SPLK-1001 Splunk Core Certified User Questions and Answers

True

False

sourcetype=firewall | rare num=15 dest_ip

sourcetype=firewall | rare last=15 dest_ip

sourcetype=firewall | rare count=15 dest_ip

sourcetype=firewall | rare limit=15 dest_ip

False

True

It is only available to Admins.

Such feature does not exist in Splunk.

Shows options to complete the search string

sourcetype

index

source

host

Zoom to selection: Narrows the time range and re-executes the search.

Zoom to selection: Narrows the time range and doesn ' t re-executes the search.

Format Timeline: Hides or shows the timeline in different views.

Zoom-Out: Expands the time focus and doesn ' t re-executes the search.

Zoom-out: Expands the time focus and re-executes the search.

5 minutes

1 minute

10 minutes

60 minutes

All data accessible to the User role will appear in the report.

All data accessible to the owner of the report will appear in the report.

All data accessible to all users will appear in the report until the next time the report is run.

The owner of the report can configure permissions so that the report uses either the User role or the owner’s profile at run time.

index=security Error Fail

index=security error OR fail

index=security “error failure”

index=security NOT error NOT fail

Automatic

Smart

Fast

Verbose

lookup command

inputlookup command

Settings > Lookups > Input

Settings > Lookups > Upload

Splunk is a software platform to search, analyze and visualize the machine-generated data.

Database management tool.

Security Information and Event Management (SIEM).

Cloud based application that help in analyzing logs.

True

False

8089

8000

8080

443

host

owner

bytes

action

Returns the least common field values of a given field in the results.

Returns the most common field values of a given field in the results.

Returns the top 10 field values of a given field in the results.

Returns the lowest 10 field values of a given field in the results.

Not possible to specify time manually in Search query

end=

start=

earliest=

latest=

No events will be returned.

Splunk will prompt you to specify an index.

All non-indexed events to which the user has access will be returned.

Events from every index searched by default to which the user has access will be returned.

(index=netfw failure) AND index=netops warn OR critical

(index=netfw failure) OR (index=netops (warn OR critical))

(index=netfw failure) AND (index=netops (warn OR critical))

(index=netfw failure) OR index=netops OR (warn OR critical)

Indexer

Parsing

Heavy Forwarder

Input

Table

Report

Pie chart

Yes

No

A field that appears in any event

A field that appears in every event

A field that appears in the top 10 events

A field that appears in at least 20% of the events

Indexing

Searching

Parsing

Settings

Input

time

_time

EventTime

timestamp

False

True

App, Owner, Severity, and Type

App, Owner, Priority, and Status

App, Dashboard, Severity, and Type

App, Time Window, Type, and Severity

Index=Security

index=Security

Index=security

index!=Security

Open new search.

Exclude the item from search.

None of the above.

Add the item to search

Rex

As

List

By

True

False

the_questionnaire _pedia

the_questionnaire pedia

the_questionnaire_pedia

the_questionnaire Pedia

Index Forwarders (IF)

Universal Forwarders (UF)

Super Forwarder (SF)

Heavy Forwarders (HF)

dedup

rename

sort -

fields +

False

True

Forwarders

Indexer

Heavy Forwarders

Search head

count stats vendor_action

count stats (vendor_action)

stats count (vendor_action)

stats vendor_action (count)

index==main status!==200

index=main NOT status=200

index==main NOT status==200

index-main status!=200

No

Yes

Creating a pivot table.

Clicking on the visualizations tab.

Viewing your report in a dashboard.

Clicking on any field value in the table.

host

index

source

sourcetype

@

&

*

#

An app

JSON

A role

An enhanced solution

Will display result depending on the data.

Will return event where status field exist but value of that field is not 100.

Will return event where status field exist but value of that field is not 100 and all events where status field

doesn ' t exist.

index

action

_time

host

Splunk automatically discovers only numeric fields

Splunk automatically discovers only alphanumeric fields

Splunk automatically discovers only manually configured fields

Splunk automatically discovers only fields directly related to the search results

latest=-2h

earliest=-2h

latest=-2hour@d

earliest=-2hour@d

True

False

< =

=

!=

>

?=

Before clauses. For example: stats sum(bytes) | by host

Before commands. For example: | stats sum(bytes) by host

Before arguments. For example: stats sum| (bytes) by host

Before functions. For example: stats |sum(bytes) by host

| rare top=5

| top rare=5

| top limit=5

| rare limit=5

False

True

False

True

Dashboards

Metadata only

Non-interesting fields

Field descriptions

Save the search as a report and use it in multiple dashboards as needed

Save the search as a dashboard panel for each dashboard that needs the data

Save the search as a scheduled alert and use it in multiple dashboards as needed

Export the results of the search to an XML file and use the file as the basis of the dashboards

Parentheses

@ or # symbols

Quotation marks

Relational operators such as =, < , or >

Auto-detect changes in performance

Auto-generated PDF reports of overall data trends

Regularly scheduled archiving to keep disk space use low

Triggering an alert in your Splunk instance when certain conditions are met

No

Yes

|

$

!

,

CTRL + Enter

Shift + Enter

Space + Enter

ALT + Enter

New events based on the current time range picker

The same events based on the current time range picker

The same events from when the original search was executed

New events in addition to the same events from the original search

index=a index=b

(index=a OR index=b)

index=(a & b)

index = a, b

count, sum, add

count, sum, less

sum, avg, values

sum, values, table

earliest=

latest=

beginning=

ending=

All the above

Only 3rd and 4th

Median(X)

Eval by X

Fields(X)

Values(X)

CSV, JSON, PDF

CSV, XML JSON

Raw Events, XML, JSON

Raw Events, CSV, XML, JSON

Built only by Splunk employees.

A collection of files.

Only available for download on Splunkbase.

Available on iOS and Android.

The owner of the report can edit permissions from the Edit dropdown

Only users with an Admin or Power User role can access other users ' reports

Anyone can access any reports marked as public within a shared Splunk deployment

The owner of the report must clone the original report and save it to their user account

PDF

JSON

XLS

RTF

Only A, B

Router and Switch Logs

Firewall and Web Server Logs

Only C

Database logs

All firewall, web server, database, router and switch logs