion is better than exclusion

What are Splunk Search Terms

A directory that contains indexed data is known as a Splunk bucket. It also contains events of a certain period.

What are Splunk buckets?

Splunk management (REST) port 8089; index replication port 8080 (configurable per cluster); KV store port 8191; Splunk Web port 8000; indexing/receiving port 9997; syslog network input port 514 (TCP or UDP)

What are common port numbers used by Splunk?

Search macros are reusable chunks of Search Processing Language (SPL) that you can insert into other searches. Macros you define, are stored in macros.conf

What are macros in Splunk?

Tags

What are nicknames that you create for related field/value pairs?

Indexer

What are search requests processed by?

Hot: read/write, not backed up | Warm: read-only, can be backed up | Cold: read-only, can be backed up

What are the 3 main Splunk Bucket Types and their read/write and Backup abilities?

AND, OR and NOT (case-sensitive: they must be uppercase)

What are the Booleans used by Splunk?

AND, NOT, OR

What are the boolean operators in Splunk?

Sorting results; filtering results; grouping results; filtering, modifying and adding fields; reporting results

What are the categories of SPL commands?

earliest and latest eg: earliest=-h latest=@d

What are the commands for specifying a time range in a search string?

=, !=, <, <=, >, >=

What are the comparison operators available to use in Splunk search language and what a.......

- Search Terms - Commands - Functions - Arguments - Clauses - Pipe

What are the five components of the Splunk Search Language?

Field value pairs are used to search an extracted field (Field name CS, Field value CI)

What are the properties of Fields?

line, area, column, bar, bubble, scatter, pie

What are the seven chart types?

User, Power, Admin

What are the three main default roles in Splunk Enterprise?

Indexers, Forwarders, Search Heads

What are the three main processing components of Splunk?

Fast, Smart, Verbose

What are the three search modes?

Universal Forwarder: a lightweight agent that collects and forwards raw data with minimal processing (no parsing). Heavy Forwarder: a full Splunk Enterprise instance that parses data before forwarding it, can filter and route by content, and can act as an intermediate forwarder or remote collector.

What are the types of Splunk forwarder?

The "a" marks a string (alphabetic) field (a "#" would mark a numeric field), "dest" is the field name, and "4" is the number of distinct values the field has in the current results

What do the attributes in the field sidebar entry "a dest 4" describe?

AND, OR, NOT

What booleans are supported in splunk search?

stats

What command allows you to calculate statistics on data that matches your search criteria?

transaction

What command allows you to create a single event from a group of events that share the same value in a given field?

fields

What command allows you to include/exclude fields in your search?

rename

What command changes the name of a field in search?

top

What command finds the most common values of a given field?

rare

What command returns the least common field values?

fields -

What command would you use to remove the status field from the returned events? sourcetype=a* status=404 | ________ status

Instead of returning all the results, from a search, it returns a random sampling of events.

What does "event sampling" do?

Input, Parsing, Indexing, and Searching

What does a single-instance deployment of Splunk Enterprise handle?

Each event found in a search has a 1 in 100, or 1%, chance of being included in the sample result set.

What does an event sample of 1:100 indicate?

Grants the delete_by_keyword capability, which lets the user run the delete command to mark matching events as unsearchable (the events are not removed from disk)

What does can_delete role do?

tostring

What eval command allows you to format for currency?

inputs.conf for port 9997

What file needs to be configured on Indexer to start receiving data and what port?

server.conf [diskUsage] minFreeSpace = <num>

What file sets limits on disk usage?

CSV, XML, JSON (and raw events)

What formats may search results be exported to?

Distributed Management Console (renamed Monitoring Console in later releases): dashboards providing insight into the health of your deployment. Install on a search head (not recommended for production), the license master, or the deployment server.

What is Splunk DMC?

A time-series index file; A tsidx file associates each unique keyword in your data with location references to events, which are stored in a companion rawdata file. Together, the rawdata file and its related tsidx files make up the contents of an index bucket. Each search you run scans tsidx files for the search keywords and uses their location references to retrieve from the rawdata file the events to which those keywords refer. To speed up searches, bloom filters narrow the set of tsidx files that Splunk Enterprise must search to get accurate results.

What is TSIDX file and how is it used?

A data structure that you use to test whether an element is a member of a set. Splunk Enterprise uses bloom filters to decrease the time it requires to retrieve events from the index. This strategy is effective when you search for rare terms. In Splunk Enterprise, bloom filters work at the index bucket level. The filters rule out buckets that do not contain keywords from the search being run. Splunk Enterprise saves time searching by focusing on the tsidx files within the bucket where the search keywords exist.

What is a Bloom Filter?
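
To show how the bucket-level filtering described above works, here is an added Python model (not Splunk's implementation and not from the original page): a toy Bloom filter is built per bucket from the terms in that bucket's events, and a search opens only the buckets whose filter cannot rule the term out. The bucket contents, their db_<latest>_<earliest>_<id> style names, the tokenizer and the hashing scheme are this example's own constructions.

```python
"""Added example, not from the original page: per-bucket Bloom filters that
let a search skip buckets which certainly do not contain the search term."""
import hashlib
import re


class BloomFilter:
    """Fixed-size bit array with k hash positions per term: no false negatives,
    and a false-positive rate that grows with the fill ratio."""

    def __init__(self, m_bits=8192, k=7):
        self.m, self.k = m_bits, k
        self.bits = bytearray(m_bits // 8)

    def _positions(self, term):
        # Double hashing: k bit positions derived from one SHA-256 digest.
        d = hashlib.sha256(term.encode("utf-8")).digest()
        h1 = int.from_bytes(d[:8], "big")
        h2 = int.from_bytes(d[8:16], "big") | 1
        return [(h1 + i * h2) % self.m for i in range(self.k)]

    def add(self, term):
        for p in self._positions(term):
            self.bits[p >> 3] |= 1 << (p & 7)

    def may_contain(self, term):
        return all(self.bits[p >> 3] & (1 << (p & 7)) for p in self._positions(term))


def tokenize(event):
    """Crude stand-in for index-time segmentation: lower-cased terms."""
    return set(re.findall(r"[a-z0-9_.:-]+", event.lower()))


class Bucket:
    """One bucket: its raw events plus a Bloom filter over all of their terms."""

    def __init__(self, name, events):
        self.name, self.events, self.bloom = name, list(events), BloomFilter()
        for event in self.events:
            for term in tokenize(event):
                self.bloom.add(term)


# Constructed sample buckets (not real Splunk data); the epochs in the names
# are 05 Feb 2017 10:00, 11:00 and 12:00 UTC.
SAMPLE_BUCKETS = {
    "db_1486292400_1486288800_0": [
        "Feb  5 10:00:01 host1 sshd[1234]: Failed password for invalid user admin from 203.0.113.9 port 5122 ssh2",
        "Feb  5 10:00:07 host1 sshd[1240]: Accepted publickey for alice from 198.51.100.4 port 5130 ssh2",
    ],
    "db_1486296000_1486292400_1": [
        "Feb  5 11:12:44 host2 sudo: bob : TTY=pts/0 ; COMMAND=/bin/systemctl restart nginx",
        "Feb  5 11:13:02 host2 nginx[8891]: signal process started",
    ],
}


def build_index(buckets):
    return [Bucket(name, events) for name, events in buckets.items()]


def candidate_buckets(index, term):
    """Buckets the filter cannot rule out for an exact-term search."""
    term = term.lower()
    return [b.name for b in index if b.bloom.may_contain(term)]


def search_term(index, term):
    """Open only candidate buckets; return (matching events, names of buckets opened)."""
    term = term.lower()
    hits, opened = [], []
    for bucket in index:
        if not bucket.bloom.may_contain(term):
            continue                 # ruled out without touching tsidx or rawdata
        opened.append(bucket.name)
        hits.extend(e for e in bucket.events if term in tokenize(e))
    return hits, opened


if __name__ == "__main__":
    index = build_index(SAMPLE_BUCKETS)
    print(candidate_buckets(index, "sshd"))
    print(search_term(index, "203.0.113.9"))
```

Two caveats follow directly from the structure: a filter can only answer for an exact term, so a wildcard search such as fail* gains nothing from it and must open every bucket in the time range; and the rare-term benefit disappears for terms that appear in every bucket, since no bucket can then be ruled out.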

searchable key/value pairs from event data.

What is a Field?

One or more panels displaying data visually in a useful way.

What is a dashboard?

Used to troubleshoot file input issues. A subdirectory where Splunk software tracks how far into a file indexing has progressed, so that it can detect when data has been added to the file and resume indexing. The fishbucket contains seek pointers and CRCs for indexed files. Default location: $SPLUNK_HOME/var/lib/splunk/fishbucket (for example /opt/splunk/var/lib/splunk/fishbucket).

What is a fishbucket?

Field Aliases

What is a way to normalize data over any default field?

Hosts, Sources, and Sourcetypes on separate tabs

What is shown in the Data Summary?

System local, App local, App default, System default.

What is the Splunk precedence order Globally?

User Directories for current user, App Directories for current running app, App Dirs for all other apps, System Dirs.

What is the Splunk precedence order within app or user context?
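
The global precedence order above is what decides whether a retention or hardening setting actually takes effect. The Python below is added as an illustration (not Splunk's code and not from the page): it merges one .conf file across the system/default, app default, app local and system/local layers in that order and records which layer supplied each winning value, the same information the real splunk btool <conf> list --debug command prints. The indexes.conf fragments, the hypothetical "security" index and "my_app" app, and all function names are this example's own; the rule that the ASCII-earliest app name wins between apps is taken from Splunk's precedence documentation and should be checked against your version.

```python
"""Added example, not from the original page: merge one Splunk .conf file
across the global precedence layers and report where each value came from."""
from configparser import ConfigParser
from textwrap import dedent


def parse_conf(text):
    """Parse Splunk-style stanza text ([stanza] / key = value) into {stanza: {key: value}}."""
    cp = ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str            # Splunk attribute names are case-sensitive
    cp.read_string(text)
    return {name: dict(cp[name]) for name in cp.sections()}


def layer_order(app_names):
    """Directories from LOWEST to HIGHEST precedence in the global context.

    Assumption (from Splunk's precedence docs; verify for your version): among
    apps the ASCII-earliest name wins, so ASCII-later apps are applied first
    and then overwritten."""
    apps = sorted(app_names, reverse=True)
    return ([("system", "default")]
            + [(app, "default") for app in apps]
            + [(app, "local") for app in apps]
            + [("system", "local")])


def merge_layers(files):
    """files: {(scope, 'default'|'local'): conf_text} for ONE .conf filename.
    Returns (effective, origin): merged settings and, per key, the winning layer."""
    app_names = {scope for scope, _ in files if scope != "system"}
    effective, origin = {}, {}
    for layer in layer_order(app_names):
        for stanza, attrs in parse_conf(files.get(layer, "")).items():
            for key, value in attrs.items():
                effective.setdefault(stanza, {})[key] = value
                origin.setdefault(stanza, {})[key] = layer
    # The [default] stanza supplies any key a specific stanza does not set itself.
    for stanza, attrs in effective.items():
        if stanza == "default":
            continue
        for key, value in effective.get("default", {}).items():
            if key not in attrs:
                attrs[key] = value
                origin[stanza][key] = origin["default"][key]
    return effective, origin


# Constructed indexes.conf layers (not from a real deployment): four copies of
# the same file disagree about how long the hypothetical "security" index keeps data.
SAMPLE_INDEXES_CONF = {
    ("system", "default"): dedent("""\
        [default]
        maxTotalDataSizeMB = 500000
        frozenTimePeriodInSecs = 188697600
        """),
    ("my_app", "default"): dedent("""\
        [security]
        homePath = $SPLUNK_DB/security/db
        frozenTimePeriodInSecs = 7776000
        """),
    ("my_app", "local"): dedent("""\
        [security]
        frozenTimePeriodInSecs = 2592000
        """),
    ("system", "local"): dedent("""\
        [security]
        frozenTimePeriodInSecs = 31536000
        """),
}


def winning_setting(files, stanza, key):
    """(value, (scope, dir)) for one attribute after all layers are merged."""
    effective, origin = merge_layers(files)
    return effective[stanza][key], origin[stanza][key]


if __name__ == "__main__":
    print(winning_setting(SAMPLE_INDEXES_CONF, "security", "frozenTimePeriodInSecs"))
    print(winning_setting(SAMPLE_INDEXES_CONF, "security", "maxTotalDataSizeMB"))
```

The point to take from the sample: an app's local/ copy silently overrides the retention an app author shipped in default/, and system/local overrides both, so when a setting does not behave as expected the first question is which layer won, not whether the value is correct.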

Smart

What is the default search mode?

+ (include) occurs before field extraction and improves performance - (exclude) occurs after field extraction, and no performance improvement

What is the difference between +/- with the fields command?

5000MB or 5GB

What is the minimum free space in splunk?

By time

What is the most efficient way to filter events in Splunk?

NOT, OR, AND

What is the order of evaluation for Boolean operations in Splunk?

case_sensitive_match

What is the transforms.conf flag to switch whether or not a lookup field value is case-sensitive or not?

To Extract fields, parsing etc but do not provide dashboards.

What is the use of Add-on in splunk?

Batch ("Upload a file" in Splunk Web); TCP (including its data distribution settings); UDP; FIFO (first in, first out queue); scripted input; file system change monitor (fschange); file system monitoring filters; HTTP Event Collector (HEC), with a local stanza for each token; Windows inputs: Performance Monitor, Windows Event Log Monitor (with whitelist and blacklist formats), Active Directory Monitor, Remote Queue Monitor (SQS-specific settings), Windows Registry Monitor, Windows Host Monitoring

What kind of information can we pull in via inputs.conf?

Workflow Actions

What may be run from an event in your search results to interact with external resources or run another search?

as

What option allows you to rename fields, within the stats command?

limit (limit=0 returns unlimited results)

What option changes the number of results returned by the top command?

20% of events have these fields present in them.

What percentage of search results have the fields listed under "Interesting Fields"?

Can create and edit shared saved searches, alerts and other knowledge objects, and schedule searches, etc.

What rights does power role have?

list

What stats command shows all field values for a given field?

values

What stats command shows all unique field values for a given field?

events, searches, transactions

What three datasets make up a Data Model?

The local timezone set in your profile.

What timezone is data displayed for, in searches?

Common Information Model (CIM)

What tool provides a methodology to normalize data?

count & percent

What two columns are automatically returned by the top command?

search job

When a search is sent to splunk, it becomes a _____.

reverse chronological order

When search is run, events are returned in ____

When including spaces or special characters

When should quotes be used around values in search?

field names

When using a .csv file for Lookups, the first row in the file represents this.

Search

When you search the data, Splunk only needs to open the buckets (directories) whose time range overlaps the search time frame, which is what makes a tight time range the most efficient filter.

Settings > Tags > List by field value pair

Where can you view a list of all Tags?

Nowhere by default: frozen data is deleted unless you configure an archive location with coldToFrozenDir (or a coldToFrozenScript) in indexes.conf.

Where does frozen bucket get stored?

$SPLUNK_HOME/etc/system/local/serverclass.conf. Server classes are essentially categories: they use filters to control which clients they apply to, contain a set of apps, and may define deployment server behaviour for the management of those apps.

Where is the serverclass.conf file stored and what does it do?

Home app and Search & Reporting

Which apps ship with Splunk Enterprise?

bar

Which chart is not used for single value?

as

Which clause would you use to rename the count field?

splunk clean eventdata -index web

Which command is used only to delete index web data ?

geostats

Which command is used to create chart for map?

dedup

Which command removes results with duplicate field values?

indexes.conf is used to create index in splunk

Which conf file is used to create index in splunk? [Index.conf, indexes.conf, indexes, index]

authorize.conf

Which file is used for role and mapping ?

Smart

Which following search mode toggles behavior based on the type of search being run?

Clustering

Which function is not a part of a single instance deployment?

Admin, power

Which role(s) can create data models?

Search head

Which splunk License does not exist? Search head, forwarder, free, Splunk Enterprise?

GET

Workflow action to pass information to an external web resource.

POST

Workflow action to send field values to an external resource.

Search

Workflow action to use field values to perform a secondary search.

case(X,"Y",...)

Works like a case statement in shell scripting. This function takes pairs of arguments X and Y. The X arguments are Boolean expressions that will be evaluated from first to last. When the first X expression is encountered that evaluates to TRUE, the corresponding Y argument will be returned. The function defaults to NULL if none are true.

No. The rename turns IP into User first, so there is no longer a field named IP to remove (and field names are case-sensitive, so "ip" would not have matched "IP" in any case).

Would the ip column be removed in the results of this search? sourcetype=a* | rename IP as "User" | fields - ip

-1d@d

Midnight at the start of yesterday (for example 04 February 2017, 12:00:00 A.M. when run on 05 February 2017)

False

You can NOT specify a relative time range, such as 45 minutes ago, for a search

chained relative time offsets

You can also specify offsets from the snap-to-time or "chain" together the time modifiers for more specific relative time definitions.

True

You can click a search term in the results to add it to the search bar.

AND

You can think of adding child data model objects as an ___ boolean in the Splunk search engine

The syntax for the snap to time unit is

[+|-]<time_integer><time_unit>@<time_unit>.
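
The snap-to-time rule described earlier (at 15:45, earliest=-h@h snaps to 14:00) and the +1d@d / -1d@d cards are easiest to check with a small parser. The Python below is an added example, not Splunk's implementation and not from the original page: it resolves a modifier of the form [+|-]<time_integer><time_unit>@<time_unit>, including chained offsets such as @d-1h, against a given "now", always rounding down when snapping. EXAMPLE_NOW (05 February 2017 15:45:00, the date the +1d@d and -1d@d cards imply) and all function names are this example's own; the @w0..@w6 weekday snaps it supports go slightly beyond the cards above.

```python
"""Added example, not from the original page: a parser for Splunk relative
time modifiers ([+|-]<int><unit>, @<unit>, and chains of both)."""
import calendar
import re
from datetime import datetime, timedelta

# Unit spellings accepted in Splunk time modifiers, mapped to a canonical unit.
UNIT_ALIASES = {
    **dict.fromkeys(["s", "sec", "secs", "second", "seconds"], "s"),
    **dict.fromkeys(["m", "min", "mins", "minute", "minutes"], "m"),
    **dict.fromkeys(["h", "hr", "hrs", "hour", "hours"], "h"),
    **dict.fromkeys(["d", "day", "days"], "d"),
    **dict.fromkeys(["w", "week", "weeks"], "w"),
    **dict.fromkeys(["mon", "month", "months"], "mon"),
    **dict.fromkeys(["y", "yr", "yrs", "year", "years"], "y"),
}
_TIMEDELTA_KW = {"s": "seconds", "m": "minutes", "h": "hours", "d": "days", "w": "weeks"}

# A modifier is a chain of tokens: an offset [+|-]<int><unit> or a snap @<unit>[N].
_TOKEN = re.compile(r"([+-])(\d*)([a-z]+)|@([a-z]+?)(\d?)(?=[+\-@]|$)")

# "Now" for the worked examples (constructed): the page's 15:45 case on the
# date its +1d@d / -1d@d cards imply.
EXAMPLE_NOW = datetime(2017, 2, 5, 15, 45, 0)


def _unit(name):
    if name not in UNIT_ALIASES:
        raise ValueError(f"unknown time unit {name!r}")
    return UNIT_ALIASES[name]


def _add_months(t, n):
    """Calendar-aware month arithmetic; clamps the day (Jan 31 + 1mon -> Feb 28)."""
    year, month0 = divmod(t.year * 12 + (t.month - 1) + n, 12)
    last_day = calendar.monthrange(year, month0 + 1)[1]
    return t.replace(year=year, month=month0 + 1, day=min(t.day, last_day))


def _offset(t, n, unit):
    if unit == "mon":
        return _add_months(t, n)
    if unit == "y":
        return _add_months(t, 12 * n)
    return t + timedelta(**{_TIMEDELTA_KW[unit]: n})


def _snap(t, unit, weekday):
    """Round DOWN to the start of the unit (@w snaps to Sunday, @w1 to Monday ...)."""
    if weekday and unit != "w":
        raise ValueError("only @w accepts a weekday digit")
    t = t.replace(microsecond=0)
    if unit == "s":
        return t
    t = t.replace(second=0)
    if unit == "m":
        return t
    t = t.replace(minute=0)
    if unit == "h":
        return t
    t = t.replace(hour=0)
    if unit == "d":
        return t
    if unit == "w":
        sunday_based = (t.weekday() + 1) % 7        # Sunday=0 ... Saturday=6
        return t - timedelta(days=(sunday_based - int(weekday or 0)) % 7)
    t = t.replace(day=1)
    return t if unit == "mon" else t.replace(month=1)  # "y"


def parse_relative_time(modifier, now):
    """Resolve a Splunk relative time modifier against `now` (a datetime)."""
    s = modifier.strip().lower()
    if s in ("", "now"):
        return now
    t, pos = now, 0
    while pos < len(s):
        m = _TOKEN.match(s, pos)
        if not m:
            raise ValueError(f"cannot parse {s[pos:]!r} in {modifier!r}")
        pos = m.end()
        if m.group(1):                                  # offset token
            n = int(m.group(2) or "1")                  # "-h" means "-1h"
            t = _offset(t, n if m.group(1) == "+" else -n, _unit(m.group(3)))
        else:                                           # snap token
            t = _snap(t, _unit(m.group(4)), m.group(5))
    return t


def resolve(modifier, now_iso):
    """Convenience wrapper working on ISO-8601 strings."""
    return parse_relative_time(modifier, datetime.fromisoformat(now_iso)).isoformat()


if __name__ == "__main__":
    for mod in ("-h@h", "+1d@d", "-1d@d", "@d-1h", "-7d@w1", "-1mon@mon"):
        print(f"{mod:>10} -> {parse_relative_time(mod, EXAMPLE_NOW)}")
```

Note the order of operations: the offset is applied first and the snap afterwards, which is why -h@h at 15:45 gives 14:00 rather than 14:45, and why -7d@w1 lands on the Monday of the previous week rather than seven days back.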

True

[True or False]You can not search the data in frozen stage of bucket?

False

[True/False]Deployment server push configuration files to deployment client

True (after editing serverclass.conf by hand, run splunk reload deploy-server)

[True/False]The deployment server does not automatically deploy apps in response to direct edits of serverclass.conf

Dashboards

_____ are searches gathered together into a single pane of glass

Roles

_________ define what users can do in Splunk.

Dashboards

_____________ are reports gathered together into a single pane of glass.

Splunk uses the ________ index when indexing its own logs and metrics.

_internal

Primary fields _______ and _______ will always be extracted, but can also be removed by using the minus symbol

_time & _raw

and

a space is an implied ____ in a search string

Escaping characters in Search

Add a backslash before the quote character: info="keyword1\"keyword2\"not in db"

Which of these is NOT a stats function?

addtotals

The ______ role has the most capabilities of the predefined splunk roles.

admin

______________ is a field extraction method for events that contain fields separated by a character.

delimiter

1. dashboard panel 2. report

after you create a pivot you can save it as a ___________

A _______ action can notify you of a triggered alert and help you start responding to it

alert

Adjust the ______ type to configure how often the search runs

alert

In a windows environment, a local system user will have access to:

all data on the local system

Default time for pivot is ______

All time

saved search

an alert is an action triggered by a ___

What is the correct way to name a macro with two arguments?

dostuff(2)

Forwarders

In most Splunk deployments, ________ serve as the primary way data is supplied for indexing.

forwarders

In most production environments, _______ will be used as the source of data input.

Admin Role

Install Apps, Create Knowledge Objects for All Users

An admin does what?

Install apps, create knowledge objects for all users (what apps a user will see by default)

_________ pivot allows instant access to data without having a data model

Instant

Agile Reporting and Analytics

Interactive search and reporting, enabling rapid, interactive analysis and visualization of data.

_______ fields have values in at least 20% of the events

Interesting

True

Interesting fields are those that have values in over 20% of events

Configuring character set encoding

The CHARSET attribute in props.conf tells Splunk which character encoding (the way characters are stored as bytes) a source uses; the default is UTF-8, and CHARSET = AUTO lets Splunk detect the encoding.

selfjoin

Joins results with itself. See Also join

accum

Keeps a running total of the specified numeric field.

Wildcard Search

KeyWord*

Search terms include (6)

Keywords, booleans, phrases, fields, wildcards, and comparisons.

Search

Limiting a search to time frame is a best practice.

linux_secure

Linux secure log (for example /var/log/secure)

Field names _____ case sensitive- Values _______ case sensitive

are, are not

Splunk Enterprise commands are executed from the ________ directory.

bin

Which actions can be triggered by an alert?

List in triggered alerts Send Email Run a script

As a general practice, exclusion is better than inclusion in a Splunk search.

False

_______ mode discovery off for event searches. No event or field data for stats searches.

Fast

What are the three main search modes?

Fast, Verbose, and Smart

Having multiple indexes allows:

Faster searches Access limiting Multiple retention policies

True

Field NAMES are case sensitive

case sensitive

Field Names are ____

True

Field have names

When using a .csv file for Lookups, the first row in the file represents this.

Field names

case sensitive

Field names are ______.

case sensitive

Field names are ________

Case sensitive

Field names are case sensitive or insensitive?

sensitive

Field names are case...

_____ command include or exclude fields from search results.

Fields

_______ sidebar shows all field extracted at search time.

Fields

True

Fields are searchable key/value pairs

loadjob

Loads events or results of a previously completed search job.

loadjob

Loads events or results of a previously completed search job. See Also inputcsv

inputcsv

Loads search results from the specified CSV file.

inputcsv

Loads search results from the specified CSV file. See Also loadjob & outputcsv

once

Files indexed using the upload input option get indexed _____.

In most Splunk deployments, this serves as the primary way data is supplied for indexing.

Forwarder

In most production environments, _______ will be used as your source of data input.

Forwarders

What are the 3 main processing components of Splunk?

Forwarders Indexers Search Heads

view the results of the instance of that search

From the search jobs page, you can click the job link to ___

log4j

Log4j standard output produced by any J2EE server using log4j

transaction

Groups search results into transactions.

Example of Forwarder

Have a web server we want to monitor we would install the forwarder on the web server and have it send data to the indexer

Multiple retention policies, ability to limit access, and faster searches.

Having separate indexes allows:

Some differences between hot and warm buckets are:

Hot buckets are writable, warm buckets are not. Hot buckets are searched first. The naming convention.

The limit option e.g: | sort limit=20 -categoryID, product_name

How can you reduce the returned results with the sort command?

Click Data Summary in the Searching & Reporting app

How can you view all sourcetypes?

Double quotes around the exact word or phrase (CS)

How do you use exact phrases?

Returns everything except the events matching the NOT boolean

How does NOT affect search results?

Based on sourcetype and key/value pairs found in the data.

How does Splunk discover fields?

This command combines fields from external sources with searched events, based on an event field.

Lookup

False

Machine data is always structured

What is Machine Data

Machine data is one of the fastest growing, most complex and most valuable segments of big data.

False

Machine data is only log files on web servers

90

Machine data makes up __% of the data accumulated by organizations

90

Machine data makes up for more than ___% of the data accumulated by organizations.

Forwarders are typically installed on __________

Machines where the data originates

Forwarders are typically installed on _____________.

Machines where the data originates

backticks

Macros must be surrounded with what character?

makecontinuous

Makes a field that is supposed to be the x-axis continuous (invoked by chart/timechart)

makecontinuous

Makes a field that is supposed to be the x-axis continuous (invoked by chart/timechart) See Also chart & timechart

Machine Data?

Makes up about 90% of data accumulated by organizations. Structured and Unstructured. Improves Operational Intelligence

TIME_FORMAT

Many people "sleep" on this attribute and shouldn't. It is very important to help Splunk interpret your data. With this attribute you are telling Splunk the format your time stamp is in, using strptime, so Splunk will not have to try to figure out if 10/2/12 is October 2, 2012, February 10, 2012, or even something weird like December 2, 2010.

1,000

Max events displayed by transaction command

Edit $SPLUNK_HOME/etc/splunk-launch.conf

Migration: After moving Splunk index db, what would you edit to reflect this new location?

Splunk breaks data into ___________.

events

Validating macro arguments can be done with which type of command?

boolean expressions eval expressions

outputtext

Outputs the raw text field (_raw) of results into the _xml field.

outputtext

Outputs the raw text field (_raw) of results into the _xml field. See Also outputtext

Once an item is filtered _____ it is no longer available in the search string

Out

Admin, Power, User

Out of the box there are 3 main roles

outputcsv

Outputs search results to a specified CSV file.

outputcsv

Outputs search results to a specified CSV file. See Also inputcsv & outputtext

This workflow action sends field value to external resources.

POST

___ split data by an additional field

by

chronological, alphabetical, ascii

by default, search results are NOT returned in ____ order.

What is the most efficient way to filter events in Splunk?

by time

Only the ________ role can use the Delete Command by default.

can_delete

Field values are _______.

case insensitive

Field values are __________.

case insensitive

Field names are _________.

case sensitive

Field names are _____________.

case sensitive

Parsing can be done in Props & transforms.

Parsing can be done in which conf file? Inputs, Props Only? Transforms only? Props & transforms?

When would you use a single-instance deployment

Perfect environment for proof of concept, personal use, learning, and might serve the needs of small department-sized environments.

where

Performs arbitrary filtering on your data. See Evaluation functions in the Splunk Enterprise Search Reference.

where

Performs arbitrary filtering on your data. See Functions for eval and where in the Splunk Enterprise Search Reference. See Also eval

kmeans

Performs k-means clustering on selected fields.

kmeans

Performs k-means clustering on selected fields. See Also anomalies & anomalousvalue & cluster & outlier

set

Performs set operations (union diff intersect) on subsearches.

set

Performs set operations (union, diff, intersect) on subsearches. See Also append & appendcols & join & diff

adds the highlighted value to the search criteria

clicking a segment on a chart ________________

_____ is used to pass current results to the next component

Pipe

________ designs reports in simple interface without having to craft a search string

Pivot

________ interface is the total amount of purchases, documentation actions, job actions, tools to filter/slice up data, and a side bar?

Pivot

False

Pivots can not be saved as reports or dashboard panels

False

Pivots cannot be saved as reports panels. T/F

Which role(s) can create data models?

Power Admin

default fields

these kinds of fields are identified in your data at INDEX time.

SHOULD_LINEMERGE

this attribute is the leader and decision maker of the group. Depending on the value of this attribute, other attributes are required. This setting should be set to "false" and used along with the LINE_BREAKER attribute, which can greatly increase processing speed.

rare

this command displays the least common values in a specific field

Field _____ happens after field ______, only affecting displayed results.

exclusion, extraction

Usenull = _____ will remove NULL values

f

false (fast, smart, verbose)

fast, optimized, verbose are all selectable search modes

search

field discovery occurs at _____ time

When using a .csv file for lookups, the first row in the file represents this.

field names

What command would you use to remove the status field from the returned events?

fields -

inputlookup

finish this search command so that it displays data from the http_status.csv lookup file: | _________ https_status.csv

Dashboards are searches gathered together and can use _______input or ________ visualization

form or custom

In most Splunk deployments, _________ serve as the primary way data is supplied for indexing.

forwarders

In most production environments, _______ will be used as your main source of data input.

forwarders

raw data

full log files

Which command do you use when creating a choropeth map?

geom

hours

h, hr, hrs, hour, hours

metadata

host, source, source type, time stamp

As data is input into Splunk Enterprise, it is first placed into a ________ bucket.

hot

Which is the correct argument order when using the eval if function?

if (Boolean, Is True, Is False)

Identifying line termination using linebreaking rules

If your logs are very long or messy, then it will break them into small parts that are easy to understand.

Time stamps are stored ____________.

in a consistent format.

false

in automatic lookup definitions, you can only have 3 output fields maximum

______ is better than exclusion

inclusion

When migrating from a single instance deployment to a distributed environment, you will want to use the existing instance as an _______.

indexer

Events are written to disk during the ____ segment of the data pipeline.

indexing

The licensing meter takes placed at data ______ time.

indexing

What could be said of the circled field below: A dest 4

it contains four values its was extracted at search time it contains string values

false

it is not possible for a single instance of Splunk to manage the input, parsing, and indexing of machine data.

index files

key keywords from logs

Finish this search so that it uses the http_status.csv lookup to return events. | sourcetype=access_c* NOT status=200 | _________ http_status code as status

lookup

true

lookups allow you to overwrite your raw event

true

lookups can be private for a user

minutes

m, min, minute, minutes

The ________ index is used when an index is not specified at input time.

main

splunk preconfigured indexes

main _internal _audit:

Which of these is NOT a field created with the transaction command?

maxcount

What should you use with the transaction command to set the maximum total time between the earliest and latest events returned.

maxspan

The alerts use a _______ search to check for events.

saved

An alert is an action triggered by a ____________.

saved search

An indexer in a distributed search environment is called a __________.

search peer

Identifying timestamps or creating them if they don't exist

sort logs as per time or as they occurred.

Data is broken into single events by:

sourcetype

Use ______ to limit search to only one sourcetype

sourcetype=

Splunk uses ____________ to categorize the type of data being indexed.

sourcetypes

if you want to search for events in the previous month

specify earliest=-mon@mon latest=@mon. This example begins at the start of the previous month and ends at the start of the current month.

false

splunk alerts are based on historical searches only

1. on a regular schedule 2. in real-time

splunk alerts can be based on searches that run ______

Finish the rename command to change the name of the status field to HTTP Status.

status as "HTTP Status"

Finish the rename command to change the name of the status field to HTTP Status. sourcetype=access* status=404 | rename ______

status as "HTTP Status"

________ command retains searched data in a tabulated format

table

Which search would limit an "alert" tag to the "host" field?

tag::host=alert

Exclude a field by using ______ symbol

minus (-)

months

mon, month, months

The instant pivot button is displayed in the statistics and visualization tabs when a _______ search is run.

non-transforming

The instant pivot button is displayed in the statistics and visualization tabs when a _______ search is used.

non-transforming

Field aliases are used to __________ data.

normalize

properties in the _______ file allow you to configure how data is transformed as it is processed.

not alter.conf

What are some of the components installed from the Splunk Enterprise Package?

not indexer search head universal forwarder

The segment of the data pipeline that stores user's knowledge objects is the __________ segment.

not indexing not data input not parsing

Properties in the _______ file allow you to configure how data is transformed as it is processed.

not later

The segment of the data pipeline that stores user's knowledge objects is the _______ segment.

not parsing not data input

false

only Splunk administrators can assign selected fields

In regards to a rename command, once a field is renamed the ______ name is not available to later search commands

original

To keep from overwriting existing fields with your Lookup you can use the ____________ clause.

outputnew

Use _______ to nest boolean searches

parenthesis

Event separation happens during the ________ segment of the data pipeline.

parsing

Event separation happens during the __________ segment of the data pipeline.

parsing

Splunk indexer operation can be divided into two stages:

parsing phase and indexing phase

Which search will return the same events as the search in the searchbar? password failed

password AND failed

False

password fail and "password fail" return the same results

A data model is a framework and ______ is the interface to the data

pivot

9997

port open for indexing

Saved searches are set to ______ by default.

private

quarters

q, qtr, qtrs, quarter, quarters

When creating reports you can edit, clone, embed, and delete under the ______ tab

report

Save visual reports as _______ or _______

report or dashboard panel

iplocation

returns location information such as city country latitude longitude and so on based on IP addresses.

When a search is run, events are returned in _____________.

reverse chronological order

seconds

s, sec, secs, second, seconds

It is suggested that you have a single deployment instance available for _________.

testing and development

all extracted fields

the fields sidebar does NOT show________

true

the following searches will NOT return the same results: search 1 purchase ==== search 2 action=purchase

table

the stats command will create a _______ by default

TZ

the time zone attribute is probably the most forgotten of the group. You will want to set the time zone for each host in your Splunk environment. This will ensure the time is displayed correctly on your search head.

Frozen

this is data that is pushed to a dead media like tape or deleted. There is a thawing process possible if not deleted completely to allow data to be pushed back into higher tier buckets

Hot

this is the directory where all data is written and the most recent data is kept here. Warm - the next tier down, read only and likely still searched

rex

this list clause is used to group the output of a stats command by a specific name

1. treats field values in a case-INsensitive manner 2. allows searching on a keyword

true about Splunk search language

fields -

use this command to control which fields are extracted at search time and to (typically) improve search

inputlookup

use this command to use lookup fields in a search and see the lookup fields in the field sidebar

Finish this search to remove any results that do not contain a value in the product_name field. sourcetype=access_c* status>299 | chart count over host by product_name _______

usenull=f

Which is not a comparison operator in Splunk?

&=

map

A looping operator, performs a search over each search result.

verbose mode

which search mode returns all event and field data?

What is the proper syntax for using a macro called "dostuff" sourcetype=gamelog |

'dostuff'

What is an event

A single entity such as a row in a table. Or, if you have an alert that comes into Splunk, it will be timestamped.

saved search

An alert is an action triggered by a _____________.

alias

An alternate name that you assign to a field, allowing you to use that name to search for events that contain that field.

What is splunk?

An application that ingests machine data, indexes it, and visualizes it for users to

app

An application that runs on Splunk Enterprise and typically addresses several use cases.

What is a pivot?

Any visualization that we create, such as a table or a chart

What is search?

Anything when we're looking for our data

What is machine data?

Data generated by machines, computer processing, application and sensor data

CSV, scripts, geospatial data

External data used by a Lookup can come from sources like:

xmlkv

Extracts XML key-value pairs.

xmlkv

Extracts XML key-value pairs. See Also extract & kvform & multikv & rex

extract and kv

Extracts field-value pairs from search results.

extract and kv

Extracts field-value pairs from search results. See Also kvform & multikv & xmlkv & rex

multikv

Extracts field-values from table-formatted events.

iplocation

Extracts location information from IP addresses.

kvform

Extracts values from search results using a form template.

kvform

Extracts values from search results using a form template. See Also extract & kvform & multikv & xmlkv & rex

false

Using the export function, you can export a maximum of 2000 results

True

Using the export function, you can export an unlimited number of results.

bucket fixing

is the remedial activity that occurs when a peer node goes offline.

Any editing done to .conf files should be done in the _____ directory.

local

Any editing done to .conf files should be done in the ________ directory.

local

Which is not a comparison operator in Splunk?

%=

To escape the "fieldname" value which command would you use? $_________fieldname$

!

Exact Search

"Keyword"

splunk index location

$SPLUNK_HOME/var/lib/splunk

Cold

Rarely searched data, as it has aged or been archived (rolled) to this bucket. While read only and still searchable, this is considered the archive tier.

What does index data do? (3)

1. Collects data 2. Label data with source type 3. Stored in splunk index

Apps in Splunk?

1. Pre-built dashboards, reports, alerts and workflows 2. In-depth data analysis for power users 3. Search & Reporting

Splunk Search Language Syntax

1. Search Terms. 2. Commands. 3. Functions 4. Arguments 5. Clauses

What are the three ways to create visualizations?

1. Select a field from the fields sidebar 2. Use the pivot interface 3. Use the Splunk search language commands in the search bar with statistics and visualization tabs

The seven main components in splunk searching and reporting?

1. Splunk bar 2. App bar 3. Search bar 4. Time range picker 5. How to search panel 6. What to search panel 7. Search History

Best practices to use while searching in Splunk (4)

1. Time is the most efficient filter 2. The more you tell the search, the better your results 3. Inclusion is better than exclusion 4. Filter as early as possible

When logging into Splunk Enterprise for the first time, a username of ______ and a password of ______ are used.

1. admin 2. changeme

Search heads do not require as much ______ as indexers but require more _________.

1. disk space 2. CPU power

The ___________ handle search management while ___________ perform the searches.

1. search heads 2. indexers

How many events are shown by default when using the top or rare command?

10

How many results are shown by default when using a Top or Rare Command?

10

Search jobs are available after ____ minutes by default.

10

Top command returns top ____ results with a count and percentage

10

Splunk indexers and Search Heads on virtual machines should have ____ of the vCPU reserved to them.

100%

A total of ____ cores are recommended per search head.

16

Splunk Enterprise deployment typically has ___ processing tiers.

3

The Search & Reporting App has how many search modes?

3

The Trendline Command requires this many arguments:

3

-60m

60 minutes ago Wednesday, 05 February 2017, 12:37:05 P.M. Equivalent modifiers -60m@s

There are ______ components to the Search and Reporting app's default interface.

7

-7d@d

7 days ago, 1 week ago today Wednesday, 28 January 2017, 12:00:00 A.M.

-7d@m

7 days ago, snap to minute boundary Wednesday, 28 January 2017, 01:37:00 P.M.

SplunkWeb is accessed on port _______ by default.

8000

The default management port for Splunkd is:

8089

Machine data makes up for more than _____% of the data accumulated by organizations.

90

Which is not a comparison operator in Splunk?

?=

This symbol is used in the "Advanced" section of the time range picker to round down to nearest unit of specified time.

@

nix

A Splunk Enterprise term that describes any Unix or Linux-based system.

command-line tool

A Splunk utility that can be run from the command-line interface (CLI) to troubleshoot a Splunk Enterprise deployment.

What is the dashboard

A collection of pivots

conditional routing

A data routing scenario where a forwarder selectively sends event data to receivers based on patterns in the event data.

bloom filter

A data structure that you use to test whether an element is a member of a set.

500 - 1000 clients, even more than this, and it depends on the periodicity and the size of the bundles to deploy.

A dedicated deployment server can handle how many clients ?

calculated field

A field that represents the output of an eval expression.

bucket

A file system directory containing a portion of a Splunk Enterprise index.

blacklist

A filtering rule that excludes one or more members from a set.

map

A looping operator performs a search over each search result.

table, chart or visualization based on a datamodel set

A pivot table is a _______

True

A power user can allow read/write permissions on a report

constantly running in the background

A real-time alert is __________

alert action

A response, such as an email notification or webhook, to alert triggering or report completion.

What is a forwarder

A script that sends data from a device to the splunk device

10

A search job will remain active for ___ minutes after it is run.

base search

A search on which you can base multiple similar searches.

Common Information Model (CIM)

A set of preconfigured data models that you can apply to your data at search time.

Build Event Type utility

A tool which dynamically creates event types based on the analysis of a selected event.

add-on

A type of app that runs on the Splunk platform and provides specific capabilities to other apps, such as getting data in, mapping data, or providing saved searches and macros. An add-on is not typically run as a standalone app. Instead, an add-on is a reusable component that supports other apps across a number of different use cases.

adaptive response action

A type of custom alert action that conforms to the common action model.

Automatic key value field

A type of field extraction that uses the KV_MODE attribute in props.conf to automatically extract fields for events associated with a specific host, source, or source type.

capability

A user action within Splunk Enterprise.

Adding child data model objects is like the ______ Boolean in the Splunk search language.

AND

You can think of adding child data model objects as an _________ Boolean in the Splunk search language.

AND

________boolean is used if none is implied.

AND

List the three booleans

AND OR NOT

rest

Access a REST endpoint and display the returned entities as search results.

Splunk Cloud

All the power of Splunk Enterprise, delivered as a service. Runs in an Amazon Web Services (AWS) GovCloud-Splunk Cloud solution hosted in a secure environment for the public sector. 1.33X more expensive, but it's in the cloud and support is included.

The time range picker is set to _________ by default.

All-time

What does the time range picker do?

Allow search by preset times, relative times. Real time (earliest, latest), date range. Retrieve events over a specific time period.

Search Macros _______________

Allow you to store entire search strings, including pipes and eval statements. Are time range independent. Can pass arguments to the search.

Search head

Allows users to use the Splunk search language to search the index data. Search heads handle search requests from users and distribute requests to the indexers which perform the actual searches on the data. Search heads then consolidate and enrich the results from the indexers before returning them to the user.

erex

Allows you to specify example or counter example values to automatically extract fields that have similar values.

erex

Allows you to specify example or counter example values to automatically extract fields that have similar values. See Also extract & kvform & multikv & regex & rex & xmlkv

In the following search, what should the empty argument contain? sourcetype=linux_secure | iplocation ______

An IP address.

append

Appends subsearch results to current results.

append

Appends subsearch results to current results. See Also appendcols & appendcsv & join & set.

appendcols

Appends the fields of the subsearch results to current results: first results to first result, second to second, and so on.

appendcols

Appends the fields of the subsearch results to current results: first results to first result, second to second, etc. See Also append & appendcsv & join & set.

appendcols

Appends the fields of the subsearch results to current results: first results to first result, second to second, etc.

appendpipe

Appends the result of the subpipeline applied to the current result set to results.

appendpipe

Appends the result of the subpipeline applied to the current result set to results. See Also append & appendcols & join & set.

Statistical

Any search that returns these values can be viewed as a chart

frozenTimePeriodInSecs

Attributes in indexes.conf to freeze data when it grows too old?

What attributes can be added to an object?

Auto-Extracted Eval Expression Lookup Regular Expression Geo IP

Use a _______ for searching a string with quotes in the string.

Backslash. Example: info="user "chrisV4" not in database" becomes info="user \"chrisV4\" not in database"

@w0

Beginning of the current week Sunday, 02 February 2017, 12:00:00 A.M.

rtorder

Buffers events from real-time search to emit them in ascending time order when possible.

contingency

Builds a contingency table for two fields.

contingency and counttable and ctable

Builds a contingency table for two fields.

counttable

Builds a contingency table for two fields.

ctable

Builds a contingency table for two fields.

contingency and counttable and ctable

Builds a contingency table for two fields. See Also associate correlate

Splunk Sale Stages

Business Qualification Technical Interlock Champion Tested Proof Completed Mutually Agreed Closed Plan

Time for Search Job

By default will remain active for 10 minutes

What is the most efficient way to filter events in Splunk?

By time

What is the most efficient way to filter events in Splunk?

By time.

eval

Calculates an expression and puts the value into a field. See Functions for eval and where in the Splunk Enterprise Search Reference.

eval

Calculates an expression and puts the value into a field. See Functions for eval and where in the Splunk Enterprise Search Reference. See Also where

relevancy

Calculates how well the event matches the query.

mstats

Calculates statistics for the measurement metric_name and dimension fields in metric indexes. See Also stats

correlate

Calculates the correlation between different fields.

correlate

Calculates the correlation between different fields. See Also associate & contingency

typer

Calculates the eventtypes for the search results.

typer

Calculates the eventtypes for the search results. See Also typelearner

Commands that Create Statistics and Visualizations

Called Transforming Commands which transform data into data tables.

Monitor & Alert

Can Monitor infrastructure in real time to identify issues, problems, and attacks before they impact customers and services. Create alerts and automatically respond with a variety of actions.

Field Aliases ___________________

Can be referenced by lookup tables. Are applicable to a specified app context. Make correlation easier.

Field names are ________.

Case sensitive

highlight

Causes Splunk Web to highlight specified terms.

________ are searches gathered together in a single pane of glass.

Dashboards

_____________ are reports gathered together into a single pane of glass.

Dashboards

3 Things Search can produce

Dashboards, Reports and Visualization to assist the search experience.

Splunk IT Service Intelligence

Data Driven service insight for root cause isolation and improved service operations Complimentary Product. Customers must have an equivalent license of Core Splunk (same GB Volume)

Splunk User Behavior Analytics (UBA)

Detect cyber-attacks and insider threats using data science, machine learning, behavior baselines, peer group analytics, and advanced correlation. Licensing: number of authorized users (the number of users or system accounts in Microsoft AD, Lightweight Directory Access Protocol (LDAP) or a similar service that is used to authenticate users inside the network). Needs to be sold with content subscription packs.

rare

Displays the least common values of a field.

rare

Displays the least common values of a field. See Also stats & top

top

Displays the most common values of a field.

top

Displays the most common values of a field. See Also rare & stats

DMC stands for

Distributed Management Console

No, it only filters the results

Does narrowing the time range by dragging the selection bars across the timeline re-execute the search?

timestamp, host, source, sourcetype

Each event has these field value pairs.

This search action button "Job V" does what?

Edit job settings, send job to background, inspect and delete job.

sendemail

Emails search results either inline or as an attachment to one or more specified email addresses.

sendemail

Emails search results to a specified email address.

sendemail

Emails search results, either inline or as an attachment, to one or more specified email addresses

sendemail

Emails search results, either inline or as an attachment, to one or more specified email addresses.

x11

Enables you to determine the trend in your data by removing the seasonal pattern.

x11

Enables you to determine the trend in your data by removing the seasonal pattern. See Also predict

predict

Enables you to use time series algorithms to predict future values of fields.

predict

Enables you to use time series algorithms to predict future values of fields. See Also x11

searches with relative time modifiers.

Example 1: Web access errors from the beginning of the week to the current time of your search (now). eventtype=webaccess error earliest=@w0 This search returns matching events starting from 12:00 A.M. of the Sunday of the current week to the current time. Of course, this means that if you run this search on Monday at noon, you will only see events for 36 hours of data.

Example 2: Web access errors from the current business week (Monday to Friday). eventtype=webaccess error earliest=@w1 latest=+7d@w6 This search returns matching events starting from 12:00 A.M. of the Monday of the current week and ending at 11:59 P.M. of the Friday of the current week. If you run this search on Monday at noon, you will only see events for 12 hours of data. Whereas, if you run this search on Friday, you will see events from the beginning of the week to the current time on Friday. The timeline, however, will display for the full business week.

Example 3: Web access errors from the last full business week. eventtype=webaccess error earliest=-7d@w1 latest=@w6 This search returns matching events starting from 12:00 A.M. of last Monday and ending at 11:59 P.M. of last Friday.

exim_main

Exim MTA mainlog

exim_reject

Exim reject log

mvexpand

Expands the values of a multivalue field into separate events for each value of the multivalue field.

mvexpand

Expands the values of a multivalue field into separate events for each value of the multivalue field. See Also mvcombine & makemv & nomv

Clauses

Explain how we want the results grouped or defined.

Functions

Explain how we want to chart, compute, and evaluate the results.

The bucket lifecycle includes the following stages:
Hot - Contains newly indexed data and is open for writing. For each index, there are one or more hot buckets available.
Warm - Data rolled from hot.
Cold - Data rolled from warm.
Frozen - Data rolled from cold. The indexer deletes frozen data by default, but users can also archive it.
Thawed - Data restored from an archive. If you archive frozen data, you can later return it to the index by thawing (defrosting) it.

Explain the bucket lifecycle.

fieldformat

Expresses how to render a field at output time without changing the underlying value. See Also eval & where

A license violation causes all data to stop being indexed.

False

Adding more machines no matter the hardware will make your deployment perform better.

False

After a report is saved, you can no longer edit the search.

False

mvfilter(X)

Filters a multivalue field based on an arbitrary Boolean expression X.
Basic example: the following returns all of the values in field email that end in .net or .org.
... | eval n=mvfilter(match(email, "\.net$") OR match(email, "\.org$"))

Search

Find values across multiple sources, allowing you to analyze them and run statistics.

anomalousvalue

Finds and summarizes irregular or uncommon search results.

anomalousvalue

Finds and summarizes irregular or uncommon search results. See Also analyzefields & anomalies & cluster & kmeans & outlier.

arules

Finds association rules between field values.

arules

Finds association rules between field values. See Also associate & correlate.

mvfind(MVFIELD,"REGEX")

Finds the index of a value in a multivalue field that matches the REGEX.
Basic example:
... | eval n=mvfind(mymvfield, "err\d+")

searchtxn

Finds transaction events within specified search constraints.

searchtxn

Finds transaction events within specified search constraints. See Also transaction

status as "HTTP Status"

Finish the rename command to change the name of the status field to HTTP Status. sourcetype=a* status=404 | rename _______

Scales from Desktop to Enterprise

Flexible data engine that scales to index terabytes of data per day and permits thousands of users to concurrently search petabytes of data

______ how we want to deal with results (ex. list) (components of search language)

Functions

This workflow action passes variables in a URL.

GET

geostats

Generate statistics which are clustered into geographical bins to be rendered on a world map.

geostats

Generate statistics which are clustered into geographical bins to be rendered on a world map. See Also stats & xyseries

findtypes

Generates a list of suggested event types. See Also typer

fieldsummary

Generates summary information for all or a subset of the fields. See Also af & anomalies & anomalousvalue & stats

gentimes

Generates time-range results.

External data used by a Lookup can come from sources like:

Geospatial data
CSV files
Scripts

Reverse chronological order (newest first)

In what chronological order are events displayed, after a search?

Authentication.conf is used to add LDAP groups.

In which file do we need to add LDAP group details for authentication? Authorize.conf or Authentication.conf?

authorize.conf

In which files are role mappings done?

A group of indexers configured to replicate each other's data is called a ________.

Index Cluster

5 Main components of Splunk ES

Index Data, Search & investigate, Add knowledge, Monitor & Alert, Report & Analyze.

How does Splunk help with Machine Data?

Index Data, Search and Investigate, Add Knowledge, Monitor and Alert, and Report & Analyze

A server acting as a ___________ requires the same hardware as a single deployment server.

Indexer

Search requests are processed by the ____________.

Indexer

Search requests are processed by?

Indexers

3 Main Splunk Processing Components

Indexers, Search Heads, and Forwarders.

Events are written to disk during the _______ segment of the data pipeline.

Indexing

Parsing and Indexing are both part of the ____ processing tier.

Indexing

Single Instance Deployment Splunk Instance

Input, Parsing, Indexing and Searching

Having separate indexes allows:

Multiple retention policies
Ability to limit access
Faster searches

!=

Multivalued field values that don't exactly match "foo". Example: field!=foo

=

Multivalued field values that exactly match "foo". Example: field=foo

access_combined

NCSA combined format http web server logs (can be generated by apache or other web servers)

access_combined

NCSA combined format http web server logs (can be generated by apache or other web servers).
Example:
10.1.1.43 - webdev [08/Aug/2005:13:18:16 -0700] "GET / HTTP/1.0" 200 0442 "-" "check_http/1.10 (nagios-plugins 1.4)"

access_combined_wcookie

NCSA combined format http web server logs (can be generated by apache or other web servers) with cookie field added at end

access_combined_wcookie

NCSA combined format http web server logs (can be generated by apache or other web servers), with cookie field added at end.
Example:
"66.249.66.102.1124471045570513" 59.92.110.121 - - [19/Aug/2005:10:04:07 -0700] "GET /themes/splunk_com/images/logo_splunk.png HTTP/1.1" 200 994 "http://www.splunk.org/index.php/docs" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.8) Gecko/20050524 Fedora/1.0.4-4 Firefox/1.0.4" "61.3.110.148.1124404439914689"

access_common

NCSA common format http web server logs (can be generated by apache or other web servers)

access_common

NCSA common format http web server logs (can be generated by apache or other web servers).
Example:
10.1.1.140 - - [16/May/2005:15:01:52 -0700] "GET /themes/ComBeta/images/bullet.png HTTP/1.1" 404 304

Using _____ and ____ (symbols) would return the same results.

NOT, !=

Would the ip column be removed in the results of this search? Why or why not?

No, because the name was changed

Would the clientip column be removed in the results of this search? Why or why not? sourcetype=access* | rename clientip as "user" | table user status | fields - clientip

No, because the name was changed.

Search Booleans

Not, Or, And. Add parentheses: Keyword1 NOT (Keyword2 OR Keyword3)

now

Now, the current time. Example: Wednesday, 05 February 2017, 01:37:05 P.M. = now

>=

Numerical field values that are greater than or equal to x. Example: field>=x

>

Numerical field values that are greater than x. Example: field>x

<=

Numerical field values that are less than or equal to x. Example: field<=x

<

Numerical field values that are less than x. Example: field<x

Which is not a comparison operator in Splunk?

OR

Difference between relative time and relative snap to time

On April 28th, you decide to run a search at 14:05. If you specify earliest=-2d, the search goes back exactly two days, starting at 14:05 on April 26th. If you specify earliest=-2d@d, the search goes back to two days and snaps to the beginning of the day. The search looks for events starting from 00:00 on April 26th.

Files indexed using the upload input option get indexed _____.

Once

False

Once an alert is created, you can no longer edit its defining search. T/F

1. Add the report to a dashboard
2. Open the report and edit it
3. Accelerate slow-running reports

Once you create a report you can

-mon@mon+7d

One month ago, snapped to the first of the month at midnight, and add 7 days. Resulting time: the 8th of last month at 12 A.M.

A Splunk user does what?

Only sees their own knowledge objects and those shared with them.

Universal Machine Data Platform

Open, extensible platform delivering integrated, end-to-end data collection, management and analysis

Indexer

Processes incoming data, storing it in indexes as events. As the indexer indexes data, it creates a number of files in directories organized by age (time).

spath

Provides a straightforward means for extracting fields from structured data formats XML and JSON.

spath

Provides a straightforward means for extracting fields from structured data formats, XML and JSON. See Also xpath

App Key Value Store

Provides a way to save and retrieve data within your Splunk apps as collections of key-value pairs, letting you manage and maintain the state of your apps and store additional information.

Reports

Provides reports and dashboards, empowering groups in the organization by giving them the information they need, organized into a single pane.

stats

Provides statistics grouped optionally by fields. See Functions for stats chart and timechart in the Splunk Enterprise Search Reference.

stats

Provides statistics grouped optionally by fields. See Statistical and charting functions in the Splunk Enterprise Search Reference.

stats

Provides statistics, grouped optionally by fields. See Functions for stats, chart, and timechart in the Splunk Enterprise Search Reference. See Also eventstats & top & rare

bin and discretize

Puts continuous numerical values into discrete sets.

bin and discretize

Puts continuous numerical values into discrete sets. See Also chart and timechart.

What is missing from this search? sourcetype=acc* status=404 | rename clientip as "User ID" | table User ID status host

Quotation marks around User ID

_______ object is the main source of data

Root

foreach

Run a templatized streaming subsearch for each field in a wildcarded field list. See Also eval

multisearch

Run multiple streaming searches at the same time. See Also append & join

returns a fresh result set

Running a scheduled saved report ___________

script and run

Runs an external Perl or Python script as part of your search.

join

SQL-like joining of results from the main results pipeline with the results from the subpipeline.

join

SQL-like joining of results from the main results pipeline with the results from the subpipeline. See Also selfjoin & appendcols

mvzip(X,Y,"Z")

Takes two multivalue fields, X and Y, and combines them by stitching together the first value of X with the first value of field Y, then the second with the second, and so on. The third argument, Z, is optional and is used to specify a delimiting character to join the two values. The default delimiter is a comma.
Basic example:
... | eval nserver=mvzip(hosts,ports)

Commands

Tells Splunk what we want to do with search results, such as creating charts, computing statistics, and formatting.

If you want to format values without changing their characteristics, which would you use?

The fieldformat command.

Alerting IS NOT A COMMAND

Use the above command to email the results of a search.

fields -

Use this command to exclude fields used in the search to make the results easier to read.

Which roles can create Private Knowledge Objects?

User, Power, Admin

concurrency

Uses a duration field to find the number of "concurrent" events for each event. See Also timechart

alerts

Uses a saved search to look for events in real time or on a schedule.

Batch - Use batch to set up a one time, destructive input of data from a source. For continuous, non-destructive inputs, use monitor. Remember, after the batch input is indexed, Splunk Enterprise deletes the file.

Which stanza can be used to destroy a file after reading the file?[ fschange, monitor, batch, destroy ]

avg

Which stats function would you use to find the average value of a field?

label

Which tag is not part of implementing a drilldown?

query

Which tag is used for the search string in Simple XML for a dashboard?

fieldset

Which tag is used to create an input in a form in Simple XML?

Parsing stage

While parsing, Splunk extracts a set of default fields for each event, such as host, source, and sourcetype.

True

Wildcards can be used with field value searches

End User Role

Will only see their own knowledge objects and those shared with them.

This is an example of a search using __________. sourcetype=access_combined

a field value pair

app manifest

a file generated by the Packaging Toolkit to describe a Splunk app, including dependencies and input groups.

Which clause would you use to rename the count field?

as

Which clause would you use to rename the count field? sourcetype=vendor_sales | stats count(linecount) ______ "Units Sold"

as

Which stats function would you use to find the average value of a field?

avg

transforming commands

Commands that create statistics or visualizations are called ____.

Which of these is NOT a main component of Splunk?

compress and archive

Raw data in an index is stored in a ________ form.

compressed

For exact time ranges, the syntax for the time modifiers is %m/%d/%Y:%H:%M:%S. For example, the following search specifies a time range from 12 A.M. October 19, 2016 to 12 A.M. October 27, 2016.

earliest=10/19/2016:0:0:0 latest=10/27/2016:0:0:0

The _______ folder inside the Splunk Enterprise installation directory contains licenses and configuration files.

etc

In a dashboard, a time range picker will only work on panels that include a(n) __________ search.

inline

Finish this search command so that it displays data from the http_status.csv Lookup file.

inputlookup

Finish this search command so that it displays data from the http_status.csv lookup file. | __________ http_status.csv

inputlookup

Finish this search to return unlimited results. sourcetype=access_combined action=purchase | rare product_name _________

limit=0

It is a best practice to ____________ forwarders across all indexers in a search peer group.

load balance

Exact phrases use ______.

quotes

two types of splunk indexes

raw data (full log files)
index files (key keywords from logs)

The server that data is forwarded to is called the ______________.

receiver

false

This command returns an unlimited number of results. Search: error | top host limit=9999

Keeping ____ synchronized across your deployment makes sure events are returned in the proper order.

time

Limiting search by ___________ is key to faster results and is a best practice

time

Use _____ for searches

time

The timestamp seen in events is based on the ______ setting in the user account profile.

time zone

You can also define the relative time modifier using only the snap to time unit.

To snap to a specific day of the week, use @w0 for Sunday, @w1 for Monday, and so forth. For Sunday, you can specify either w0 or w7.

To display the most common values in a specific field, what command would you use?

top

To display the most common values in a specific field, what command would you use? sourcetype=vendor_sales | ______ Vendor

top

These fields can launch a quick report by clicking on them (4)

top values, top values by time, rare values, events with this field

This command allows you to correlate related events on a field or list of fields that span time.

transaction

Commands that create statistics or visualizations are called ____________.

transforming commands

A summary index is used to give fast results for reports/dashboards. You can store the results of any scheduled/saved search in a summary index, so that searches run against the reduced data in the summary index.

What is a summary index in Splunk?

1. Create the lookup table
2. Define the lookup
3. Configure the lookup to run automatically

What is the correct order of steps for creating a new lookup?

statistical values

When a search returns _________, you can view the results as a list.

*

Which character acts as a wildcard in the Splunk search language?

Rename

Which is not a valid option when editing a report?

forwarders

Which of the following are responsible for collecting data and sending it for further processing?

search head

Which of the following are responsible for dispatching a search request?

indexers

Which of the following are responsible for parsing incoming data and storing data on disk?

sourcetype=access_* | stats max(bytes)

Which of the following will show the maximum bytes?

accounting response for TradeID

Which of the following would match this search? SEARCH: "accounting response"

admin

Which role can create data models?

admin

Which role defines what apps a user will see by default?

smart

Which search mode automatically decides how to return fields based on your search?

When using the search below, what axis would time be on? sourcetype=vendor_sales | timechart count(linecount)

x

years

y, yr, yrs, year, years
