SPLUNK CORE CERTIFIED POWER USER PRACTICE TEST-3 - Results


What is a Splunk Job? (Select all that apply.)
A. A user-defined Splunk capability.
B. Searches that are subjected to some usage quota.
C. A search process kicked off via a report or an alert.
D. A child OS process manifested from the splunkd process.

C. A search process kicked off via a report or an alert. (Correct)
D. A child OS process manifested from the splunkd process. (Correct)

Which of the following data models are included in the Splunk Common Information Model (CIM) add-on? (Choose all that apply.)
A. Alerts
B. Email
C. Databases
D. User permissions

A. Alerts (Correct)
B. Email (Correct)
C. Databases (Correct)
Explanation: Splunk CIM Add-on data models:
- Alerts
- Application State
- Authentication
- Certificates
- Change Analysis
- CIM Validation (S.o.S)
- Databases
- Email
- Interprocess Messaging
- Intrusion Detection
- Inventory
- Java Virtual Machines (JVM)
- Malware
- Network Resolution (DNS)
- Network Sessions
- Network Traffic
- Performance
- Splunk Audit Logs
- Ticket Management
- Updates
- Vulnerabilities
- Web

Data model fields can be added using the Auto-Extracted method. Which of the following statements describe Auto-Extracted fields? (Choose all that apply.)
A. Auto-Extracted fields can be hidden in Pivot.
B. Auto-Extracted fields can have their data type changed.
C. Auto-Extracted fields can be given a friendly name for use in Pivot.
D. Auto-Extracted fields can be added if they already exist in the dataset with constraints.

A. Auto-Extracted fields can be hidden in Pivot. (Correct)
B. Auto-Extracted fields can have their data type changed. (Correct)
C. Auto-Extracted fields can be given a friendly name for use in Pivot. (Correct)
D. Auto-Extracted fields can be added if they already exist in the dataset with constraints. (Correct)
Explanation: Adding fields (Auto-Extracted):
- Hidden: the field is not displayed to Pivot users when they select the dataset in Pivot.
- Auto-Extracted fields can have their data type changed (string, number, boolean, IPv4).
- The field can be given a friendly name for use in Pivot.
- Fields that already exist for the constraint can be added as attributes to the data model.

What is the relationship between data models and pivots?
A. Data models provide the datasets for pivots.
B. Pivots and data models have no relationship.
C. Pivots and data models are the same thing.
D. Pivots provide the datasets for data models.

A. Data models provide the datasets for pivots. (Correct)
Explanation: Data models provide the datasets for Pivot.

Which of the following statements about event types is true? (Choose all that apply.)
A. Event types can be tagged.
B. Event types must include a time range.
C. Event types categorize events based on a search.
D. Event types can be a useful method for capturing and sharing knowledge.

A. Event types can be tagged. (Correct)
C. Event types categorize events based on a search. (Correct)
D. Event types can be a useful method for capturing and sharing knowledge. (Correct)
Explanation: Event types
- Categorize events based on a search string.
- Can be tagged to organize data into categories and to group similar types of events.
- The eventtype field can be included in a search string.
- Do not include a time range.
- A useful method for capturing and sharing institutional knowledge.

The eval command allows you to do which of the following? (Choose all that apply.)
A. Format values
B. Convert values
C. Perform calculations
D. Use conditional statements

A. Format values (Correct)
B. Convert values (Correct)
C. Perform calculations (Correct)
D. Use conditional statements (Correct)
Explanation: Use the eval command to:
- Perform calculations
- Convert values
- Round values
- Format values
- Use conditional statements

Which of the following is a function of the Splunk Common Information Model (CIM)?
A. Normalizing data across a Splunk deployment.
B. Providing templates for reports and dashboards.
C. Algorithmically shifting events to other indexes.
D. Reingesting previously indexed data with new field names.

A. Normalizing data across a Splunk deployment. (Correct)
Explanation: The Splunk Common Information Model (CIM) provides a methodology to normalize data. Leverage the CIM when creating field extractions, field aliases, event types, and tags to ensure:
- Multiple apps can co-exist on a single Splunk deployment
- Object permissions can be set to global for the use of multiple apps
- Easier and more efficient correlation of data from different sources and source types
The Common Information Model Add-on is based on the idea that you can break down most log files into two components:
- fields
- event category tags

When using the timechart command, how can a user group the events into buckets based on time?
A. Using the span argument.
B. Using the duration argument.
C. Using the interval argument.
D. Adjusting the fieldformat options.

A. Using the span argument. (Correct)
Explanation: The timechart command "buckets" the values of the _time field. This provides dynamic sampling intervals based on the time range of the search. Example defaults:
- Last 60 minutes uses span=1m
- Last 24 hours uses span=30m
Adjust the interval using the span argument, e.g. span=15m. Search query example:
index=security sourcetype=linux_secure vendor_action=* | timechart span=15m count by vendor_action

What does the transaction command do?
A. Groups a set of transactions based on time.
B. Creates a single event from a group of events.
C. Separates two events based on one or more values.
D. Returns the number of credit card transactions found in the event logs.

B. Creates a single event from a group of events. (Correct)
Explanation: transaction command
- The transaction command creates a single event from a group of events.
- The events must share the same value in a specified field.
- Transactions can cross multiple tiers such as web servers or application servers.
- For example, you can easily view the events for JSESSIONID:
index=web sourcetype=access_combined | transaction JSESSIONID

What does the following search do?
index=corndog type=mysterymeat action=eaten | stats count as corndog_count by user
A. Creates a table of the total count of users and split by corndogs.
B. Creates a table of the total count of mysterymeat corndogs split by user.
C. Creates a table with the count of all types of corndogs eaten split by user.
D. Creates a table that groups the total number of users by vegetarian corndogs.

B. Creates a table of the total count of mysterymeat corndogs split by user. (Correct)

Which of the following statements describe the search string below?
| datamodel Application_State All_Application_State search
A. Events will be returned from dataset named Application_State.
B. Events will be returned from the data model named Application_State.
C. Events will be returned from the data model named All_Application_State.
D. No events will be returned because the pipe should occur after the datamodel command.

B. Events will be returned from the data model named Application_State. (Correct)
Explanation: Syntax:
| datamodel [data model name] [dataset name] [search mode {search, flat, accelerate_search}]

Which of the following statements describes field aliases?
A. Field alias names replace the original field name.
B. Field aliases can be used in lookup file definitions.
C. Field aliases only normalize data across sources and sourcetypes.
D. Field alias names are not case sensitive when used as part of a search.

B. Field aliases can be used in lookup file definitions. (Correct)
Explanation: Field aliases
- A way to normalize data over any default field (host, source or sourcetype)
- Multiple aliases can be applied to one field
- Applied after field extractions, before lookups
- Can be referenced by a lookup
- When you create a field alias, the original field is not affected
- Both fields appear in the All Fields and Interesting Fields lists if they appear in at least 20% of events
- Field aliases are case sensitive, as field names are case sensitive

Which of the following statements is true, especially in large environments?
A. Use the stats command when you need to group events by two or more fields.
B. The stats command is faster and more efficient than the transaction command.
C. The transaction command is faster and more efficient than the stats command.
D. Use the transaction command when you want to see the results of a calculation.

B. The stats command is faster and more efficient than the transaction command. (Correct)
Explanation: transaction vs. stats
- When you have a choice, use stats: it's faster and more efficient, especially in large Splunk environments.
- Use stats when you want to see the results of a calculation, or can group events based on a field value (e.g., by src_ip).
- By default, there's a limit of 1,000 events per transaction; no such limit applies to stats. Admins can change the limit by configuring max_events_per_bucket in limits.conf.
- Only use transaction when you need to see events correlated together, or must define event grouping based on start/end values or segment on time.

Which of the following searches would return a report of sales by product_name?
A. chart sales by product_name
B. chart sum(price) as sales by product_name
C. stats sum(price) as sales over product_name
D. timechart list(sales), values(product_name)

B. chart sum(price) as sales by product_name (Correct)
Explanation: Learners can try this in a Splunk practice lab. You can download a trial version of Splunk from https://www.splunk.com/en_us/download. Download the lab practice data from the link below:
https://docs.splunk.com/Documentation/Splunk/9.0.1/SearchTutorial/Systemrequirements Download_the_tutorial_data_files
- Download the tutorialdata.zip file.
- Download the Prices.csv.zip file.
- Do not uncompress the files at this time.

In most large Splunk environments, what is the most efficient command that can be used to group events by fields?
A. join
B. stats
C. streamstats
D. transaction

B. stats (Correct)
Explanation: transaction vs. stats
- When you have a choice, use stats: it's faster and more efficient, especially in large Splunk environments.
- Only use transaction when you need to see events correlated together, or must define event grouping based on start/end values or segment on time.
- Use stats when you want to see the results of a calculation, or can group events based on a field value (e.g., by src_ip).
- By default, there's a limit of 1,000 events per transaction; no such limit applies to stats. Admins can change the limit by configuring max_events_per_bucket in limits.conf.

Which type of visualization shows relationships between discrete values in three dimensions?
A. Pie chart
B. Line chart
C. Bubble chart
D. Scatter chart

C. Bubble chart (Correct)
Explanation: A bubble chart provides a visual way to view a three-dimensional series. Each bubble plots against two dimensions on the X and Y axes. The size of the bubble represents the value for the third dimension.

Which of the following statements describes the use of the Field Extractor (FX)?
A. The Field Extractor automatically extracts all fields at search time.
B. The Field Extractor uses PERL to extract fields from the raw events.
C. Fields extracted using the Field Extractor persist as knowledge objects.
D. Fields extracted using the Field Extractor do not persist and must be defined for each search.

C. Fields extracted using the Field Extractor persist as knowledge objects. (Correct)
Explanation: In addition to the many fields Splunk auto-extracts, you can also extract your own fields with the Field Extractor (FX).
- Use FX to extract fields that are static and that you use often in searches.
- Graphical UI: extract fields from events using a regex or a delimiter.
- Extracted fields persist as knowledge objects.
- They can be shared and re-used in multiple searches.

Which statement is true?
A. Pivot is used for creating datasets.
B. Data models are randomly structured datasets.
C. Pivot is used for creating reports and dashboards.
D. In most cases, each Splunk user will create their own data model.

C. Pivot is used for creating reports and dashboards. (Correct)
Explanation: Data models are hierarchically structured datasets that generate searches and drive Pivot.
- Pivot reports are created based on datasets.
- Pivot is used for creating reports and dashboards.
- As a knowledge manager, you're responsible for building the data model that provides the datasets for Pivot.

Which workflow uses field values to perform a secondary search?
A. POST
B. Action
C. Search
D. Sub-search

C. Search (Correct)
Explanation: Execute workflow actions from an event in your search results to interact with external resources or run another search.
- GET: retrieve information from an external resource
- POST: send field values to an external resource
- Search: use field values to perform a secondary search

The Field Extractor (FX) is used to extract a custom field. A report can be created using this custom field. The created report can then be shared with other people in the organization. If another person in the organization runs the shared report and no results are returned, why might this be? (Choose all that apply.)
A. Fast mode is enabled.
B. The dashboard is private.
C. The extraction is private.
D. The person in the organization running the report does not have access to the index.

C. The extraction is private. (Correct)
D. The person in the organization running the report does not have access to the index. (Correct)

Which of the following statements describes Search workflow actions?
A. By default, Search workflow actions will run as a real-time search.
B. Search workflow actions can be configured as scheduled searches.
C. The user can define the time range of the search when creating the workflow action.
D. Search workflow actions cannot be configured with a search string that includes the transaction command.

C. The user can define the time range of the search when creating the workflow action. (Correct)
Explanation: Creating a Search workflow action
1. Settings > Fields > Workflow actions > New
2. Select the app.
3. Name the workflow action with no spaces or special characters.
4. Define the label, which will appear in the Event Action menu.
5. Determine whether your workflow action applies to a field or an event type.
6. From the "Show action in" dropdown list, select Event menu.
7. From the "Action type" dropdown list, select search.
8. Enter the search string.
9. Select the app if it is different from the current app.
10. Enter the view name where the search will execute.
11. Indicate whether the search should run in a new window or the current window.
12. Enter the time range for the search, or choose to use the same time range as the original search.
13. Save.

Which of the following commands support the same set of functions?
A. stats, eval, table (Incorrect)
B. search, where, eval
C. stats, chart, timechart
D. transaction, chart, timechart

C. stats, chart, timechart (Correct)

Which of the following statements about data models and pivot are true? (Choose all that apply.)
A. They are both knowledge objects.
B. Data models are created out of datasets called pivots.
C. Pivot requires users to input SPL searches on data models.
D. Pivot allows the creation of data visualizations that present different aspects of a data model.

D. Pivot allows the creation of data visualizations that present different aspects of a data model. (Correct)
Explanation: Pivots are used for creating reports and dashboards. First, identify a dataset that you want to report on, and then use a drag-and-drop interface to design and generate pivots that present different aspects of that data in the form of tables, charts, and other visualizations.
- Data models provide the datasets for pivots (makes B invalid).
- The Pivot tool lets you report on a specific dataset without the Splunk Search Processing Language (SPL) (makes C invalid).

What is a limitation of searches generated by workflow actions?
A. Searches generated by workflow actions cannot use macros.
B. Searches generated by workflow actions must be less than 256 characters long.
C. Searches generated by workflow actions must run in the same app as the workflow action.
D. Searches generated by workflow actions run with the same permissions as the user running them.

D. Searches generated by workflow actions run with the same permissions as the user running them. (Correct)
Explanation: Your role and permissions determine your ability to modify an object's settings.

What is the correct syntax to search for a tag associated with a value on a specific field?
A. tag=<field>
B. tag=<field>(<tagname>)
C. tag=<field>::<tagname>
D. tag::<field>=<tagname>

D. tag::<field>=<tagname> (Correct)
Explanation: Searching for tags
- To search for a tag associated with a value: tag=<tagname>, e.g. tag=privileged
- To search for a tag associated with a value on a specific field: tag::<field>=<tagname>, e.g. tag::user=privileged
- To search for a tag using a partial field value, use the (*) wildcard, e.g. tag=p*
Note: tagname in these examples is taken as "privileged".
Ref: https://docs.splunk.com/Documentation/Splunk/8.0.3/Knowledge/TagandaliasfieldvaluesinSplunkWeb
