Brainscape's Knowledge GenomeTM


Top Flashcards (Certified)
All Flashcards

Splunk > Splunk Fundamentals 2 > Flashcards

Splunk Fundamentals 2 Flashcards

1
Q

True or False. Tags, field values with “eval” and “where,” and “field values from lookup” are case insensitive.

A

False. They are case sensitive.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q

True or False. Field names, regular expressions and Boolean operators are case sensitive.

A

True

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
3
Q

As events come into Splunk, they are placed into an index’s ____ ___ (which is the only writable bucket).

A

hot bucket

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
4
Q

Which command returns tables containing only specified fields in a result set?

A

table

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
5
Q

Which command renames a field in results?

A

rename

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
6
Q

Which command includes or excludes specified fields?

A

fields

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
7
Q

Which command sorts results by specified field?

A

sort

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
8
Q

Which command adds field values from an external source (e.g., csv files)?

A

lookup

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
9
Q

Are Boolean operators case sensitive?

A

yes

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
10
Q

Are field names case sensitive?

A

yes

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
11
Q

Using a ____ ____ in Splunk is a way to search through text to find pattern matches in your data.

Are they case sensitive?

A

regular expression

yes

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
12
Q

True or False. Field values from lookup, tags, and field values with “eval” and “where” commands are not case sensitive.

A

False. They are case sensitive.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
13
Q

Are command names (i.e. stats, STATS), command clauses (i.e. “as,” “by,” “with), statistical functions (i.e. avg, AVG, Avg), search terms (i.e. failed, FAILED) and field values (i.e. host=www1, host=WWW1) case sensitive or case insensitive?

A

case insensitive

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
14
Q

As events age in Splunk, they move from the ____ bucket, to the ____ bucket and finally to the ____ bucket.

A

hot, warm, cold

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
15
Q

Who can configure settings and add more to buckets? Users, admins or power users?

A

admins

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
16
Q

What is the most efficient filter to use when searching events? After time, the most powerful fields to filter are what?

A

time

index, host, source and sourcetype

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
17
Q

What command would you use in order to only extract (discover) the fields you need?

A

fields command

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
18
Q

____ mode in Splunk = performance over completeness.

____ mode in Splunk balances speed and completeness.

____ mode in Splunk focuses on completeness over performance

A

fast
smart
verbose

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
19
Q

Removing duplicates then sorting is ____ (faster or slower) than sorting then removing duplicates?

A

faster

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
20
Q

____ commands massage raw data in tables and transform specified cell values for each event into numerical values that you can use for statistical purposes.

A

transforming

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
21
Q

What commands are required to ‘transform’ search results into visualizations?

A

transforming

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
22
Q

What type of commands are the following?

top
rare
chart
timechart
stats
geostats
A

transforming

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
23
Q

In fast mode, verbose mode, and smart mode what is not available for non-transforming searches?

A

statistics and visualizations

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
24
Q

Only metadata fields (host, source and sourcetype) and fields specified in a search are available in ___ mode.

A

fast

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
25
In fast mode transforming searches, ____ and ___ are not available. However, statistics and visualizations are.
events, patterns
26
In ___ mode, events and patterns are available in non-transforming searches, but statistics and visualizations are not. Are events, patterns, statistics and visualizations available for transforming searches?
verbose | yes
27
In smart mode, events and patterns are NOT available. However ____ and ____ are.
statistics and visualizations
28
What tool allows you to examine the: Overall stats of search (e.g., records processed and returned, processing time) How search was processed Where Splunk spent its time
Search Job Inspector tool
29
What is used to troubleshoot a search’s performance and understand the impact of knowledge objects on processing (e.g., event types, tags, lookups)?
Search Job Inspector tool
30
Header, execution costs and search job properties are the 3 ____ of what tool?
components | Search Job Inspector tool
31
Which component of the Search Job Inspector tool provides basic information, including time to run and # of events scanned?
header
32
Which component of the Search Job Inspector tool provides details on the cost to retrieve results?
execution costs
33
command.search.index, command.search.filter, and command.search.rawdata are all ____ ___ shown in the Search Job Inspector tool.
execution costs
34
Which execution cost of the Search Job Inspector tool specifies the time that it took to filter out events that did not match? a. command.search.rawdata b. command.search.index c. command.search.filter
c. command.search.filter
35
Which execution cost of the Search Job Inspector tool specifies the time that it took to search the index for the location to read in rawdata files? a. command.search.rawdata b. command.search.index c. command.search.filter
b. command.search.index
36
Which execution cost of the Search Job Inspector tool specifies the time that it took to read events from the rawdata files? a. command.search.rawdata b. command.search.index c. command.search.filter
a. command.search.rawdata
37
As events are stored by time, ______ is the most efficient filter. a. _time b. _raw c. _introspection
a. _time
38
Select all that are considered case sensitive. a. Boolean operators b. tags c. keywords d. command functions
a. Boolean operators | b. tags
39
The Search Job Inspector has three components. Select all that apply. a. Header b. Health check c. Search job properties d. Execution costs
a. Header c. Search job properties d. Execution costs
40
For general search best practices, only use ________ wildcards to make efficient use of index. a. trailing b. beginning c. middle-of-string
a. trailing
41
When a search returns statistical values, results can be viewed in a table on the ___ tab or as a ____.
statistics | visualization
42
Lines, column charts, pie charts, single values, gauges, maps and many more are all examples of what?
visualizations
43
A ___ ____ is a sequence of related data points that are plotted in a visualization. They can generate various statistical or visualization results.
data series
44
Most visualizations require a ____ ___ table. A ___ ___ table consists of search results structured as a table with at least two columns.
single series
45
The leftmost column of a single series table provides x-axis values or y-axis values? What axis are subsequent columns on?
x-axis values | the y-axis
46
To get ___ ____ tables, you need to set up the underlying search with transforming commands such as "chart" and "timechart."
multi-series tables
47
___ ___ tables display statistical trends over time. They can be single-series or multi-series.
time series
48
What command do you have to use for a time series result?
timechart command
49
What type of chart shows trends in the relationships between discrete data values?
scatter charts
50
____ charts show discrete values that do not occur at regular intervals or belong to a series.
scatter
51
The ____ command can display any data series plotted across one or two dimensions.
chart
52
What chart command function is being used in the following search strings? (Note: The difference between the two are the "over" clause and the "by" clause in the second lines). index=security sourcetype=linux_secure | chart count over vendor_action index=security sourcetype=linux_secure | chart count by vendor_action
count function
53
When you use the ___ function in Splunk, a table is created with a column that tallies the number of events for each value in the result set.
count
54
With the ____ command, you can use the "by" clause with the "over" clause to split results (ie. over vendor_action by user). Or you can just use two "by" clauses (i.e. by vendor_action, user).
chart
55
You can only split chart results over a maximum | of how many dimensions using the chart command?
two
56
Chart and timechart commands automatically filter results to include the ____ highest values. Surplus values are grouped in "OTHER." Results can be skewed by "NULL" and "OTHER." a. five b. ten c. twenty d. fifteen
b. ten
57
What chart and timechart command values are shown by default?
NULL and OTHER
58
"useother=f" and "usenull=f" can be used to remove empty ____ and ____ values from display in a visualization using the chart command.
NULL and OTHER
59
What can be used to adjust the default number of plotted series (10) when using the chart command?
limit argument
60
The ____ command performs statistical aggregations against time. It also plots and trends data over time.
timechart command
61
"_time" using the timechart command is always on the x-axis or y-axis?
x-axis
62
Line or area charts are the best representation of what type of chart?
timecharts
63
With the timechart command,the default time intervals (or time ranges of a search) that can be used are span=1m which equals _____ minutes and span=30m which equals ____ hours.
60 minutes | 24 hours
64
You can adjust the time interval of a timechart by using what argument?
"span" argument
65
The ____ layout allows you to display multiple charts based on one result set and allows visual comparison between different categories.
trellis layout
66
Which command displays the output of the timechart command, so that each time period is a separate series? a. timechart command b. chart command c. timewrap command
c. timewrap command
67
Which command can compare data over a specific time period, such as day-over-day or month-over-month? a. timechart command b. timewrap command c. chart command
b. timewrap command
68
What command is being used here? index=security sourcetype=linux_secure | stats count by src_ip, user, vendor_action, app
stats command
69
What clause would you use to calculate statistics for two or more non time-based fields?
"by" clause
70
To get multi-series tables, you need to set up the underlying search with transforming commands. Select all that apply. a. chart b. abstract c. timechart
a. chart | c. timechart
71
When using the timechart command, what option is used to specify the _time interval? a. group b. trend c. span
c. span
72
Which of the three transforming commands below allows you to split results over a maximum of TWO dimensions? a. stats b. chart c. timechart
b. chart
73
Which of the three transforming commands below allows you to split results over a maximum of ONE dimension? a. stats b. chart c. timechart
c. timechart
74
Which of the three transforming commands below allows you to split results over MANY dimensions? a. stats b. chart c. timechart
a. stats
75
Which of the three transforming commands below does not allow you to limit the number of series shown, filter "other" and "null" series, and set value groups along the x-axis? a. stats b. chart c. timechart
a. stats
76
Which transforming commands allow you to use "span" in order to set value groups along the x-axis? a. stats b. chart c. timechart
b. chart | c. timechart
77
Which commands would you use to count the frequency of a field(s)? a. stats b. chart c. top/rare d. timechart
c. top/rare
78
Which command is non time-based and would be used to calculate statistics for two or more "by" fields? a. stats b. chart c. top/rare d. timechart
a. stats
79
Which command is used to calculate statistics using an arbitrary field as the x-axis? This command also allows you to use "over" or "by" to specify the x-axis, and WILL NOT allow you to use "_time" on the x-axis. a. stats b. chart c. top/rare d. timechart
b. chart
80
You would use the ____ command to calculate statistics with "_time" as the x-axis. a. stats b. chart c. top/rare d. timechart
d. timechart
81
If a "by" field is used for the timechart command, the output is a ____.
table
82
To get multi-series tables, you need to set up the underlying search with transforming commands. Select all that apply. a. chart b. abstract c. timechart
a. chart | c. timechart
83
When using the timechart command, what option is used to specify the _time interval? a. group b. trend c. span
c. span
84
____ are aliases to field values. For example, if two host names refer to the same computer, you could give both host values the same ___ (for example, hal9000). When you search for ___=hal9000, Splunk returns events involving both host name values. Note: Answers for all blanks are the same
tags
85
top, stats, chart, and timechart are all what type of commands? a. Sorting Results b. Filtering Results c. Grouping Results d. Reporting Results e. Filtering, Modifying, and Adding Fields
d. Reporting Results
86
Which transforming command returns the most frequently occurring typle of field values, along with their count and percent? a. stats b. chart c. top d. rare e. timechart
c. top
87
This command computes the moving averages of a field.
trendline
88
There are 3 ____ that must be included when using the trendline command. ____ (acronym for simple moving average), _____ (acronym for exponential moving average), and ____ (acronym for weighted moving average).
trendtypes sma ema wma
89
The ___ over which to compute a trend (which can be between whole numbers of 2 and 10,000) must be included when using the trend line command.
period
90
When displaying data on maps, there are two types that can be used: A ____ map (which shades areas based on metrics). A ____ map (which displays statistical grouping based on geo location).
Choropleth | Cluster
91
Which command is used to look up and add location information to an event (including city, country, region, latitude and longitude)? a. geostats b. iplocation c. stats d. chart e. timechart
b. iplocation
92
True or False. The iplocation command DOES NOT automatically define default lat and lon fields required by geostats.
False | The iplocation command AUTOMATICALLY defines default lat and lon fields required by geostats.
93
The ____ command is used to compute statistical functions and render a cluster map. Data must include latitude and longitude values. a. chart b. iplocation c. stats d. geostats e. timechart
d. geostats
94
When using the geostats command, you can control the column count, using the ______ argument.
globallimit
95
____ maps use shading to show relative metrics, such as sales, network intruders, etc. for predefined geographic regions.
Choropleth
96
To define regional boundaries for a choropleth map, you must have what type of files? Select all that apply. a. CSV b. KML (Keyhole Markup Language) c. JSON d. KMZ (compressed Keyhole Markup Language) e. XML
b. KML (Keyhole Markup Language) | d. KMZ (compressed Keyhole Markup Language)
97
The standard geo searches that Splunk ships with for the choropleth maps is: 1. geo_us_states (which for what country?) 2. geo_countries (which is for ____) and …| geom [featureCollection] [featureIdField=string] (Note: No answer needed for this one)
United States | countries of the world
98
With gauge visualizations, you can make adjustments to color by using UI or the ____ command.
gauge
99
____ layout displays multiple gauges when using a by clause in the stats command.
trellis
100
With the timechart command, you can add a _____ and a trend. A ____ is an inline chart and is designed to display time-based trends associated with the primary key. (Note: Same answer for both)
sparkline
101
The ____ command is used to compute the sum of all or selected columns, and place the total in the last row and last column. a. top b. stats c. chart d. addtotals e. timechart f. iplocation g. geostats
d. addtotals
102
When using the add totals command, ___=t counts the fields in each row under a column named, while ____=t counts the fields in each row in a row named.
row=t | column=t
103
The trendline command provides three trend types. Select all that apply. a. tma (time) b. sma (simple) c. ema (exponential) d. wma (weighted)
b. sma (simple) c. ema (exponential) d. wma (weighted)
104
By default, the iplocation command adds fields to the results. Select all that apply. a. City b. lon c. pid d. Region
b. lon
105
When using the addtotals command, the labelfield argument is valid only when _______. a. col=true b. row=true c. fieldname=f
a. col=true
106
This command calculates an expression and puts the resulting value into a new field. For instance if a user creates the following search string: … | eval velocity=distance/time The resulting table would have the value for distance in one column, the value for time in another column and the eval velocity column would be the result of the # for distance divided by the number for time.
eval command
107
When using the eval command, expressions must be separated by what character? a. >= b. , c. !=
b. ,
108
The ____ command allows you to: Calculate expressions Place the results in a field Use that field in searches or other expressions
eval
109
When using the eval command, the ____ function sets the value of a field to the number of decimals you specify. (ie. one number after the decimal, two numbers after the decimal, etc.)
round
110
Which type of eval command is represented by the following operators? + - * / % a. Boolean b. Comparison c. Arithmetic d. Concatenation
Arithmetic
111
Which type of eval command is represented by the following operators? NOT AND OR XOR a. Boolean b. Comparison c. Arithmetic d. Concatenation
a. Boolean
112
Which type of eval command is represented by the following operators? < > <= >= != = LIKE a. Boolean b. Comparison c. Arithmetic d. Concatenation
b. Comparison
113
Which type of eval command is represented by the following operators? + . a. Boolean b. Comparison c. Arithmetic d. Concatenation
d. Concatenation
114
When using the eval command, and the round function for results, If the number of decimals is unspecified, what is the result?
a whole number
115
When using the eval command, the ____ function converts a numeric field value to a string.
tostring
116
When using the eval command and tostring function, there are 3 options that you can use to format the numbers in the table that is created: a. _____ which apply commas to the numbers b. _____ which format the numbers as hh:mm:ss c. _____ which formats the number in a hexadecimal Place the following terms in the correct blank: "duration," "commas," "hex"
a. commas b. duration c. hex
117
Which eval command function is described below? 1. takes three arguments 2. the first argument, X, is a boolean expression 3. if argument X evaluates to TRUE, the result evaluates to the second argument, Y 4. if argument X evaluates to FALSE, the result evaluates to the third argument, Z
"if" function
118
When using the eval command "if" function, non numeric values must be enclosed in _______. Are field values case sensitive when using this function, or case insensitive?
double quotes | case sensitive
119
The eval command ____ function works similar to that of the "if" function. However, rather than the first argument being X, it's X1. The following arguments are Y1, X2, Y2, etc. Also, if none of the boolean expressions are true, the result evaluates to NULL.
case
120
If none of the boolean expressions were true using the eval command "case" function, what would the result be?
NULL
121
Identify the functions used in both search strings: Search string #1: ``` index=network sourcetype=cisco_wsa_squid | eval Risk = case(x_wbrs_score >= 5,"1 Very Safe", x_wbrs_score >= 3,"2 Safe", x_wbrs_score >= 0,"3 Neutral", x_wbrs_score >= -5,"4 Dangerous", x_wbrs_score < -5, "5 Very Dangerous") ``` Search string #2 index=sales sourcetype=vendor_sales | eval SalesTerritory = if ((VendorID >= 7000 AND VendorID < 8000), "Asia", "Rest of the World")
1. case function | 2. if function
122
The _____ command calculates an expression and puts the resulting value into a search results field.
eval
123
Unlike the eval "command" (which calculates an expression and puts the resulting value into a search results field), the eval "____" counts the number of events that have a specific field value. What function must be used along with the eval "____"? Note: Same answers for the blank spaces.
``` function count ```
124
True or False. Field values ARE case sensitive when using the eval "FUNCTION."
True
125
Which command is described below? The "search" command, or the "where" command? 1. Can be used at any point in the search pipeline 2. Allows searching on keywords 3. Treats field values in a "case insensitive" manner
search
126
Is the "search" command, or the "where" command being described below? 1. Functions are available, such as isnotnull() 2. Can’t appear before first pipe in search pipeline 3. Can’t filter with keywords 3. Treats field values in a "case-sensitive" manner 4. Can compare values from two different fields
where
127
Which command is used here? Also describe what is happening? source=job_listings | where salary > industry_average
"where" command retrieves jobs listings and discards those whose salary is not greater than the industry average
128
When using the "like" operator with the "where" command, you must use (_) for __ character and (%) for _____ characters. Note: The blank spaces should be filled with quantities (i.e. one, a couple, multiple)
one | multiple
129
What where command operator is being used in the following search string? index=security sourcetype=linux_secure | where like (user,"adm%") | dedup user | table user
like
130
When using the "where" command, use _____ to find events with an empty value for a specific field, and ____ to find events that contain a non-empty value for a particular field. On the other hand, _____ should be used to replace null values in fields. a. fillnull b. isnull c. isnotnull
b. isnull c. isnotnull a. fillnull
131
Create a new field called velocity in each event. Calculate the velocity by dividing the values in the distance field by the values in the time field. a. |eval {velocity} = Value, distance OVER time b. |eval velocity=distance/time c. |eval velocity=split(distance,time)
b. |eval velocity=distance/time
132
If you use the following eval command with the round() function, select a possible result: |eval bandwidth = round(Bytes/pow(1024,2), 2) a. 28 b. 124.032 c. 273.02
c. 273.02
133
The eval command supports comparison and conditional functions. Select all that apply. a. case (X1,"Y1",X2,"Y2",…) b. if (X,Y,Z) c. like (TEXT,PATTERN) d. tostring(X,Y)
a. case (X1,"Y1",X2,"Y2",…) | b. if (X,Y,Z)
134
If you want to use the fillnull command and show a specific text, which syntax would be correct? a. | fillnull value="nada" b. | fillnull NULL=nada c. | fillnull 0 as nada
a. | fillnull value="nada"
135
The ____ command groups related events that meet various constraints. The events are grouped into ____, which are collections of events, possibly from multiple sources. Note: Same answer for both blank spaces.
transaction
136
The following are common ____ that are used when the transaction command is used: maxspan maxpause startswith endswith
constraints
137
What command would you use at any point in the search pipeline to filter the transactions created by the transaction command?
search command
138
The transaction command produces two fields: 1. ____: difference between the timestamps for the first and last events in the transaction. 2. ____: number of events in the transaction.
duration | eventcount
139
When using the transaction command, you can define a max overall time span and max gap between events. Which definition describes maxspan, and which describes maxpause? _____ is the maximum total time between events _____ is the maximum total time between the earliest and latest events
maxpause | maxspan
140
What would the following indicate in an event where the transaction command is used? maxspan=5m
The maximum total time between the first and last event of all of the transactions combined should be no more than 5 minutes.
141
To form transactions based on terms, field values, or evaluations, use ____ and ___ options. For example, if you were determining how long it took for customers to complete a purchase online over the last 24 hours you might want the FIRST event in your transactions to include "addtocart" and the LAST event to include "purchase."
startswith | endswith
142
_____ can be useful when a single event does not provide enough information.
transactions
143
True or False. You can use statistics and transforming commands with transactions.
True
144
When you have a choice, would you use the transaction or stats command? Why?
stats | it's more efficient
145
Which of the following definitions describe the stats command? Which definition describes the transaction command? The ____ command when you: • Need to see events correlated together • Must define event grouping based on start/end values or segment on time The ____ command when you: • Want to see the results of a calculation • Can group events based on a field value (e.g., by src_ip)
transaction | stats
146
There is a limit of ____ events when using the ____ command. However there is no limit when using the ____ command. Note: first blank: # second and third blanks: pick transaction or stats
1,000 transaction stats
147
What’s the maximum number of events that can be grouped per transaction? a. 100 events b. 1,000 events c. 10,000 events
b. 1,000 events
148
What are the options that can be used to constrain transactions? Select all that apply. a. startswith b. endswith c. maxspan d. maxpause
c. maxspan | d. maxpause
149
Which fields are created by the transaction command? Select all that apply. a. duration b. memcontrol c. eventcount d. txn_definitions
a. duration | c. eventcount
150
What are tools you use to discover and analyze various aspects of your data?
knowledge objects
151
Data interpretation, data classification, data enrichment, normalization and data sets are all different types of what?
knowledge objects
152
Which knowledge object deals with fields and field extractions? a. data classification b. data sets c. data interpretation d. data enrichment
c. data interpretation
153
Which knowledge object deals with event types? a. data classification b. data sets c. data interpretation d. data enrichment
a. data classification
154
This type of knowledge object consists of lookups and workflow actions. a. data classification b. data sets c. data interpretation d. data enrichment
d. data enrichment
155
This type of knowledge object deals with tags and field aliases. a. data classification b. data sets c. data interpretation d. data enrichment e. normalization
e. normalization
156
This type of knowledge object contains data models. a. data classification b. data sets c. data interpretation d. data enrichment e. normalization
b. data sets
157
____ ___ are also persistent objects that can be used by multiple people or apps, such as macros and reports.
knowledge objects
158
A Knowledge Object Manager could be any of the 3 Splunk roles, but a person usually has to at least be a ______. a. user b. admin c. power user
c. power user
159
Select all knowledge objects. a. lookups b. field aliases c. users d. workflow actions
a. lookups b. field aliases d. workflow actions
160
Splunk knowledge objects are persistent objects that can be used by multiple ________. Select all that apply. a. users b. apps c. searches
a. users | b. apps
161
Search-time operations are always applied in the same order when generating knowledge objects. Use the following information to put search time operation in the correct order. a. Lookups b. Calculated fields c. Tags d. Extractions e. Field aliases f. Event types
d. Extractions e. Field aliases b. Calculated fields a. Lookups f. Event types c. Tags
162
Field aliases are applied after __________, before ___________. Select all that apply. a. lookups, field extractions b. field extractions, lookups c. field extractions, tags
b. field extractions, lookups | c. field extractions, tags
163
Prior to search time in Splunk, some fields are already stored with the event in the index. ____ fields, such as host, source, and sourcetype, and ____ fields such as _time and _raw are those fields. However at search time, ____ _____extracts fields from raw event data, including those directly related to the search’s results. Use the following answers to fill in the blanks. a. internal b. field discovery c. meta
c. meta a. internal b. field discovery
164
In addition to the many fields Splunk auto-extracts, you can also extract your own fields with the ____ ____.(FX)
Field Extractor
165
You can use ___ __ to extract fields that are static and that you use often in searches.
Field Extractor
166
You can extract fields in FX from events using ____ and ____.
regex, delimiter
167
The are two extraction methods in Splunk. The first, ____ is used when your event contains unstructured data like a system log file. The second, ____ is used when your event contains structured data like a .csv file.
regex, delimiter
168
You would use _____ field extractions when a consistently structured log has values that are separated by spaces, commas, or characters.
delimited
169
Use _________ field extractions when fields are separated by spaces, commas, or characters. a. delimited b. regex c. rename
a. delimited
170
There are three ways to get to the Field Extractor (FX). Select all that apply. a. Event Actions menu b. Fields sidebar c. Settings menu d. Auto-Extract Fields Workflow
a. Event Actions menu b. Fields sidebar c. Settings menu
171
Use ___ ____ to extract fields that are static and that you use often in searches including: - Graphical UI - Extract fields from events using regex or delimiter - Extracted fields persist as knowledge objects - Can be shared and re-used in multiple searches
Field Extractor
172
When using regex for field extraction, what's the first thing you have to do in the Field Extractor? a. Select a value to extract b. Provide a Field Name c. Edit the regular expression d. Set the Extractions Name
a. Select a value to extract
173
____ ___ are a way to associate an additional (new) name with an existing field name, like a nickname (possibly for normalization purposes), and are evaluated by the “search parser” after field extractions, before ____.
field aliases | lookups
174
Many source types contain some type of user name. In order to make data correlation and searching easier, you can normalize the username field by using a ____ ____.
field alias
175
Put the following steps for creating a field alias in Splunk in sequential order: a. Fields b. New Field Alias c. Settings d. Field Aliases
c. Settings a. Fields d. Field Aliases b. New Field Alias
176
True or False. A new field alias is required for each sourcetype.
True
177
True or False. When you create a field alias, the original field IS affected.
False. The original field is not affected.
178
True or False. When you create a field alias, both fields appear in the all fields and Interesting Fields lists, if they appear in at least 20% of events.
True
179
When you create a field alias, both fields appear in the all fields and Interesting Fields lists, if they appear in at least ____% of events.
20%
180
After you have defined your field aliases, you can reference them in a ____ table.
lookup
181
____ fields are shortcuts for performing repetitive, long, or complex transformations using the eval command. ____ fields must be based on an extracted field. Note: Answer for both blanks are the same.
calculated
182
When you create a field alias, the default behavior is that the original field is: a. overwritten b. not affected c. cached
b. not affected
183
When you create a calculated field, the field in the expression must be __________. a. an extracted field b. a lookup table c. field/column generated from within
a. an extracted field
184
____ fields reference field aliases. ___ ____ are created to rename an existing field extraction.
calculated fields, field aliases
185
Can you, or can't you do the following? 1. Create a field alias that references a calculated field 2. Create a calculated field that references a field added through a lookup operation
you CAN'T
186
A ___ is a knowledge object that enables you to search for events that contain specific field/value combinations. They are like labels that you create for field/value pairs, and make your data more understandable and less ambiguous.
tag
187
Are tags case sensitive or case insensitive?
case sensitive
188
To search for a tag associated with a value you would type: a. = b. Use (*) wildcard c. tag=
c. tag=
189
To search for a tag associated with a value on a specific field you would type: a. tag::= b. Use (*) wildcard c. tag=
a. tag::=
190
To search for a tag using a partial field value you would: a. = b. Use (*) wildcard c. tag=
b. Use (*) wildcard
191
In order to manage tags (such as edit permissions and disable all tags for pairs) you would use the _____ ___ ____ ___ ____ menu. Note: Answer contains 5 words.
List by Field Value Pair
192
How would you change a tag name? a. by editing permissions b. by first clicking on the field value pair c. by typing "tag="
b. by first clicking on the field value pair
193
An ___ type is a method of categorizing events based on a search.
event
194
Can event types be tagged?
Yes, to group similar type of events
195
What do you use to create event types?
Event Type Builder
196
These are the two ways that you can ____ event types: 1. Settings > Event types 2. Event details > Actions
tag
197
___ ____categorize events based on a search string.
Event types
198
If you tag the field value of your home office’s IP address as ‘homeoffice’, what events are returned when you search for tag=homeoffice? a. events with that IP address b. events from _internal c. field lookup table
a. events with that IP address
199
To search for a tag associated with a value on a specific field, select the correct search string. a. tag::user=privileged b. tag=user==privileged c. tag=user::privileged
a. tag::user=privileged
200
Which of the following are ways you can create an event type. Select all that apply. a. Settings > Event types b. Run a search, and save as Event Type c. From event details, select Event Actions > Build Event Type
b. Run a search, and save as Event Type
201
_____ are useful when you frequently run searches or reports with similar search syntax, and can be a full search string or a portion of a search that can be reused in multiple places.
macros
202
In order to use a basic macro, you need to do the following: 1. Type the macro name into the search bar 2. Surround the macro name with the ______ (or grave accent) character... NOT single quotes
backtick
203
monthly_sales(3) The Splunker that typed the above is trying to add an argument to a macro. What have they done first in order to get the process started?
added the number of arguments in parentheses after the macro name
204
Within a search, macro _____ should look like the following examples: $currency$ (which would be the argument for currency) $symbol$ (which would be the argument for symbol) $rate$ (which would be the argument for rate)
arguments
205
When using a macro with arguments, you have to include the argument(s) in _____ following the macro name and list them in the EXACT SAME order that you listed them when creating the macro.
parentheses
206
When working with macros, the time range is _____________. a. Always set to Last 24 hours b. Selected at search time c. Always set to All time
b. Selected at search time
207
When adding arguments to a macro, include the number of arguments in _____________. a. Parentheses after the macro name b. Parentheses before the macro name c. Dollar signs within the search definition
a. Parentheses after the macro name
208
Surround the macro name with the _______ when executing a macro. a. Dollar signs b. Backtick character c. Single quote character
b. Backtick character
209
You can execute ____ ____ from an event or field in your search results to interact with external resources or run another search.
workflow actions
210
______ workflow actions retrieve information from an external resource. a. POST b. GET c. Search
a. GET
211
______ workflow actions send field values to an external resource. a. POST b. GET c. Search
a. POST
212
______ workflow actions use field values to perform a secondary search. a. POST b. GET c. Search
c. Search
213
Do GET workflow actions have spaces or special characters?
No
214
In order to create GET and POST workflow actions, you have to enter the _____ (this is an acronym) for where the user will be directed. What does the acronym stand for?
URI (Uniform Resource Identifier)
215
To perform a secondary search, use a _______ workflow action. a. Search b. POST c. GET
a. Search
216
Which workflow actions require you to specify if the behavior should open in a new window or current window? Select all that apply. a. Search b. POST c. GET
a. Search b. POST c. GET
217
_____ is used for creating dashboards, and its reports are based on datasets.
Pivot
218
Hierarchically structured datasets used in Pivot that contain searches and fields are called _____ _____ (two words). Each event, search, or transaction is saved as a separate ______ (one word).
data models | data set
219
The following are the 3 types of ____ that a data model can consist of. Events Searches Transactions
datasets
220
Which type of dataset contains constraints and fields? a. Events b. Transactions c. Searches
a. Events
221
_____ in "event" datasets are essentially a search broken down into a hierarchy. ____ are associated with the events.
constraints | fields
222
Dataset fields are inherited from ____ ____. a. data models b. parent objects c. root events
a. parent objects
223
The inherited attributes in the root event of a data model are called _____ fields.
default
224
You can add fields to a dataset through the auto-extracted menu, eval expression, lookup, regular expression and Geo IP. Which of the following is described below? can be default fields or manually extracted fields... a. lookup b. auto-extracted c. Geo IP d. regular expression e. eval expression
b. auto-extracted
225
Which method of adding fields to a data set is described below? leverage an existing lookup table... a. lookup b. auto-extracted c. Geo IP d. regular expression e. eval expression
a. lookup
226
Which method of adding fields to a data set is described below? add geographical fields such as latitude/longitude, country, etc. ... a. lookup b. auto-extracted c. Geo IP d. regular expression e. eval expression
c. Geo IP
227
Which method of adding fields to a data set is described below? a new field based on an expression that you define... a. lookup b. auto-extracted c. Geo IP d. regular expression e. eval expression
e. eval expression
228
Which method of adding fields to a data set is described below? extract a new field based on regex... a. lookup b. auto-extracted c. Geo IP d. regular expression e. eval expression
d. regular expression
229
This tool in the Splunk platform allows you to examine the overall stats of your search, examine how your search was processed and see where Splunk spent its time. You can use this tool to troubleshoot a search’s performance and understand impact of knowledge objects on processing.
Search Job Inspector Tool
230
The 3 components of the Search Job Inspector tool are (select all that apply): a. Header b. Field Name c. Execution costs d. Search job properties e. Tags
a. Header c. Execution cost d. Search job properties
231
This component of the Job Search Inspector tool in Splunk provides basic information, including time to run and # of events scanned.
Header
232
This component of the Job Search Inspector tool provides details on cost to retrieve results, such as: command. search.index command. search.filter command. search.rawdata
Execution Costs
233
The chart and timechart commands automatically filter results to include how many of the highest values? a. fifteen b. ten c. five
b. ten
234
After the chart and timechart commands automatically filter results to include the ten highest values, surplus values are grouped into... a. other b. null c. not
a. other
235
A ____ allows you to overlay a computed moving average on a chart. An example of one of these are stock market visualizations.
trendline
236
____ reports are used for creating reports and dashboards. They are also based on datasets.
Pivot
237
___ ____ are hierarchically structured datasets containing searches and fields. Each event, search, or transaction is saved as a separate dataset.
data models
238
A data model can consist of 3 types of datasets. Select answers from below. a. events b. field values c. searches d. field names e. lookups f. transactions
a. events c. searches f. transactions
239
Which type of dataset that's used in Pivot contain constraints and fields? a. events b. field values c. searches d. field names e. lookups f. transactions
a. events
240
In data models events, ____ are search terms used to further narrow your search, while fields are associated with the events.
constraints
241
You can add more fields when creating a data model. There are four types of fields that you can add. Read the descriptions below and match the fields below with the correct description. 1. a new field based on an expression that you define 2. geographical fields such as latitude/longitude, country, etc. 3. default fields or manually extracted fields 4. a new field based on regex 5. leverage an existing lookup table a. Auto-Extracted b. Eval Expression c. Lookup d. Regular Expression e. Geo IP
b. Eval Expression e. Geo IP a. Auto-Extracted d. Regular Expression c. Lookup
242
Which type of Pivot dataset defines a dataset based on a search that includes transforming commands? a. event b. field value c. search d. field name e. lookup f. transaction
c. search
243
Which type of Pivot dataset defines a dataset based on a transaction? a. event b. field value c. search d. field name e. lookup f. transaction
f. transaction
244
A ___ event dataset represents a set of data that is defined by a constraint: a simple search that filters out events that aren't relevant to the dataset.
root
245
____ views allows you to create table datasets without using SPL.
table
246
The Splunk ______ _____ _____ (CIM) provides a methodology to normalize data
Common Information Model
247
____ is leveraged when creating field extractions, field aliases, event types, and tags to ensure: 1. Multiple apps can co-exist on a single Splunk deployment 2. Object permissions can be set to global for the use of multiple apps 3. Easier and more efficient correlation of data from different sources and source types
CIM (Common Information Model)
248
True or False. If other apps in a Splunk environment are CIM compliant, then data is normalized across apps, making it easier to search for similar data.
True
249
True or False. If other apps in a Splunk environment are NOT CIM compliant, then field aliases, tags, and event types can be used to normalize data
True
250
The Splunk CIM Add-on has a set of ___ pre-configured data models. Note: Answer is a number
26
251
The ____ should be leveraged so that knowledge objects in multiple apps can co-exist on a single Splunk deployment.
CIM or Common Information Model
252
What commands can be used to retrieve data from a specified data model dataset? Choose the answers below. a. fields b. transforming c. from d. datamodel
c. from | d. datamodel
253
The CIM ___ and ___ commands are generating commands, meaning that they have to be the first command in the pipeline. a. fields b. transforming c. from d. datamodel
c. from | d. datamodel
254
The Common Information Model ____ command retrieves data from a named dataset, saved search, report or lookup file. a. from b. datamodel
a. from
255
The Common Information Model ____ command allows users to examine data models and search data model datasets. a. from b. datamodel
b. datamodel
256
Select the available ways you can validate against a data model. Select all that apply. a. | datamodel b. Pivot c. | transaction d. Workflow actions
a. | datamodel
257
What are the primary knowledge objects the CIM includes or relies upon? Select all that apply. a. data models b. field aliases and tags c. event types d. field extractions
b. field aliases and tags c. event types d. field extractions
258
A data model can consist of the following three types of datasets. Select all that apply. a. events b. searches c. Pivot reports d. transactions
a. events b. searches d. transactions
259
To add a Root Event Dataset, what field is required to be manually added? a. Dataset Name b. Dataset ID c. Duration maxpause maxspan
c. Duration maxpause maxspan
260
2. Data models contain the following. Select all that apply. a. inherited and extracted fields b. constraints c. event object hierarchy
b. constraints | c. event object hierarchy
261
The transaction command produces additional fields such as: _____ which is the difference between the timestamps for the first and last event in a transaction and _____ which is the number of events in a transaction a. time b. duration c. evencount d. field
b. duration | c. evencount
262
What command creates a single correlated event from a group of events based on the same field value?
transaction command

Splunk (3 decks)

Brainscape helps you reach your goals faster, through stronger study habits.
© 2025 Bold Learning Solutions. Terms and Conditions