Splunk Search Queries and Job Lifetimes Quiz

Questions and Answers

What is the correct search string to only return events from hostWWW3?

• host=*
• Host=WWW3
• host=WWW3 (correct)
• host=WWW*

How long does Splunk retain a search job by default?

• 15 Minutes
• 7 Days
• 10 Minutes (correct)
• 1 Day

What must be done before an automatic lookup can be created? (Choose all that apply.)

• The lookup file must be verified using the inputlookup command.
• The lookup definition must be created. (correct)
• The lookup command must be used.
• The lookup file must be uploaded to Splunk.

Which of the following Splunk components typically resides on the machines where data originates?

Forwarder (A)

What determines the scope of data that appears in a scheduled report?

All data accessible to the owner of the report will appear in the report. (A)

What effect does clicking and dragging across the timeline have after running a search in Splunk?

Moves to past or future events. (D)

Which command is used to review the contents of a specified static lookup file in Splunk?

inputlookup (B)

What must be done in order to use a lookup table in Splunk?

The lookup file must be uploaded to Splunk and a lookup definition must be created. (A)

When sorting on multiple fields with the sort command in Splunk, what delimiter can be used between the field names in the search?

, (B)

Which time range picker configuration would return real-time events for the past 30 seconds in Splunk?

Real-time - Earliest: 30-seconds ago, Latest: Now (D)

Which of the following is true about Booleans when writing searches in Splunk?

They must be uppercase. (B)

In Splunk, which search string would return events with failure in index netfw or warn or critical in index netops?

(index=netfw failure) OR (index=netops (warn OR critical)) (B)

Select the answer that displays the accurate placing of the pipe in the following search string: index=security sourcetype=access_* status=200 stats count by price

index=security sourcetype=access_* status=200 | stats count by price (C)

Which of the following constraints can be used with the top command in Splunk?

limit (B)

When editing a dashboard in Splunk, which of the following are possible options? (Choose all that apply.)

Modify the chart type displayed in a dashboard panel. (D)

When running searches, command modifiers in the search string are displayed in what color?

Orange (D)

How can search results be kept longer than 7 days in Splunk?

By changing the job settings. (B)

Which of the following is a Splunk search best practice?

Filter as early as possible. (A)

'When looking at a dashboard panel that is based on a report, which of the following is true?'

You cannot modify the search string in the panel, but you can change and configure the visualization. (D)

Which of the following represents the Splunk recommended naming convention for dashboards?

Group_Object_Description (B)

What is a primary function of a scheduled report in Splunk?

Auto-generated PDF reports of overall data trends. (D)