Splunk Certification Questions and Answers Already Passed
Q: 5 main components of Splunk ES
A: Index Data, Search & Investigate, Add Knowledge, Monitor & Alert, Report & Analyze.

Q: What does index data do? (3)
A: 1. Collects data 2. Labels data with source type 3. Stores it in a Splunk index

Q: Three main roles in Splunk? (3)
A: Admin, Power, User

Q: An admin does what?
A: Installs apps, creates knowledge objects for all users (what apps a user will see by default)

Q: A power user does what?
A: Creates and shares knowledge objects for users of an app, real-time searches

Q: A Splunk user does what?
A: Only sees own knowledge objects and those shared to them.

Q: Apps in Splunk?
A: 1. Pre-built dashboards, reports, alerts and workflows 2. In-depth data analysis for power users 3. Search & Reporting

Q: What does the Search and Reporting app do in Splunk?
A: Creates knowledge objects, reports, and dashboards

Q: The seven main components in Splunk searching and reporting?
A: 1. Splunk bar 2. App bar 3. Search bar 4. Time range picker 5. How to search panel 6. What to search panel 7. Search History

Q: What does the time range picker do?
A: Allows search by preset times, relative times, real time (earliest, latest), date range. Retrieves events over a specific time period.

Q: Limiting search by ___________ is key to faster results and is a best practice.
A: time

Q: The time range picker is set to _________ by default.
A: All time

Q: Search jobs are available after ____ minutes by default.
A: 10

Q: ________ commands create statistics and visualizations.
A: Transforming

Q: ________ tab is the default tab for searches.
A: Events

Q: What are the three main search modes?
A: Fast, Verbose, and Smart

Q: _______ mode: field discovery off for event searches. No event or field data for stats searches.
A: Fast

Q: ______ mode: all events and field data; switches to this mode after visualization.
A: Verbose

Q: ______ mode (default, based on search string data): field discovery ON for event searches. No event or field data for stats searches.
A: Smart

Q: The search action button "Job" does what?
A: Edit job settings, send job to background, inspect and delete job.

Q: Saved searches are set to ______ by default.
A: private

Q: Timestamp seen in events is based on ______ setting in user account profile.
A: time zone

Q: List the three booleans.
A: AND OR NOT

Q: ________ boolean is used if none is implied.
A: AND

Q: Exact phrases use ______.
A: quotes

Q: Use a _______ for searching a string with quotes in the string.
A: Backslash. Example: info="user \"chrisV4\" not in database"

Q: Three default search fields automatically selected?
A: Source, Host, Sourcetype

Q: _______ sidebar shows all fields extracted at search time.
A: Fields

Q: _______ fields appear in the event; default: host, sourcetype, source.
A: Selected

Q: _______ fields have values in at least 20% of the events.
A: Interesting

Q: Clicking on a field shows a list of _______, ________, and ________.
A: values, count, and percentage

Q: These fields can launch a quick report by clicking on them (4).
A: top values, top values by time, rare values, events with this field

Q: Use ______ to limit search to only one sourcetype.
A: sourcetype=

Q: Field names _____ case sensitive; values _______ case sensitive.
A: are, are not

Q: The field operators used with numerical and string values (symbols)?
A: = !=

Q: These symbols are only used with numerical values?
A: > >= < <=

Q: Using _____ and ____ (symbols) would return the same results.
A: NOT, !=

Q: Use _______ to nest boolean searches.
A: parentheses

Q: ______ is better than exclusion.
A: inclusion

Q: Use _____ for searches.
A: time

Q: When creating reports you can edit, clone, embed, and delete under the ______ tab.
A: report

Q: What are search commands used for?
A: Creating charts, computing statistics, and formatting

Q: Top command returns top ____ results with a count and percentage.
A: 10

Q: What are the three ways to create visualizations?
A: 1. Select a field from the fields sidebar 2. Use the pivot interface 3. Use the Splunk search language commands in the search bar with the statistics and visualization tabs

Q: Save visual reports as _______ or _______.
A: report or dashboard panel

Q: Dashboards are searches gathered together and can use _______ input or ________ visualization.
A: form or custom

Q: ________ is an action that a saved search triggers based on the results of the search.
A: Alert

Q: ________ designs reports in a simple interface without having to craft a search string.
A: Pivot

Q: Default time for pivot is ______.
A: all time

Q: Data model is the framework and ______ is the interface to the data.
A: pivot

Q: ________ interface shows the total amount of purchases, documentation actions, job actions, tools to filter/slice up data, and a sidebar?
A: Pivot

Q: _______ object is the main source of data.
A: Root

Q: _______ object acts like an AND boolean.
A: Child

Q: _________ pivot allows instant access to data without having a data model.
A: Instant

Q: Alerts combine a _______ search.
A: Saved

Q: The alerts use a _______ search to check for events.
A: saved

Q: Adjust the ______ type to configure how often the search runs.
A: alert

Q: Use ________ alert to check for events on a regular basis.
A: Scheduled

Q: _______ alert to monitor for events continuously.
A: Real-time

Q: A _______ action can notify you of a triggered alert and help you start responding to it.
A: alert

Q: Search terms include (6)
A: Keywords, booleans, phrases, fields, wildcards, and comparisons.

Q: Comparison symbols
A: =, !=, <=, >, >=

Q: ______ is the most efficient filter.
A: Time

Q: Best practices to use while searching in Splunk (4)
A: 1. Time is the most efficient filter 2. The more you tell search, the better your results 3. Inclusion is better than exclusion 4. Filter as early as possible

Q: _____ are case insensitive. (components of search language)
A: Search terms

Q: ______ tell Splunk what we want to do with results (ex. stats). (components of search language)
A: Commands

Q: ______ how we want to deal with results (ex. list). (components of search language)
A: Functions

Q: ______ variables to apply to a function (ex. product name). (components of search language)
A: Arguments

Q: _______ how we want results defined. (components of search language)
A: Clauses

Q: _____ is used to pass current results to the next component.
A: Pipe

Q: _________ command works from left to right.
A: Search

Q: Once an item is filtered _____ it is no longer available in the search string.
A: Out

Q: _____ command includes or excludes fields from search results.
A: Fields

Q: Exclude a field by using the ______ symbol.
A: minus (-)

Q: Primary fields _______ and _______ will always be extracted, but can also be removed by using the minus symbol.
A: _time & _raw

Q: Field _____ happens after field ______, only affecting displayed results.
A: exclusion, extraction

Q: ________ command retains searched data in a tabulated format.
A: table

Q: In regards to a rename command, once a field is renamed the ______ name is not available to later search commands.
A: original

Q: This command removes events with duplicate values.
A: Dedup

Q: This command displays results in ascending or descending order.
A: Sort

Q: This command combines fields from external sources with searched events, based on an event field.
A: Lookup

Q: This command produces statistics of a search result.
A: Stats command

Q: This command shows the number of events matching search criteria.
A: Stats count

Q: This command is the sum of a numerical value.
A: Stats sum command

Q: This is a command that performs stats aggregation against time.
A: Timechart command

Q: ___ splits data by an additional field.
A: by

Q: usenull=_____ will remove NULL values.
A: f
Written for
- Institution
- Splunk Certification
- Course
- Splunk Certification
Document information
- Uploaded on
- 7 April 2023
- Number of pages
- 12
- Written in
- 2022/2023
- Type
- Exam (worked answers)
- Contains
- Questions and answers