Splunk Core User Practice Exam Questions and Answers Already Passed
(T/F) It is not possible for a single instance of Splunk to manage the input, parsing and indexing of machine data.
Answer: True

Which search string only returns events from host WWW3?
a. host=*
b. host=WWW3
c. host=WWW*
d. Host=WWW3
Answer: B. host=WWW3

By default, how long does Splunk retain a search job?
a. 15 minutes
b. 1 day
c. 7 days
d. 10 minutes
Answer: d. 10 minutes

What must be done before an automatic lookup can be created? (select all that apply)
a. The lookup file must be uploaded to Splunk.
b. The lookup definition must be created.
c. The lookup command must be used.
d. The lookup file must be verified using the inputlookup command.
Answer: a. The lookup file must be uploaded to Splunk. b. The lookup definition must be created.

Which of the following Splunk components typically resides on the machines where data originates?
a. Search head
b. Forwarder
c. Indexer
d. Deployment server
Answer: b. Forwarder

What determines the scope of data that appears in a scheduled report?
a. All data accessible to all users will appear in the report until the next time the report is run.
b. All data accessible to the User role will appear in the report.
c. All data accessible to the owner of the report will appear in the report.
d. The owner of the report can configure permissions so that the report uses either the User role or the owner's profile at run time.
Answer: d. The owner of the report can configure permissions so that the report uses either the User role or the owner's profile at run time.

When writing searches in Splunk, which of the following is true about Booleans?
a. They must be uppercase.
b. They must be in quotations.
c. They must be in parentheses.
d. They must be lowercase.
Answer: a. They must be uppercase.

Select the answer that displays the accurate placing of the pipe in the following search string: index=security sourcetype=access_* status=200 stats count by price.
a. Index=security sourcetype=access_* | status=200 | stats count by price
b. Index=security sourcetype=access_* status=200 | stats count by price
c. Index=security sourcetype=access_* status=200 | stats count | by price
d. Index=security sourcetype=access_* status=200 stats | count by price
Answer: b. Index=security sourcetype=access_* status=200 | stats count by price

Which of the following constraints can be used with the top command?
a. Addtotals
b. Useperc
c. Limit
d. Fieldcount
Answer: c. Limit

When editing a dashboard, which of the following are possible options? (select all that apply)
a. Drag a dashboard panel to a different location on the dashboard.
b. Modify the chart type displayed in a dashboard panel.
c. Export a dashboard panel.
Written for
- Institution
- Splunk Core
- Course
- Splunk Core
Document information
- Uploaded on
- April 8, 2023
- Number of pages
- 37
- Written in
- 2022/2023
- Type
- Exam (elaborations)
- Contains
- Questions & answers