Splunk Search Commands and Interesting Fields

Questions and Answers

What is the correct syntax to count the number of events containing a vendor_action field?

• count stats (vendor_action)
• stats vendor_action (count)
• stats count (vendor_action) (correct)
• count stats vendor_action

By default, which of the following fields would be listed in the fields sidebar under interesting Fields?

• sourcetype
• source
• host (correct)
• index

When looking at a dashboard panel that is based on a report, which of the following is true?

• You can modify the search string in the panel, and you can change and configure the visualization.
• You cannot modify the search string in the panel, but you can change and configure the visualization. (correct)
• You cannot modify the search string in the panel, and you cannot change and configure the visualization.
• You can modify the search string in the panel, but you cannot change and configure the visualization.

Which of the following is a best practice when writing a search string?

Include all formatting commands before any search terms (A)

What type of search can be saved as a report?

Only searches that generate statistics or visualizations (D)

What can be included in the All Fields option in the sidebar?

Non-interesting fields (D)

What syntax is used to link key/value pairs in search strings?

action=purchase (A)

When viewing the results of a search, what is an Interesting Field?

A field that appears in at least 20% of the events (C)

When a Splunk search generates calculated data that appears in the Statistics tab, in what formats can the results be exported?

Raw Events, CSV, XML, JSON (D)

Which of the following are functions of the stats command?

sum, avg, values (B)

In a deployment with multiple indexes, what will happen when a search is run and an index is not specified in the search string?

Events from every index searched by default to which the user has access will be returned. (C)

Which search matches the events containing the terms "error" and "fail"?

index=security Error Fail (B)

Which of the following is an option after clicking an item in search results?

Saving the item to a report (B)

When placed early in a search, which command is most effective at reducing search execution time?

dedup (B)

In the Splunk interface, the list of alerts can be filtered based on which characteristics?

App, Time Window, Type, and Severity (D)

When displaying results of a search, which of the following is true about line charts?

Line charts are optimal for multiple series with 3 or more columns. (C)

A collection of items containing things such as data inputs, Ul elements, and knowledge objects is known as what?

An app (C)

Which of the following fields is stored with the events in the index?

source (D)

Which of the following is the recommended way to create multiple dashboards displaying data from the same search?

Save the search as a report and use it in multiple dashboards as needed (A)

What must be done in order to use a lookup table in Splunk?

The lookup file must be uploaded to Splunk and a lookup definition must be created. (C)

What is a suggested Splunk best practice for naming reports?

Use a consistent naming convention so they are easily separated by characteristics such as group and object. (B)

Which of the following Splunk components typically resides on the machines where data originates?

Forwarder (B)

What does the following specified time range do? earliest=-72h@h latest=@d

Look back from 3 days ago up to the beginning of today (C)

Which of the following is true about user account settings and preferences?

Full name, time zone, and default app can be defined by clicking the login name in the Splunk bar. (A)

Which of the following are common constraints of the top command?

limit, showpercent (A)

What is the purpose of using a by clause with the stats command?

To group the results by one or more fields. (D)

Which events will be returned by the following search string? host=www3 status=503

All events with a host of www3 that also have a status of 503 (A)

Which of the following searches would return events with failure in index netfw or warn or critical in index netops?

(index=netfw failure) OR (index=netops (warn OR critical)) (D)

Select the answer that displays the accurate placing of the pipe in the following search string: index=security sourcetype=access_* status=200 stats count by price

index=security sourcetype=access_* status=200 | stats count by price (B)

What does the stats command do?

Calculates statistics on data that matches the search criteria (D)

Which is a primary function of the timeline located under the search bar?

To show peaks and/or valleys in the timeline, which can indicate spikes in activity or downtime (C)

Which statement is true about Splunk alerts?

Alerts are based on searches that are either run on a scheduled interval or in real-time. (D)

What can be configured using the Edit Job Settings menu?

Change Job Lifetime from 10 minutes to 7 days. (C)

Which command is used to validate a lookup file?

I inputlookup products.csv (B)

Which stats command function provides a count of how many unique values exist for a given field in the result set?

dc(field) (C)

What user interface component allows for time selection?

Time range picker (C)

When an alert action is configured to run a script, Splunk must be able to locate the script. Which is one of the directories Splunk will look in to find the script?

$SPLUNK_HOME/bin/scripts (B)

When editing a dashboard, which of the following are possible options? (select all that apply)

Drag a dashboard panel to a different location on the dashboard. (A)

Which of the following index searches would provide the most efficient search performance?

(index=web OR index=sales) (B)

At index time, in which field does Splunk store the timestamp value?

_time (A)

Which statement is true about the top command?

All of the above (D)

What determines the scope of data that appears in a scheduled report?

The owner of the report can configure permissions so that the report uses either the User role or the owner's profile at run time. (A)

What is the main requirement for creating visualizations using the Splunk UI?

Your search must transform event data into statistical data tables first. (B)

How can another user gain access to a saved report?

The owner of the report can edit permissions from the Edit dropdown (A)

What is the primary use for the rare command1?

To find the least common values of a field in a dataset (B)

What happens when a field is added to the Selected Fields list in the fields sidebar'?

The selected field and its corresponding values will appear underneath the events in the search results (D)

By default, which of the following is a Selected Field?

sourcetype (B)

According to Splunk best practices, which placement of the wildcard results in the most efficient search?

fail* (B)

Which command automatically returns percent and count columns when executing searches?

top (C)

Which of the following describes lookup files?

A set of key-value pairs used to enrich event data. (B)

Flashcards

stats count (vendor_action)

Counts events with a specific field.

Default Interesting Fields

host, source, and sourcetype are, by default.

Dashboard Panel Edits

Modify the visualization.

Best Practice for Search String

Formatting commands before search terms.

Report-Eligible Searches

Searches that generate statistics or visualizations.

All Fields option include:

Non-interesting fields.

Key/Value Pair Syntax

action=purchase

Interesting Field criteria

A field in at least 20% of events.

Linking Key/Value Pairs Syntax

Relational operators (=, <, >).

Exported Statistics

Raw Events, CSV, XML, JSON

Stats Command Functions

sum, avg, values

Searching Multiple Indexes

Events from every index searched by default.

Search for terms 'error' and 'fail'

index=security Error Fail

Clicking Search Result Item

Saving the item to a report

Reducing Search Time

dedup

Filtering Alerts (Splunk)

App, Time Window, Type, and Severity

Line Charts are optimal for

Multiple series with 3 or more columns.

Collection of items

An app

Fields Stored With Events

source

Multiple Dashboards (Same Data)

Save the search as a report.

Lookup Table (Splunk)

Upload lookup file and create definition.

Splunk Report Naming

Consistent naming convention.

Splunk Component (Data Origin)

Forwarder

Time Range

Look back from 3 days ago to the beginning of today.

Defined by clicking Login Name

Full name, time zone, and default app

Top Command Constraints.

limit, showpercent

By Clause (Stats Command)

To group the results by one or more fields.

host=www3 status=503

All events with matching host and status.

Return events failure or warn or critical error

(index=netfw failure) OR (index=netops (warn OR critical))

Place the pipe to display accurate listing

index=security sourcetype=access_* status=200 | stats count by price

Stats Command

Calculates statistics on data that matches the search criteria

Splunk main timeline

D. To show peaks and/or valleys

Are Splunk alerts based on searches?

Alerts are based on searches

How long should a Job live?

Change Job Lifetime from 10 minutes to 7 days.

Validating Lookup File

| inputlookup products.csv

How many counts from a result set?

dc(field)

What user tool allows for time selecting?

Time Range Picker

Splunk will auto-discover for scripts in.

$SPLUNK_HOME/bin/scripts

What do you get when editing dashboards

Drag a dashboard panel to a different location.

Which is most efficient search performance

(index=web OR index=sales)

Study Notes

• Counting events with a vendor_action field requires the syntax: stats count (vendor_action)

• The "interesting Fields" section in the Search & Reporting app lists host, source, and sourcetype by default.

• The index field is not listed by default but can be manually added.

• For a dashboard panel based on a report, the search string cannot be modified, but the visualization can be changed and configured.

• When writing a search string, including all formatting commands before any search terms is a best practice.

• Only searches that generate statistics or visualizations can be saved as a report.

• The All Fields option in the sidebar can include non-interesting fields.

• Key/value pairs in search strings are linked using the "=" syntax, like action=purchase

• An Interesting Field is one that appears in at least 20% of the events when viewing search results.

• Relational operators (=, <, >) link key/value pairs in search strings.

• When Splunk search generates calculated data in the Statistics tab, the results can be exported in Raw Events, CSV, XML, and JSON formats.

• Functions of the stats command include sum, avg, values.

• In deployments with multiple indexes, events from every index searched by default to which the user has access will be returned when a search is run without a specified index.

• To match events containing "error" and "fail" in the security index, use: index=security Error Fail

• After clicking an item in the search results, saving the item to a report is an available option.

• dedup is effective at reducing search execution time when placed early in a search.

• The list of alerts can be filtered by App, Time Window, Type, and Severity.

• Line charts are optimal for multiple series with 3 or more columns when displaying search results.

• A collection of items containing data inputs, UI elements, and knowledge objects is referred to as an app.

• The source field is stored with the events in the index.

• Saving a search as a report and using it in multiple dashboards is the recommended way to create multiple dashboards displaying data from the same search.

• To use a lookup table in Splunk, the lookup file must be uploaded, and a lookup definition must be created.

• A suggested best practice for naming reports is to use a consistent naming convention, easily separated by characteristics such as group and object.

• The Forwarder component typically resides on machines where data originates.

• The specified time range earliest=-72h@h latest=@d looks back from 3 days ago up to the beginning of today.

• Full names can only be changed by accounts with a Power User or Admin role.

• limit, showpercent are common constraints of the top command.

• The purpose of using a by clause with the stats command is to group the results by one or more fields.

• The search string host=www3 status=503 returns events with host=www3 that also have a status=503.

• (index=netfw failure) OR (index=netops (warn OR critical)) would return events with failure in index netfw or warn or critical in index netops.

• The correct placement of the pipe in the search string is: index=security sourcetype=access_* status=200 | stats count by price

• The stats command calculates statistics from data that matches the search criteria.

• The timeline located under the search bar shows peaks and/or valleys, indicating spikes in activity or downtime.

• Splunk alerts are based on searches that run on a scheduled interval or in real-time.

• Changing Job Lifetime from 10 minutes to 7 days can be configured using the Edit Job Settings menu.

• | inputlookup products.csv validates a lookup file.

• The dc(field) stats command function provides a count of how many unique values exist for a specified field.

• The time range picker user interface component allows for time selection.

• When an alert action is configured to run a script, Splunk will look look in $SPLUNK_HOME/bin/scripts.

• When editing a dashboard, dragging a dashboard panel to a different location on the dashboard is a possible option.

• index=web OR index=sales provides a more efficient search performance.

• Splunk stores the timestamp value in the _time field at index time.

• The top command returns the top 10 results, displays the output in table format, and returns the count and percent columns per row.

• The scope of data in a scheduled report is determined by the owner's ability to configure permissions, so it uses either the User role or the owner's profile at run time.

• The main requirement for creating visualizations using the Splunk UI is that your search must transform event data into statistical data tables first.

• The owner of the report can edit permissions from the Edit dropdown so another user can gain access to a saved report.

• The primary use for the rare command is to find the least common values of a field in a dataset.

• When a field is added to the Selected Fields list in the fields sidebar, the selected field and its corresponding values will appear underneath the events in the search results.

• By default, sourcetype is a Selected Field.

• According to Splunk best practices, placing the wildcard as fail* results in the most efficient search.

• The top command automatically returns percent and count columns when executing searches.

• Lookup files add more fields to results returned by a search.

• Modifiers in the search string are displayed in blue when running searches.

• Fields are added or removed from search results using fields +to add and fields -to remove.

• The steps to schedule a report: After saving the report, click Schedule.

• By default, Splunk retains a search job for 10 Minutes.

• The implied Boolean operator between search terms, unless otherwise specified, is AND.

• One primary function of a scheduled report is triggering an alert in a Splunk instance when certain conditions are met.

• When sorting on multiple fields with the sort command, a comma (,) can delimit the field names in the search.

• index=security "failed password" is the most efficient search string.

• The stdev function of the stats command returns the sample standard deviation of a field.

• sourcetype=access_* | stats max(bytes) shows the maximum bytes.

• This search will return 20 results. SEARCH: error | top host limit = 20, this statement is True.

• Sourcetype=access_* |stats sum(categoryID) by host will show the number of categoryId used by each host.

• The BY clause is used to group the output of a stats command.

• The Median(X) function of the stats command allows you to return the middle-most value of field X.

• When a search returns statistical values, you can view the results as a list.

• Clicking a SEGMENT on a chart, adds the highlighted value to the search criteria.

• Use the lookup command to use lookup fields in a search and see the lookup fields in the field sidebar.

• Lookups can be private for a user.

• In automatic lookup definitions, the output fields are those that are not in the event data.

• The correct order of steps of creating a new lookup are: 2. Create the lookup table, 3. Define the lookup, 1. Configure the lookup to run automatically.

• The command shown here does which of the following: Command: |outputlookup products.csv, writes search results to a file named products.csv.

• Lookup that is not true, lookups have maximum of 10mg size limit.

• Lookups allow you to overwrite event raw.

• The lookup file must have input filed for an automatic lookup to be done.

• By default, all users have DELETE permission to ALL knowledge objects, false.

• These users can create global knowledge objects (Select that apply. administrator, power users.

• All users by default have WRITE permission to ALL knowledge objects, false

• Object ATTRIBUTES do not define base search for object in creating Data Models.

• Attributes are associated with data set in creating Data Models.

• Indexers are responsible for reducing search results in splunk components.

• Indexers - parsing and storing data on disc in splunk components.

• categorizing indexed data with sourcetype.

• It is false for a single instance of Splunk to manage the input, parsing and indexing of machine data..

• By default search results are not returned alphabetical order.

• stats command returns by Table

• ?= is not an comparison operator

• host=WWW*, which search string only returns events from hostWWW3

• the lookup definition must be created, what must be done before an automatic lookup can be created

• (Select all that apply)

• Booleans has to be upper case

• Constraints can be used with the top command is limit

• Group_Object_Description the Splunk recommended naming convention for dashboards.

• By scheduling a report. how can search results be kept longer than 7 days?

• filter as early as possible. a Splunk search best practice

• backwards. Display after search

• Filter: Click and drag

• lookup command is used must be done before an automatic lookup can be created?

• Contents review command used = inputLookup

• 30 sec - realtime -Earlist configuration will return real time events.

• making the dashboard more efficient from reports benefit

• Which statement about case sensitivity is true?; Field names are case sensitive; field values are not

• (Rare ) Returns the least common occurrences

• AND operation implied between two terms?

• values function of stats command does what? Answers all values of given event

• click all fields

• #= char is alphanumeric

• AND/OR logic correct is: error AND (fail OR 400)

• timeline most efficient

• determine fields = auto keys are discovered

• file = json

• count as is corect answer

• combined sourcetype uses mixed case

• statistics drill down has the events

• Numeric.is # =.

• minimum results that are common is primary for rare

• Transforms data indexer

• splunk dot com = documentation true

• core is indexer

• heavy forwarder correct one

• scalable

• all components

• can be installed

• HE can be log

• security

• what log does splunk take: All

• portal is false

• reverse chronological

• wild card is *

• what result with the correct test = the q pedia

• mighttrue. true

• data is both true

• is case matters = true

• contains underscroll information =true

• 3

• user behaviour

• fields are true

• searches are true

• false are not

• Default webport use in Splunk. Answer:B. 8000

• which the app or reporting app? Answer: A,B,C

• HF or indexer =yes answer is C

• data provides =both D answer

• forward means =true

• Means can you on-board data Splunk. Answer: B C,E,G

• data sources - phase input? Answer: D.

• Index E input. Select the correct in next time processing Answer:A,C,E.

• determines auto data=correct

• heavy and you have to parse, true.

• time process how = 3 in process.

• Option select GUI. TCP script. And files.

• Index the one. upload yes or no/answer=A

• Index .

• search A yes or no

• begin what? No not false: B

• Zooms in search. B

• job = job is the every search

• Feature yes = B

• enable=true.

• Time = real time

• options are start . correct e=f f

• default can or not:

• Data and time.

• segregated = y.

• Setting yes.

• true data is.

• click timeline =

• is A correct.

• correct.

• correct

• result: yes

• are true.

• specified y.

• 8