Splunk Search Effects Quiz

Questions and Answers

Which search string would only return events from hostWWW3?

host=*

Host=WWW3

host=WWW*

host=WWW3 (correct)

By default, how long does Splunk retain a search job?

10 Minutes (correct)

15 Minutes

1 Day

7 Days

What must be done before an automatic lookup can be created? (Choose all that apply.)

The lookup definition must be created. (correct)

The lookup file must be verified using the inputlookup command.

The lookup command must be used.

The lookup file must be uploaded to Splunk.

Which of the following Splunk components typically resides on the machines where data originates?

Forwarder

How can numerical statistics be computed on each field?

To partition the input data based on the split-by fields

How do you add or remove fields from search results?

Use fields + to add and fields ג€"to remove

What should you do if a field exists in search results but isn't being displayed in the fields sidebar?

Click All Fields and select the field to add it to Selected Fields

Which character denotes alphanumeric field values in the fields sidebar?

a

When configuring permissions for a report in Splunk, what are the options for the report to use at run time?

The User role or the owner's profile

When writing searches in Splunk, which of the following is true about Booleans?

They must be uppercase

Which search string would return events with failure in index netfw or warn or critical in index netops?

(index=netfw failure) OR (index=netops (warn OR critical))

Select the answer that displays the accurate placing of the pipe in the following search string: index=security sourcetype=access_* status=200 stats count by price

index=security sourcetype=access_* status=200 | stats count by price

Which constraint can be used with the top command in Splunk?

limit

When editing a dashboard in Splunk, which of the following are possible options? (Choose all that apply.)

Modify the chart type displayed in a dashboard panel

When running searches in Splunk, command modifiers in the search string are displayed in what color?

Orange

Which represents the Splunk recommended naming convention for dashboards?

Group_Object_Description

How can search results be kept longer than 7 days in Splunk?

By changing the job settings

Which of the following is a Splunk search best practice?

Filter as early as possible

What effect does clicking and dragging across the timeline have after running a search in Splunk?

Moves to past or future events.

Which command is used to review the contents of a specified static lookup file in Splunk?

inputlookup

What must be done in order to use a lookup table in Splunk?

The lookup file must be uploaded to Splunk and a lookup definition must be created.

When sorting on multiple fields with the sort command in Splunk, what delimiter can be used between the field names in the search?

,

Which time range picker configuration would return real-time events for the past 30 seconds in Splunk?

Real-time - Earliest: 30-seconds ago, Latest: Now

What is the correct syntax to count the number of events containing a vendor_action field in Splunk?

stats count (vendor_action)

What is one benefit of creating dashboard panels from reports in Splunk?

It makes the dashboard more efficient because it only has to run one search string.

By default, which of the following fields would be listed in the fields sidebar under interesting Fields in Splunk?

host

Which of the following statements about case sensitivity is true in Splunk?

Field names ARE case sensitive; field values are NOT.

What does the rare command do in Splunk?

Returns the least common field values of a given field in the results.