Module 3 Flashcards
(16 cards)
When no index is specified in a search, which index is searched?
The default index(es) assigned to the user's role (main, unless an admin changed it). This is not every index the user is allowed to search; other indexes must be named explicitly with index=<name>.
Keyword vs Phrase
Keyword: a single term with no quotes, e.g. invalid, user, ubuntu. Each term is matched on its own, and adjacent terms are implicitly ANDed.
Phrase: terms inside double quotes, e.g. "Failed password". Matches only events containing that exact phrase.
Search terms are case-insensitive (Failed and failed match the same events).
Wildcards (*)
Use a trailing wildcard to match variants of a term, e.g. pass* (password, passwd, passed) or fail* (failed, failure, fails).
Don't do:
*fail (a leading wildcard cannot use the index, so Splunk must scan every event)
A * in the middle of a word or URL, e.g. http*buttercupgames.com, which can return inconsistent results
Boolean
AND, OR, NOT (must be uppercase; AND is implied between adjacent terms)
Evaluated in the order NOT, then OR, then AND; use parentheses to control grouping, e.g. failed NOT (root OR admin)
Search Assistant
Helps with writing searches by suggesting matching terms and commands to complete what you have typed so far
Search Assistant Modes
Compact (default)
Full (shows more information, including how many times each term appears in the data)
None (disabled)
Drilldowns (click a field value in an event)
Add to search
Exclude from search
New search
Events viewer options
Raw
List (Default)
Table
Time modifiers
earliest=
latest=
Both can be typed into the search bar or entered in the time range picker under the Advanced section
Relative time example: earliest=-24h latest=now
Absolute time example: earliest=09/03/2023:00:00:00 latest=09/04/2023:00:00:00 (format MM/DD/YYYY:HH:MM:SS)
Time range abbreviations
Use @ to "snap" the time to a unit. Snapping always rounds down to the start of the unit; the offset is applied first, then the snap.
s = seconds
m = minutes
h = hours
d = days
w = weeks
mon = months
y = years
Ex: if the current time is 10:42:07, -4h@h = 06:00:00 (10:42:07 minus 4h is 06:42:07, snapped down to the hour)
Ex: if the current time is 15:38:12, -30m@h = 15:00:00 (15:08:12 snapped down to the hour)
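Worked example, added to these notes (not part of the flashcards and not Splunk's own code): a small Python model of how relative time modifiers resolve, offset first, then snap down with @, so the two examples above can be checked. It also covers cases the card does not show (month arithmetic with day clamping, @w snapping back to Sunday, the snap-then-offset form @d-2h) and formats results in the absolute earliest=/latest= syntax. Function names such as resolve() and time_window(), and the sample clock times, are this example's own assumptions.

```python
# Added example, not from the original flashcards or from Splunk: a model of
# Splunk-style relative time modifiers (offset, then @ snap, then optional
# second offset). Function names and sample times are this example's own.
import calendar
import re
from datetime import datetime, timedelta

# Accepted unit spellings, normalised to the flashcard abbreviations.
_UNITS = {"s": "s", "sec": "s", "secs": "s", "second": "s", "seconds": "s",
          "m": "m", "min": "m", "mins": "m", "minute": "m", "minutes": "m",
          "h": "h", "hr": "h", "hrs": "h", "hour": "h", "hours": "h",
          "d": "d", "day": "d", "days": "d",
          "w": "w", "week": "w", "weeks": "w",
          "mon": "mon", "month": "mon", "months": "mon",
          "y": "y", "yr": "y", "year": "y", "years": "y"}
_DELTA_KW = {"s": "seconds", "m": "minutes", "h": "hours", "d": "days", "w": "weeks"}

# [+-]N<unit>, then optional @<unit>, then optional second offset (e.g. @d-2h)
_MOD_RE = re.compile(r"^(?:([+-]\d+)([a-z]+))?(?:@([a-z]+))?(?:([+-]\d+)([a-z]+))?$")


def _unit(name):
    try:
        return _UNITS[name]
    except KeyError:
        raise ValueError(f"unknown time unit: {name!r}") from None


def _shift(t, n, unit):
    """Move t by n units. Months/years move the calendar fields and clamp the day."""
    if unit in _DELTA_KW:
        return t + timedelta(**{_DELTA_KW[unit]: n})
    months = n if unit == "mon" else 12 * n
    year, month0 = divmod(t.year * 12 + (t.month - 1) + months, 12)
    day = min(t.day, calendar.monthrange(year, month0 + 1)[1])
    return t.replace(year=year, month=month0 + 1, day=day)


def _snap(t, unit):
    """Snap t DOWN to the start of the unit (snapping never rounds up)."""
    day_start = t.replace(hour=0, minute=0, second=0, microsecond=0)
    if unit == "s":
        return t.replace(microsecond=0)
    if unit == "m":
        return t.replace(second=0, microsecond=0)
    if unit == "h":
        return t.replace(minute=0, second=0, microsecond=0)
    if unit == "d":
        return day_start
    if unit == "w":
        # Splunk's @w (same as @w0) snaps back to the most recent Sunday
        return day_start - timedelta(days=(t.weekday() + 1) % 7)
    if unit == "mon":
        return day_start.replace(day=1)
    return day_start.replace(month=1, day=1)  # "y"


def resolve(modifier, now):
    """Resolve a modifier ('-4h@h', '@d-2h', '-24h', 'now') against the datetime
    `now`: offset first, then snap, then any second offset after the snap."""
    if modifier == "now":
        return now
    m = _MOD_RE.match(modifier)
    if not m or not any(m.groups()):
        raise ValueError(f"unsupported time modifier: {modifier!r}")
    n1, u1, snap, n2, u2 = m.groups()
    t = now
    if n1:
        t = _shift(t, int(n1), _unit(u1))
    if snap:
        t = _snap(t, _unit(snap))
    if n2:
        t = _shift(t, int(n2), _unit(u2))
    return t


def to_absolute(t):
    """Format as the absolute earliest=/latest= syntax, MM/DD/YYYY:HH:MM:SS."""
    return t.strftime("%m/%d/%Y:%H:%M:%S")


def from_absolute(s):
    """Parse the absolute earliest=/latest= syntax back into a datetime."""
    return datetime.strptime(s, "%m/%d/%Y:%H:%M:%S")


def time_window(earliest, latest, now):
    """Resolve an earliest=/latest= pair; rejects an empty or inverted window."""
    start, end = resolve(earliest, now), resolve(latest, now)
    if start >= end:
        raise ValueError(f"earliest {start} is not before latest {end}")
    return start, end


if __name__ == "__main__":
    # Constructed sample clock times matching the flashcard examples.
    print(resolve("-4h@h", from_absolute("09/04/2023:10:42:07")))    # 06:00:00
    print(resolve("-30m@h", from_absolute("09/04/2023:15:38:12")))  # 15:00:00
    s, e = time_window("-1d@d", "@d", from_absolute("09/04/2023:10:42:07"))
    print(to_absolute(s), to_absolute(e))  # 09/03/2023:00:00:00 09/04/2023:00:00:00
```

The snap-then-offset form (@d-2h) is kept separate from the offset-then-snap form (-4h@h) because they give different answers for the same clock time; the order in which you write them is the order Splunk applies them.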
Events timeline
Bars at top of screen that indicate the amount of data for that time block
Legend: shows bin size (block of time for each bar)
Job Menu
Edit Job Settings: permissions (a job is private by default, so only its owner can view it) and lifetime (10 minutes by default, extendable to 7 days; to keep results longer than 7 days, save the search as a report)
Send Job to Background
Inspect Job
Delete Job
What is the default job lifetime?
10 minutes
Which file types are options for exporting Splunk search results?
Raw Events (text file), JSON, CSV, XML
Where do you manage saved jobs?
Activity drop-down > Jobs