Splunk 6 Knowlede Manager, Splunk Certification, Splunk Power Users Certification – Flashcards
Unlock all answers in this set
Unlock answersquestion
Matching search terms are ________ in Splunk search results.
answer
highlighted
question
Which of the following search controls will re-run the search?
answer
zoom out
question
Default fields are added to every event in Splunk at INDEX time. (True or False)
answer
true SOURCE: http://docs.splunk.com/Documentation/Splunk/6.2.0/Data/Aboutdefaultfields "The fields that Splunk adds automatically are known as default fields."
question
These are the default selected fields.
answer
host, source and sourcetype SOURCE: http://docs.splunk.com/Documentation/Storm/Storm/User/Usefieldstosearch "Notice that default fields host, source, and sourcetype are selected"
question
These 2 searches will return exactly the same results; SEARCH 1: user=ROOT SEARCH2: USER=ROOT (True or False)
answer
false
question
Splunk alerts CANNOT be based on real-time searches. (True or False)
answer
false SOURCE: http://docs.splunk.com/Splexicon:Realtimealert "An alert that is based on a real-time search."
question
Running a saved report ________.
answer
returns a fresh result set.
question
Which of the following actions is not a valid option for reports?
answer
rename
question
Once you have defined the rows in the pivot editor you can also split the columns to add fields to the resulting table. (True or False)
answer
true SOURCE: http://docs.splunk.com/Documentation/Splunk/6.2.0/PivotTutorial/Createandsavepivot
question
The following searches will return the same result: SEARCH 1: 404 SEARCH 2: status=404. (True or False)
answer
false
question
This command allows you to break multi-line events into individual events at search time.
answer
multikv
question
By default, the top command returns the top _______ values.
answer
10
question
Which of the following searches will show the number of bytes used by each host?
answer
sourcetype=*memorylog* | stats sum(bytes) by host SOURCE: http://docs.splunk.com/Documentation/Splunk/6.2.0/SearchReference/Stats
question
These kinds of charts represent a series in a single bar with multiple sections.
answer
split series SOURCE: http://answers.splunk.com/answers/6317/multiple-searches-on-one-chart.html
question
Hovering over a VALUE IN THE CHART LEGEND, ________.
answer
highlights the field value across the chart
question
What is wrong with this search? SEARCH: usage=Violation | timechart count(usage)
answer
nothing it is a valid search
question
What is wrong with this search command? COMMAND: sourcetype=cisco_w* | stats count by s_hostname where count > 20
answer
missing | before where SOURCE: http://answers.splunk.com/answers/87000/variable-where-clause.html
question
What is wrong with this eval command? COMMAND: | eval usage = if(usage = Business, Business, Other)
answer
the argument must be enclosed in quotes SOURCE: http://answers.splunk.com/answers/87652/eval-macro-with-string-argument.html
question
Which if the following commands is more efficient and better supported by MapReduce.
answer
stats SOURCE: http://answers.splunk.com/answers/53748/alternative-to-transaction-command.html
question
If a field in a lookup table represents a(n) _______, you can create a time based lookup.
answer
timestamp SOURCE: docs.splunk.com/Documentation/Splunk/latest/User/CreateAndConfigureFieldLookups "if the field matching depends on time information (a field in the lookup table that represents the timestamp)."
question
If you have selected to 'accelerate' a search but it is not currently viable to do so, Splunk will continue to check periodicallyy and automatically build the summary once it is appropriate. (True or False)
answer
true SOURCE: http://docs.splunk.com/Documentation/Splunk/6.1.3/Knowledge/Manageacceleratedsearchsummaries#How_reports_qualify_for_acceleration "If you define a summary and Splunk Enterprise does not create it because these conditions are met, it continues to periodically check to see if conditions improve"
question
If a field alias is required for multiple source types _______.
answer
only one field alias needs to be created SOURCE: http://answers.splunk.com/answers/2605/field-aliasing-using-host-tags.html
question
_______ normalize field/value pairs, whereas ________ normalizes fields with similar data and different field names.
answer
field aliases, tags
question
Calculated fields do not require special syntax, they can be used in searches like any other extracted field. (True or False)
answer
true
question
SEARCH workflow action can use a different time range than the original search.
answer
True SOURCE: http://docs.splunk.com/Splexicon:Workflowaction "Launch secondary Splunk searches that use one or more field values from selected events."
question
When the search criteria will not change you should us a(n) _________.
answer
report
question
A macro _______ contain a search within its destination.
answer
can SOURCE: http://docs.splunk.com/Documentation/Splunk/6.2.0/Search/Usesearchmacros#Create_search_macros_in_Splunk_Web "Your search macro can be any chunk of your search string or search command pipeline that you want to re-use as part of another search. "
question
It is not possible to have a data model that includes only transaction objects.
answer
False
question
Object ______ are a set of fields associated with the data set.
answer
attributes SOURCE: http://docs.splunk.com/Splexicon:Attribute "An object's attributes are fields that are associated with the dataset that the object represents."
question
Pivot users cannot use child objects, they must use a parent object. (True or False)
answer
false SOURCE: http://docs.splunk.com/Documentation/Splunk/6.2.0/Knowledge/Aboutdatamodels "Your Pivot users can then use these child objects to design reports with datasets that already have extraneous data prefiltered out."
question
Attributes can be defined using EVAL expressions. (True or False)
answer
true SOURCE: http://docs.splunk.com/Splexicon:Attribute "Eval expression: A field derived from an eval expression. Definitions for these attributes often involve one or more auto-extracted fields. "
question
Splunk _______ can create custom roles.
answer
administrators SOURCE:http://docs.splunk.com/Documentation/Splunk/latest/Security/Aboutusersandroles "admin: this role is intended for administrators who will manage all or most of the users, objects, and configuration and comes predefined with the most assigned capabilities."
question
This field in an event specifies the NAME of the input file or stream.
answer
source SOURCE: http://docs.splunk.com/Splexicon:Source "source consists of the full pathname of the file or directory"
question
These are displayed at the end of each event in the search results.
answer
selected fields SOURCE: http://docs.splunk.com/Documentation/Storm/Storm/User/Usefieldstosearch "The selected fields are displayed under your search results if they exist in that particular event."
question
The splunk search language supports the *wildcard. (True or False)
answer
true SOURCE: http://dev.splunk.com/web_assets/developers/pdf/splunk_reference.pdf "wildcards (e.g., fail* will match fail, fails, failure, etc.)"
question
The time range specified for a real time search defines the ______.
answer
amount of data shown on the timeline as data streams in in SOURCE: http://docs.splunk.com/Splexicon:Realtimesearch "Time bounds for real-time searches are constantly updating"
question
You must have at least this role to share your knowledge objects.
answer
power user SOURCE: http://docs.splunk.com/Documentation/WebLog/1.0/User/Sharefieldextractions "By default only the Admin and Power roles can set permissions for knowledge objects"
question
Field discovery occurs at ______ time.
answer
search SOURCE: http://docs.splunk.com/Splexicon:Fielddiscovery "The process by which Splunk Enterprise recognizes and extracts key=value pairs from event data at search time"
question
The fields sidebar ______. Select all that apply
answer
Displays the list of selected fields. Can be used to create a quick chart of top values by time Can be used to see the top values in a field Displays the list of interesting fields
question
This search user=* ______.
answer
display only events that contain a value for a user
question
Which of the following is the correct way to use a tag X in a search?
answer
tag=X SOURCE: http://www.splunk.com/view/SP-CAAAGYJ SOURCE: http://docs.splunk.com/Splexicon:Tag "You could tag these values "homeoffice" and then search on tag=homeoffice to find all the events with field values that have the homeoffice tag."
question
Alerts can be defined to trigger only when a certain number of unique sources are returned.
answer
true SOURCE: http://docs.splunk.com/Documentation/Splunk/latest/Alert/Definescheduledalerts Section: "Basic conditional alert"
question
______ represent a set of events in the hierarchical structure.
answer
data model objects SOURCE: http://docs.splunk.com/Splexicon:Datamodelobjectc "Data model objects are hierarchical. They are arranged in parent-child relationships."
question
Which of the following would match this search? Select all that apply. SEARCH: "web error"
answer
there is an error there is a web request
question
Search terms are case ______.
answer
sensitive
question
Internal fields such as _raw and _time must be specifically removed with the fields - command; simply not including them in the fields + does not exclude them from extraction. (True or False)
answer
true SOURCE: http://docs.splunk.com/Splexicon:Internalfield "A default field that contains general information about the events that Splunk Enterprise indexed"
question
This command allows you to extract fields at search time; these fields do not persist as knowledge objects.
answer
erex SOURCE: http://docs.splunk.com/Documentation/Splunk/5.0.3/SearchReference/Erex "Automatically extracts field values similar to the example values. "
question
The 'as' clause can be used with this command.
answer
stats SOURCE: http://docs.splunk.com/Documentation/Splunk/6.2.0/SearchReference/Stat Example. stats (stats-function(field) [as field])+ [by field-list]
question
This search command returns an unlimited number of results. SEARCH: error | top host limit = 0
answer
true (spaces?) SOURCE: http://answers.splunk.com/answers/52583/setting-top-limit-to-display-all-fields.html "Specifies how many tuples to return, "0" returns all values. Default is "10"."
question
Which of the following searches returns a SINGLE VALUE representing the number of items purchaes?
answer
sourcetype=access_* action=purchase | stats count
question
When a search returns ______, you can view the results as a chart.
answer
statistical values SOURCE: http://docs.splunk.com/Documentation/Splunk/6.2.0/SearchReference/Stats
question
When using a split series on a chart, the series MUST be displayed using the STACKED option. (True or False)
answer
false
question
By default, the timechart command plots time on the ______.
answer
x-axis SOURCE: http://docs.splunk.com/Documentation/Splunk/6.2.0/SearchReference/Timechart "Create a chart for a statistical aggregation applied to a field against time as the x-axis"
question
This command converts results into a format suitable for graphing.
answer
xyseries SOURCE: http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Xyseries "Converts results into a format suitable for graphing."
question
This function can be used with the eval command to reduce the number of decimal points displayed.
answer
round SOURCE: http://answers.splunk.com/answers/8046/rounding-decimal-places.html "You can use round as follows"
question
Results from the transaction command can include events from multiple applications or hosts. (True or False)
answer
true SOURCE: http://docs.splunk.com/Splexicon:Transaction "A group of conceptually-related events that spans time."
question
The command shown here does which of the following? COMMAND: | inputlookup products.csv
answer
displays the data in a lookup file products.csv SOURCE: http://docs.splunk.com/Documentation/Splunk/6.2.0/SearchReference/Inputlookup "Loads search results from a specified lookup table. The name of the lookup file (must end with .csv or .csv.gz)."
question
There are cases where splunk allows you to accelerate a search, but a summary is not created. (True or False)
answer
false SOURCE: http://docs.splunk.com/Splexicon:Reportacceleration SOURCE: http://docs.splunk.com/Documentation/Splunk/6.2.0/Knowledge/Aboutsummaryindexing "Report acceleration is similar to summary indexing, in that it accelerates searches building a separate summary of the data"
question
Users can create objects that are shared across ALL apps. Select all that apply.
answer
power users administrators SOURCE: http://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Manageknowledgeobjectpermissions "By default, only users with a power or admin role can share and promote knowledge objects"
question
Which action is not valid for field aliases?
answer
rename
question
When several source types contain a field with similar data, use ______ to make correlation easier.
answer
field aliases SOURCE: http://docs.splunk.com/Splexicon:Alias "You can use field aliasing to normalize different field names to one name and simplify searching for those related fields."
question
Field extractions created using ______ are re-usable in multiple searches.
answer
Interactive field extractor (IFX) SOURCE: http://docs.splunk.com/Documentation/Splunk/6.2.0/Knowledge/ExtractfieldsinteractivelywithIFX "After you save this input, you can enter the Field Extractor and extract fields from the events associated with the vendors source type. "
question
This workflow action uses fields from the results in a secondary search.
answer
GET SOURCE: http://docs.splunk.com/Splexicon:Workflowaction SOURCE: http://docs.splunk.com/Documentation/Splunk/6.2.0/Knowledge/CreateworkflowactionsinSplunkWeb#Set_up_a_GET_workflow_action "allowing you to pass information to an external web resource, such as a search engine or IP lookup service"
question
The eventtype field can be added as a selected field. (True or False)
answer
true
question
A macro ______ contain commands within its definition.
answer
can SOURCE: http://docs.splunk.com/Documentation/Splunk/6.2.0/Search/Usesearchmacros#Create_search_macros_in_Splunk_Web "Your search macro can be any chunk of your search string or search command pipeline that you want to re-use as part of another search. "
question
5 Main components of Splunk ES
answer
Index Data, Search & investigate, Add knowledge, Monitor & Alert, Report & Analyze.
question
What does index data do? (3)
answer
1. Collects data 2. Label data with source type 3. Stored in splunk index
question
Three main roles in splunk? (3)
answer
Admin, Power, User
question
An admin does what?
answer
Install apps, create knowledge objects for all users (what apps a user will see by default)
question
A power user does what?
answer
Creates and shares knowledge objects for users of app, real-time searches
question
A Splunk user does what?
answer
Only see own knowledge objects and those shared to them.
question
Apps in Splunk?
answer
1. Pre-built dashboards, reports, alerts and workflows 2. In-depth data analysis for power users 3. Search & Reporting
question
What does the search and reporting app do in splunk?
answer
Creates knowledge objects, reports, and dashboards
question
The seven main components in splunk searching and reporting?
answer
1. Splunk bar 2. App bar 3. Search bar 4. Time range picker 5. How to search panel 6. What to search panel 7. Search History
question
What does the time range picker do?
answer
Allow search by preset times, relative times. Real time (earliest, latest), date range. Retrieve events over a specific time period.
question
Limiting search by ___________ is key to faster results and is a best practice
answer
time
question
The time range picker is set to _________ by default.
answer
All-time
question
Search jobs are available after ____ minutes by default.
answer
10
question
________ commands create statistics and visualizations.
answer
Transforming
question
________ tab is default tab for searches
answer
Event
question
What are the three main search modes?
answer
Fast, Verbose, and Smart
question
_______ mode discovery off for event searches. No event or field data for stats searches.
answer
Fast
question
______ mode all events and field data; switches to this mode after visualization
answer
Verbose
question
______ mode (default-based on search string data). Field discovery ON for event searches. No event or field data for stats searches.
answer
Smart
question
This search action button "Job V" does what?
answer
Edit job settings, send job to background, inspect and delete job.
question
Saved searches are set to ______ by default.
answer
private
question
Timestamp seen in events is based on______setting in user account profile
answer
time zone
question
List the three booleans
answer
AND OR NOT
question
________boolean is used if none is implied.
answer
AND
question
Exact phrases use______
answer
quotes
question
Use a _______ for searching a string with quotes in the string.
answer
Backslash Example: info="user "chrisV4" not in database" info="user"chrisV4" not in database "
question
Three default search fields automatically selected?
answer
Source, Host, Sourcetype
question
_______ sidebar shows all field extracted at search time.
answer
Fields
question
_______ Fields appear in event, default-host, sourcetype, source
answer
Selected
question
_______ fields have values in at least 20% of the events
answer
Interesting
question
Clicking on a field shows a list of _______, ________, and ________.
answer
values, count, and percentage
question
These fields can launch a quick report by clicking on them (4)
answer
top values, top values by time, rare values, events with this field
question
Use ______ to limit search to only one sourcetype
answer
sourcetype=
question
Field names _____ case sensitive- Values _______ case sensitive
answer
are, are not
question
The field operators are used with numerical string values (symbols)
answer
= != -->
question
These symbols are only used with numerical values?
answer
> >= <
question
Using _____ and ____ (symbols) would return the same results.
answer
NOT, !=
question
Use _______ to nest boolean searches
answer
parenthesis
question
______ is better than exclusion
answer
inclusion
question
Use _____ for searches
answer
time
question
When creating reports you can edit, clone, embed, and delete under the ______ tab
answer
report
question
What are search commands used for?
answer
Creating charts, computing statistics, and formatting
question
Top command returns top ____ results with a count and percentage
answer
10
question
What are the three ways to create visualizations?
answer
1. Select a field from the fields sidebar 2. Use the pivot interface 3. Use the Splunk search language commands in the search bar with statistics and visualization tabs
question
Save visual reports as _______ or _______
answer
report or dashboard pannel
question
Dashboards are searches gathered together and can use _______input or ________ visualization
answer
form or custom
question
________ is an action that a saved search triggers based on the results of the search
answer
Alert
question
________ designs reports in simple interface without having to craft a search string
answer
Pivot
question
Default time for pivot is ______
answer
all the time
question
Data model is framework and ______ is interface to the data
answer
pivot
question
________ interface is the total amount of purchases, documentation actions, job actions, tools to filter/slice up data, and a side bar?
answer
Pivot
question
_______ object is the main source of data
answer
Root
question
_______ object acts like an AND boolean
answer
Child
question
_________ pivot allows instant access to data without having a data model
answer
Instant
question
Alerts combine a _______ search.
answer
Saved
question
The alerts use a _______ search to check for events.
answer
saved
question
Adjust the ______ type to configure how often the search runs
answer
alert
question
Use ________ alert to check for events on a regular basis
answer
Scheduled
question
_______ alert to monitor for events continuously
answer
Real-time
question
A _______ action can notify you of a triggered alert and help you start responding to it
answer
alert
question
Search terms include (6)
answer
Keywords, booleans, phrases, fields, wildcards, and comparisons.
question
Comparison symbols
answer
=, !=, , >=
question
______ is the most efficient filter
answer
Time
question
Best practices to use while searching in Splunk (4)
answer
1. Time is the most efficient filter 2. More you tell search the better your results 3. Inclusion is better than exclusion 4. Filter as early as possible
question
_____ are case insensitive. (components of search language)
answer
Search terms
question
______ tell Splunk what we want to do with results (ex. stats) (components of search language)
answer
Commands
question
______how we want to deal with results (ex. list) (components of search language)
answer
Functions
question
______ variables to apply to function (ex. Product name) (components of search language)
answer
Arguments
question
_______ how we want results defined. (components of search language)
answer
Clauses
question
_____ is used to pass current results to the next component
answer
Pipe
question
_________ command works from left to right
answer
Search
question
Once and item is filtered _____ it is no longer available in the search string
answer
Out
question
_____ command include or exclude fields from search results.
answer
Fields
question
Exclude a field by using ______ symbol
answer
minus (-)
question
Primary fields _______ and _______ will always be extracted, but can also be removed by using the minus symbol
answer
_time & _raw
question
Field_____happens after field______only affecting displayed results.
answer
exclusion, extraction
question
________ command retains searched data in a tabulated format
answer
table
question
In regards to a rename command, once a field is renamed the ______ name is not available to later search commands
answer
original
question
This command removes events with duplicate values
answer
Dedup
question
This command displays results in ascending or descending order.
answer
Sort
question
This command combine fields from external sources to searched events, based on event field
answer
Lookup
question
This command produces statistics of a search result
answer
Stats command
question
This command shows number of events matching search criteria
answer
Stats count
question
This command is the sum of numerical value
answer
Stats Sum command
question
This is a command that preforms stats aggregation against time
answer
Timechart command
question
___ split data by an additional field
answer
by
question
Usenull = _____ will remove NULL values
answer
f
question
Admin, Power, User
answer
Out of the box there are 3 main roles
question
Click Data Summary in the Searching & Reporting app
answer
How can you view all sourcetypes?
question
Host, Sources, and Sourcetypes on separate tabs
answer
What is shown in the Data Summary?
question
The local timezone set in your profile.
answer
What timezone is data displayed for, in searches?
question
insensitive
answer
Search terms are case sensitive or insensitive?
question
AND, OR, NOT
answer
What booleans are supported in splunk search?
question
!=
answer
Symbol for "does not equal"
question
Reverse chronological order (newest first)
answer
In what chronological order are events displayed, after a search?
question
timestamp, host, source, sourcetype
answer
Each event has these field value pairs.
question
s
answer
Time range abbreviations for seconds
question
m
answer
Time range abbreviations for minutes
question
h
answer
Time range abbreviations for hours
question
d
answer
Time range abbreviations for days
question
w
answer
Time range abbreviations for weeks
question
mon
answer
Time range abbreviations for months
question
y
answer
Time range abbreviations for year
question
-5m@m
answer
Current search time is 09:37:12. What is the time range equation to search back 5 minutes on the minute?
question
earliest and latest eg: earliest=-h latest=@d
answer
What are the commands for specifying a time range in a search string?
question
No, it only filters the results
answer
Does narrowing the time range by dragging the selection bars across the timeline re-execute the search?
question
CSV, XML, JSON
answer
What formats may search results be exported to?
question
Instead of returning all the results, from a search, it returns a random sampling of events.
answer
What does "event sampling" do?
question
Each event, found in a search, has a 1 in 100, or 1% change of being included in the sample result set.
answer
What does an event sample of 1:100 indicate?
question
searchable key/value pairs from event data.
answer
What is a Field?
question
Based on sourcetype and key/value pairs found in the data.
answer
How does Splunk discover fields?
question
20% of events have these fields present in them.
answer
What percentage of search results have the fields listed under "Interesting Fields"?
question
Fast, Smart, Verbose
answer
What are the three search modes?
question
Smart
answer
What is the default search mode?
question
Case sensitive
answer
Field names are case sensitive or insensitive?
question
True
answer
True/False: Splunk is subnet/CIDR aware for IP fields?
question
Returns everything except the events matching the NOT boolean
answer
How does NOT affect search results?
question
One or more panels displaying data visually in a useful way.
answer
What is a dashboard?
question
rename
answer
What command changes the name of a field in search?
question
When including spaces or special characters
answer
When should quotes be used around values in search?
question
fields
answer
What command allows you to include/exclude fields in your search?
question
+ (include) occurs before field extraction and improves performance - (exclude) occurs after field extraction, and no performance improvement
answer
What is the difference between +/- with the fields command?
question
The limit option e.g: | sort limit=20 -categoryID, product_name
answer
How can you reduce the returned results with the sort command?
question
top
answer
What command finds the most common values of a given field?
question
10
answer
How many results are returned by the top command, by default?
question
count & percent
answer
What two columns are automatically returned by the top command?
question
limit (limit=0 returns unlimited results)
answer
What option changes the number of results returned by the top command?
question
rare
answer
What command returns the least common field values?
question
stats
answer
What command allows you to calculate statistics on data that matches your search criteria?
question
as
answer
What option allows you to rename fields, within the stats command?
question
list
answer
What stats command shows all field values for a given field?
question
values
answer
What stats command shows all unique field values for a given field?
question
chart or timechart
answer
To get multi-series tables you need to set up the underlying search with commands like...
question
line, area, column, bar, bubble, scatter, pie
answer
What are the seven chart types?
question
tostring
answer
What eval command allows you to format for currency?
question
transaction
answer
What command allows you to create a single event from a group of events that share the same value in a given field?
question
1,000
answer
Max events displayed by transaction command
question
case_sensitive_match
answer
What is the transforms.conf flag to switch whether or not a lookup field value is case-sensitive or not?
question
Field Aliases
answer
What is a way to normalize data over any default field?
question
Tags
answer
What are nicknames that you create for related field/value pairs?
question
Settings > Tags > List by field value pair
answer
Where can you view a list of all Tags?
question
Event Type
answer
A method of categorizing events based on a search
question
Workflow Actions
answer
What may be run from an event in your search results to interact with external resources or run another search?
question
GET
answer
Workflow action to pass information to an external web resource.
question
POST
answer
Workflow action to send field values to an external resource.
question
Search
answer
Workflow action to use field values to perform a secondary search.
question
backticks
answer
Macros must be surrounded with what character?
question
events, searches, transactions
answer
What three datasets make up a Data Model?
question
Common Information Model (CIM)
answer
What tool provides a methodology to normalize data?
