SPLK-1001 Splunk Core Certified User Questions and Answers

Date & Time Range

Advanced

Date Range

Presets

Relative

True

False

Forwarders

Indexer

Heavy Forwarders

Search head

Time

Fast mode

Sourcetype

Selected Fields

Splunk Enterprise Security Suite

Searching and Reporting

Reporting and Searching

Splunk apps for Security

Yes

No

#

%

a

a#

status_code !=404

status_code>=400

status_code<=404

status code>403 status_code<405

Indexer

Forwarder

Search head

Deployment server

10

50

100

20

<=

=

!=

>

?=

(index=netfw failure) AND index=netops warn OR critical

(index=netfw failure) OR (index=netops (warn OR critical))

(index=netfw failure) AND (index=netops (warn OR critical))

(index=netfw failure) OR index=netops OR (warn OR critical)

index==main status!==200

index=main NOT status=200

index==main NOT status==200

index-main status!=200

Parentheses

@ or # symbols

Quotation marks

Relational operators such as =, <, or >

Hosts

Sourcetypes

Sources

Indexes

Before clauses. For example: stats sum(bytes) | by host

Before commands. For example: | stats sum(bytes) by host

Before arguments. For example: stats sum| (bytes) by host

Before functions. For example: stats |sum(bytes) by host

stdev

dev

count deviation

by standarddev

Index

Search Head

Indexer

Forwarder

Splunk only extracts the most interesting data from the last 24 hours.

Splunk only extracts fields users have manually specified in their data.

Splunk automatically extracts any fields that generate interesting visualizations.

Splunk automatically discovers many fields based on sourcetype and key/value pairs found in the data.

CTRL + Enter

Shift + Enter

Space + Enter

ALT + Enter

index=* “failed password”

“failed password” index=*

(index=* OR index=security) “failed password”

index=security “failed password”

Correlated

File-based

Total

Segmented

Open new search.

Exclude the item from search.

None of the above.

Add the item to search

Both field names and field values ARE case sensitive.

Field names ARE case sensitive; field values are NOT.

Field values ARE case sensitive; field names ARE NOT.

Both field names and field values ARE NOT case sensitive.

sourcetype

index

source

host

False

True

Can be accessed by Apps > Search & Reporting.

Provides default interface for searching and analyzing logs.

Enables the user to create knowledge object, reports, alerts and dashboards.

It only gives us search functionality.

To differentiate between structured and unstructured events in the data

To sort the events returned by the search command in chronological order

To zoom in and zoom out. although this does not change the scale of the chart

To show peaks and/or valleys in the timeline, which can indicate spikes in activity or downtime

Built only by Splunk employees.

A collection of files.

Only available for download on Splunkbase.

Available on iOS and Android.

Export the results to CSV format

Add the Job results to a dashboard

Schedule the Job to re-run in 10 minutes

Change Job Lifetime from 10 minutes to 7 days.

Splunk will re-run the search job in Verbose Mode to prioritize the new Selected Field

Splunk will highlight related fields as a suggestion to add them to the Selected Fields list.

Custom selections will replace the Interesting Fields that Splunk populated into the list at search time

The selected field and its corresponding values will appear underneath the events in the search results

Red

Blue

Orange

Highlighted