Advanced Searching and Reporting

Question 1

What kind of searches are prime candidates for optimization

Answer 1

Searched that run often or query broad amounts of data

Question 2

What is stored in a journal.gz file and a .tsidx file on the buckets within indexers?

Answer 2

Compressed raw event data is stored in journal

Reference to journals raw events is stored in .tsidx

Question 3

What are the components of the .tsidx file?

Answer 3

Lexicon with unique terms from event data
Posting list provides reference to values array Values Array is has posting value and a seek address as reference into the journal.gz

Question 4

What is a bloom filter?

Answer 4

A bit array associated with each bucket and search string used to predict if a lexicon term is likely to be found in the bucket

Question 5

Are false positives and negatives possible with a bloom filters?

Answer 5

False positive are possible,

False negatives are not possible

Question 6

What is the series of events for retrieving event data with a bloom filter?

Answer 6

1. Searchstring bloom filter created
2. Find buckets in index within timerange
3. Compare search bloom to bucket bloom
4. If a match, find search terms in .tsidx
5. Use .tsidx to get events from journal.gz
6. Do search time extractions for final filter

Question 7

What does the job inspector command.search.index inform you of?

Answer 7

The time to get location info in .tsidx

Question 8

What does the job inspector command.search.rawdata inform you of?

Answer 8

Time to extract event data from journal.gz

Question 9

What does the job inspector command.search.kv inform you of?

Answer 9

Time to perform search time field extractions

Question 10

What do you use to calculate performance with the job inspector?

Answer 10

scanCount/time to get events per second including the time to read all events from disk

Question 11

In a distributed environment will the search execute faster if commands are on the SH or the indexer?

Answer 11

Execute faster on the indexer

Question 12

Where are transforming commands executed?

Answer 12

Operate on the entire results set on the Search head

Question 13

Does order of events matter when running a transforming command?

Answer 13

no

Question 14

What are the two types of streaming command?

Answer 14

Distributable - could be run on indexer

centralized - always run on search head

Question 15

Is the event order important for streaming commands?

Answer 15

Distributable - No

Centralized - Yes

Question 16

When is a distributable command run on the search head vs the indexer?

Answer 16

Search head if any preceding commands are executed on search head
Indexer if all preceding commands execute on indexer

Question 17

Do streaming commands need the entire event result set prior to executing?

Answer 17

Distributable - no

Centralized - yes

Question 18

Do streaming commands operate on the entire results set of event data?

Answer 18

No they operate on each event returned by a search

Question 19

How does having more disk reads affect search execution?

Answer 19

More disk reads leads to longer search execution time

Question 20

How does splunk decide which events to read after determining which buckets match bloom filters?

Answer 20

Tokens (or terms) from search string are compared to tokens in events and match results in event being read from disk

Question 21

How are event tokens derived?

Answer 21

Derived by breaking up searches and event data using segmenters

Question 22

What are segmenters?

Answer 22

Major or minor breakers that separate searches and events into smaller pieces

Question 23

What are major breakers?

Answer 23

Character set used to divide words, phrases, terms into large tokens: space, newline, carriage return, tab, [] () {} ! ? ; , ‘ “ &

Question 24

What are minor breakers?

Answer 24

Used to divide large tokens into smaller tokens: / : = @ . - $ # % \ \ _

Question 25

Where are tokens created from event data stored?

Answer 25

.tsidx files

Question 26

Where can you see how the base search was tokenized?

Answer 26

Use the job inspector and look for the token after ‘base lispy’

Question 27

In prefix notation where does the operator appear?

Answer 27

Before the operands. Ex with search index=web 21.12: lispy: [ AND 12 21 index::web]

Question 28

What is a directive?

Answer 28

An instruction for how part of a search should be processed

Question 29

What does the case sensitive ‘TERM’ directive do?

Answer 29

Forces Splunk to only look for a complete value by searching only based on major breakers and skip minor breakers - term must be bound by major breakers

Question 30

Can key value pairs be passed into the TERM() directive?

Answer 30

Yes because key=value only has a minor breaker in it

Question 31

Does negation in a search yield negation in a lispy?

Answer 31

Works for negating single terms but not for terms that include minor breakers UNLESS you use TERM()
Ex that will work: NOT TERM(example.1)
Ex does not work: NOT example.1

Question 32

Do wildcards in a search work in a lispy?

Answer 32

Only when they are at the middle or end of a string and have no major or minor breakers

Question 33

How do index time fields appear in lispy?

Answer 33

Appear as field::value instead of field=value like they do in a search

Question 34

As more fields are extracted at index time what happens to the size of .tsidx files and resource usage at indexer?

Answer 34

Both are increased

Question 35

What type of data can have indexed field extraction to a specific source type>?

Answer 35

Sourcetypes with certain types of structured data (JSON, CSV, W3C)

Question 36

Do comparisons against fields extracted at search time result in filtering events returned from the disk?

Answer 36

No, all events from a sourcetype will still be read from the disk (except for an equals operator).

Question 37

What would the lispy be for a search: index=web sourcetype=a_c status>400

Answer 37

Lispy: [ AND index::web sourcetype::a_c ]

Comparisons are not included when filtering what is read from disk

Question 38

Does the TERM() directive work with aliases?

Answer 38

No

Question 39

When are lookups completed while using a lispy?

Answer 39

In the search itself, lookup can be done before the lispy is created.
Lookups done for transformations or other pipe commands can be done post lispy

Question 40

What does a subsearch do?

Answer 40

Takes the results from an inner search and using boolean AND, combines the results with the outer search - an OR boolean is inserted between each inner search result

Question 41

What command do subsearches typically begin with?

Answer 41

[ search search_criteria… ]

Question 42

Is an inner search or outer search completed first?

Answer 42

Inner subsearch completed first

Question 43

How do you send only specific fields of a subsearch to the outer search?

Answer 43

Using fields or results command

Question 44

What is returned by default when using the results command in a subsearch?

Answer 44

First value of each specified field is returned with the field name and the field value

Question 45

How do you adjust the defaults for the |return command in a subsearch?

Answer 45

Specify a number with ‘count’ and omit a field name with $before field name:
|return 5 $ip_address => returns first 5 values of ip_address

Question 46

Can you return subsearch results as an alias?

Answer 46

Yes, use |return alias_name=field

Question 47

What is the time and event count limit on a subsearch?

Answer 47

60 seconds and 10,000 events

Question 48

Over what time range will a subsearch execute if the root search is run in real-time?

Answer 48

Run over all time by default unless setting earliest and latest restriction in subsearch

Question 49

Should you use stats and/or eval over using subsearch?

Answer 49

Yes, whenever possible especially if searches are executed often

Question 50

What does the append command do?

Answer 50

Using only historical data, appends results of subsearch to the current results

Question 51

Does the |append command overlay primary and subsearch results?

Answer 51

No, they will appear one after another in a graph (when used with both stats and timechart as main search)

Question 52

How do you get appended results to overlay primary search results?

Answer 52

Use | stats first(*) as *

Or | timechart first(*) as *

Question 53

What command will overlay search and subsearch results in one step?

Answer 53

|appendcols

Question 54

When should you take caution using the appendcols command?

Answer 54

When used with stats because if there is a null value in the data, the empty values get pushed up and values may not be aligned to fields appropriately

Question 55

For larger amounts of data, should you use append and appendcols?

Answer 55

No, they should be avoided as more efficient searches should be used

Question 56

If a search can be done with stats or join/union which is usually more efficient?

Answer 56

stats command is usually more efficient

Question 57

What does the join command do?

Answer 57

Combines results from two searches with a default of inner join - results only include events from first search that match the second search

Question 58

What does the left, or outer join argument of the join command define?

Answer 58

Includes results from only the first search and those events matching in the second search

Question 59

How do you define which fields to use for the join command?

Answer 59

Define after the |join command:

| join fields_to_use

Question 60

What search combines two or more result sets into a single search?

Answer 60

union

Question 61

What can be used to specify a result search when using the union command?

Answer 61

Use a regular search, subsearch or a data model(defined with datamodel command)

Question 62

Does the union command execute on the search head or indexer?

Answer 62

As a distributable streaming command it executes in parallel on indexers if all searches are distributable otherwise on search head

Question 63

What is the union syntax?

Answer 63

union datamodel:name1.dataset datamodel:name2.dataset …
Search1 |union [search2]
Search1 |union datamodel:search2 …

Question 64

What command puts numerical values into discrete sets?

Answer 64

| where binoptions is optional

bin binoptions field

Question 65

How are bin sizes set?

Answer 65

Through the span=size option

| bin fieldname span=size

Question 66

What happens if span created more buckets than the max specified by bins?

Answer 66

bins is ignored

Question 67

What command reformats chartable, tabular output as a stats-like output?

Answer 67

| xfield:x-axis yfield:data labels datafield:fields with the charted data

untable xfield yfield datafield

Question 68

What command reformats stats-like output as chartable, tabular output?

Answer 68

xyseries xfield yfield datafield

Question 69

What does the forearch command do?

Answer 69

foreach replaces the <> token with field names that match: |foreach www* [eval <> = round(<>/2)]

Question 70

What are multivalue eval functions used for?

Answer 70

Used to analyze and format multivalue data

Question 71

What command do you use to convert a single value into a multivalue field /

Answer 71

|makemv command

Question 72

What do JSON array contents become when auto extracted by Splunk?

Answer 72

Contents become multivalue fields

Question 73

In JSON data, what to the {} and [] indicate?

Answer 73

{} is an object, a grouping of field value pairs

[] is an array of objects

Question 74

How are fields nested within a JSON event represented when extracted into Splunk?

Answer 74

Event_name{}.field1

Event_name{}.field2 …

Question 75

Which commands can you use with multivalue functions?

Answer 75

eval where and fieldformat commands

Question 76

What does the mvsort() function do?

Answer 76

Intakes a multivalue field and returns the values sorted lexicographically

Question 77

How are numbers sorted in lexicographical order?

Answer 77

Numbers are sorted before letters and are sorted based on the first digit not the number as a whole: 100 200 70 9 is in order

Question 78

Are uppercase or lowercase letters first in lexicographical order?

Answer 78

Uppercase is first

Question 79

Can functions and commands process fields that contain a {}

Answer 79

No, so mv fields extracted from JSON will have to be renamed

Question 80

What does the mvfilter function do?

Answer 80

Filters(refines) one mvfield based on a boolean expression

Question 81

How do you remove null values returned from mvfilter function?

Answer 81

Use mvfilter(isnotnull(x))

Question 82

What function concatenates individual values from a mvfield and uses a delimiter as a separator?

Answer 82

mvjoin(fieldname, “delimiter”)

Question 83

What function takes 2 mvfields and concatenates the first values of each, the second values of each etc. with a delimiter to separate?

Answer 83

mvzip(mvfield1,mvfield2,”delimiter”)

Question 84

What does the mvcount function do?

Answer 84

Returns count of values in the specified mvfield returning null if no field values or field does not exist: mvcount(fieldname)

Question 85

What does the split function do?

Answer 85

Takes a single value field and a delimiter to split by and creates a new mvfield: split(fieldname, “delim”)

Question 86

What does the mvindex function do?

Answer 86

Take an mvfield and an integer to return a value at the specified integer index in the mv array - indexing starts at 0 NOT 1 : mvindex(fieldname, indexnum)

Question 87

What command converts an existing single value field to a mvfield based on delimiter or regex(referred to as a tokenizer)

Answer 87

makemv (delim=string | tokenizer=regex) fieldname

Question 88

What does the mvexpand command do?

Answer 88

Takes mvfield and creates separate event for each value in the mvfield:
|mvexpand fieldname

Question 89

Does mvexpand command create new events on disk/in index?

Answer 89

No, only created in memory for purposes of search at hand

Question 90

What is referred to as any group of conceptually related events?

Answer 90

A transaction via the | transaction command

Question 91

What does the |transaction command enable?

Answer 91

Enables you to specify criteria used to determine how to group events via ranges of time, # of events, text contained in events

Question 92

Is stats or transaction faster ?

Answer 92

Stats, as transaction is resource intensive and should be used only when stats is insufficient

Question 93

In what order do events need to be ingested for transactions to work?

Answer 93

Reverse chronological order

Question 94

In order to use |transaction, how do you correct events that are not coming in reverse cron order?

Answer 94

Use | sort -_time

Use right before |transaction

Question 95

How do you find events that occur before or after a specific event?

Answer 95

Use |transaction fieldname (endswith=() | startswith=() )

Question 96

What function is used to normalize field names by taking a number of arguments and returning first one that is not null and storing it as new field?

Answer 96

coalesce(field1,field2,…)

Question 97

What does the keepevicted=1 argument used for when dealing with transactions?

Answer 97

It is a setting used to retain any transactions where one or both of beginning/ending criteria are not satisfied (transaction did not complete successfully)

Question 98

What field is used to determine if a transaction is complete or incomplete?

Answer 98

closed_txn = 1 if transaction is a success or closed_txn = 0 if transaction is not a success

Question 99

What has to be met for a transaction to be closed?

Answer 99

One or more of these criteria are met: maxevents, maxpause, maxspan, startswith, endswith

Question 100

Where does |transaction execute?

Answer 100

Executes on the SH as it is a centralized streaming command

Question 101

Does |transaction require access to all the _raw data?

Answer 101

Yes, because search is forced to send all _raw data back from indexers to search head as transactions require all event data

Question 102

Can the timepicker be overridden during a search?

Answer 102

Yes through the earliest= & latest= time modifiers

Question 103

When snapping to a time, does the time round up or down?

Answer 103

Always rounds down (backward to a previous time)

Question 104

How do you define a search for the past 24 hours using earliest and latest modifiers?

Answer 104

Mainsearch earliest=-24h@h latest=@h

Question 105

What are default time fields?

Answer 105

date_* fields (time/date) stamps taken directly from raw events providing extra info for searching but these are not representative of time zone conversions or time value changes

Question 106

How would you exclude events from the current day?

Answer 106

latest=@d

Question 107

How would you include data beginning at the start of the day, 2 days ago?

Answer 107

earliest=-2d@d

Question 108

What does date_hour.=2 AND date_hour<5 represent?

Answer 108

Find events between 2am and 5am

Question 109

What function can be used to create a new field with adjusted time zones?

Answer 109

|eval new_time_field =strftime(_time, “%H”)

will get the hour from the event and convert the hour to you local time based on time zone setting