The document is a set of multiple choice questions about Splunk concepts and functionality. It tests knowledge in areas like search syntax, dashboard and report creation, field and event processing, and Splunk architecture components. Correct answers are provided for each question to check understanding of topics like search processing, field selection, lookup configuration, and the roles of indexers, search heads and forwarders.
The document is a set of multiple choice questions about Splunk concepts and functionality. It tests knowledge in areas like search syntax, dashboard and report creation, field and event processing, and Splunk architecture components. Correct answers are provided for each question to check understanding of topics like search processing, field selection, lookup configuration, and the roles of indexers, search heads and forwarders.
The document is a set of multiple choice questions about Splunk concepts and functionality. It tests knowledge in areas like search syntax, dashboard and report creation, field and event processing, and Splunk architecture components. Correct answers are provided for each question to check understanding of topics like search processing, field selection, lookup configuration, and the roles of indexers, search heads and forwarders.
The document is a set of multiple choice questions about Splunk concepts and functionality. It tests knowledge in areas like search syntax, dashboard and report creation, field and event processing, and Splunk architecture components. Correct answers are provided for each question to check understanding of topics like search processing, field selection, lookup configuration, and the roles of indexers, search heads and forwarders.
Download as DOCX, PDF, TXT or read online from Scribd
Download as docx, pdf, or txt
You are on page 1/ 11
When viewing the results of a search, what is an Interesting
Field?
A. A field that appears in any event.
B. A field that appears in every event.
C. A field that appears in the top 10 events.
D. A field that appears in at least 20% of the events.
When a Splunk search generates calculated data that appears in
the Statistics tab, in what formats can the results be exported?
A. CSV, JSON, PDF
B. CSV, XML, JSON
C. Raw Events, XML, JSON
D. Raw Events, CSV, XML, JSON
Which search matches the events containing the terms `error`
and `fail`?
A. index=security Error Fail
B. index=security error OR fail
C. index=security ג€error failureג€
D. index=security NOT error NOT fail
Which of the following is an option after clicking an item in search results?
A. Saving the item to a report.
B. Adding the item to the search.
C. Adding the item to a dashboard.
D. Saving the Search to a JSON file.
Which of the following fields is stored with the events in the
index?
A. user
B. source
C. location
D. sourceIp
Which of the following is the recommended way to create
multiple dashboards displaying data from the same search?
A. Save the search as a report and use it in multiple dashboards as needed.
B. Save the search as a dashboard panel for each dashboard that needs the data.
C. Save the search as a scheduled alert and use it in multiple dashboards as needed.
D. Export the results of the search to an XML file and use the file as the basis of the dashboards. What does the following specified time range do? earliest=- 72h@h latest=@d
A. Look back 3 days ago and prior.
B. Look back 72 hours, up to one day ago.
C. Look back 72 hours, up to the end of today.
D. Look back from 3 days ago, up to the beginning of today.
Which events will be returned by the following search string?
host=www3 status=503
A. All events that either have a host of www3 or a status of 503.
B. All events with a host of www3 that also have a status of 503.
C. We need more information; we cannot tell without knowing the time range.
D. We need more information; a search cannot be run without specifying an index.
What does the stats command do?
A. Automatically correlates related fields.
B. Converts field values into numerical values.
C. Calculates statistics on data that matches the search criteria.
D. Analyzes numerical fields for their ability to predict another discrete field. Which is primary function of the timeline located under the search bar?
A. To differentiate between structured and unstructured events in the data.
B. To sort the events returned by the search command in chronological order.
C. To zoom in and zoom out, although this does not change the scale of the chart.
D. To show peaks and/or valleys in the timeline, which can indicate spikes in activity or downtime.
What can be configured using the Edit Job Settings menu?
A. Export the result to CSV format.
B. Add the Job results to a dashboard.
C. Schedule the Job to re-run in 10 minutes.
D. Change Job Lifetime from 10 minutes to 7 days.
Which command is used to validate a lookup file?
A. | lookup products.csv
B. inputlookup products.csv
C. | inputlookup products.csv
D. | lookup_definition products.csv Which statement is true about the top command?
A. It returns the top 10 results.
B. It displays the output in table format.
C. It returns the count and percent columns per row.
D. All of the above.
How can another user gain access to a saved report?
A. The owner of the report can edit permissions from the Edit dropdown.
B. Only users with an Admin or Power User role can access other users' reports.
C. Anyone can access any reports marked as public within a shared Splunk deployment.
D. The owner of the report must clone the original report and save it to their user account.
What is the primary use for the rare command?
A. To sort field values in descending order.
B. To return only fields containing five of fewer values.
C. To find the least common values of a field in a dataset.
D. To find the fields with the fewest number of values across a dataset. What happens when a field is added to the Selected Fields list in the fields sidebar?
A. Splunk will re-run the search job in Verbose Mode to prioritize the new Selected Field.
B. Splunk will highlight related fields as a suggestion to add them to the Selected Fields list.
C. Custom selections will replace the Interesting Fields that Splunk populated into the list at search time.
D. The selected field and its corresponding values will appear underneath the events in the search results.
By default, which of the following is a Selected Field?
A. action
B. clientip
C. categoryId
D. sourcetype
According to Splunk best practices, which placement of the
wildcard results in the most efficient search?
A. f*il
B. *fail
C. fail*
D. *fail* Which command automatically returns percent and count columns when executing searches?
A. top
B. stats
C. table
D. percent
Which of the following describes lookup files?
A. Lookup fields cannot be used in searches.
B. Lookups contain static data available in the index.
C. Lookups add more fields to results returned by a search.
D. Lookups pull data at index time and add them to search results.
Which search string is the most efficient?
A. ג€failed passwordג€
B. ג€failed passwordג€*
C. index=* ג€failed passwordג€
D. index=security ג€failed passwordג€
Which search string matches only events with the status_code of 404?
A. status_code!=404
B. status_code>=400
C. status_code<=404
D. status_code>403 status_code<405
_____transforms raw data into events and distributes the results
into an index.
A. Index
B. Search Head
C. Indexer
D. Forwarder
Documentations for Splunk can be found at docs.splunk.com
A. True
B. False Which component of Splunk is primarily responsible for saving data?
A. Search Head
B. Heavy Forwarder
C. Indexer
D. Universal Forwarder
Universal forwarder is recommended for forwarding the logs to
indexers.
A. False
B. True
Splunk apps are used for following (Choose three.):
A. Designed to cater numerous use cases and empower Splunk.
B. We can not install Splunk App.
C. Allows multiple workspaces for different use cases/user roles.
D. It is collection of different Splunk config files like data inputs, UI and Knowledge Object. Three basic components of Splunk are (Choose three.):
A. Forwarders
B. Deployment Server
C. Indexer
D. Knowledge Objects
E. Index
F. Search Head
What is Splunk?
A. Splunk is a software platform to search, analyze and visualize the machine-generated data.
B. Database management tool.
C. Security Information and Event Management (SIEM).
D. Cloud based application that help in analyzing logs.
We should use heavy forwarder for sending event-based data to
Indexers.
A. False
B. True
Splunk Enterprise is used as a Scalable service in Splunk Cloud.
