SPLK-1001 Questions and Answers

PDF

JSON

XLS

RTF

3

2

4

1

Filter as early as possible.

Never specify more than one index.

Include as few search terms as possible.

Use wildcards to return more search results.

Dashboards

Searches

Webhooks

Reports

True

False

Any search can be saved as a report

Only searches that generate visualizations

Only searches containing a transforming command

Only searches that generate statistics or visualizations

They must be lowercase.

They must be uppercase.

They must be in quotations.

They must be in parentheses.

$SPLUNK_HOME/bin/scripts

$SPLUNK_HOME/etc/scripts

$SPLUNK_HOME/bin/etc/scripts

$SPLUNK_HOME/etc/scripts/bin

inputlookup

lookup

True

False

No

Yes

The owner of the report can edit permissions from the Edit dropdown

Only users with an Admin or Power User role can access other users' reports

Anyone can access any reports marked as public within a shared Splunk deployment

The owner of the report must clone the original report and save it to their user account

sourcetype=firewall | rare num=15 dest_ip

sourcetype=firewall | rare last=15 dest_ip

sourcetype=firewall | rare count=15 dest_ip

sourcetype=firewall | rare limit=15 dest_ip

index

action

_time

host

False

True

True

False

True

False

To differentiate between structured and unstructured events in the data

To sort the events returned by the search command in chronological order

To zoom in and zoom out. although this does not change the scale of the chart

To show peaks and/or valleys in the timeline, which can indicate spikes in activity or downtime

False

True

Indexer

Forwarder

Search head

Deployment server

Line charts are optimal for single and multiple series.

Line charts are optimal for single series when using Fast mode.

Line charts are optimal for multiple series with 3 or more columns.

Line charts are optimal for multiseries searches with at least 2 or more columns.

True

False

sourcetype

index

source

host

Index=Security

index=Security

Index=security

index!=Security

@

&

*

#

h

day

mon

yr

y

w

week

Select the time range always.

Try to specify index values.

Include as many search terms as possible.

Never select time range.

Try to use * with every search term.

Inclusion is generally better than exclusion.

Try to keep specific search terms.

Events

Patterns

Statistics

Visualization

2

4

1

3

No

Yes

Review Splunk reports

Run ./splunk show

Click Data Summary in Splunk Web

Search index=* sourcetype=* host=*

Yes

No

Lists all values of a given field.

Lists unique values of a given field.

Returns a count of unique values for a given field.

Returns the number of events that match the search.

| lookup products.csv

inputlookup products.csv

I inputlookup products.csv

| lookup definition products.csv

Use earliest=-1d@d latest=@d

Set a real-time search over a 24-hour window

Use the time range picket to select “Yesterday”

Use the time range picker to select “Last 24 hours”

False

True

True

False

Automatic

Smart

Fast

Verbose

Only A, B

Router and Switch Logs

Firewall and Web Server Logs

Only C

Database logs

All firewall, web server, database, router and switch logs

True

False

Click All Fields and select the field to add it to Selected Fields.

Click Interesting Fields and select the field to add it to Selected Fields.

Click Selected Fields and select the field to add it to Interesting Fields.

This scenario isn’t possible because all fields returned from a search always appear in the fields sidebar.

Search & Reporting is the only app that can be set as the default application.

Full names can only be changed by accounts with a Power User or Admin role.

Time zones are automatically updated based on the setting of the computer accessing Splunk.

Full name, time zone, and default app can be defined by clicking the login name in the Splunk bar.

action+purchase

action=purchase

action | purchase

action equal purchase

| rare top=5

| top rare=5

| top limit=5

| rare limit=5

Your search must transform event data into Excel file format first.

Your search must transform event data into XML formatted data first.

Your search must transform event data into statistical data tables first.

Your search must transform event data into JSON formatted data first.

Dashboards must have a unique dashboard ID within a permission's context.

Splunk dashboards consist of one or more panels displaying data visually in a useful way.

Splunk dashboards may not be directly created from search results without first creating a report.

Splunk dashboard panels can be populated by reports.

Not possible to specify time manually in Search query

end=

start=

earliest=

latest=

Password

Port number

Username

Data access

Built only by Splunk employees.

A collection of files.

Only available for download on Splunkbase.

Available on iOS and Android.

earliest=

latest=

beginning=

ending=

All the above

Only 3rd and 4th

ASCII Character order.

Reverse chronological order.

Alphanumeric order.

Chronological order.

To group the results by one or more fields.

To compute numerical statistics on each field.

To specify how the values in a list are delimited.

To partition the input data based on the split-by fields.

A number to the right of the field name.

A # symbol to the left of the field name.

A lowercase n to the left of the field name.

A lowercase n to the right of the field name.

True

False

No

Yes

All events that either have a host of www3 or a status of 503.

All events with a host of www3 that also have a status of 503

We need more information: we cannot tell without knowing the time range

We need more information a search cannot be run without specifying an index

Saving the item to a report

Adding the item to the search.

Adding the item to a dashboard

Saving the search to a JSON file.

Index Forwarders (IF)

Universal Forwarders (UF)

Super Forwarder (SF)

Heavy Forwarders (HF)

Only data where the error field is present and does not contain a value will be displayed.

Only data with a value in the field error will be displayed.

Only data that does not contain the error field will be displayed.

Only data where the value of the field error does not equal an asterisk (*) will be displayed.

user

source

location

sourcelp

Dashboards

Metadata only

Non-interesting fields

Field descriptions

In descending order by action, then descending order by file, and lastly by ascending order of bytes.

In ascending order by action, then descending order by file, and lastly by ascending order of bytes.

In descending order by action if it exists. If not, then in descending order by file, and if both action and file do not exist, by ascending order of bytes.

In ascending order by action if it exists. If not, then in descending order by file, and if both action and file do not exist, by ascending order of bytes.

None of the above

Indexing Phase

Parsing Phase

Input Phase

License Metering

True

False

Only continuous monitoring.

Only One-time monitoring.

None of the above.

Both One-time and continuous monitoring

Indexing

Searching

Parsing

Settings

Input

Index

Search Head

Indexer

Forwarder

Date & Time Range

Advanced

Date Range

Presets

Relative