Module 1: Beyond Search Fundamentals Flashcards

1
Q

What is this an example of?

Search for a single word (e.g., error) or group of words (e.g., error password)

A

This is an example of Keywords

Page 14 Mod 1

2
Q

NOT, OR, AND are what in the Splunk language?

A

Booleans

Page 14 Mod 1

3
Q

Must NOT, OR, AND booleans be uppercase?

A

Yes, these Booleans are always uppercase

Page 14 Mod 1

4
Q

Are phrases like “web error” different from “web AND error”?

A

Yes, these examples are different

OR is implied not AND

Page 14 Mod 1

5
Q

What are the rules for using Wildcards in Splunk’s search language?

A

Starting searches with a wildcard and adding Wildcards in the middle of the search string are inefficient ways to use Wildcards

Trailing wildcards are a best practice

Page 14 Mod 1

6
Q

What are the comparisons used in Splunk’s search language?

A

=, !=, ,>=
=, != are used in alphanumeric searches

Page 14 Mod 1

7
Q

This command returns a table containing only the specified fields in the result set.

A

table command

Page 15 Mod 1

8
Q

This command renames a field in results.

A

rename command

Page 15 Mod 1

9
Q

This command includes or excludes specified fields.

A

fields command

Page 15 Mod 1

10
Q

This command removes duplicates from results.

A

dedup command

Page 15 Mod 1

11
Q

This command sorts results by a specified field.

A

sort command

Page 15 Mod 1

12
Q

This command adds field values from an external source (e.g., CSV files).

A

lookup command

Page 15 Mod 1

13
Q

What are some of the key/values that are case sensitive in Splunk?

A
Boolean operators (uppercase)
Field names
Field values from lookup (default, but configurable)
Regular expressions
eval and where commands
Tags

Page 16 Mod 1

14
Q

What are some of the key/values that are case insensitive in Splunk?

A
Command names
Command clauses
Search terms
Statistical functions
Field values

Page 17 Mod 1

15
Q

As events come in, where does Splunk place them?

A

Into an index’s hot bucket (only writable bucket)

Page 18 Mod 1

16
Q

What is the transition that takes place as the buckets age in Splunk?

A

They roll from hot to warm to cold

Page 18 Mod 1

17
Q

What does each bucket have?

A

Its own raw data, metadata, and index files

Page 18 Mod 1

18
Q

What does the metadata keep track of?

A

Source, sourcetype, and host

Page 18 Mod 1

19
Q

When you search, Splunk uses what to choose which buckets to search?

A

Time Range

Page 19 Mod 1

20
Q

Splunk uses the bucket indexes to find what?

A

Qualifying events

Page 19 Mod 1

21
Q

After time, what are the most powerful keywords?

A

Host, source, and sourcetype

Page 20 Mod 1

22
Q

What makes searches more efficient?

A

Including as many search terms as possible

Page 20 Mod 1

23
Q

What are some of the things a transforming command can do in Splunk?

A
  • Massage raw data into a data table
  • ‘Transforms’ specified cell values for each event into numerical values that you can use for statistical purposes
  • Is required to ‘transform’ search results into visualizations

Commands include:

  • top
  • rare
  • chart
  • timechart
  • stats
  • geostats

Page 23 Mod 1

24
Q

What are the transforming commands in Splunk?

A
  • top
  • rare
  • stats
  • chart
  • timechart
  • geostats

Page 23 Mod 1

25
Q

What do non-transforming searches return when using Fast Mode?

A
  • Events (the fields sidebar displays only those fields required for the search)
  • Patterns
  • No statistics or visualizations

Page 24 Mod 1

26
Q

What does Fast Mode focus on?

A

Emphasizes performance, returning only essential and required data

Page 24 Mod 1

27
Q

What kind of search results do you get when using transforming searches in Fast Mode?

A
  • Statistics and visualizations
  • No Events
  • No Patterns

Page 25 Mod 1

28
Q

What is the default search mode in Splunk?

A

Smart Mode

Page 26 Mod 1

29
Q

When searching in Smart Mode, what kind of search results do you get with non-transforming searches?

A
  • Events (the fields sidebar displays all fields)
  • Patterns
  • No statistics or visualizations

Page 26 Mod 1

30
Q

Which search mode gives you the best results for your search?

A

Smart Mode

Page 26 Mod 1

31
Q

How does Verbose Mode function?

A

Emphasizes completeness by returning all possible field and event data

Page 27 Mod 1

32
Q

For transforming searches, what kind of results do you get using Smart Mode?

A
  • Statistics or visualizations
  • No Events
  • No Patterns

Page 26 Mod 1

33
Q

For non-transforming searches, what results do you get using Verbose Mode?

A
  • Events (the fields sidebar displays all fields)
  • Patterns
  • No statistics or visualizations

Page 27 Mod 1

34
Q

Using transforming searches, what results do you get with Verbose Mode?

A
  • Events
  • Patterns
  • Statistics or visualizations

Page 27 Mod 1

35
Q

The Search Job Inspector allows you to examine what in Splunk?

A
  • Overall stats of the search (e.g., records processed and returned, processing time)
  • How the search was processed
  • Where Splunk spent its time

Page 29 Mod 1

36
Q

What is the Search Job Inspector used for?

A

Used to troubleshoot a search's performance and understand the impact of knowledge objects on processing (e.g., event types, tags, lookups)

Page 29 Mod 1

37
Q

Can any search job be inspected?

A

Only those that have not expired

Page 29 Mod 1

38
Q

The Search Job Inspector has how many components, and what are they?

A

It has 3 components:

  • Header
  • Execution costs
  • Search job properties

Page 30 Mod 1

39
Q

The top of the Search Job Inspector provides what kind of info?

A

Basic info along with time to run and number of events scanned.

Page 31 Mod 1

40
Q

What does Execution Costs provide?

A

Details on the cost to retrieve results, such as:

  • command.search.index
  • command.search.filter
  • command.search.rawdata

Page 32 Mod 1

41
Q

Time to search the index for the location to read in rawdata files

A

command.search.index

Page 32 Mod 1

42
Q

Time to filter out events that do not match

A

command.search.filter

Page 32 Mod 1

43
Q

Time to read events from the rawdata files

A

command.search.rawdata

Page 32 Mod 1

44
Q

The only efficient place for a wildcard?

A

Trailing (term*) - at the end of a string

Page 21 Mod 1

45
Q

When are wildcards tested?

A

After all other terms

Page 21 Mod 1

46
Q

Splunk only searches for whole words, but ____ are allowed

A

wildcards

Page 21 Mod 1

47
Q

Which is better, inclusion or exclusion?

A

Inclusion - searching for "access denied" is faster than NOT "access granted"

Page 22 Mod 1

48
Q

When should you use filters, if you need to?

A

As early in the search as possible

Page 22 Mod 1

49
Q

Performance over completeness

A

Fast Mode

Page 22 Mod 1

50
Q

Default mode

A

Smart Mode

Page 22 Mod 1

51
Q

Completeness over performance

A

Verbose Mode

Page 22 Mod 1