Splunk 6 Knowledge Manager, Splunk Certification, Splunk Power Users Certification

Matching search terms are ________ in Splunk search results.
highlighted
Which of the following search controls will re-run the search?
zoom out
Default fields are added to every event in Splunk at INDEX time. (True or False)
true

SOURCE: http://docs.splunk.com/Documentation/Splunk/6.2.0/Data/Aboutdefaultfields
“The fields that Splunk adds automatically are known as default fields.”

These are the default selected fields.
host, source and sourcetype

SOURCE: http://docs.splunk.com/Documentation/Storm/Storm/User/Usefieldstosearch
“Notice that default fields host, source, and sourcetype are selected”

These 2 searches will return exactly the same results; SEARCH 1: user=ROOT SEARCH 2: USER=ROOT (True or False)
false
Splunk alerts CANNOT be based on real-time searches. (True or False)
false

SOURCE: http://docs.splunk.com/Splexicon:Realtimealert
“An alert that is based on a real-time search.”

Running a saved report ________.
returns a fresh result set.
Which of the following actions is not a valid option for reports?
rename
Once you have defined the rows in the pivot editor you can also split the columns to add fields to the resulting table. (True or False)
true

SOURCE: http://docs.splunk.com/Documentation/Splunk/6.2.0/PivotTutorial/Createandsavepivot

The following searches will return the same result: SEARCH 1: 404 SEARCH 2: status=404. (True or False)
false
This command allows you to break multi-line events into individual events at search time.
multikv
By default, the top command returns the top _______ values.
10
Which of the following searches will show the number of bytes used by each host?
sourcetype=*memorylog* | stats sum(bytes) by host

SOURCE: http://docs.splunk.com/Documentation/Splunk/6.2.0/SearchReference/Stats

These kinds of charts represent a series in a single bar with multiple sections.
split series

SOURCE: http://answers.splunk.com/answers/6317/multiple-searches-on-one-chart.html

Hovering over a VALUE IN THE CHART LEGEND, ________.
highlights the field value across the chart
What is wrong with this search? SEARCH: usage=Violation | timechart count(usage)
nothing it is a valid search
What is wrong with this search command? COMMAND: sourcetype=cisco_w* | stats count by s_hostname where count > 20
missing | before where

SOURCE: http://answers.splunk.com/answers/87000/variable-where-clause.html

What is wrong with this eval command? COMMAND: | eval usage = if(usage = Business, Business, Other)
the argument must be enclosed in quotes

SOURCE: http://answers.splunk.com/answers/87652/eval-macro-with-string-argument.html

Which of the following commands is more efficient and better supported by MapReduce?
stats

SOURCE: http://answers.splunk.com/answers/53748/alternative-to-transaction-command.html

If a field in a lookup table represents a(n) _______, you can create a time based lookup.
timestamp

SOURCE: docs.splunk.com/Documentation/Splunk/latest/User/CreateAndConfigureFieldLookups
“if the field matching depends on time information (a field in the lookup table that represents the timestamp).”

If you have selected to ‘accelerate’ a search but it is not currently viable to do so, Splunk will continue to check periodically and automatically build the summary once it is appropriate. (True or False)
true

SOURCE: http://docs.splunk.com/Documentation/Splunk/6.1.3/Knowledge/Manageacceleratedsearchsummaries#How_reports_qualify_for_acceleration
“If you define a summary and Splunk Enterprise does not create it because these conditions are met, it continues to periodically check to see if conditions improve”

If a field alias is required for multiple source types _______.
only one field alias needs to be created

SOURCE: http://answers.splunk.com/answers/2605/field-aliasing-using-host-tags.html

_______ normalize field/value pairs, whereas ________ normalizes fields with similar data and different field names.
field aliases, tags
Calculated fields do not require special syntax, they can be used in searches like any other extracted field. (True or False)
true
A SEARCH workflow action can use a different time range than the original search. (True or False)
True

SOURCE: http://docs.splunk.com/Splexicon:Workflowaction
“Launch secondary Splunk searches that use one or more field values from selected events.”

When the search criteria will not change you should use a(n) _________.
report
A macro _______ contain a search within its definition.
can

SOURCE: http://docs.splunk.com/Documentation/Splunk/6.2.0/Search/Usesearchmacros#Create_search_macros_in_Splunk_Web
“Your search macro can be any chunk of your search string or search command pipeline that you want to re-use as part of another search. “

It is not possible to have a data model that includes only transaction objects.
False
Object ______ are a set of fields associated with the data set.
attributes

SOURCE: http://docs.splunk.com/Splexicon:Attribute
“An object’s attributes are fields that are associated with the dataset that the object represents.”

Pivot users cannot use child objects, they must use a parent object. (True or False)
false

SOURCE: http://docs.splunk.com/Documentation/Splunk/6.2.0/Knowledge/Aboutdatamodels
“Your Pivot users can then use these child objects to design reports with datasets that already have extraneous data prefiltered out.”

Attributes can be defined using EVAL expressions. (True or False)
true

SOURCE: http://docs.splunk.com/Splexicon:Attribute
“Eval expression: A field derived from an eval expression. Definitions for these attributes often involve one or more auto-extracted fields. “

Splunk _______ can create custom roles.
administrators

SOURCE: http://docs.splunk.com/Documentation/Splunk/latest/Security/Aboutusersandroles
“admin: this role is intended for administrators who will manage all or most of the users, objects, and configuration and comes predefined with the most assigned capabilities.”

This field in an event specifies the NAME of the input file or stream.
source

SOURCE: http://docs.splunk.com/Splexicon:Source
“source consists of the full pathname of the file or directory”

These are displayed at the end of each event in the search results.
selected fields

SOURCE: http://docs.splunk.com/Documentation/Storm/Storm/User/Usefieldstosearch
“The selected fields are displayed under your search results if they exist in that particular event.”

The Splunk search language supports the * wildcard. (True or False)
true

SOURCE: http://dev.splunk.com/web_assets/developers/pdf/splunk_reference.pdf
“wildcards (e.g., fail* will match fail, fails, failure, etc.)”

The time range specified for a real time search defines the ______.
amount of data shown on the timeline as data streams in

SOURCE: http://docs.splunk.com/Splexicon:Realtimesearch
“Time bounds for real-time searches are constantly updating”

You must have at least this role to share your knowledge objects.
power user

SOURCE: http://docs.splunk.com/Documentation/WebLog/1.0/User/Sharefieldextractions
“By default only the Admin and Power roles can set permissions for knowledge objects”

Field discovery occurs at ______ time.
search

SOURCE: http://docs.splunk.com/Splexicon:Fielddiscovery
“The process by which Splunk Enterprise recognizes and extracts key=value pairs from event data at search time”

The fields sidebar ______. (Select all that apply.)
Displays the list of selected fields.
Can be used to create a quick chart of top values by time
Can be used to see the top values in a field
Displays the list of interesting fields
This search user=* ______.
display only events that contain a value for a user
Which of the following is the correct way to use a tag X in a search?
tag=X

SOURCE: http://www.splunk.com/view/SP-CAAAGYJ
SOURCE: http://docs.splunk.com/Splexicon:Tag
“You could tag these values “homeoffice” and then search on tag=homeoffice to find all the events with field values that have the homeoffice tag.”

Alerts can be defined to trigger only when a certain number of unique sources are returned.
true

SOURCE: http://docs.splunk.com/Documentation/Splunk/latest/Alert/Definescheduledalerts
Section: “Basic conditional alert”

______ represent a set of events in the hierarchical structure.
data model objects

SOURCE: http://docs.splunk.com/Splexicon:Datamodelobjectc
“Data model objects are hierarchical. They are arranged in parent-child relationships.”

Which of the following would match this search? Select all that apply. SEARCH: “web error”
there is an error
there is a web request
Search terms are case ______.
sensitive
Internal fields such as _raw and _time must be specifically removed with the fields - command; simply not including them in fields + does not exclude them from extraction. (True or False)
true

SOURCE: http://docs.splunk.com/Splexicon:Internalfield
“A default field that contains general information about the events that Splunk Enterprise indexed”

This command allows you to extract fields at search time; these fields do not persist as knowledge objects.
erex

SOURCE: http://docs.splunk.com/Documentation/Splunk/5.0.3/SearchReference/Erex
“Automatically extracts field values similar to the example values. “

The ‘as’ clause can be used with this command.
stats

SOURCE: http://docs.splunk.com/Documentation/Splunk/6.2.0/SearchReference/Stat
Example: stats (stats-function(field) [as field])+ [by field-list]

This search command returns an unlimited number of results. SEARCH: error | top host limit = 0
true (spaces?)

SOURCE: http://answers.splunk.com/answers/52583/setting-top-limit-to-display-all-fields.html
“Specifies how many tuples to return, “0” returns all values. Default is “10”.”

Which of the following searches returns a SINGLE VALUE representing the number of items purchased?
sourcetype=access_* action=purchase | stats count
When a search returns ______, you can view the results as a chart.
statistical values

SOURCE: http://docs.splunk.com/Documentation/Splunk/6.2.0/SearchReference/Stats

When using a split series on a chart, the series MUST be displayed using the STACKED option. (True or False)
false
By default, the timechart command plots time on the ______.
x-axis

SOURCE: http://docs.splunk.com/Documentation/Splunk/6.2.0/SearchReference/Timechart
“Create a chart for a statistical aggregation applied to a field against time as the x-axis”

This command converts results into a format suitable for graphing.
xyseries

SOURCE: http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Xyseries
“Converts results into a format suitable for graphing.”

This function can be used with the eval command to reduce the number of decimal points displayed.
round

SOURCE: http://answers.splunk.com/answers/8046/rounding-decimal-places.html
“You can use round as follows”

Results from the transaction command can include events from multiple applications or hosts. (True or False)
true

SOURCE: http://docs.splunk.com/Splexicon:Transaction
“A group of conceptually-related events that spans time.”

The command shown here does which of the following? COMMAND: | inputlookup products.csv
displays the data in a lookup file products.csv

SOURCE: http://docs.splunk.com/Documentation/Splunk/6.2.0/SearchReference/Inputlookup
“Loads search results from a specified lookup table. The name of the lookup file (must end with .csv or .csv.gz).”

There are cases where Splunk allows you to accelerate a search, but a summary is not created. (True or False)
false

SOURCE: http://docs.splunk.com/Splexicon:Reportacceleration
SOURCE: http://docs.splunk.com/Documentation/Splunk/6.2.0/Knowledge/Aboutsummaryindexing
“Report acceleration is similar to summary indexing, in that it accelerates searches building a separate summary of the data”

Users can create objects that are shared across ALL apps. Select all that apply.
power users
administrators

SOURCE: http://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Manageknowledgeobjectpermissions
“By default, only users with a power or admin role can share and promote knowledge objects”

Which action is not valid for field aliases?
rename
When several source types contain a field with similar data, use ______ to make correlation easier.
field aliases

SOURCE: http://docs.splunk.com/Splexicon:Alias
“You can use field aliasing to normalize different field names to one name and simplify searching for those related fields.”

Field extractions created using ______ are re-usable in multiple searches.
Interactive field extractor (IFX)

SOURCE: http://docs.splunk.com/Documentation/Splunk/6.2.0/Knowledge/ExtractfieldsinteractivelywithIFX
“After you save this input, you can enter the Field Extractor and extract fields from the events associated with the vendors source type. “

This workflow action uses fields from the results in a secondary search.
GET

SOURCE: http://docs.splunk.com/Splexicon:Workflowaction
SOURCE: http://docs.splunk.com/Documentation/Splunk/6.2.0/Knowledge/CreateworkflowactionsinSplunkWeb#Set_up_a_GET_workflow_action
“allowing you to pass information to an external web resource, such as a search engine or IP lookup service”

The eventtype field can be added as a selected field. (True or False)
true
A macro ______ contain commands within its definition.
can

SOURCE: http://docs.splunk.com/Documentation/Splunk/6.2.0/Search/Usesearchmacros#Create_search_macros_in_Splunk_Web
“Your search macro can be any chunk of your search string or search command pipeline that you want to re-use as part of another search. “

5 Main components of Splunk ES
Index Data, Search & investigate, Add knowledge, Monitor & Alert, Report & Analyze.
What does index data do? (3)
1. Collects data
2. Label data with source type
3. Stored in the Splunk index
Three main roles in Splunk? (3)
Admin, Power, User
An admin does what?
Install apps, create knowledge objects for all users (what apps a user will see by default)
A power user does what?
Creates and shares knowledge objects for users of app, real-time searches
A Splunk user does what?
Only see own knowledge objects and those shared to them.
Apps in Splunk?
1. Pre-built dashboards, reports, alerts and workflows
2. In-depth data analysis for power users
3. Search & Reporting
What does the Search and Reporting app do in Splunk?
Creates knowledge objects, reports, and dashboards
The seven main components in Splunk searching and reporting?
1. Splunk bar
2. App bar
3. Search bar
4. Time range picker
5. How to search panel
6. What to search panel
7. Search History
What does the time range picker do?
Allows searching by preset times, relative times, real time (earliest, latest), or a date range; retrieves events over a specific time period.
Limiting search by ___________ is key to faster results and is a best practice
time
The time range picker is set to _________ by default.
All-time
Search jobs are available after ____ minutes by default.
10
________ commands create statistics and visualizations.
Transforming
________ tab is default tab for searches
Event
What are the three main search modes?
Fast, Verbose, and Smart
_______ mode: field discovery off for event searches; no event or field data for stats searches.
Fast
______ mode: all events and field data; Splunk switches to this mode after visualization.
Verbose
______ mode (default, based on search string data): field discovery ON for event searches; no event or field data for stats searches.
Smart
This search action button “Job V” does what?
Edit job settings, send job to background, inspect and delete job.
Saved searches are set to ______ by default.
private
Timestamp seen in events is based on ______ setting in user account profile
time zone
List the three booleans
AND OR NOT
________boolean is used if none is implied.
AND
Exact phrases use______
quotes
Use a _______ for searching a string with quotes in the string.
Backslash
Example: info="user \"chrisV4\" not in database"
Three default search fields automatically selected?
Source, Host, Sourcetype
_______ sidebar shows all field extracted at search time.
Fields
_______ fields appear in the event; by default host, sourcetype, source
Selected
_______ fields have values in at least 20% of the events
Interesting
Clicking on a field shows a list of _______, ________, and ________.
values, count, and percentage
These fields can launch a quick report by clicking on them (4)
top values, top values by time, rare values, events with this field
Use ______ to limit search to only one sourcetype
sourcetype=
Field names _____ case sensitive; values _______ case sensitive
are, are not
These field operators are used with numerical and string values (symbols)
= !=
These symbols are only used with numerical values?
> >= < <=
Using _____ and ____ (symbols) would return the same results.
NOT, !=
Use _______ to nest boolean searches
parentheses
______ is better than exclusion
inclusion
Use _____ for searches
time
When creating reports you can edit, clone, embed, and delete under the ______ tab
report
What are search commands used for?
Creating charts, computing statistics, and formatting
Top command returns top ____ results with a count and percentage
10
What are the three ways to create visualizations?
1. Select a field from the fields sidebar
2. Use the pivot interface
3. Use the Splunk search language commands in the search bar with statistics and visualization tabs
Save visual reports as _______ or _______
report or dashboard panel
Dashboards are searches gathered together and can use _______input or ________ visualization
form or custom
________ is an action that a saved search triggers based on the results of the search
Alert
________ designs reports in simple interface without having to craft a search string
Pivot
Default time for pivot is ______
all the time
Data model is framework and ______ is interface to the data
pivot
________ interface is the total amount of purchases, documentation actions, job actions, tools to filter/slice up data, and a side bar?
Pivot
_______ object is the main source of data
Root
_______ object acts like an AND boolean
Child
_________ pivot allows instant access to data without having a data model
Instant
Alerts combine a _______ search.
Saved
The alerts use a _______ search to check for events.
saved
Adjust the ______ type to configure how often the search runs
alert
Use ________ alert to check for events on a regular basis
Scheduled
_______ alert to monitor for events continuously
Real-time
A _______ action can notify you of a triggered alert and help you start responding to it
alert
Search terms include (6)
Keywords, booleans, phrases, fields, wildcards, and comparisons.
Comparison symbols
=, !=, <=, >, >=
______ is the most efficient filter
Time
Best practices to use while searching in Splunk (4)
1. Time is the most efficient filter
2. More you tell search the better your results
3. Inclusion is better than exclusion
4. Filter as early as possible
_____ are case insensitive.
(components of search language)
Search terms
______ tell Splunk what we want to do with results (ex. stats)
(components of search language)
Commands
______ how we want to deal with results (ex. list)
(components of search language)
Functions
______ variables to apply to function (ex. Product name)
(components of search language)
Arguments
_______ how we want results defined.
(components of search language)
Clauses
_____ is used to pass current results to the next component
Pipe
_________ command works from left to right
Search
Once an item is filtered _____ it is no longer available in the search string
Out
_____ command include or exclude fields from search results.
Fields
Exclude a field by using ______ symbol
minus (-)
Primary fields _______ and _______ will always be extracted, but can also be removed by using the minus symbol
_time & _raw
Field _____ happens after field ______, only affecting displayed results.
exclusion, extraction
________ command retains searched data in a tabulated format
table
In regards to a rename command, once a field is renamed the ______ name is not available to later search commands
original
This command removes events with duplicate values
Dedup
This command displays results in ascending or descending order.
Sort
This command combines fields from external sources with searched events, based on an event field
Lookup
This command produces statistics of a search result
Stats command
This command shows number of events matching search criteria
Stats count
This command gives the sum of a numerical value
Stats Sum command
This is a command that performs stats aggregation against time
Timechart command
___ splits data by an additional field
by
usenull=_____ will remove NULL values
f
Admin, Power, User
Out of the box there are 3 main roles
Click Data Summary in the Searching & Reporting app
How can you view all sourcetypes?
Host, Sources, and Sourcetypes on separate tabs
What is shown in the Data Summary?
The local timezone set in your profile.
What timezone is data displayed for, in searches?
insensitive
Search terms are case sensitive or insensitive?
AND, OR, NOT
What booleans are supported in Splunk search?
!=
Symbol for “does not equal”
Reverse chronological order (newest first)
In what chronological order are events displayed, after a search?
timestamp, host, source, sourcetype
Each event has these field value pairs.
s
Time range abbreviations for seconds
m
Time range abbreviations for minutes
h
Time range abbreviations for hours
d
Time range abbreviations for days
w
Time range abbreviations for weeks
mon
Time range abbreviations for months
y
Time range abbreviations for year
-5m@m
Current search time is 09:37:12. What is the time range equation to search back 5 minutes on the minute?
earliest and latest
eg: earliest=-h [email protected]
What are the commands for specifying a time range in a search string?
No, it only filters the results
Does narrowing the time range by dragging the selection bars across the timeline re-execute the search?
CSV, XML, JSON
What formats may search results be exported to?
Instead of returning all the results from a search, it returns a random sampling of events.
What does “event sampling” do?
Each event found in a search has a 1 in 100, or 1%, chance of being included in the sample result set.
What does an event sample of 1:100 indicate?
searchable key/value pairs from event data.
What is a Field?
Based on sourcetype and key/value pairs found in the data.
How does Splunk discover fields?
20% of events have these fields present in them.
What percentage of search results have the fields listed under “Interesting Fields”?
Fast, Smart, Verbose
What are the three search modes?
Smart
What is the default search mode?
Case sensitive
Field names are case sensitive or insensitive?
True
True/False: Splunk is subnet/CIDR aware for IP fields?
Returns everything except the events matching the NOT boolean
How does NOT affect search results?
One or more panels displaying data visually in a useful way.
What is a dashboard?
rename
What command changes the name of a field in search?
When including spaces or special characters
When should quotes be used around values in search?
fields
What command allows you to include/exclude fields in your search?
+ (include) occurs before field extraction and improves performance
- (exclude) occurs after field extraction, and gives no performance improvement
What is the difference between +/- with the fields command?
The limit option
e.g: | sort limit=20 -categoryID, product_name
How can you reduce the returned results with the sort command?
top
What command finds the most common values of a given field?
10
How many results are returned by the top command, by default?
count & percent
What two columns are automatically returned by the top command?
limit (limit=0 returns unlimited results)
What option changes the number of results returned by the top command?
rare
What command returns the least common field values?
stats
What command allows you to calculate statistics on data that matches your search criteria?
as
What option allows you to rename fields, within the stats command?
list
What stats command shows all field values for a given field?
values
What stats command shows all unique field values for a given field?
chart or timechart
To get multi-series tables you need to set up the underlying search with commands like…
line, area, column, bar, bubble, scatter, pie
What are the seven chart types?
tostring
What eval command allows you to format for currency?
transaction
What command allows you to create a single event from a group of events that share the same value in a given field?
1,000
Max events displayed by transaction command
case_sensitive_match
What is the transforms.conf flag to switch whether or not a lookup field value is case-sensitive or not?
Field Aliases
What is a way to normalize data over any default field?
Tags
What are nicknames that you create for related field/value pairs?
Settings > Tags > List by field value pair
Where can you view a list of all Tags?
Event Type
A method of categorizing events based on a search
Workflow Actions
What may be run from an event in your search results to interact with external resources or run another search?
GET
Workflow action to pass information to an external web resource.
POST
Workflow action to send field values to an external resource.
Search
Workflow action to use field values to perform a secondary search.
backticks
Macros must be surrounded with what character?
events, searches, transactions
What three datasets make up a Data Model?
Common Information Model (CIM)
What tool provides a methodology to normalize data?