Fundamentals 3

Question 1

What command enables you to calculate stats on data that matches your search criteria?

Answer 1

stats command

Question 2

What does the | fieldsummary command do?

Answer 2

Calculates summary stats for all/subset of fields and displays in table form:
| fieldsummary [maxvals=num] [field-list]
- maxval: max distinct vals to return for the values stat of each field
- field-list: fields to calc stats for

Question 3

What does the is_exact boolean indicate in the |fieldsummary results?

Answer 3

is_exact represents whether the distinct_count is exact

Question 4

What does the |appendpipe command do?

Answer 4

• Takes existing results and pushes them into sub pipeline

- Appends sub pipeline results as new lines to the outer search

Question 5

How do you name the appendpipe subtotals field after appending?

Answer 5

Use |eval column_name= “subtotals name”

Question 6

How do you create a grandtotal field when using the |appendpipe command?

Answer 6

Use another |appendpipe command to search for and total only the subtotals fields

Question 7

How do you use count and list functions to remove duplicates for info in tabular form?

Answer 7

• Use |stats count as normal
• Use |stats list(columnBfield), list(columnCfield) … by columnAfield
• Column A is no longer duplicated

Question 8

What does the |eventstats command do?

Answer 8

Generates summary stats of all existing fields in search results and saves as new fields
- Works on entire results

Question 9

What does |streamstats do

Answer 9

Generates stats on fields and compiles to previous data

• Works on entire results but calculates stats for each result row at the time command encounters it
• index order matters

Question 10

What are two arguments that can be used with |streamstats

Answer 10

• current= t or f :include or not include current event in summary calc
• window=# : calc over past # of events

Question 11

What does the |eval command do

Answer 11

Manipulate and calculate expression and creates a new field or overwrites existing one
|eval fieldname1=expression1, fieldname2=expression2

Question 12

What are the |eval command conversion functions

Answer 12

tostring
tonumber
printf

Question 13

What are the options for and syntax of the tostring function

Answer 13

tostring(field, “option”)

Options being: commas(also rounding to 2 decimals), duration(hh:mm:ss), hex

Question 14

What are the options for and syntax of the tonumber function

Answer 14

tonumber(numstr,base)

Where numstr can be a field name or a number and base is optional

Question 15

What are the options for and syntax of the printf function

Answer 15

printf(“format”,arguments)

Where format is conversion specifiers(%d,%f%s…) and arguments are optional

Question 16

What does the eval now() function return

Answer 16

Time a search was started

Question 17

What does the eval time() function return

Answer 17

Time event was processed by the eval command

Question 18

What does the eval strftime function do

Answer 18

Converts timestamp to string format using strftime(X,Y) to convert epoch time to a readable format. Where x is UNIX time in seconds to be converted to a string
EX: Y= “%B-%d-%Y” yields format example February-19-2018

Question 19

What does the eval strptime function do

Answer 19

Converts time in string format and parses it into a timestamp using strptime(x,y) where x is a time in string format and y is a timestamp format defined by variables

Question 20

What does the eval relative_time function return

Answer 20

Returns timestamp relative to a supplied time as if asking for data a day prior to a certain event

Question 21

What do the lower() and upper() functions of the eval command return

Answer 21

Conversion of string to lower or upper case

Question 22

What does the eval substr(X,Y,Z) command return

Answer 22

Returns substring of X, according to the starting index Y and the length of Z

Question 23

What does the eval replace(X,Y,Z) command do

Answer 23

Where X,Y,Z are all strings and Y is a regex, return a string where Z replaces each occurrence of Y in X
Note: eval commands do not alter the indexed data or write new data to index

Question 24

Do non-numeric values need to be in quotations when using the if() function?

Answer 24

yes

Question 25

What does the eval cidrmatch(X,Y) function return

Answer 25

Returns t/f based on whether provided IP address Y matches subnet specified in X

Question 26

What does the eval match(subject,regex) function return

Answer 26

Returns t/f depending on whether subject matches defined regex

Question 27

What does the eval coalesce(X1,X2…) function do

Answer 27

Retrieves the first value from the first field defined in the current event - used to normalize field names from results sets where two or more field names represent the same data field
Ex: combining fields with different names, but representing same data field, into one normalized field

Question 28

What does the eval isnull() function return

Answer 28

Returns t/f if field is null

Question 29

What does the eval typeof() function return

Answer 29

Returns a string that represents the data type of the argument (number, string, boolean etc)

Question 30

Are strings or numbers considered greater than when dealing with min() and max() functions?

Answer 30

Strings are greater

Question 31

What do the eval ceiling() and floor() functions return

Answer 31

Rounded up or down to the nearest whole integer

Question 32

What are the eval cryptographic functions used for?

Answer 32

Used to compute and return secure, encrypted hash values of a string: md5, sha1, sha256, sha512

Question 33

What does the | makeresults command return

Answer 33

By itself, generates one result with only _time field
Must be first command in search
Can be used with one or more eval commands

Question 34

What is the default case sensitivity for Lookups

Answer 34

Default is case insensitive but this can be changed in advanced options when creating a lookup

Question 35

What kind of lookup should be used for large tables or ones that are updated often?

Answer 35

KV(Key Value) Store

Question 36

Where do KV Stores and CSV files live?

Answer 36

KV Store collections are on the SH.

CSV files are replicated to indexer.

Question 37

Which type of lookup provides REST API access, multiuser access locking, and per-record insert and updates?

Answer 37

KV Store

Question 38

Why would you use a CSV lookup over KV store?

Answer 38

Small csv table performs well, need case insensitive lookups, or integrating with other apps

Question 39

Where is a KV Store collection defined?

Answer 39

Admin defines in configuration stanza in the collections.conf

Question 40

Can you add results to a KV Store collection from SPL

Answer 40

Yes, use the outputlookup command to write results from a search to the collection provided data is shared and field names do not have . or $

Question 41

What are scripted(external) lookups?

Answer 41

Lookup facilitated through use of a script used to populate events with field values from an external source

Question 42

What language must the scripted lookup be written in?

Answer 42

Python script or binary executable

Question 43

What are the arguments passed to the script when creating a new external lookup?

Answer 43

Arguments are the field headers from the input/output CSV files

Question 44

What are geospatial lookups used for?

Answer 44

To create chloropleth map visualizations by matching coordinates from events to geographic feature collections in a KMZ or KML file

Question 45

What command is used to access a geospatial lookup?

Answer 45

|geom featurecollectionname

Question 46

What does the DB Connect (DBX) app do?

Answer 46

Allows you to use lookups to reference fields in an external SQL db; import data, export machine data to external db, or use SQL to build dashboard mixing splunk and db data

Question 47

How are database lookups completed?

Answer 47

Through the DBX app via Data Lab and New lookup options

Question 48

What command is used to access DBX lookups?

Answer 48

|dbxlookup lookup=”lookup name”

Question 49

When using |dbxlookup do you need to reference input fields in your search?

Answer 49

Yes, to get results you must explicitly refer to input fields in search via |fields command or running search in Verbose mode

Question 50

Can alerts contain lookups?

Answer 50

Yes - run a search that contains a lookup command and save as alert

Question 51

How can alert results be output to a lookup?

Answer 51

‘Output results to lookup’ is one of the action options when creating an alert OR you can use: | outputlookup filename. OR tablename

Question 52

What do search metadata tokens provide?

Answer 52

Metadata about the alert and associated search:

$name$ $description$ $app$ $owner$ $trigger_date$ etc

Question 53

What do results tokens provide?

Answer 53

Field values from first row returned by the search associated with the alert - taking the form: $result.fieldname$

Question 54

What do server tokens provide?

Answer 54

Details about your splunk deployment:

$splunk.version$ $splunk.build$ etc

Question 55

What do job info tokens provide?

Answer 55

Data specific to a job search:

$job.eventSearch$ $job.messages$ $job.resultCount& etc

Question 56

What is a webhook alert action?

Answer 56

Action allows you to define custom callbacks on web resource via generation of JSON formatted info about alert and sending of HTTP POST request to specified URL

Question 57

What are ways of extracting fields?

Answer 57

Field Extractor using GUI (persistent and easy to use)
Manually coding a REGEX (precise and persistent)
Using erex SPL command (temporary and easy to use)
Using rex SPL command (temporary and precise)

Question 58

What is a regular expression (regex)?

Answer 58

Case sensitive sequence of characters, either regular with literal meaning or a metacharacter with special meaning, to define a pattern

Question 59

What regex type does splunk use?

Answer 59

Perl compatible

Question 60

What do \d \w \s match in regex

Answer 60

Any digit, word, or white space

Question 61

What to \D \W \S match in regex

Answer 61

Any NON digit word or whitespace

Question 62

What do ? * + match in regex

Answer 62

0 or 1 ; 0 or more ; 1 or more occurrences of the previous character

Question 63

What does . match in a regex

Answer 63

. is a wild card matching one character → so

.* would match anything

Question 64

How do you specify exactly n occurrences in regex

Answer 64

{n} after the character

Question 65

How do you turn a match into nongreedy matching as few characters as possible

Answer 65

Adding ? after the count

Question 66

How do perform a capture group in regex?

Answer 66

Parenthesis create a capture group which can be named using ? and references using $1, $2 …

Question 67

IF you want to group something, but not capture it, how do you write that in regex

Answer 67

(?:)

Question 68

How do you write an OR statement in regex

Answer 68

Pipe | character represents OR:

?: invalid|wrong

Question 69

What are the two search time extraction commands?

Answer 69

|erex just requires an example

|rex requires a regex

Question 70

What is the |erex syntax

Answer 70

|erex temp_fieldname examples=”ex1,ex2…”

Question 71

What is the |rex syntax

Answer 71

|rex field=fieldname “regex”
Where field is optional and used if you want to narrow down where the regex is going to search rather than all data with the default field of _raw

Question 72

How do you name a field while searching to match a regex with the |rex command?

Answer 72

( ? < field_name > regex )

Question 73

Which regex command should be used in saved reports?

Answer 73

|rex command

Question 74

What can be done to avoid backtracking and making multiple passes through the data when using regex

Answer 74

Limit use of quantifiers such as * and alternation constructs such as |

Question 75

What are regex best practices?

Answer 75

Avoid multiple .* matches; use + instead of *; use simple ungreedy expressions; use parentheses to multiple extractions

Question 76

What is self describing data?

Answer 76

Schema or structure is embedded in data and comprised of metadata (element names, data types…). Include JSON, XML and tabular files

Question 77

Can splunk automatically interpret self describing data?

Answer 77

Splunk recognized JSON so data will be accessible as fields. Additional steps are needed to interp XML

Question 78

If fields show up with a format of name{}.fieldname, what type of data has been ingested

Answer 78

JSON data

Question 79

What command interprets XML format to have access to data as splunk fields

Answer 79

spath command

Question 80

What is the syntax for the |spath command

Answer 80

|spath input=field_extract_from output=field_extract_to path=datapath_value_to_extract

Where all arguments are optional

Question 81

How is the |spath path argument defined?

Answer 81

Contains one or more location steps separated by periods and position of data in array is specified by digit in {}
Ex: entities.hashtags{3}.text

Question 82

Does numbering in path steps {} begin with 0 or 1

Answer 82

Begins with 0 for JSON and 1 for XML

Question 83

Can spath be used with |eval?

Answer 83

Yes, spath becomes the function spath(X,Y) where x is input and y is path

Question 84

How can you automatically extract data from XML at search time?

Answer 84

Set KV_MODE=XML in props.conf

Question 85

What does the |multikv command do?

Answer 85

Creates an event for each row of tabular data (headers at top row, values as the rest)

Question 86

When creating nested macros, the outer macro should be created before or after the inner

Answer 86

Create inner macro first

Question 87

What command allows you to check contents of search macros before executing?

Answer 87

Control/Command Shift E

Question 88

What are the three types of data summary creation methods

Answer 88

Report accel, summary indexing, data model accel

Question 89

What is the easiest and most efficient acceleration option and should be first choice?

Answer 89

Data Model Accel

Question 90

What is acceleration?

Answer 90

Using auto created accel summaries to improve search time completion

Question 91

What is report accelerations

Answer 91

Saving a qualifying report as accelerated then creates an acceleration summary that can be used to efficiently run future searches/reports on large volumes of data

Question 92

What search mode and user privileges are needed to accelerate a report?

Answer 92

Search in smart or fast mode with the scheduled_search privilege (power has by default)

Question 93

What happens to an acceleration summary if all reports that use it are deleted?

Answer 93

The summary is auto deleted

Question 94

What are the requirements for a report to accelerate?

Answer 94

Search must have a transforming command; commands before must be streaming, commands after non-streaming

Question 95

What is a streaming command?

Answer 95

Operate on each event as the event is returned by the search: eval, search, fields, rex, rename, replace etc

Question 96

What is a transforming command?

Answer 96

Commands massage raw data into a table transforming cell values for each event into numerical values: stats, chart, timechart, top, rare

Question 97

What is a non-streaming command?

Answer 97

Commands wait until all events are gathered from indexers before command gets executed: eval and rename become non streaming after a transforming command

Question 98

When do searches run faster without an acceleration summary?

Answer 98

<100K events in hot buckets or summary size projected to be too big

Question 99

What is the automatic backfill feature?

Answer 99

Report acceleration feature allowing automatic update/rebuild of summaries as needed during a data interruption

Question 100

When should you consider deleting an acceleration summary?

Answer 100

When the summarization load (effort to update summary) is high and the access count is low

Question 101

What is summary indexing?

Answer 101

An alternative to unqualified report acceleration where you schedule frequently running reports to extract only needed info into a summary index and run subsequent searches against that summary

Question 102

What type of transforming commands must be used in the report to create a summary index?

Answer 102

si commands: sichart, sitimechart, sistats, sitop, sirare

Question 103

Does a scheduled report automatically create a summary index?

Answer 103

No, you have to save a search as a scheduled report -> edit via edit summary indexing -> check enable summary indexing

Question 104

When do gaps occur in a summary index?

Answer 104

Populating reports run too long past next scheduled runtime
Forced real time scheduling
Splunk is down

Question 105

How do you backfill gaps in summary indexes?

Answer 105

Run the fill_summary_index.py script

Question 106

How do overlaps in summary indexes occur?

Answer 106

Setting report time range to be longer than frequency of report schedule

Question 107

What are data models?

Answer 107

Hierarchical structured datasets generating searches and driving pivots

Question 108

What does the |datamodel command do?

Answer 108

Returns description of all(or specified) data model and objects Ex: |datamodel [datamodel_name] [object_name] [search]
-Also used to search against data model

Question 109

Is |datamodel a generating command?

Answer 109

Yes, so it must be first command in pipe

Question 110

What is an acceleration summary built on the search head after user selects dataset and enters pivot editor?

Answer 110

Ad Hoc data model acceleration

Question 111

When are ad hoc acceleration summaries available to use?

Answer 111

Only while working in the pivot editor - not on reports or dashboards based on pivot

Question 112

What is a persistent data model acceleration?

Answer 112

Acceleration summary composed of multiple time-series index files optimized for speed to be used with pivot editor or tstats command

Question 113

Can ad hoc data model accelerations run for particular time ranges?

Answer 113

No they run over all time, only persistent acceleration can be scoped to time ranges

Question 114

What user privileges are needed to accelerate a data model?

Answer 114

Admin permissions or accelerate_datamodel privilege

Question 115

What type of events and datasets can be accelerated through Persistent acceleration?

Answer 115

Only root events can be accelerated - if multiple root events only the first is accelerated

Question 116

How often are the underlying data model acceleration tsidx files updated and removed?

Answer 116

Updated every 5 minutes and outdated items removed every 30min

Question 117

What does a tsidx file consist of?

Answer 117

A lexicon: alpha-numeric term list pointing to posting list

Posting list: array containing seek address, _time, etc mapping each term to events in the rawdata files containing term

Question 118

What files make up an index?

Answer 118

rawdata files and corresponding tsidx files

Question 119

How do you perform stats on indexed fields in the tsidx file?

Answer 119

By using the |tstats stat_function command

Question 120

Can you use |tstats with data models and summary indexes?

Answer 120

Yes use |tstats from datamodel = name OR summariesonly=t

Question 121

Does stats or tstats work best with massive amounts of data using indexed fields?

Answer 121

tstats

Question 122

How does tstats search an accelerated data model object?

Answer 122

Use FROM |datamodel to return model and its objects -> find field and its owner and use dot notation to input into | tstats sum(owner.field)