PASSYOURCERTIFICATION-SplunkCoreCertifiedUserQnA.pdf

1.Which search string only returns events from hostWWW3? A. host=* B. host=WWW3 C. host=WWW* D. Host=WWW3 Correct answer is B, host=WWW3 This search string uses the "host" field to filter events and only returns events where the value of the "host" field is exactly "hostWWW3". The double quotes around the value are used to ensure that Splunk treats it as a string literal and not as a regular expression or other special pattern. Option A, host=* , would match all events, including those with a host value other than "hostWWW3". Option C, host=WWW* , would match events with a host value starting with "WWW", but it would also match other hosts that start with "WWW" and have different endings. Option D, Host=WWW3 , would not work as the "host" field in Splunk is case sensitive, and "Host" is not the correct field name. 2.By default, how long does Splunk retain a search job? A. 10 Minutes B. 15 Minutes C. 1 Day D. 7 Days Correct answer is A, 10 Minutes By default, Splunk retains search job results for 10 minutes after the search job has completed. This means that if you run a search and then close the search page or navigate away from it, you can still access the results of that search for up to 10 minutes before they are automatically deleted. This default retention time can be changed by the system administrator through the "search_job_ttl" setting in the "limits.conf" configuration file. Reference: https://docs.splunk.com/Documentation/Splunk/7.2.6/Search/Extendjoblifetimes 3.What must be done before an automatic lookup can be created? (Choose all that apply.) A. The lookup command must be used. B. The lookup definition must be created. C. The lookup file must be uploaded to Splunk. D. The lookup file must be verified using the inputlookup command. Correct answer is B&C. B. The lookup definition must be created: Before an automatic lookup can be created, you need to create a lookup definition that specifies the name and location of the lookup file, the fields to use for the lookup, and how to match the lookup fields to the search fields. C. The lookup file must be uploaded to Splunk: You need to create a CSV file that contains the lookup table with the fields you want to use for the lookup and upload it to Splunk. The first row of the CSV file must contain the field names, and each subsequent row should contain the corresponding values for each field. A. The lookup command is not necessary to create an automatic lookup. The lookup command is used to perform a lookup during a search, but it is not necessary for creating an automatic lookup. D. The inputlookup command is used to read data from a lookup table, but it is not necessary to verify the lookup file before creating an automatic lookup. However, it can be useful to test the lookup table to ensure that it contains the correct data before using it in a search. Reference: https://docs.splunk.com/Documentation/Splunk/7.2.6/Knowledge/Defineanautomaticl ookupinSplunkWeb 4.Which of the following Splunk components typically resides on the machines where data originates? A. Indexer B. Forwarder C. Search head D. Deployment server The correct answer is B, Forwarder. Splunk forwarders are lightweight components that typically reside on the machines where data originates. Their purpose is to collect data from various sources on the local machine and forward it to the Splunk indexers or other forwarders for further processing and indexing. The Splunk indexer is responsible for indexing the data and making it searchable, while the search head is used to search and analyse the indexed data. The deployment server is used to manage configurations and settings across distributed Splunk environments. Therefore, the forwarder is the component that typically resides on the machines where data originates, and it is responsible for forwarding data to the indexer for processing and indexing. 5.What determines the scope of data that appears in a scheduled report? A. All data accessible to the User role will appear in the report. B. All data accessible to the owner of the report will appear in the report. C. All data accessible to all users will appear in the report until the next time the report is run. D. The owner of the report can configure permissions so that the report uses either the User role or the owner's profile at run time. Correct answer is D, The owner of the report can configure permissions so that the report uses either the User role or the owner's profile at run time. When you share a report with other users, you have the option of having it run with the permissions of the report "owner" (the person who created the report) or the report "user" (the person who is running the report). Scheduled reports and alerts can only run as Owner. If you share a report so that it runs as User and then schedule that report, its permissions change to run as Owner. Reference: https://docs.splunk.com/Documentation/Splunk/7.2.6/Report/Managereportpermissio ns 6.When writing searches in Splunk, which of the following is true about Booleans? A. They must be lowercase. B. They must be uppercase. C. They must be in quotations. D. They must be in parentheses. In Splunk, Booleans must be written in uppercase letters. Therefore, the correct answer is B. For example, to search for events that contain both the terms "error" and "server", you would write the following search: 1. error AND server The use of uppercase "AND" indicates that both terms must be present in the events to match the search criteria. Option A, "They must be lowercase", is incorrect. Option C, "They must be in quotations", is incorrect. Quotations are used in Splunk to indicate that a string of characters is a single term, but they are not required for Booleans. Option D, "They must be in parentheses", is also incorrect. Parentheses can be used in Splunk to group search terms and control the order of evaluation, but they are not required for Booleans. 7.Which of the following searches would return events with failure in index netfw or warn or critical in index netops? A. (index=netfw failure) AND index=netops warn OR critical B. (index=netfw failure) OR (index=netops (warn OR critical)) C. (index=netfw failure) AND (index=netops (warn OR critical)) D. (index=netfw failure) OR index=netops OR (warn OR critical) Correct answer is B. (index=netfw failure) OR (index=netops (warn OR critical)) To combine multiple search conditions in Splunk, parentheses should be used to group them together based on their intended order of execution. In this case, we want to search for events that contain the term "failure" in the "netfw" index, or the terms "warn" or "critical" in the "netops" index. The correct search string that meets these criteria is: 1. (index=netfw failure) OR (index=netops (warn OR critical)) Option A is incorrect because the "OR" operator is evaluated before the "AND" operator. This means that the search would return events with "failure" in index "netfw" and any events in index "netops" with "warn", "critical", or any other term. Option C is also incorrect because it uses the "AND" operator between the two indexes, which would only return events that contain both "failure" in index "netfw" and either "warn" or "critical" in index "netops". Option D is incorrect because it uses "OR" to combine all the search conditions without grouping them together. This means that it would return events with "failure" in index "netfw", events in index "netops" with any term, and any events in any index with the terms "warn" or "critical". Reference: https://docs.splunk.com/Documentation/Splunk/7.2.6/Search/Aboutsubsearches 8.Select the answer that displays the accurate placing of the pipe in the following search string: index=security sourcetype=access_* status=200 stats count by price A. index=security sourcetype=access_* status=200 stats | count by price B. index=security sourcetype=access_* status=200 | stats count by price C. index=security sourcetype=access_* status=200 | stats count | by price D. index=security sourcetype=access_* | status=200 | stats count by price Correct answer is B. index=security sourcetype=access_* status=200 | stats count by price In Splunk, the "|" (pipe) character is used to connect search commands together. This allows you to build more complex searches that filter, transform, and summarize data. In the given search string, the "stats" command is used to count the number of events in the result set by the "price" field. To connect this command to the previous search conditions, we need to use the pipe operator. Option A is incorrect because it places the pipe before the "stats" command, which would result in a syntax error. Option C is incorrect because it uses the "by" clause before the pipe character, which would also result in a syntax error. Option D is incorrect because it uses the pipe operator incorrectly and also applies the "status=200" condition to the wrong field. 9.Which of the following constraints can be used with the top command? A. limit B. useperc C. addtotals D. fieldcount Correct answer is: A, limit In Splunk, the "top" command is used to generate a summary of the most frequent or highest values in a specific field. This command can be used with various constraints to further refine the results. The "limit" constraint is used to limit the number of results returned by the "top" command. For example, "top 10" will return only the top 10 results. The "useperc" constraint can be used to display the percentage of occurrences for each result. The "addtotals" constraint can be used to add a row to the output that displays the total count or sum of the values in the selected field. The "fieldcount" constraint is not a valid constraint for the "top" command. Reference: https://answers.splunk.com/answers/339141/how-to-use-top-command-or-stats-with- sort-results.html 10.When editing a dashboard, which of the following are possible options? (Choose all that apply.) A. Add an output. B. Export a dashboard panel. C. Modify the chart type displayed in a dashboard panel. D. Drag a dashboard panel to a different location on the dashboard. Answer is C&D. Splunk dashboards are visual representations of data that allow users to easily monitor and analyze their data in real-time. When editing a dashboard in Splunk, users can make several modifications to the layout and content of the dashboard. For example, users can add new objects or outputs to the dashboard, such as new charts, tables, or panels. They can modify the chart type displayed in a dashboard panel, change the visualization options, or adjust the search queries used to generate the data. Users can drag and drop panels to different locations on the dashboard to customize the layout and optimize the display of the data. You can't "Add an output" OR "Export a dashboard panel" while editing. You only can when you are not editing. 11.When running searches, command modifiers in the search string are displayed in what color? A. Red B. Blue C. Orange D. Highlighted Correct answer is C, Orange BOOLEAN OPERATORS and COMMAND MODIFIERS are always in orange. 12.Which of the following represents the Splunk recommended naming convention for dashboards? A. Description_Group_Object B. Group_Description_Object C. Group_Object_Description D. Object_Group_Description Correct answer is C, Group_Object_Description In Splunk, a dashboard is a collection of panels that display visualizations and data. When creating a new dashboard, it is recommended to use a naming convention that is both descriptive and consistent. The recommended naming convention for dashboards in Splunk is Group_Object_Description, where:  Group: Refers to the team or department responsible for the dashboard.  Object: Refers to the data source or system being monitored by the dashboard.  Description: Provides a brief description of the dashboard's purpose. By following this naming convention, dashboards can be easily identified and grouped together by their function, making them more manageable and user-friendly. Reference: https://docs.splunk.com/Documentation/Splunk/7.2.6/Knowledge/Developnamingcon ventionsforknowledgeobjecttitles 13.How can search results be kept longer than 7 days? A. By scheduling a report. B. By creating a link to the job. C. By changing the job settings. D. By changing the time range picker to more than 7 days. Correct answer is A, By scheduling a report. When you run a new search job, the job is retained in the system for a period of time, called the job lifetime. During the lifetime, you can access the job and view the data returned by the job. If the job is not accessed within the specified lifetime, the job expires and is removed from the system. There are two lifetime settings, 10 minutes and 7 days. The lifetime starts from the moment the job is run. Here keyword is longer than 7 days, changing job settings will allow only up to 7 days so if you want to go more than that then you have to schedule a report. Reference: https://docs.splunk.com/Documentation/Splunk/7.2.6/Search/Extendjoblifetimes 14.Which of the following is a Splunk search best practice? A. Filter as early as possible. B. Never specify more than one index. C. Include as few search terms as possible. D. Use wildcards to return more search results. Correct answer is A, Filter as early as possible is a Splunk search best practice. Filtering as early as possible means applying filters or restrictions to your search as soon as you can, so that Splunk searches only the events that meet your search criteria. This can help reduce the amount of data Splunk needs to search through, which can lead to faster and more efficient searches. B. It's generally best to specify the minimum number of indexes required to complete your search, as this can help improve performance. However, there may be situations where searching multiple indexes is necessary to get the desired results. C. While including fewer search terms can help speed up your search, it's important to ensure that your search terms are specific enough to return the data you need. Using too few search terms can result in incomplete or inaccurate results. D. Using wildcards can be useful in certain situations, but it's generally best to use them sparingly and only when necessary. Using too many wildcards can slow down your search and return irrelevant results. 15.When looking at a dashboard panel that is based on a report, which of the following is true? A. You can modify the search string in the panel, and you can change and configure the visualization. B. You can modify the search string in the panel, but you cannot change and configure the visualization. C. You cannot modify the search string in the panel, but you can change and configure the visualization. D. You cannot modify the search string in the panel, and you cannot change and configure the visualization. Correct answer is C, You cannot modify the search string in the panel, but you can change and configure the visualization. When using a panel from a report, you cannot modify the search string in the panel, but you can change and configure the visualization. If the report search changes, the panel using that report updates accordingly. Reference: https://docs.splunk.com/Documentation/Splunk/7.2.6/Viz/WorkingWithDashboardPan els 16.Which of the following are common constraints of the top command? A. limit, count B. limit, showpercent C. limits, countfield D. showperc, countfield Correct answer is D, showperc, countfield Top Command has command constraints that can be remembered as LCS (Limit, Countfield, Showperc). 17.When displaying results of a search, which of the following is true about line charts? A. Line charts are optimal for single and multiple series. B. Line charts are optimal for single series when using Fast mode. C. Line charts are optimal for multiple series with 3 or more columns. D. Line charts are optimal for multiseries searches with at least 2 or more columns. Correct answer is A, Line charts are optimal for single and multiple series. Typically, line or area charts represent multiple series. Line charts can also be used for a single data series, but area charts cannot. Reference: https://docs.splunk.com/Documentation/Splunk/7.2.6/Viz/LineAreaCharts 18.How are events displayed after a search is executed? A. In chronological order. B. Randomly by default. C. In reverse chronological order. D. Alphabetically according to field name. Correct answer is C, In reverse chronological order. When a search is executed in Splunk, the events that match the search criteria are displayed in the search results. By default, these events are displayed in reverse chronological order, with the most recent events displayed first. This is because Splunk is often used to analyze time-series data, and it is most useful to start with the most recent events. It's worth noting that the order in which events are displayed can be customized using various sorting options in Splunk. For example, you can sort events alphabetically by a particular field or by the order in which they were indexed. However, the default behavior is to display events in reverse chronological order. 19.Which of the following is true about user account settings and preferences? A. Search & Reporting is the only app that can be set as the default application. B. Full names can only be changed by accounts with a Power User or Admin role. C. Time zones are automatically updated based on the setting of the computer accessing Splunk. D. Full name, time zone, and default app can be defined by clicking the login name in the Splunk bar. Correct answer is D,Full name, time zone, and default app can be defined by clicking the login name in the Splunk bar. User account settings and preferences can be customized in Splunk by clicking on the user's login name in the Splunk bar. From there, you can change your full name, time zone, and default app. These changes can be made by any user, regardless of their role or permissions. While the Search & Reporting app is a key component of Splunk, it is not the only app that can be set as the default application. Users can select any app they have access to as their default app. Time zones are not automatically updated based on the setting of the computer accessing Splunk. Users must manually set their preferred time zone in their user preferences 20.What is a primary function of a scheduled report? A. Auto-detect changes in performance. B. Auto-generated PDF reports of overall data trends. C. Regularly scheduled archiving to keep disk space use low. D. Triggering an alert in your Splunk instance when certain conditions are met. Correct answer is D, Triggering an alert in your Splunk instance when certain conditions are met. The primary function of a scheduled alert in Splunk is to monitor data in real-time and trigger an alert when certain conditions are met. An alert is a notification triggered by a search when it finds events that match specific criteria. The alert can be configured to send an email, a web service request, or an SNMP trap, among other actions. Scheduled alerts can be configured to run on a regular basis, such as every minute, hour, or day, depending on the requirements. When the search condition specified in the alert is met, Splunk can notify users or take other actions, such as running a script or sending a message to an external system. While Splunk can be used for a variety of data analysis tasks, scheduled alerts are specifically designed to monitor data and notify users in real-time when specific conditions are met. Reference: https://docs.splunk.com/Documentation/Splunk/7.2.6/Report/Schedulereports 21.After running a search, what effect does clicking and dragging across the timeline have? A. Executes a new search. B. Filters current search results. C. Moves to past or future events. D. Expands the time range of the search. Correct answer is B, Filters current search results. To select a narrower time range, click and drag across a series of bars. This action filters the current search results ,does not re-execute the search. Reference: https://docs.splunk.com/Documentation/Splunk/7.2.6/Search/Usethetimeline 22.Which command is used to review the contents of a specified static lookup file? A. lookup B. csvlookup C. inputlookup D. outputlookup Correct answer is C, inputlookup The inputlookup command is used to review the contents of a specified static lookup file in Splunk. The command reads data from the lookup file and returns the results as search results, which can then be analyzed and further processed using other Splunk commands. To use the inputlookup command, you specify the name of the lookup file as an argument. For example, to review the contents of a lookup file named "mylookup.csv", you would use the following command: 1. | inputlookup mylookup.csv This command would return the contents of the "mylookup.csv" file as search results. Other lookup-related commands in Splunk include lookup , which can be used to combine fields from an external lookup file with events in a search, and outputlookup , which can be used to write search results to a new or existing lookup file. However, for the specific task of reviewing the contents of a static lookup file, inputlookup is the appropriate command to use. 23.What must be done in order to use a lookup table in Splunk? A. The lookup must be configured to run automatically. B. The contents of the lookup file must be copied and pasted into the search bar. C. The lookup file must be uploaded to Splunk and a lookup definition must be created. D. The lookup file must be uploaded to the etc/apps/lookups folder for automatic ingestion. Correct answer is C, The lookup file must be uploaded to Splunk and a lookup definition must be created. To use a lookup table in Splunk, you need to upload the lookup file to Splunk and create a lookup definition. The lookup definition specifies how the lookup table should be used in a search and how it should be combined with other data in your Splunk instance. The process for creating a lookup definition depends on whether the lookup table is a static lookup or a dynamic lookup. Static lookups are used to associate data with a fixed set of values, while dynamic lookups are used to look up data based on field values in the events being searched. To create a lookup definition for a static lookup, you can use the "Settings" menu in Splunk Web to define the lookup, specify the lookup file, and map the fields in the lookup file to the corresponding fields in your search results. For dynamic lookups, you can use the lookup command in your search to specify the lookup table and the fields to use for the lookup. You can also use the inputlookup command to read data from a lookup table and use it as part of your search. Once you have created the lookup definition, you can use the lookup table in your search queries to enrich your data with additional information or to perform complex searches across multiple datasets. 24.When sorting on multiple fields with the sort command, what delimiter can be used between the field names in the search? A. | B. $ C. ! D. , Correct answer is D, "," List of fields to sort by and the sort order. Use a minus sign (-) for descending order and a plus sign (+) for ascending order. When specifying more than one field, separate the field names with commas. Reference: https://docs.splunk.com/Documentation/Splunk/7.2.6/SearchReference/Sort 25.Which time range picker configuration would return real-time events for the past 30 seconds? A. Preset - Relative: 30-seconds ago B. Relative - Earliest: 30-seconds ago, Latest: Now C. Real-time - Earliest: 30-seconds ago, Latest: Now D. Advanced - Earliest: 30-seconds ago, Latest: Now Correct answer is C, Real-time - Earliest: 30-seconds ago, Latest: Now To return real-time events for the past 30 seconds, you would use the Real-time option in the time range picker. The Real-time option is located on the right side of the time range picker, and looks like a clock icon with an arrow pointing to the right. Once you select the Real-time option, you can set the Earliest time to 30 seconds ago by selecting the dropdown menu and choosing the "30 seconds ago" option. You would leave the Latest time set to "Now" to ensure that you're viewing events in real time. The other options listed in the question would not return real-time events for the past 30 seconds. Preset - Relative: 30-seconds ago would return events that occurred exactly 30 seconds ago, while Relative - Earliest: 30-seconds ago, Latest: Now would return events that occurred between 30 seconds ago and the current time (but not in real time). Advanced - Earliest: 30-seconds ago, Latest: Now is a valid configuration, but it would not be necessary to use the Advanced option to set the time range for real-time events. Reference: https://docs.splunk.com/Documentation/Splunk/7.2.6/Search/Selecttimerangestoappl y 26.What is the correct syntax to count the number of events containing a vendor_action field? A. count stats vendor_action B. count stats (vendor_action) C. stats count (vendor_action) D. stats vendor_action (count) Correct answer is C, stats count(vendor_action) To count the number of events containing a vendor_action field, you would use the stats command with the count function and specify the field you want to count in parentheses. The correct syntax for this would be: 1. stats count(vendor_action) This will return a single row with a count of the number of events that contain a vendor_action field. If you want to see a breakdown of the values of the vendor_action field, you could add the by keyword followed by the field name, like this: 1. stats count by vendor_action This would return a table with a count of the number of events for each unique value of the vendor_action field. 27.What is one benefit of creating dashboard panels from reports? A. Any newly created dashboard will include that report. B. There are no benefits to creating dashboard panels from reports. C. It makes the dashboard more efficient because it only has to run one search string. D. Any change to the underlying report will affect every dashboard that utilizes that report. Correct answer is D, Any change to the underlying report will affect every dashboard that utilizes that report. One benefit of creating dashboard panels from reports is that any change made to the underlying report will affect every dashboard that utilizes that report. This is because the report serves as the data source for the dashboard panel, so any updates made to the report will be reflected in the panel automatically. This can save time and effort when creating and maintaining dashboards because you can make changes to the underlying report and those changes will be reflected in all of the panels that use that report. Additionally, it can help ensure consistency across multiple dashboards that use the same data by allowing you to update the data in one central location. 28.By default, which of the following fields would be listed in the fields sidebar under interesting Fields? A. host B. index C. source D. sourcetype Correct answer is B, index host, source & sourcetype are displayed, by default, under Selected Fields, so these answers are incorrect. Index is the correct answer, because it's the only one that is left and also because under Interesting Fields, all the fields are displayed that are present in at least 20% of the results. This would be the case for index, because all events are always part of an index. Reference: https://answers.splunk.com/answers/185864/selected-fields-in-fields-side-bar.html 29.Which of the following statements about case sensitivity is true? A. Both field names and field values ARE case sensitive. B. Field names ARE case sensitive; field values are NOT. C. Field values ARE case sensitive; field names ARE NOT. D. Both field names and field values ARE NOT case sensitive. Correct answer is B, Field names ARE case sensitive; field values are NOT. Field names ARE case sensitive; field values are NOT Reference: https://answers.splunk.com/answers/65/are-field-values-case-sensitive.html 30.What does the rare command do? A. Returns the least common field values of a given field in the results. B. Returns the most common field values of a given field in the results. C. Returns the top 10 field values of a given field in the results. D. Returns the lowest 10 field values of a given field in the results. Correct answer is A, Returns the least common field values of a given field in the results. The rare command returns the least common field values of a given field in the results. It is the opposite of the top command which returns the most common field values. 31.When an alert action is configured to run a script, Splunk must be able to locate the script. Which is one of the directories Splunk will look in to find the script? A. $SPLUNK_HOME/bin/scripts B. $SPLUNK_HOME/etc/scripts C. $SPLUNK_HOME/bin/etc/scripts D. $SPLUNK_HOME/etc/scripts/bin Correct answer is A, $SPLUNK_HOME/bin/scripts The script or batch file that an alert triggers must be at either of the following locations: $SPLUNK_HOME/bin/scripts $SPLUNK_HOME/etc/apps//bin/scripts Reference: https://docs.splunk.com/Documentation/Splunk/7.2.6/Alert/Configuringscriptedalerts 32.Which Boolean operator is always implied between two search terms, unless otherwise specified? A. OR B. NOT C. AND D. XOR Correct answer is C, "AND" The Boolean operator that is always implied between two search terms, unless otherwise specified in Splunk, is "AND". Reference: https://docs.splunk.com/Documentation/Splunk/7.2.6/Search/Booleanexpressions 33.What does the values function of the stats command do? A. Lists all values of a given field. B. Lists unique values of a given field. C. Returns a count of unique values for a given field. D. Returns the number of events that match the search. Correct answer is B, Lists unique values of a given field. The values function of the stats command lists the unique values of a given field. 34.Which stats command function provides a count of how many unique values exist for a given field in the result set? A. dc(field) B. count(field) C. count-by(field) D. distinct-count(field) Correct answer is A, dc(field) dc(field) provides a count of how many unique values exist for a given field in the result set. Reference: https://docs.splunk.com/Documentation/Splunk/7.2.6/Search/Usethestatscommanda ndfunctions 35.A collection of items containing things such as data inputs, UI elements, and knowledge objects is known as what? A. An app B. JSON C. A role D. An enhanced solution Answer is A, An app An App is a self-contained set of configurations that is used to address a particular set of requirements or solve a specific use case. Apps are designed to be portable and can be easily shared between Splunk instances. They can contain saved searches, event types, field extractions, custom visualizations, and many other configurations that allow users to analyze and understand their data in a meaningful way. 36.Which statement is true about Splunk alerts? A. Alerts are based on searches that are either run on a scheduled interval or in real- time. B. Alerts are based on searches and when triggered will only send an email notification. C. Alerts are based on searches and require cron to run on scheduled interval. D. Alerts are based on searches that are run exclusively as real-time. Correct answer is A, Alerts are based on searches that are either run on a scheduled interval or in real-time. Splunk alerts can be configured to run on a schedule or in real-time and can trigger actions such as sending an email, running a script, or writing to a lookup table when specific conditions are met in the search results. 37.What is the purpose of using a by clause with the stats command? A. To group the results by one or more fields. B. To compute numerical statistics on each field. C. To specify how the values in a list are delimited. D. To partition the input data based on the split-by fields. Correct answer is A, To group the results by one or more fields. The purpose of using a by clause with the stats command in Splunk is to group the results by one or more fields. This allows you to compute statistics or apply functions to each group separately, and is particularly useful when you want to analyze data across multiple dimensions or categories. By using the by clause, you can break down large result sets into more manageable groups that are easier to analyze and interpret. Reference: https://docs.splunk.com/Documentation/Splunk/7.2.6/SearchReference/Stats#1._Co mpare_the_difference_between_using_the_stats_and_chart_commands 38.How do you add or remove fields from search results? A. Use field +to add and field -to remove. B. Use table +to add and table -to remove. C. Use fields +to add and fields ""to remove. D. Use fields Plus to add and fields Minus to remove. The Correct answer is C, Use fields + to add and fields - to remove. Reference: https://docs.splunk.com/Documentation/Splunk/7.2.6/SearchReference/Fields 39.A field exists in search results, but isn't being displayed in the fields sidebar. How can it be added to the fields sidebar? A. Click All Fields and select the field to add it to Selected Fields. B. Click Interesting Fields and select the field to add it to Selected Fields. C. Click Selected Fields and select the field to add it to Interesting Fields. D. This scenario isn't possible because all fields returned from a search always appear in the fields sidebar. The Correct answer is A, Click All Fields and select the field to add it to Selected Fields. Click All Fields and select the field to add it to Selected Fields is the correct way to add a field to the fields sidebar in Splunk 40.In the fields sidebar, which character denotes alphanumeric field values? A. # B. % C. a D. a# The Correct answer is B, % a = string # = numeric % = alphanumeric 41.What is the main requirement for creating visualizations using the Splunk UI? A. Your search must transform event data into Excel file format first. B. Your search must transform event data into XML formatted data first. C. Your search must transform event data into statistical data tables first. D. Your search must transform event data into JSON formatted data first. The Correct answer is C, Your search must transform event data into statistical data tables first. To create charts visualizations, your search must transform event data into statistical data tables. These statistical tables are required for charts and other kinds of data visualizations 42.What syntax is used to link key/value pairs in search strings? A. action+purchase B. action=purchase C. action | purchase D. action equal purchase The Correct answer is B, action=purchase The correct syntax used to link key/value pairs in search strings is: action=purchase For example: "sourcetype=access_combined". 43.What user interface component allows for time selection? A. Time summary B. Time range picker C. Search time picker D. Data source time statistics The Correct answer is B, Time range picker The interface component for time selection in Splunk is called the "time range picker". 44.Which of the following searches will return results where fail, 400, and error exist in every event? A. error AND (fail AND 400) B. error OR (fail and 400) C. error AND (fail OR 400) D. error OR fail OR 400 The correct answer is A, error AND (fail AND 400) The search "error AND (fail AND 400)" will return results where the term "error" exists in every event along with both "fail" and "400". The parentheses are used to group the "fail AND 400" expression together so that it is evaluated as a single unit. Option B will return results where "error" exists in every event or where both "fail" and "400" exist in an event. Option C will return results where "error" exists in every event and either "fail" or "400" exists in an event. Option D will return results where "error", "fail", or "400" exists in an event. 45.When placed early in a search, which command is most effective at reducing search execution time? A. dedup B. rename C. sort - D. fields + The Correct answer is A, dedup In Splunk, dedup is a search command that is used to remove duplicate events from the search results based on the values in one or more fields. It keeps the first occurrence of an event with a unique field value and discards all subsequent occurrences of events with the same field value. The dedup command can be used in combination with other search commands to further refine and filter search results. 46.Which of the following is the most efficient filter for running searches in Splunk? A. Time B. Fast mode C. Sourcetype D. Selected Fields The correct answer is A, Time Time is the most efficient filter for running searches in Splunk. By specifying a time range for the search, Splunk will only search through the events that fall within that time range, which reduces the amount of data that needs to be processed and can improve search performance. 47.How does Splunk determine which fields to extract from data? A. Splunk only extracts the most interesting data from the last 24 hours. B. Splunk only extracts fields users have manually specified in their data. C. Splunk automatically extracts any fields that generate interesting visualizations. D. Splunk automatically discovers many fields based on sourcetype and key/value pairs found in the data. The correct answer is D, Splunk automatically discovers many fields based on sourcetype and key/value pairs found in the data Splunk automatically discovers many fields based on sourcetype and key/value pairs found in the data 48.Which of the following file types is an option for exporting Splunk search results? A. PDF B. JSON C. XLS D. RTF The correct answer is B, JSON You can export search results to Raw Events (text file), CSV, XML or JSON format. But if the search is a saved search, such as a Report, you can export using the PDF format. 49.What syntax is used to link key/value pairs in search strings? A. Parentheses B. @ or # symbols C. Quotation marks D. Relational operators such as =, The correct answer is D, Relational operators such as =, The syntax used to link key/value pairs in search strings in Splunk is relational operators such as =,. For example, action=purchase would search for events where the field action has a value of purchase. 50.Which search string returns a filed containing the number of matching events and names that field Event Count? A. index=security failure | stats sum as "Event Count" B. index=security failure | stats count as "Event Count" C. index=security failure | stats count by "Event Count" D. index=security failure | stats dc(count) as "Event Count" The correct answer is B, index=security failure | stats count as "Event Count" The "stats" command in Splunk is used to summarize the search results and create summary statistics. The "count" function counts the number of matching events in the search results, and the "as" keyword is used to name the resulting field "Event Count". 51.Which search would return events from the access_combined sourcetype? A. Sourcetype=access_combined B. Sourcetype=Access_Combined C. sourcetype=Access_Combined D. SOURCETYPE=access_combined The Correct answer is C, sourcetype=Access_Combined Field name (sourcetype) is case sensitive but not values. 52.Which of the following index searches would provide the most efficient search performance? A. index=* B. index=web OR index=s* C. (index=web OR index=sales) D. *index=sales AND index=web* The Correct answer is C,(index=web OR index=sales) To improve performance in searches you have to be specific, wildcards makes searches more expensive 53.What is a suggested Splunk best practice for naming reports? A. Reports are best named using many numbers so they can be more easily sorted. B. Use a consistent naming convention so they are easily separated by characteristics such as group and object. C. Name reports as uniquely as possible with no overlap to differentiate them from one another. D. Any naming convention is fine as long as you keep an external spreadsheet to keep track. The Correct answer is B, Use a consistent naming convention so they are easily separated by characteristics such as group and object. Use a consistent naming convention so they are easily separated by characteristics such as group and object, is a suggested Splunk best practice for naming reports. This helps users easily identify and find the reports they need, and can also aid in organizing and categorizing reports. 54.In a deployment with multiple indexes, what will happen when a search is run and an index is not specified in the search string? A. No events will be returned. B. Splunk will prompt you to specify an index. C. All non-indexed events to which the user has access will be returned. D. Events from every index searched by default to which the user has access will be returned. The correct answer is D, Events from every index searched by default to which the user has access will be returned. Events from every index searched by default to which the user has access will be returned. When an index is not specified in a search, by default Splunk will search across all indexes to which the user has access. If a user only has access to a subset of the indexes, the search results will be limited to those indexes. 55.When looking at a statistics table, what is one way to drill down to see the underlying events? A. Creating a pivot table. B. Clicking on the visualizations tab. C. Viewing your report in a dashboard. D. Clicking on any field value in the table. The correct answer is D, Clicking on any field value in the table. Clicking on a specific value in a statistics table in Splunk will trigger a search that includes that value as a filter, allowing you to drill down and see the underlying events that contributed to that value. 56.In the Splunk interface, the list of alerts can be filtered based on which characteristics? A. App, Owner, Severity, and Type B. App, Owner, Priority, and Status C. App, Dashboard, Severity, and Type D. App, Time Window, Type, and Severity The correct answer is A, App, Owner, Severity, and Type Filter any displayed alerts according to App, Owner, Severity, and Alert (alert name). 57.What are the steps to schedule a report? A. After saving the report, click Schedule. B. After saving the report, click Event Type. C. After saving the report, click Scheduling. D. After saving the report, click Dashboard Panel. The correct answer is A, After saving the report, click Schedule. The correct steps to schedule a report in Splunk are: 1. Run the report and ensure that it is displaying the data you want to schedule. 2. Save the report by clicking on "Save As" or "Save" if you have already saved the report before. 3. After saving the report, click on "Edit" to open the report settings. 4. Click on "Scheduling" to set up the schedule options. 5. Choose the frequency and timing of the report. 6. Select the format for the report, such as PDF or CSV. 7. Choose the destination for the report, such as email or file. 8. Save the schedule. Once the schedule is set up, Splunk will automatically run the report at the specified intervals and send the output to the chosen destination. 58.In the fields sidebar, what indicates that a field is numeric? A. A number to the right of the field name. B. A # symbol to the left of the field name. C. A lowercase n to the left of the field name. D. A lowercase n to the right of the field name. The correct answer is B, A # symbol to the left of the field name. 59. Which of the following are functions of the stats command? A. count, sum, add B. count, sum, less C. sum, avg, values D. sum, values, table The correct answer is C, sum, avg, values The functions of the stats command in Splunk are: A. count - returns the number of events B. sum - returns the total of a numeric field C. avg - returns the average of a numeric field D. values - returns a list of unique values for a field E. max - returns the maximum value of a field F. min - returns the minimum value of a field G. list - returns a list of values for a field H. dc - returns the count of unique values for a field I. first - returns the first value of a field J. last - returns the last value of a field K. range - returns the difference between the maximum and minimum values of a field L. stdev - returns the standard deviation of a field 60.At index time, in which field does Splunk store the timestamp value? A. time B. _time C. EventTime D. timestamp The correct answer is B, _time At index time, Splunk stores the timestamp value in the _time field. 61.Which of the following is a best practice when writing a search string? A. Include all formatting commands before any search terms. B. Include at least one function as this is a search requirement. C. Include the search terms at the beginning of the search string. D. Avoid using formatting clauses, as they add too much overhead. The correct answer is C, Include the search terms at the beginning of the search string. 62.Splunk suggest that you should apply filtering commands as early as possible in your search. What type of search can be saved as a report? A. Any search can be saved as a report. B. Only searches that generate visualizations. C. Only searches containing a transforming command. D. Only searches that generate statistics or visualizations. The correct answer is A, Any search can be saved as a report. 63.What can be included in the All Fields option in the sidebar? A. Dashboards B. Metadata only C. Non-interesting fields D. Field descriptions The correct answer is C, Non-interesting fields The "All Fields" option in the sidebar in Splunk is used to display a list of all fields that exist in the search results, including those that may not be displayed in the search output. This option can be helpful when exploring new data sets or trying to identify unknown fields that may contain useful information. The All Fields list can be accessed by clicking on the "All Fields" tab in the Fields sidebar panel. 64.When viewing the results of a search, what is an Interesting Field? A. A field that appears in any event. B. A field that appears in every event. C. A field that appears in the top 10 events. D. A field that appears in at least 20% of the events. The correct answer is D, A field that appears in at least 20% of the events. In Splunk, an interesting field is a field that has a high information content and is relevant to the search being performed. Splunk automatically identifies interesting fields in search results and highlights them in the Fields sidebar, making it easier for users to quickly identify the most relevant fields in their data. Interesting fields are based on statistical analysis of the data and are dynamically updated based on the results of the search. By focusing on the most relevant fields, users can more quickly analyze their data and gain insights that might otherwise be hidden in the noise. 65.When a Splunk search generates calculated data that appears in the Statistics tab, in what formats can the results be exported? A. CSV, JSON, PDF B. CSV, XML, JSON C. Raw Events, XML, JSON D. Raw Events, CSV, XML, JSON The correct answer is B, CSV, XML, JSON. If the search generates calculated data that appears on the Statistics tab, you cannot export using the Raw Events format." PDF is only available for saved searche 66.Which search matches the events containing the terms "error" and "fail"? A. index=security Error Fail B. index=security error OR fail C. index=security "error failure" D. index=security NOT error NOT fail The correct answer is A, index=security Error Fail As "AND" is implied so only A can be the answer. 67.Which of the following is an option after clicking an item in search results? A. Saving the item to a report. B. Adding the item to the search. C. Adding the item to a dashboard. D. Saving the Search to a JSON file. The correct answer is B, Adding the item to the search. 68.Which of the following fields is stored with the events in the index? A. user B. source C. location D. sourceIp The correct answer is B, source Splunk stores a number of fields with events in the index, including:  _time: The timestamp of the event.  _raw: The raw data of the event.  source: The source of the data that generated the event.  sourcetype: The type of the source data that generated the event.  host: The host or system where the event occurred.  eventtype: The type of the event.  fields: Any extracted fields from the event data 69.Which of the following is the recommended way to create multiple dashboards displaying data from the same search? A. Save the search as a report and use it in multiple dashboards as needed. B. Save the search as a dashboard panel for each dashboard that needs the data. C. Save the search as a scheduled alert and use it in multiple dashboards as needed. D. Export the results of the search to an XML file and use the file as the basis of the dashboards. The correct answer is A, Save the search as a report and use it in multiple dashboards as needed. 70.What does the following specified time range do? earliest=-72h@h latest=@d A. Look back 3 days ago and prior. B. Look back 72 hours, up to one day ago. C. Look back 72 hours, up to the end of today. D. Look back from 3 days ago, up to the beginning of today. The correct answer is D, Look back from 3 days ago, up to the beginning of today The specified time range earliest=-72h@h latest=@d means to look back 72 hours from the beginning of today up to the end of today and It's always beginning of the day, not end of the day. 71.Which events will be returned by the following search string? host=www3 status=503 A. All events that either have a host of www3 or a status of 503. B. All events with a host of www3 that also have a status of 503. C. We need more information; we cannot tell without knowing the time range. D. We need more information; a search cannot be run without specifying an index. The correct answer is B, All events with a host of www3 that also have a status of 503. 72.What does the stats command do? A. Automatically correlates related fields. B. Converts field values into numerical values. C. Calculates statistics on data that matches the search criteria. D. Analyzes numerical fields for their ability to predict another discrete field. The correct answer is C, calculates statistics on data that matches the search criteria. The stats command in Splunk is used to calculate statistics on the search results, such as the count, sum, average, minimum, and maximum of specific fields. It can also be used to group the search results by one or more fields and to create new calculated fields based on existing fields. The stats command is often used in combination with other commands, such as search , eval , sort , and table , to produce meaningful reports and visualizations of the search results. Here's an example of a stats command that calculates the count and sum of bytes by host: 1. sourcetype=access_combined | stats count, sum(bytes) by host This command searches for events of the access_combined sourcetype and calculates the count and sum of bytes for each unique value of the host field. The results are displayed in a table with two columns, host and count, sum(bytes). 73.Which is primary function of the timeline located under the search bar? A. To differentiate between structured and unstructured events in the data. B. To sort the events returned by the search command in chronological order. C. To zoom in and zoom out, although this does not change the scale of the chart. D. To show peaks and/or valleys in the timeline, which can indicate spikes in activity or downtime. The correct answer is D, To show peaks and/or valleys in the timeline, which can indicate spikes in activity or downtime. 74.What can be configured using the Edit Job Settings menu? A. Export the result to CSV format. B. Add the Job results to a dashboard. C. Schedule the Job to re-run in 10 minutes. D. Change Job Lifetime from 10 minutes to 7 days. The correct answer is D ,Change Job Lifetime from 10 minutes to 7 days. The Edit Job Settings menu in Splunk allows users to modify the settings of a search job that is currently running or has completed. The menu allows users to adjust various settings related to the job, including the job's priority, time range, and lifespan. One of the settings that can be configured is the job's lifespan, which can be extended to up to 7 days. 75.Which command is used to validate a lookup file? A. | lookup products.csv B. inputlookup products.csv C. | inputlookup products.csv D. | lookup_definition products.csv The correct answer is C, | inputlookup products.csv This command is used to display the contents of a lookup file and ensure that it is properly formatted and contains the expected data. 76.Which statement is true about the top command? A. It returns the top 10 results. B. It displays the output in table format. C. It returns the count and percent columns per row. D. All of the above. The correct answer is D, All of the above. The top command is used to find the most common values in a field or set of fields, and by default it returns the top 10 results. The output is displayed in a tabular format, and it includes the count and percentage columns per row. 77.How can another user gain access to a saved report? A. The owner of the report can edit permissions from the Edit dropdown. B. Only users with an Admin or Power User role can access other users' reports. C. Anyone can access any reports marked as public within a shared Splunk deployment. D. The owner of the report must clone the original report and save it to their user account. The correct answer is A, The owner of the report can edit permissions from the Edit dropdown. The owner of a saved report can control who has access to it and what they can do with it. They can edit the report permissions by going to the report page and clicking the Edit dropdown, then selecting "Permissions". From there, they can add other users or groups and specify the level of access they should have. 78.What is the primary use for the rare command? A. To sort field values in descending order. B. To return only fields containing five of fewer values. C. To find the least common values of a field in a dataset. D. To find the fields with the fewest number of values across a dataset. The correct answer is C, To find the least common values of a field in a dataset. It is typically used to identify rare or unusual events in the data. The syntax of the command is as follows: 1. rare [field-list] [count=] [limit=] [where ]  field-list : A comma-separated list of fields to analyze. This is optional, and if not specified, the command will analyze all fields in the search results.  count : The number of rare values to return. This is optional, and the default is 10.  limit : The maximum number of results to return. This is optional, and the default is 10.  where : An optional expression that filters the search results before the rare command is applied. Here's an example of how to use the rare command to find the least common values of the dest_ip field: 1. sourcetype=firewall | rare count=15 dest_ip This will return the 15 least common values of the dest_ip field in the search results. 79.What happens when a field is added to the Selected Fields list in the fields sidebar? A. Splunk will re-run the search job in Verbose Mode to prioritize the new Selected Field. B. Splunk will highlight related fields as a suggestion to add them to the Selected Fields list. C. Custom selections will replace the Interesting Fields that Splunk populated into the list at search time. D. The selected field and its corresponding values will appear underneath the events in the search results. The correct answer is D, the selected field and its corresponding values will appear underneath the events in the search results. When a field is added to the Selected Fields list in the fields sidebar, the search results table will display the selected field and its corresponding values underneath the events in the search results. The Selected Fields list is used to choose which fields to display in the search results table, allowing the user to focus on the most relevant data for their analysis. The Interesting Fields list, which is automatically generated by Splunk, displays fields that are frequently mentioned in the search results and can be used as a starting point for selecting fields to add to the Selected Fields list. 80.By default, which of the following is a Selected Field? A. action B. clientip C. categoryId D. sourcetype The correct answer is D, sourcetype 81.According to Splunk best practices, which placement of the wildcard results in the most efficient search? A. f*il B. *fail C. fail* D. *fail* The correct answer is C, fail* According to Splunk best practices, placing the wildcard at the end of a search term results in the most efficient search. Therefore, option C fail* would be the most efficient in this case. 82.Which command automatically returns percent and count columns when executing searches? A. top B. stats C. table D. percent The correct answer is A, top The top command is used in Splunk to find the most common values for a specific field in the search results. The syntax for the top command is as follows: 1. 2. | top [] where is the search string, is the name of the field for which to find the most common values, and (optional) is the number of top values to return (the default is 10). For example, the following search will find the top 5 values for the host field in the access_combined sourcetype: 1. sourcetype=access_combined 2. | top host 5 83.Which of the following describes lookup files? A. Lookup fields cannot be used in searches. B. Lookups contain static data available in the index. C. Lookups add more fields to results returned by a search. D. Lookups pull data at index time and add them to search results. The correct answer is C, Lookups add more fields to results returned by a search. Lookup table data is not indexed Lookup table files are files that contain a lookup table. A standard lookup pulls fields out of this table and adds them to your events when corresponding fields in the table are matched in your events. 84.Which search string is the most efficient? A. "failed password" B. "failed password"* C. index=* "failed password" D. index=security "failed password" The correct answer is D, index=security "failed password" The most efficient search string would be option D. index=security "failed password" because it limits the search to a specific index, thereby reducing the amount of data to be searched. Options A and B do not specify an index, so the search would run across all indexes, which can be time-consuming and inefficient. Option C also searches across all indexes, but with the added inefficiency of using a wildcard at the end of the search term 85.Which search string matches only events with the status_code of 404? A. status_code!=404 B. status_code>=400 C. status_code403 status_code403 status_code C. ! D. * In Splunk, you can use the asterisk (*) as a wildcard character in search queries to represent any number of characters. For example, to search for all events that contain the word "error" in the "message" field, you can use the following search query: 1. index=web_logs message=*error* This will match events with messages such as "404 error", "server error", "database error", etc. 103.What result will you get with following search index=test sourcetype="The_Questionnaire_P*" ? A. the_questionnaire _pedia B. the_questionnaire pedia C. the_questionnaire_pedia D. the_questionnaire Pedia The correct answer is C, the_questionnaire_pedia The search index=test sourcetype="The_questionnaire_p*" will return events where the sourcetype starts with "The_questionnaire_p", followed by any character(s). For example, "The_questionnaire_pedia" or "The_questionnaire_Premium". 104.Prefix wildcards might cause performance issues. A. False B. True The correct answer is B, True Prefix wildcards in Splunk can lead to poor performance because they force Splunk to search through all the possible matches in the index. This can be particularly problematic when the search is performed over a large volume of data, as it can significantly slow down search performance and increase the load on the system. It is generally recommended to avoid prefix wildcards whenever possible, and to use other techniques such as partial string matching or regular expressions to narrow down the search results. 105.Machine data can be in structured and unstructured format. A. False B. True The correct answer is B, True 106.Field names are case sensitive. A. True B. False The correct answer is A, True It is important to be aware of field name sensitivity in Splunk, as it can impact search results and report generation. In particular, if field names are not consistently cased, searches may not return all the expected results, and reports may not accurately reflect the data being analyzed. As such, it is recommended to standardize field naming conventions to avoid confusion and ensure accurate analysis of data. 107.Splunk internal fields contains general information about events and starts from underscore i.e. _. A. True B. False The correct answer is A, True 108.How many main user roles do you have in Splunk? A. 2 B. 4 C. 1 D. 3 The correct answer is D, 3 There are 3 main user roles: Power, Admin, User 109.Which of the following are Splunk premium enhanced solutions? (Choose three.) A. Splunk User Behavior Analytics (UBA) B. Splunk IT Service Intelligence (ITSI) C. Splunk Enterprise Security (ES) D. Splunk Analytics Security (AS) The correct answer is ABC, 110.Fields are searchable name and value pairings that differentiates one event from another. A. False B. True The correct answer is B, True 111.Splunk extracts fields from event data at index time and at search time. A. True B. False The correct answer is A, True 112.Field values are case sensitive. A. True B. False The correct answer is B, False Field Names are case sensitive: sourcetype is correct, Sourcetype is incorrect Field Values are case insensitive: access_combined, Access_combined and Access_Combined would work equally well. 113.Splunk indexes the data on the basis of timestamps. A. True B. False The correct answer is A, True 114.______________ is the default web port used by Splunk. A. 8089 B. 8000 C. 8080 D. 443 The correct answer is B, 8000 115.Which of the following statements are correct about Search & Reporting App? (Choose three.) A. Can be accessed by Apps > Search & Reporting. B. Provides default interface for searching and analyzing logs. C. Enables the user to create knowledge object, reports, alerts and dashboards. D. It only gives us search functionality. The correct answer is ABC 116.Parsing of data can happen both in HF and Indexer. A. Only HF B. No C. Yes The correct answer is C, Yes Parsing of data can be done both in Heavy Forwarders (HF) and Indexers. 117.Monitor option in Add Data provides _______________. A. Only continuous monitoring. B. Only One-time monitoring. C. None of the above. D. Both One-time and continuous monitoring. The correct answer is D, Both One-time and continuous monitoring. In Splunk, one-time monitoring means that you run a search one time to collect data from a specific data source, such as a log file, and you don't continue to monitor that source for new data. This type of monitoring is typically used when you want to investigate a specific issue or event. Continuous monitoring, on the other hand, means that you set up a data input to continuously collect data from a source, such as a network port or directory of log files. This type of monitoring is used when you want to monitor a system or application for ongoing events or issues. Splunk can continuously monitor data inputs, and you can set up alerts and reports to notify you when specific events occur. 118.License Meter runs before data compression. A. No B. Yes The correct answer is A, No Splunk calculates your license volume based on raw data ingested. License Meter runs after data compression in order to accurately calculate the amount of data being indexed. 119.Forward Option gather and forward data to indexers over a receiving port from remote machines. A. False B. True The correct answer is B, True 120.You can on-board data to Splunk using following means (Choose four.): A. Props B. CLI C. Splunk Web D. savedsearches.conf E. Splunk apps and add-ons F. indexes.conf G. inputs.conf H. metadata.conf The correct answer is BCEG , B-CLI ,C-Splunk Web, E-Splunk apps and add-ons , G- inputs.conf "On-board" is a slang in businesses to mean that the goal is to have the specific data/technology/devices/things into your corporate environment, which is splunk in this case. B,C,E,G are correct. B - you can run a command to ingest data C - you can use splunk web to ingest data E - you can install Splunk add ons that have scripts (inputs.conf) to ingest data G - you can make your own inputs.conf to ingest data 121.Data sources being opened and read applies to: A. None of the above B. Indexing Phase C. Parsing Phase D. Input Phase E. License Metering The correct answer is C, Input Phase The Splunk data pipeline has phases: Input Parsing Indexing Search 122.Select the correct option that applies to Index time processing (Choose three.). A. Indexing B. Searching C. Parsing D. Settings E. Input The correct answer is ACE - A. Indexing, C. Parsing, E. Input 123.Splunk automatically determines the source type for major data types. A. False B. True The correct answer is B, True 124.Parsing of data can happen both in HF and UF. A. Yes B. No The correct answer is B, No Parsing phase handled by indexers or heavy forwarders (HF). 125.Upload option creates inputs.conf A. Yes B. No The correct answer is B, No inputs.conf is a configuration file in Splunk that is used to specify data inputs for a Splunk instance or forwarder. The file is located in the $SPLUNK_HOME/etc/system/local directory and contains information about the types of data that the instance or forwarder should monitor and how to monitor it. Some examples of data inputs that can be configured in inputs.conf include log files, network ports, scripts, and APIs. The file can also be used to set parameters for data monitoring, such as the sourcetype, index, and source host. Overall, inputs.conf is an important file in configuring data inputs for Splunk, allowing users to easily monitor and analyze machine data from various sources. 126.Splunk index time process can be broken down into __________ phases. A. 3 B. 2 C. 4 D. 1 The correct answer is A, 3 Input Parsing Indexing 127.In monitor option you can select the following options in GUI. A. Only HTTP Event Collector (HEC) and TCP/UDP B. None of the above C. Only TCP/UDP D. Only Scripts E. Filed & Directories, HTTP Event Collector (HEC), TCP/UDP and Scripts The correct answer is E, Filed & Directories, HTTP Event Collector (HEC), TCP/UDP and Scripts Monitor option provides one-time or continuous monitoring of files, directories, HTTP events, network ports, or data gathering scripts located on Splunk Enterprise instances. 128. Uploading local files though Upload options index the file only once. A. No B. Yes The correct answer is B, Yes When you upload local files using the Splunk UI, the file is indexed only once in Splunk, even if you upload it multiple times. This is because Splunk uses the file's inode to determine if the file has already been indexed, and uploading the same file multiple times does not change its inode. However, if you modify the file and then upload it again, Splunk will index it as a new file. 129.Which of the statements are correct about HF? (Choose three.) A. Parsing B. Masking C. Searching D. Forwarding The correct answer is ABD, A. Parsing, C. Searching, D. Forwarding Heavy forwarders are used for parsing and forwarding data to indexers, as well as searching the data that passes through them. Although Masking is not a primary function of the heavy forwarder. 130.Where does Licensing meter happen? A. Indexer B. Parsing C. Heavy Forwarder D. Input The correct answer is A, Indexer The License Meter runs on the Indexer after Parsing and before Indexing. 131.Matching search terms are highlighted. A. Yes B. No The correct answer is A, Yes When you run a search in Splunk, the search terms in the search bar are highlighted in the search results. This makes it easy to quickly see where the search terms are located within the events that match your search criteria. The highlighting is done by default, but you can turn it off by clicking on the "Highlight" button in the search bar. 132.Beginning parentheses is automatically highlighted to guide you on the presence of complimenting parentheses. A. No B. Yes The correct answer is B, Yes Parentheses in Splunk can be used for grouping search terms and changing the order of operations in a search string. When parentheses are used, the search terms inside the parentheses are evaluated first. For example, the following search string will first look for events with the "error" keyword in the "message" field, and then filter those results to only show events where the "host" field contains "webserver": 1. index=logs sourcetype=access_combined_wcookie (message="error" AND host="webserver") Without parentheses, the search would evaluate as "(message="error" AND host="webserver") OR index=logs sourcetype=access_combined_wcookie", which may not give the desired results. 133.Zoom Out and Zoom to Selection re-executes the search. A. No B. Yes The correct answer is B, Yes Zoom out - Expands the time focus and re-executes the search. Zoom to Selection - Narrows the time range and re-executes the search. 134.Every Search in Splunk is also called _____________. A. None of the above B. Job C. Search Only The correct answer is B, Job 135.Matching of parentheses is a feature of Splunk Assistant. A. No B. Yes The correct answer is B, Yes 136.Search Assistant is enabled by default in the SPL editor with compact settings. A. No B. Yes The correct answer is B, Yes Search assistant is enabled by default in the SPL Editor user preferences. By default, compact is selected. 137.What is Search Assistant in Splunk? A. It is only available to Admins. B. Such feature does not exist in Splunk. C. Shows options to complete the search string. The correct answer is C,Shows options to complete the search string. The Search Assistant in Splunk is a feature that assists users in building search queries by suggesting auto-completions and providing contextual help. It appears as a dropdown menu when you start typing in the search bar and offers suggestions for commands, keywords, and field names based on what you've typed so far. The Search Assistant is available to all users, not just admins. 138.@ Symbol can be used in advanced time unit option. A. No B. Yes The correct answer is B, Yes The "@" symbol is used to specify advanced time units in Splunk. For example, you can use "@d" to represent days, "@h" for hours, "@m" for minutes, "@s" for seconds, and so on. 139. The new data uploaded in Splunk are shown in ________________. A. Real-time B. 10 Minutes C. Overnight Download D. 30 Minutes The correct answer is A, Real-Time 140.The new data uploaded in Splunk is shown in real-time as soon as it is indexed. You can use the following options to specify start and end time for the query range: A. earliest= B. latest= C. beginning= D. ending= E. All the above F. Only 3rd and 4th The correct answer is A&B, earliest= ,latest= o specify the start and end time for the query range in Splunk, you can use the following time range picker or specify it manually in the search bar: 1. Time range picker:  Click on the time range picker located on the upper right corner of the screen  Select the desired time range, such as Last 15 minutes, Last 24 hours, or Custom.  If selecting Custom, specify the start and end time in the fields provided. 2. Manually specify time range in the search bar:  In the search bar, add "earliest" and "latest" commands to specify the start and end time, respectively.  Use the following syntax: "index=your_index earliest=-24h latest=now" to search for data in your_index for the last 24 hours.  You can adjust the time range by changing the values of earliest and latest to fit your desired search criteria. 141.You can change the App context in Input setting. A. No B. Yes The correct answer is B, Yes In Splunk, an app context refers to the specific app in which the input settings are defined. When setting up inputs for data ingestion, the input settings can be defined at the system level, but it is often more practical to define them at the app level to keep the settings organized and easily accessible. For example, if you are ingesting data from a specific source and want to define the settings for that data, you would do so within the app that is dedicated to that data source. By defining the input settings at the app level, you can easily manage the data ingestion process and avoid conflicts with other data sources. The app context is defined in the inputs.conf file, which is located in the local directory of the app. The inputs.conf file contains the configuration settings for the inputs, including the source type, source location, and other parameters specific to the data source being ingested. 142.The default host name used in Inputs general settings can not be changed. A. False B. True The correct answer is A, False The default host name used in Inputs general settings can be changed in Splunk. To change the default hostname in Splunk, follow these steps: 1. Open the Splunk web interface and log in to the instance you want to change the hostname for. 2. Click on the "Settings" menu and select "Server settings". 3. Scroll down to the "General settings" section and locate the "Hostname" field. 4. Click on the "Edit" button next to the "Hostname" field. 5. Enter the new hostname in the "Hostname" field. 6. Click the "Save" button to save the new hostname. Once you have saved the new hostname, you will need to restart the Splunk instance for the changes to take effect. 143.Events in Splunk are automatically segregated using data and time. A. Yes B. No The correct answer is A, Yes Eevents in Splunk are automatically segregated using data and time, which are indexed and stored in the Splunk index. This allows for easy searching, filtering, and analysis of events based on their timestamps. 144.You are able to create new Index in Data Input settings. A. No B. Yes The correct answer is A, Yes To create a new index in the data input settings in Splunk, follow these steps: 1. Log in to the Splunk web interface. 2. Click on "Settings" in the upper-right corner of the screen. 3. Under "Data", click on "Indexes". 4. Click the "New index" button. 5. Enter a name for the new index in the "Name" field. 6. (Optional) Enter a description for the new index in the "Description" field. 7. (Optional) Configure the retention and search factor settings for the new index. 8. Click "Save" to create the new index. Once the new index has been created, it can be selected as an option in the data input settings for any relevant data inputs. 145.Splunk Parses data into individual events, extracts time, and assigns metadata. A. False B. True The correct answer is B, True Splunk parses incoming data into individual events, extracts timestamps, and assigns metadata such as host, source, and sourcetype. This metadata is used to organize and search the data efficiently. 146.Which of the statements is correct regarding click and drag option in timeline? A. The new result after selecting the range by dragging filters the events and displays the most recent first. B. There is no functionality like click and drag in Splunk's timeline. C. Using this option executes a new query. D. This doesn't execute a new query. The correct answer is D, This doesn't execute a new query. The "click and drag" option in the timeline in Splunk allows users to select a specific time range for their search. By clicking on the timeline and dragging the mouse cursor to the desired end time, users can quickly and easily narrow down their search results to the specific time period of interest. This is a helpful feature when working with large datasets or when trying to pinpoint a specific event or issue within a certain time frame. 147.Which symbol is used to snap the time? A. @ B. & C. * D. # The correct answer is A, @ 148.Which of the statements are correct? (Choose three.) A. Zoom to selection: Narrows the time range and re-executes the search. B. Zoom to selection: Narrows the time range and doesn't re-executes the search. C. Format Timeline: Hides or shows the timeline in different views. D. Zoom-Out: Expands the time focus and doesn't re-executes the search. E. Zoom-out: Expands the time focus and re-executes the search. The correct statements are: A. Zoom to selection: Narrows the time range and re-executes the search. C. Format Timeline: Hides or shows the timeline in different views. E. Zoom-out: Expands the time focus and re-executes the search. 149.There are three different search modes in Splunk (Choose three.): A. Automatic B. Smart C. Fast D. Verbose The correct answer are BCD 150. Smart , Fast and Verbose are the oy three search modes in Splunk. Select the statements that are true for timeline in Splunk (Choose four.): A. Timeline shows distribution of events specified in the time range in the form of bars. B. Single click to see the result for particular time period. C. You can click and drag across the bar for selecting the range. D. This is default view and you can't make any changes to it. E. You can hover your mouse for details like total events, time and date. The correct answers are ABCE, D is not true because you can customize the timeline view using the "Format" option. 151.Keywords are highlighted when you mouse over search results and you can click this search result to (Choose three.): A. Open new search. B. Exclude the item from search. C. None of the above. D. Add the item to search. The correct answer is ABD. 152.You can view the search result in following format (Choose three.): A. Table B. Raw C. Pie Chart D. List The correct answer is ABD, Table, Raw and list are only three options you can choose from. 153. Snapping rounds down to the nearest specified unit. A. Yes B. No The correct answer is A, Yes 154.Data summary button just below the search bar gives you the following (Choose three.): A. Hosts B. Sourcetypes C. Sources D. Indexes The correct answer is ABC, The data summary button just below the search bar gives you the following three options in Splunk: A. Hosts B. Sourcetypes C. Sources 155.What options do you get after selecting timeline? (Choose four.) A. Zoom to selection B. Format Timeline C. Deselect D. Delete E. Zoom Out The correct answer is ABCE, After selecting timeline in Splunk, the options you get are: A. Zoom to selection B. Format Timeline C. Deselect D. Zoom Out 156.At the time of searching the start time is 03:35:08. Will it look back to 03:00:00 if we use -30m@h in searching? A. Yes B. No The correct answer is A, Yes If you use -30m@h in searching, it will look back to 03:00:00 from the current hour. 157.Can you stop or pause the searching? A. No B. Yes The correct answer is B, Yes 158.You can also specify a time range in the search bar. You can use the following for beginning and ending for a time range (Choose two.): A. Not possible to specify time manually in Search query B. end= C. start= D. earliest= E. latest= The correct answers are DE, D. earliest= E. latest= 159.Which all time unit abbreviations can you include in Advanced time range picker? (Choose seven.) A. h B. day C. mon D. yr E. y F. w G. week H. d I. s J. m The correct answers are - s, m, h, d, w, mon, y Time unit Valid unit abbreviations subseconds microseconds (us), milliseconds (ms), centiseconds (cs), or deciseconds (ds) second s, sec, secs, second, seconds minute m, min, minute, minutes hour h, hr, hrs, hour, hours day d, day, days week w, week, weeks month mon, month, months quarter q, qtr, qtrs, quarter, quarters year y, yr, yrs, year, years 160.Interesting fields are the fields that have at least 20% of resulting fields. A. True B. False The correct answer is A, True 161.How to make Interesting field into a selected field? A. Click field in field sidebar -> click YES on the pop-up dialog on upper right side -> check now field should be visible in the list of selected fields. B. Not possible. C. Only CLI changes will enable it. D. Click Settings -> Find field option -> Drop down select field -> enable selected field -> check now field should be visible in the list of selected fields. The correct answer is A, Click field in field sidebar -> click YES on the pop-up dialog on upper right side -> check now field should be visible in the list of selected fields. 162.Field names are case sensitive and field value are not. A. True B. False The correct answer is A, True 163.!= and NOT are same arguments. A. True B. False The correct answer is B, False !=means NOT equal to. 164.Query - status != 100: A. Will return event where status field exist but value of that field is not 100. B. Will return event where status field exist but value of that field is not 100 and all events where status field doesn't exist. C. Will get different results depending on data. The correct answer is A, != 100 Will return event where status field exist but value of that field is not 100. 165.NOT status = 100: A. Will display result depending on the data. B. Will return event where status field exist but value of that field is not 100. C. Will return event where status field exist but value of that field is not 100 and all events where status field doesn't exist. The correct answer is C, NOT status = 100 Will return event where status field exist but value of that field is not 100 and all events where status field doesn't exist. 166.Will the queries following below get the same result? 1. index=log sourcetype=error_log status !=100 2. index=log sourcetype=error_log NOT status =100 A. Yes B. No The correct answer is A, Yes If you know the field you’re evaluating always exists in the data you’re searching – For example: index=web sourcetype=access_combined status!=200 index=web sourcetype=access_combined NOT status=200 yields same results because status field always exists in access_combined sourcetype 167.Select the best options for "search best practices" in Splunk: (Choose five.) A. Select the time range always. B. Try to specify index values. C. Include as many search terms as possible. D. Never select time range. E. Try to use * with every search term. F. Inclusion is generally better than exclusion. G. Try to keep specific search terms. The correct answer is A,BC,F,G 168.The better way of writing search query for index is: A. index=a index=b B. (index=a OR index=b) C. index=(a & b) D. index = a, b The correct answer is B, (index=a OR index=b) This search query uses logical operators to search for events in multiple indexes. The OR operator is used to specify that the events can be in either index "a" or index "b". This is a more efficient and concise way to search across multiple indexes than using multiple "index=" statements separated by spaces. 169.Put query into separate lines where | (Pipes) are used by selecting following options. A. CTRL + Enter B. Shift + Enter C. Space + Enter D. ALT + Enter The correct answer is B, Shift + Enter 170.Fields are searchable key value pairs in your event data. A. True B. False The correct answer is A, True 171.Selected fields are a set of configurable fields displayed for each event. A. True B. False The correct answer is A, True 172.Following are the time selection option while making search: (Choose all that apply.) A. Date & Time Range B. Advanced C. Date Range D. Presets E. Relative The correct answer is Every option 173.Search Language Syntax in Splunk can be broken down into the following components. (Choose all that apply.) A. Search term B. Command C. Pipe D. Functions E. Arguments F. Clause The correct answer is All of the options 174.When saving a search directly to a dashboard panel instead of saving as a report first, which of the following is created? A. Cloned panel B. Inline panel C. Report panel D.Prebuilt panel The correct answer is B, Inline Panel You can save as a dashboard panel and then convert from a inline panel to a pre-built panel. 175.Which of the following statements describes a search job? A. Once a search job begins, it cannot be stopped B. A search job can only be paused when less than 50% of events are returned C. A search job can only be stopped when less than 50% of events are returned D. Once a search job begins, it can be stopped or paused at any point in time The correct answer is D, Once a search job begins, it can be stopped or paused at any point in time. 176.Which search will return only events containing the word "error" and display the results as a table that includes the fields named action, src, and dest? A. error | table action, src, dest B. error | tabular action, src, dest C. error | stats table action, src, dest D. error | table column=action column=src column=dest The correct answer is A, error | table action, src, dest 177.Which of the following reports is available in the Fields window? A. Top values by time B. Rare values by time C. Events with top value fields D. Events with rare value fields The correct answer is A, Top values by time 178.In the Search and Reporting app, which tab displays timecharts and bar charts? A. Events B. Patterns C. Statistics D. Visualization The correct answer is D, Visualization 179.What will always appear in the Selected Fields list? A. index B. action C. clientip D. sourcetype The correct answer is D, sourcetype 180.What is the correct way to use a time range specifier in the search bar so that the search looks back 2 hours? A. latest=-2h B. earliest=-2h C. latest=-2hour@d D. earliest=-2hour@d The correct answer is B The correct way to use a time range specifier in the search bar so that the search looks back 2 hours is earliest=-2h. 181.Which of the following is a Splunk internal field? A. _raw B. host C. _host D. index The correct answer is A, _raw Splunk internal fields are fields that are automatically added to indexed events by Splunk during the indexing process. They are used for various purposes, such as metadata, source tracking, and event management. Some examples of Splunk internal fields include _raw, _time, _indextime, _source, _sourcetype, and index. These fields are prefixed with an underscore () to distinguish them from user-defined fields. 182.Which command will rename action to Customer Action? A. | rename action = CustomerAction B. | rename Action as "Customer Action" C. | rename Action to "Customer Action" D. | rename action as "Customer Action" The correct answer is D, | rename action as "Customer Action" 183.Which of the following is the most efficient search? A. index=* "failed password" B. "failed password" index=* C. (index=* OR index=security) "failed password" D. index=security "failed password" The correct answer is D, index=security "failed password" index=security "failed password" is the most efficient search because it limits the search to the specific security index, reducing the amount of data that needs to be searched. The other searches would search all indexes, which could be significantly more data to process. 184.Which of the following is a correct way to limit search results to display the 5 most common values of a field? A. | rare top=5 B. | top rare=5 C. | top limit=5 D. | rare limit=5 The correct answer is C, | top limit=5 185.When viewing results of a search job from the Activity menu, which of the following is displayed? A. New events based on the current time range picker B. The same events based on the current time range picker C. The same events from when the original search was executed D. New events in addition to the same events from the original search The correct answer is C, When viewing results of a search job from the Activity menu, the same events from when the original search was executed are displayed. 186.What is a quick, comprehensive way to learn what data is present in a Splunk deployment? A. Review Splunk reports B. Run./splunk show C. Click Data Summary in Splunk Web D. Search index=* sourcetype=* host=* The correct answer is C, Click Data Summary in Splunk Web 187.Assuming a user has the capability to edit reports, which of the following are editable? A. Acceleration, schedule, permissions B. The report's name, schedule, permissions C. The report's name, acceleration, schedule D.The report's name, acceleration, permissions The correct answer is A, Acceleration, schedule, permissions 188.Which of the following is a metadata field assigned to every event in Splunk? A. host B. owner C. bytes D. action The correct answer is A, Host 189.What are the two most efficient search filters? A. _time and host B. _time and index C. host and sourcetype D. index and sourcetype The correct answer is B, _time and index are the two most efficient search filters, as they are indexed fields and can be quickly searched by Splunk. 190.Which of the following is the best way to create a report that shows the last 24 hours of events? A. Use earliest=-1d@d latest=@d B. Set a real-time search over a 24-hour window C. Use the time range picket to select "Yesterday" D. Use the time range picker to select "Last 24 hours" The correct answer is D, Use the time range picker to select "Last 24 hours" is the best way to create a report that shows the last 24 hours of events. 191.When is the pipe character, I, used in search strings? A. Before clauses. For example: stats sum(bytes) | by host B. Before commands. For example: | stats sum(bytes) by host C. Before arguments. For example: stats sum| (bytes) by host D. Before functions. For example: stats |sum(bytes) by host The correct answer is B, The pipe character, |, is used before commands in search strings to specify that the output of one command should be used as the input to the next command. For example: | stats sum(bytes) by host means "take the search results, run them through the stats command to calculate the sum of the bytes field, and then group the results by the host field". 192.How can results from a specified static lookup file be displayed? A. lookup command B. inputlookup command C. Settings > Lookups > Input D. Settings > Lookups > Upload The correct answer is B, inputlookup command. 193.In the Fields sidebar, what does the number directly to the right of the field name indicate? A. The value of the field B. The number of values for the field C. The number of unique values for the field D. The numeric non-unique values of the field The correct answer is C, The number directly to the right of the field name in the Fields sidebar indicates the number of unique values for the field. This information can be useful in understanding the distribution of values within the field and in identifying potential outliers or anomalies. 194.What is the default lifetime of every Splunk search job? A. All search jobs are saved for 10 days B. All search jobs are saved for 10 hours C. All search jobs are saved for 10 weeks D. All search jobs are saved for 10 minutes The correct answer is D, All search jobs are saved for 10 minutes The default lifetime of every Splunk search job is 10 minutes. After 10 minutes, the search job is deleted and cannot be viewed again. 195.Which search will return the 15 least common field values for the dest_ip field? A. sourcetype=firewall | rare num=15 dest_ip B. sourcetype=firewall | rare last=15 dest_ip C. sourcetype=firewall | rare count=15 dest_ip D. sourcetype=firewall | rare limit=15 dest_ip The correct answer is D, sourcetype=firewall | rare limit=15 dest_ip 196.When is an alert triggered? A. When Splunk encounters a syntax error in a search B. When a trigger action meets the predefined conditions C. When an event in a search matches up with a data model D. When results of a search meet a specifically defined condition The correct answer is D, When results of a search meet a specifically defined condition. Splunk alerts are triggered when search results match specified criteria or thresholds. These criteria can include specific field values, patterns or trends in the data, or other conditions specified by the user. 197.What are the three main Splunk components? A. Search head, GPU, streamer B. Search head, indexer, forwarder C. Search head, SQL database, forwarder D. Search head, SSD, heavy weight agent The correct answer is B, Search head, indexer, forwarder. 198.Which statement describes field discovery at search time? A. Splunk automatically discovers only numeric fields B. Splunk automatically discovers only alphanumeric fields C. Splunk automatically discovers only manually configured fields D. Splunk automatically discovers only fields directly related to the search results The correct answer is D, Splunk automatically discovers only fields directly related to the search results 199.Which Field/Value pair will return only events found in the index named security? A. Index=Security B. index=Security C. Index=security D. index!=Security The correct answer is B, index=Security Note that field names in Splunk are case-sensitive, so "index" must be in lowercase.

PASSYOURCERTIFICATION-SplunkCoreCertifiedUserQnA.pdf

Document Details

Related

Full Transcript

Upgrade to continue