Module 1: Beyond Search Fundamentals

Question 1

What is this an example of?

Search for a single word (e.g., error) or group of words (e.g., error password)

Answer 1

This is an example of Keywords

Page 14 Mod 1

Question 2

NOT, OR, AND are what in the Splunk language?

Answer 2

Booleans

Page 14 Mod1

Question 3

Must NOT, OR, AND booleans be uppercase?

Answer 3

Yes, these Booleans are always uppercase

Page 14 Mod 1

Question 4

Are phrases like “web error” different from “web AND error”?

Answer 4

Yes, these examples are different

OR is implied not AND

Page 14 Mod 1

Question 5

What are the rules for using Wildcards in Splunk’s search language?

Answer 5

Starting searches with a wildcard and adding Wildcards in the middle of the search string are inefficient ways to use Wildcards

Tailing wildcards are a best practice

Page 14 Mod 1

Question 6

What are the comparisons used in Splunk’s search language?

Answer 6

=, !=, ,>=
=, != are used in alphanumeric searches

Page 14 Mod 1

Question 7

This command returns a table containing only specified fields in result set.

Answer 7

table command

Page 15 Mod 1

Question 8

This command renames a field in results.

Answer 8

rename command

Page 15 Mod 1

Question 9

This command includes or excludes specified fields.

Answer 9

fields command

Page 15 Mod 1

Question 10

This command removes duplicates from results

Answer 10

dedup command

Page 15 Mod 1

Question 11

This command sorts results by specified field.

Answer 11

sort command

Page 15 Mod 1

Question 12

This command adds field values from an external source (e.g., csv files)

Answer 12

lookup command

Page 15 Mod 1

Question 13

What are some of the key/values that are case sensitive in Splunk?

Answer 13

Boolean operators (uppercase)
Field names
Field values from lookup (default, but configurable)
Regular expressions
eval and where commands
Tags

Page 16 Mod 1

Question 14

What are some of the key/values that are case insensitive in Splunk?

Answer 14

Command names
Command clauses
Search terms
Statistical functions
Field values

Page 17 Mod 1

Question 15

As events come in, where does Splunk place them?

Answer 15

Into an index’s hot bucket (only writable bucket)

Page 18 Mod 1

Question 16

What is the transition that takes place as the buckets age in Splunk?

Answer 16

They roll from hot to warm to cold

Page 18 Mod 1

Question 17

What does each bucket have?

Answer 17

Its own raw data, metadata, and index files

Page 18 Mod 1

Question 18

What does the metadata keep track of?

Answer 18

Source, sourcetype and host

Page 18 Mod 1

Question 19

When you search, Splunk uses what to choose which buckets to search?

Answer 19

Time Range

Page 19 Mod 1

Question 20

Splunk uses the bucket indexes to find what?

Answer 20

Qualifying events

Page 19 Mod 1

Question 21

After time what are the most powerful keywords?

Answer 21

Host, source, and sourcetype

Page 20 Mod 1

Question 22

What makes searches more efficient?

Answer 22

Including as many search terms as possible

Page 20 Mod 1

Question 23

What are some of the things a transforming command can do in Splunk?

Answer 23

• Massage raw data into a data table
• ‘Transforms’ specified cell values for each event into numerical values that you can use for statistical purposes
• Is required to ‘transform’ search results into visualizations

Commands Include

• top
• rare
• chart
• timechart
• stats
• geostats

Page 23 Mod 1

Question 24

What are the transforming commands in Splunk?

Answer 24

• top
• rare
• stats
• chart
• timechart
• geostats

Page 23 Mod 1

Question 25

What do non-transforming searches return using the Fast Mode?

Answer 25

Events - fields sidebar displays only those fields required for the search

• Patterns
• No statistics or visualizations

Page 24 Mod 1

Question 26

What does Fast Mode focus on?

Answer 26

Emphasizes performance, returning only essential and required data

Page 24 Mod 1

Question 27

What kind of search results do you get when using transforming searches in Fast Mode?

Answer 27

• Statistics and visualizations
• no Events
• no Patterns

Page 25 Mod 1

Question 28

What is the default search mode in Splunk?

Answer 28

Smart Mode

Page 26 Mod 1

Question 29

When searching in Smart Mode what kind of search results do you get with non-transforming searches?

Answer 29

Events - fields sidebar displays all fields

• Patterns
• no Statistics or visualizations

Page 26 Mod 1

Question 30

Which search mode gives you the best results for your search?

Answer 30

Smart Mode

Page 26 Mod 1

Question 31

How does Verbose Mode function?

Answer 31

Emphasized completeness by returning all possible field and event data

Page 27 Mod 1

Question 32

For transforming searches, what kind of results do you get using Smart Mode?

Answer 32

Statistics or visualizations

• no Events
• no Patterns

Page 26 Mod 1

Question 33

For non-transforming searches, what results do you get using Verbose Mode?

Answer 33

Event - fields sidebar displays all fields
Patterns
- no Statistics or visualizations

Page 27 Mod 1

Question 34

Using transforming searches, what results do you get with Verbose Mode?

Answer 34

Events
Patterns
Statistics or visualizations

Page 27 Mod 1

Question 35

Search Job Inspector allows you to examine what Splunk?

Answer 35

• Overall stats of search (e.g., records processed and returned, processing time)
• How the search was processed
• Where Splunk spent its time

Page 29 Mod 1

Question 36

What is the Search Job Inspector used for?

Answer 36

Used to troubleshoot search’s performance and understand the impact of knowledge objects on processing (e.g., event types, tags, lookups)

Page 29 Mod 1

Question 37

Can any search job be inspected?

Answer 37

Only those that are not expired

Page 29 Mod 1

Question 38

The search job inspector has how many components and what are they?

Answer 38

It has 3 components and they are:
Header
Execution costs
Search job properties

Page 30 Mod 1

Question 39

Top of search job inspector provides what kind of info?

Answer 39

Basic info along with time to run and number of events scanned.

Page 31 Mod 1

Question 40

What does Execution Costs provide?

Answer 40

Details on cost to retrieve results, such as:

• command.search.index
• command.search.filter
• command.search.rawdata

Page 32 Mod 1

Question 41

Time to search the index for the location to read in rawdata files

Answer 41

command.search.index

Page 32 Mod 1

Question 42

Time to filter out events that do not match

Answer 42

command.search.filter

Page 32 Mod 1

Question 43

Time to read events from the rawdata files

Answer 43

command.search.rawdata

Page 32 Mod 1

Question 44

The only efficient place for a wildcard?

Answer 44

tailing* - at the end of a string

Page 21 Mod 1

Question 45

When are wildcards tested?

Answer 45

After all other terms

Page 21 Mod 1

Question 46

Splunk only searches for whole words but ____ is allowed

Answer 46

wildcards

Page 21 Mod 1

Question 47

Which is better inclusion or exclusion?

Answer 47

Inclusion

-Searching for “access denied” is faster than NOT “access granted”

Page 22 Mod 1

Question 48

When should you use filters if you need to?

Answer 48

As early in the search as possible

Page 22 Mod 1

Question 49

Performance over completeness

Answer 49

Fast mode

Page 22 Mod 1

Question 50

Default mode

Answer 50

Smart mode

Page 22 Mod 1

Question 51

Completeness over performance

Answer 51

Verbose mode

Page 22 Mod 1