Splunk Search Effects Quiz

Questions and Answers

Which search string would only return events from hostWWW3?

• host=*
• Host=WWW3
• host=WWW*
• host=WWW3 (correct)

By default, how long does Splunk retain a search job?

• 10 Minutes (correct)
• 15 Minutes
• 1 Day
• 7 Days

What must be done before an automatic lookup can be created? (Choose all that apply.)

• The lookup definition must be created. (correct)
• The lookup file must be verified using the inputlookup command.
• The lookup command must be used.
• The lookup file must be uploaded to Splunk.

Which of the following Splunk components typically resides on the machines where data originates?

Forwarder (B)

How can numerical statistics be computed on each field?

To partition the input data based on the split-by fields (D)

How do you add or remove fields from search results?

Use fields + to add and fields ג€"to remove (B)

What should you do if a field exists in search results but isn't being displayed in the fields sidebar?

Click All Fields and select the field to add it to Selected Fields (C)

Which character denotes alphanumeric field values in the fields sidebar?

a (A)

When configuring permissions for a report in Splunk, what are the options for the report to use at run time?

The User role or the owner's profile (B)

When writing searches in Splunk, which of the following is true about Booleans?

They must be uppercase (B)

Which search string would return events with failure in index netfw or warn or critical in index netops?

(index=netfw failure) OR (index=netops (warn OR critical)) (B)

Select the answer that displays the accurate placing of the pipe in the following search string: index=security sourcetype=access_* status=200 stats count by price

index=security sourcetype=access_* status=200 | stats count by price (A)

Which constraint can be used with the top command in Splunk?

limit (A)

When editing a dashboard in Splunk, which of the following are possible options? (Choose all that apply.)

Modify the chart type displayed in a dashboard panel (D)

When running searches in Splunk, command modifiers in the search string are displayed in what color?

Orange (C)

Which represents the Splunk recommended naming convention for dashboards?

Group_Object_Description (C)

How can search results be kept longer than 7 days in Splunk?

By changing the job settings (C)

Which of the following is a Splunk search best practice?

Filter as early as possible (A)

What effect does clicking and dragging across the timeline have after running a search in Splunk?

Moves to past or future events. (B)

Which command is used to review the contents of a specified static lookup file in Splunk?

inputlookup (A)

What must be done in order to use a lookup table in Splunk?

The lookup file must be uploaded to Splunk and a lookup definition must be created. (D)

When sorting on multiple fields with the sort command in Splunk, what delimiter can be used between the field names in the search?

, (B)

Which time range picker configuration would return real-time events for the past 30 seconds in Splunk?

Real-time - Earliest: 30-seconds ago, Latest: Now (D)

What is the correct syntax to count the number of events containing a vendor_action field in Splunk?

stats count (vendor_action) (B)

What is one benefit of creating dashboard panels from reports in Splunk?

It makes the dashboard more efficient because it only has to run one search string. (A)

By default, which of the following fields would be listed in the fields sidebar under interesting Fields in Splunk?

host (A)

Which of the following statements about case sensitivity is true in Splunk?

Field names ARE case sensitive; field values are NOT. (A)

What does the rare command do in Splunk?

Returns the least common field values of a given field in the results. (A)

Flashcards are hidden until you start studying