Splunk Power User 1002 Flashcards

1
Q

Search Terms are not Case Sensitive? T or F

A

True

2
Q

Command names are not Case Sensitive? T or F

A

True

3
Q

Clauses and Functions are not case sensitive? T or F

A

True

4
Q

If a command references a specific value, that value (Is / Is Not) case sensitive?

A

IS

5
Q

What values from lookup tables ARE case-sensitive by default?

A

Field values. Users with admin roles can set lookup field values to not be case sensitive.

6
Q

Booleans ARE Case Sensitive. T or F

A

True

7
Q

Tag Values ARE case sensitive. T or F

A

True

8
Q

Buckets have directories containing sets of:

A

Raw Data and indexing data

9
Q

Buckets have configurable what set by admin users?

A

max size & max time span

10
Q

What are the 3 searchable buckets in Splunk?

A

Hot, Warm, and Cold

11
Q

When are “Hot” buckets rolled into “warm” buckets?

A

when the bucket reaches its max size or max time span, or the indexer is restarted

12
Q

When Splunk search is run, Splunk uses what on bucket directories to determine if it needs to open the bucket, uncompress raw data, and search content inside?

A

Timestamps

13
Q

Wildcards are tested after all other search terms. T or F

A

True

14
Q

Only ____ wildcards make efficient use of the index

A

trailing

15
Q

What happens when there is a wildcard at the beginning of a string?

A

Splunk searches all events in that time frame.

16
Q

Wildcards ______ of a string can cause inconsistent results

A

in the middle

17
Q

Should you use wildcards to match punctuation?

A

No

18
Q

What are the 3 search modes in Splunk?

A

Fast, Smart, and Verbose

19
Q

As events are stored by time, what is the most efficient filter?

A

Time

20
Q

After time, the default fields for _______ are most powerful.

A

index, source, host, and sourcetype.
o These fields are extracted at index time and do not need to be extracted for each search
o Use these fields to filter as early as possible in a search so processing is done on a minimum amount of data

21
Q

Use _____ command to extract only the fields you will need for your search

A

“fields”

22
Q

When should you apply filtering commands?

A

As early as possible

23
Q

Helps determine which phase of a search is taking up the most time

A

Search Job Inspector

24
Q

Search Job Inspector dissects the behavior of searches to help understand execution costs of ____ within a search.

A

knowledge objects, search commands, & other components

25
Any search job that has not expired can be inspected. T or F
True
26
Open job inspector by:
running a search, clicking “Job” dropdown menu, and then “Inspect Job”
27
The _______ component displays the time Splunk took when searching the index for the location of the raw data files
“Command Search Index”
28
The ______ component displays time Splunk took to filter out events that did not match
“Command Search Filter”
29
The ______ component is the time it took to read the events from the raw data files
“Command Search Raw Data”
30
Where do you find the “Search Job Properties” tab?
Under “Execution Costs”
31
Any search that returns ______ can be viewed as a chart
statistical values
32
Most visualizations require results structured as tables with at least __ columns
2
33
Looking at the Statistics tab, if you see 2 columns, what do the first-column values represent and what do the second-column values represent?
First column = x-axis values | Second Column = y-axis values
34
Any stats function can be applied to the chart command. T or F
True
35
y-axis should always be numeric so that it can be charted. T or F
True
36
can remove NULL values by adding argument ______ to chart command
“usenull=f”
37
can remove OTHER column by adding argument ______
“usenull=f”
38
What do you use to show all of the plotted series?
limit=0
39
Performs stats aggregations against time
Timechart Command
40
_____ is always the x axis
Time
41
Timechart Command can split data with a ______ clause
“by”
42
Any stats function can be applied to timechart command. T or F
True
43
Only one value can be specified after the “by” modifier. T or F
True
44
Timechart command intelligently clusters data in time intervals dependent on ______.
time range selected
45
To change the time span of each cluster, you can use the ______ argument.
"span"
46
What command compares data over specific time periods?
Timewrap
47
To use timewrap command, we specify a period of time from the results of the:
timechart command
48
In a Line Graph, you can zoom in by clicking and dragging over a time period? T or F
True
49
Chart Overlay will allow you to lay a line chart of one series of data over another visualization. T or F
True
50
Area chart gives ability to show the data stacked. T or F
True
51
Can zoom into sections of the graph by clicking and dragging
Column chart
52
Uses horizontal bars to show comparisons, and can be stacked
Bar Graph
53
Takes the data and visualizes the percentage for each slice and can drill down to the events for a slice by clicking on the slice
Pie Chart
54
Shows the relationship between two discrete data values plotted on an x- and y-axis and is useful for values that do not occur at regular intervals or belong to a series
Scatter Chart
55
Provides a visual way to view a third dimension of data. Each chart plots against two dimensions on the x and y axes, and the size represents the value for the third dimension. The third field in the table command determines the size of the bubbles in our chart.
Bubble Chart
56
Trellis layout link allows us to split our visualizations by a selected field or aggregation. It has multiple visualizations, but originating search is only run ONCE. T or F
True
57
Can Transforming commands be used with visualizations?
yes
58
Top/rare – counts the frequency of fields. T or F
True
59
Calculates statistics between two or more fields when you do not need the data to be time-based
Stats
60
Calculates statistics with an arbitrary field as your x-axis that is not time
Chart
61
Calculates statistics with time as the x-axis
Timechart
62
Plots geographic coordinates as interactive markers on a world map
Marker Maps
63
Uses shading to show relative metrics for predefined geographic regions
Choropleth
64
Lookup and add location information to events. Data such as city, country, region, latitude, and longitude can be added to events that include external IP addresses
iplocation
65
Aggregates geographical data for use on a map visualization and uses the same functions as the stats command
Geostats Command
66
The Geostats command only accepts ___ “by” argument or arguments
1
67
To control column count, what argument can be used?
"globallimit"
68
Geostats can be used with iplocation. T or F
True
69
View data as a geographical location, uses shading to show relative metrics over predefined locations of a map
Choropleth Maps
70
To use choropleth you will need a ______ file that defines region boundaries
KMZ (Keyhole Markup Language) (.kml)
71
Used to prepare our events for use in a choropleth; adds a field that includes geographical data structures that match polygons on our map
Geom Command (geom featureIdField=), e.g. sourcetype=crime_data cc=USA | lookup geo_us_states latitude, longitude | stats count by featureId | geom
72
2 different types of visualizations you can use to display
Single Value, Gauges
73
What computes moving averages of field values?
Trendline command
74
What 3 arguments are required in a Trendline command?
trendtype, time period, field
75
What options does the Field Format give you?
o Wrap results
o Show row numbers
o Change click selection from cell to row
o Add a data overlay – can be a heat map of values or highlight the high and low values in the table
76
Computes the sum of all numeric fields for each event/row and create a total column
Addtotals Command
77
Used to calculate and manipulate field values
Eval Command
78
Arithmetic, concatenation, and Booleans are supported by the Eval command. T or F
True
79
In the Eval Command, newly created field values are case-sensitive. T or F
True
80
Converts numerical values to strings so that they can be joined with other strings
Tostring Function. After using tostring, fields may not sort numerically because the field values are now ASCII values
81
Can be used if you want to format values without changing characteristics of underlying values
Fieldformat
82
Allows you to evaluate arguments and create values depending on the results
Eval command IF Function.
o Takes 3 arguments [ “if(x, y, z)” ]
o x – a Boolean expression
o y – used if the Boolean expression evaluates to true
o z – used if the Boolean expression evaluates to false
o y & z must be in double quotes if not numerical
83
Can be used to filter results at any time in the search and allows you to use search terms further down the pipeline
Search Command
84
A Search command cannot compare values from 2 different fields. T or F
True
85
Filters events to only keep the results that evaluate as true
Where Command
86
Asterisks cannot be used as a wildcard inside eval or where commands. T or F
True
87
What replaces any null values in your events
Fillnull Command
88
Maximum total time between earliest and latest
maxspan
89
maximum total time between events
maxpause
90
Use Transactions when
o You need to see events correlated together
o When events need to be grouped on start and end values
91
Use stats when
o You want to see results of a calculation
o When events need to be grouped on a field value
92
Transaction has a limit of how many events?
1000
93
What is the limit for Stats?
no limit
94
If given a choice between stats and transactions, which should you use?
stats
95
What are tools that help you and your users discover and analyze your data?
Knowledge Objects
96
Knowledge objects are used for:
o Data interpretation
o Classification
o Enrichment
o Normalization
o Search time mapping
97
Properties of knowledge objects are that it:
o Can be created by one user and shared with other users based on permission settings
o Can be saved and reused by multiple people or in multiple apps
o Can be used in a search
98
Name 5 types of knowledge objects:
1. data interpretation
2. data classification
3. data enrichment
4. normalization
5. datasets
99
What is the order for common naming convention of objects?
group, type, platform, category, time, and description
100
What are three predefined ways that knowledge objects can be displayed to users?
Private, Specific apps, All apps
101
What does CIM stand for?
Common Information Model
102
The _____ allows you to use a graphical user interface to extract fields that persist as knowledge objects making them reusable in searches
Field Extractor
103
2 different methods the field extractor can use to extract data
o Regular expressions – work well when you have unstructured data and events that you want to extract fields from
o Delimiters – used when your events contain fields separated by a character
104
_____ will display events that do not contain extracted fields
Non-matches
105
After manually editing a regular expression, you cannot go back to the Field Extractor UI. T or F
True
106
Delimiter can be a:
space, comma, tab, other
107
To be able to select a value from an already extracted field, you must open the “Existing Fields” menu, and turn off the highlight for the field that includes the value. T or F
True
108
_____ give you a way to normalize data over any default field.
Field Aliases
109
_____ are applied after field extractions, before lookups.
Field Aliases
110
How do you create a field alias?
“Settings” -> “Fields” -> “Field aliases”
111
Can apply aliases based on?
Sourcetype, source, host
112
Old fields are still available to search? T or F
True
113
Once a field alias is defined, they can be referenced in?
A lookup table
114
What are calculated fields used for?
repetitive, long, and complex eval commands
115
Calculated fields must be based on an extracted field? T or F
True
116
Select destination app and then which sourcetype, source, or host to apply the _____ to.
calculated field
117
Calculated fields must or must not be based on extracted or discovered fields?
MUST
118
Allows you to designate descriptive names for key-value pairs and enables you to search for events that contain particular field values
Tags
119
Are Tag values(names) case sensitive?
Yes
120
What are 3 ways to search for tags?
o tag=privileged
o tag::user=privileged
o tag=p*
121
Allows you to categorize events based on search terms
Event Type
122
What do event types help with?
simplify searches | give quick visual feedback
123
Do event types show up in fields list?
yes
124
What does a word in Blue in a Splunk search mean?
command
125
What does a word in green in a Splunk search mean?
command argument
126
What does a word in pink in a Splunk search mean?
function
127
What does a word in orange in a Splunk search mean?
boolean or keyword modifier
128
What does a word in gray in a Splunk search mean?
inline comment (e.g. ```Plot the count of results over the past 24 hours.```)
129
In which is a time range not included? Event Type or Saved Reports
Event Type
130
Can you share saved reports with other Splunk users?
Yes
131
_____ are search strings, or portions of search strings, that can be reused in multiple places within Splunk
Macros
132
When are Macros useful
frequent searches with complicated search syntax
133
What are 3 features that distinguish macros from other knowledge objects?
o Store entire search strings
o They are time range independent
o Can pass arguments to the search
134
How do you create a macro?
“Settings” > “Advanced Search” > “Search macros”
135
What is the syntax for a macro? (Flip card for reference)
o Ex: “… | `convertUSD` “
o Need to use the backtick character (`)
136
How do you change the definition of a macro to accept an argument?
by adding the name of the argument surrounded by dollar signs ($)
o Required to name the macro with how many arguments it requires [ex: “us_sales(2)” ]
o Ex: “… eval $moolah$ = … “
137
What key combination allows you to preview your search without running it?
CTRL + SHIFT + E
138
What is a collection of hierarchically structured datasets?
Data Model
139
A data model consists of 3 types of datasets. What are they?
Events, Searches, & Transactions
140
Any field can be made available to the data model. T or F
True
141
Data models provide the datasets for what?
Pivots
142
_____ data models cannot be edited.
Accelerated
143
_____ data models cannot be accelerated.
Private
144
How do you add fields?
"Add field" Dropdown
145
What are the fields Splunk extracts from our data? These can be default fields or manually extracted fields.
Auto-Extracted Fields
146
What does selecting the type of data allow us to do?
allows us to decide how the data should be recognized (String, number, Boolean, IP data)
147
What does selecting a flag allow us to do?
allows us to choose what attributes are shown or required
148
What are the four settings for Flags?
Optional, Required, Hidden, Hidden & Required
149
What represents transactions using fields that have already been added to the data model?
Root Transactions
150
Root Transactions do not benefit from data model _____.
acceleration
151
What is the recommended way to use Pivot? UI or Pivot Command
UI
152
What does CIM stand for?
Common Information Model
153
What maps all data to a defined method and normalizes to common language for field values?
CIM
154
Data can be normalized at _____ time or at _____ time using knowledge objects.
Index, search
155
_____ should be used for:
o Field extractions
o Aliases
o Event types
o Tags
CIM schema
156
_____ _____ can be shared globally across all apps.
Knowledge objects
157
_____ is a methodology for normalizing data and can correlate data from different sources.
CIM
158
CIM is an app that can coexist with other apps on a _____ Splunk deployment
Single
159
By default, CIM datasets search across all _____
indexes
160
Where would you download the CIM app?
Splunkbase
161
What are the included data models in the CIM addon?
Alerts, Email, Database
162
CIM data models are/are not accelerated by default?
are not
163
Data model name and dataset name ARE/ARE NOT case-sensitive
Are
164
Fields used in Data Models do not have to be extracted before creating the datasets. T or F
T
165
It is suggested that you name your knowledge objects using _____ segmented keys.
6
166
_____ are knowledge objects that can be scheduled and run a script.
Reports
167
What is the only writeable bucket type?
The hot bucket
168
By what filter are indexes divided into buckets?
By time
169
What are the 4 types of searches in Splunk (by performance)
Dense, Sparse, Super Sparse, Rare
170
In searches, what is the scanCount?
The number of events scanned for that particular search
171
What are the requirements of the underlying search in order to get a multi-series table?
The underlying search must use reporting search commands like chart or timechart
172
What are the seven chart types?
Line, Area, Column, Bar, Bubble, Scatter and Pie
173
What is a trait of scatter charts?
Can only show two dimensions. Shows trends in the relationship between discrete data values
174
What is a trait of bubble charts?
Provides a visual way to view a three dimensional series
175
What are two commonly used clauses for chart?
over and by
176
(True/False) Null values are not shown by default by chart and timechart
false
177
What is a workflow action?
Execute workflow actions from an event in your search results to interact with external resources or run another search
178
What do the over and by clauses do when used with chart?
divides the data into sub-groupings
179
(True/False) You can only split chart results over two dimensions
True
180
Chart and timechart commands automatically filter results to include how many values?
10
181
What happens to surplus resulting values of chart and timechart commands?
They are grouped into other
182
What is always the value on the x-axis for timechart?
_time
183
(True/False) Functions and arguments used with stats and chart cannot be used with timechart
False
184
(True/False) As with chart, it is possible to split timechart by two fields
False. It is only possible to split by one field
185
What is the argument for adjusting sampling interval of timechart?
span
186
What does the trendline command do?
allows you to overlay a computed moving average on a chart
187
What is the syntax of the trendline command?
trendline (field) [AS newfield]
188
What command can be used to look up and add location information to an event?
iplocation
189
What information does the iplocation command include?
city, country, region, latitude and longitude
190
What is the data-requirement for the geostats command?
Data must include latitude and longitude values
191
These arguments are used to control column counts when using the geostats command
globallimit and locallimit
192
This command is used to compute statistical functions and render a cluster map
geostats
193
What command can be used to show relative metrics for predefined geographic regions?
geom
194
(True/False) A sparkline is an inline chart that can be added to timechart
True
195
(True/False) Automatic totaling of every column can be done by using the Format option
True
196
This command can be used to add total of all or selected fields
addtotals
197
What does the row option for addtotals do (if enabled)?
creates a column that contains numeric totals for each row
198
What does the column option for addtotals do (if enabled)?
creates a row that contains numeric totals for each column
199
What does the labelfield option for addtotals specify?
What field the label should be placed in (in general, this should be the leftmost and first field)
200
The eval command can be used to
perform calculations, convert, round and format values, use conditional statements
201
This command allows you to calculate and manipulate field values in your report
eval
202
(True/false) Results of eval can be written to existing field
True
203
What happens with a destination field value if the field is the same as the resulting field of the eval command?
The field value gets overwritten by the resulting value output from the eval command
204
(True/False) Indexed data get modified after field values are overwritten by the eval command.
false
205
This operator is used for concatenation
+
206
This function can be used to set the value of a field to the number of decimals you specify
round
207
(True/False) The tostring function can be used with eval
True
208
How can you use eval to format numeric field values to strings?
By adding characters to the field values
209
What separator is used when having multiple expressions used with eval command?
comma
210
If function used with eval: What is field value of SalesTerritory for a VendorID of 80000 in the following evaluation?: | eval SalesTerritory = if((VendorID >= 7000 AND VendorID <8000), "Asia", "Rest of the World")
Rest of the World
211
(True/False) The search command treats field values in a case-insensitive manner
True
212
(True/False) The where command treats field values in a case-insensitive manner
False
213
(True/False) Unquoted or single-quoted strings are treated as fields.
True
214
To be able to do wildcard searches with the where command, this operator must be used
like
215
What is the fillnull value used for?
To replace null values in fields. Default replacement value is 0.
216
What is a transaction?
A transaction is any group of related events that span time
217
What is the syntax of the transaction command?
transaction field-list. The field-list argument is a list of one or more fields.
218
(True/False) Transaction command creates a single event from a group of events
True
219
This field is produced by running the transaction command
duration - difference between timestamp of first and last event in the transaction