Module 4 Flashcards by Bradley Spooner

name/value pairs

Ex: index=main, source=eventgen, sourcetype=evntgen

How well did you know this?

Not at all

Perfectly

Field extractions (index time extractions)

Metadata field: host, source, sourcertype, index
internal field: _time, _raw
Custom fields

How well did you know this?

Not at all

Perfectly

Search time extractions

Delimiter based
RegEx Based

How well did you know this?

Not at all

Perfectly

Field Discovery

Splunk automatically discovers fields using key value pairs
When Fast search mode is active, this disables field discovery

How well did you know this?

Not at all

Perfectly

Default selected fields

host, source, sourcetype

How well did you know this?

Not at all

Perfectly

What are interesting fields

Fields that appear in atleast 20% of events

How well did you know this?

Not at all

Perfectly

Where do you go when a field that isnt in atleast 20% of data

All fields above the selected fields

How well did you know this?

Not at all

Perfectly

Syntax

field_name=field_value
Use “” for fields with spaces ex: “Jean Claude”
Splunk can use CIDR notation

How well did you know this?

Not at all

Perfectly

Are Field names case sensitive?

Yes
action=addtocart (Yes)
ACTION=addtocart (no)

How well did you know this?

Not at all

Perfectly

Are Field values case sensitive?

No
action=addtocart (Yes)
action=ADDTOCART (Yes)

How well did you know this?

Not at all

Perfectly

Comparison Operators

=. !=, >, <, >=, <=

How well did you know this?

Not at all

Perfectly

How well did you know this?

Not at all

Perfectly

Module 4 Flashcards

(12 cards)