Help
Options
Didn't know it?
click below
click below
Knew it?
click below
click below
Don't Know
Remaining cards (0)
Know
retry
shuffle
restart
0:00
Embed Code - If you would like this activity on your web page, copy the script below and paste it into your web page.
Normal Size Small Size show me how
Normal Size Small Size show me how
Intro to Splunk
Splunk Certified Power User- SPLK-1002
| Question | Answer |
|---|---|
| Which character is used in a search before a command? A quotation mark (") A tilde (~) A pipe (|) A backtick (`) | A backtick (`) |
| By default, how long does a search job remain active? 10 minutes 7 days 30 minutes | 10 minutes |
| When a search is run, in what order are events returned? Reverse chronological order Chronological order Alphanumeric order Reverse alphanumeric order | Reverse chronological order |
| Which of the following searches will return results containing the phrase "failed password"? (failed password) `failed password` failed password "failed password" | "failed password" |
| Which of the following searches will return results containing the terms failed, password, or failed password? ○ failed OR password ○ failed OR password OR "failed password" ○ fail* ○ failed password OR "failed password" | failed password OR "failed password" |
| Which command can be used to further filter results in a search? subset subsearch filter Search | Search |
| What are the default roles in Splunk Enterprise? Admin Power User Manager | Admin Power User |
| By default, which of the following roles are required to share knowledge objects? Admin Manager User Power | Admin |
| Which search mode behaves differently depending on the type of search being run? Variable Fast Verbose Smart | Smart |
| Which of the following booleans can be used in a search? ○ AND ○ OR ○ NOT ○ ALSO | AND OR NOT |
| Which Splunk infrastructure component stores ingested data? Dashboards Data models Datasets Index | Index |
| What is the most efficient way to limit search results returned? time host source index | time |
| By default, who is able to view a saved report? Any user with the viewreports capability The user who created it Any user with a power or admin role Any user with a power or admin role | The user who created it |
| Which of the following searches will return results containing the words fail, failure, or failed? *fail fail* fail fail+ | fail* |
| What determines the timestamp shown on returned events in a search? The time zone defined in user settings Timestamps are displayed in Greenwich Mean Time The time zone where the event originated Timestamps are displayed in epoch time | The time zone defined in user settings |
| The _______ and _______ time modifiers will override the time range picker in a historical report. latest first earliest Last | latest, earliest |
| Which of the following are default time fields? Select all that apply. date_mday date_year date_hour date_day | date_mday date_year date_hour |
| What will the strftime function return when using the %H argument with the _time field? -hour of the event generated at index time -convert the hour into your local time based on your time zone setting of your Splunk web sessions | convert the hour into your local time based on your time zone setting of your Splunk web sessions |
| date_time always reflects your local time zone and not the time/date from raw events. TRUE FALSE | FALSE |
| Using earliest=-30d@d latest=@d is how to return results from 30 days ago up until the time the search was executed. FALSE TRUE | TRUE |
| When using the following search arguments, what will be returned? | timechart count span=1h chart of events in 1 hour chunks events with a duration of 1 hour events in the last 24 hours | chart of events in 1 hour chunks |
| Choose the search that will sort events into one minute groups. Select all that apply. ○ | bin span=1minutes ○ | bin _time span=1mins ○ | bin span=1minute ○ | bin _time span=1m | | bin _time span=1mins | bin _time span=1m |
| @timeUnit will always round up and go forward through time. FALSE TRUE | FALSE |
| To display the least common values of a field, use the ___ command. top rare stats timechart with common=f option | rare |
| If you use the stats command with two functions and a BY clause, which function is the BY clause applied to? both functions both functions if they are both aggregate functions the second function the first function | both functions |
| When using the top command, add the BY clause to ___. return results grouped by the field you specify in the BY clause specify how many results to return specify which search mode to return results by return a percentage of events | return results grouped by the field you specify in the BY clause |
| True or False: Use useother=false with the chart command if you want to hide the OTHER column. TRUE FALSE | TRUE |
| When renaming fields with spaces or special characters, use the rename command and include the new field name in ___. None of the above single quotes parenthesis double quotes | double quotes |
| Which of these eval functions takes no arguments? max random pow min | random |
| By default, the sort command lists results in ___ order. ascending descending | ascending |
| True or False: Using an OVER and a BY clause with the chart command will create a multiseries data series. TRUE FALSE | TRUE |
| Which of these functions lists ALL values of the field X? list(X) values(X) | list(X) |
| True or False: You can use wildcards (*) with the rename command to rename multiple fields that match a pattern. FALSE TRUE | TRUE |
| Which eval function would you use to round numerical values? tonumber roundvalue commas round | round |
| True or False: The timechart command will always have _time as the X-axis. FALSE TRUE | TRUE |
| True or False: When using the eval command, all field values are treated in a case-sensitive manner and must be double-quoted. | TRUE |
| Order of Boolean Expression of Evaluation for where and eval commands? NOT, AND, OR, Expressions with parenthesis Expressions with parenthesis, NOT, AND, OR AND, NOT, Expressions with parenthesis, OR AND, OR, NOT, Expressions with parenthesis | Expressions with parenthesis, NOT, AND, OR |
| Which eval function is the best option for masking data? snotnull replace validate Case | isnotnull Case |
| The ___ command replaces NULL values in fields. fillnull isnotnull isnull Null | fillnull |
| True or False: The case function will return NULL if no expressions evaluate to TRUE. TRUE FALSE | TRUE |
| Which of the following functions must be used with the in function? Select all that apply. case sum if validate | Case If |
| Which of the following functions can be used to filter NULL values? usenull=f usenull=t isnotnull isnull | isnotnull isnull |
| True or False: Specify a wildcard by using the * character with the where command. TRUE FALSE | FALSE |
| 8 9. True or False: Temporary fields created by using eval can be referenced in the search pipeline following creation. FALSE TRUE | TRUE |
| True or False: eval cannot exist as an expression. TRUE FALSE | FALSE |
| The where command only returns results that evaluate to TRUE. TRUE FALSE | TRUE |
| Which of these fillnull expressions will replace NULL data with the string "NOT FOUND"? | fillnull NOTFOUND=true | fillnull value="NOT FOUND" | fillnull | fillnull NOTFOUND | | fillnull value="NOT FOUND" |
| Which are the Boolean operators that can be used by the eval command? Select all that apply. XOR OR AND NAND | OR AND |
| The where command interprets unquoted or single-quoted strings as _____ and double-quoted strings as _____. integers, field values field values, fields field values, integers fields, field values | fields, field values |
| The eval command calculates an expression and puts the resulting ____ into a new or existing field. command value argument | value |
| True or False: The foreach command can be used without a subsearch. TRUE FALSE | FALSE |
| True or False: If there is an appendpipe in a search, its subpipeline will always be executed last. FALSE TRUE | FALSE |
| Which command uses a template subsearch to replace the values of specific fields? replace eval none; commands only use functions to replace field values, not templates or subsearches foreach | foreach |
| ___ is the process of organizing data to appear similar across all records, making the information easier to search. Collating Normalization Splunkification Segmentation | Normalization |
| You would use the ___ function to convert a string to uppercase and the ___ function to convert a string to lowercase. lower(), upper() lowercase(), uppercase() uppercase(), lowercase() upper(), lower() | upper(), lower() |
| True or False: eventstats and streamstats support multiple stats functions, just like stats. TRUE FALSE | TRUE |
| Transactions contain the _____ field contents and the _____ of the earliest member. _time, timestamp _raw, timestamp host, timestamp source, timestamp | _raw, timestamp |
| Which fields are added to raw events by the transaction command? Select all that apply. • _time • duration • eventcount • index | • duration • eventcount |
| The ______ option controls the maximum total time between the earliest and latest events. maxspan minpause span maxpause | maxspan |
| Which of the following options can be used with the transaction command? • maxpause • endswith • maxevents • startswith | ALL: • maxpause • endswith • maxevents • startswith |
| True or False: The transaction command is resource intensive. TRUE FALSE | TRUE |
| When present in a search pipleine, a subsearch is executed _____ and it sends its _____ to the main search. first, search query first, results last, search query last, results | first, results |
| Which of the following statements about subsearches are true? • Multiple searches can be used. • They can be nested. • They can not be nested. • They are great for filtering data. | They can be nested. They can not be nested. |
| The append command attaches results of a subsearch to the _____ of current results. end append command does not attach to the current results. start | end |
| If a search and a subsearch produce the same number of results in the same order, it is safe to use this command. Otherwise, you will get misleading results. transaction append union appendcols | appendcols |
| The ___ command combines results from two or more datasets and returns a single result set. join union append | union |
| Which knowledge object type can store entire search strings, including commands? Event types Tags Calculated fields Macros | Macros |
| Which knowledge objects can be scheduled to execute at specific times? Alerts Macros Workflow actions Reports | Alerts Macros Workflow actions Reports |
| Which of the following user roles can create knowledge objects? Power User Admin User Super User | Admin |
| Which of the following methods can be used to manually extract fields? Regular Expressions, or RegEx Delimiters The Event Type Builder The Regular Expression Generator | Regular Expressions, or RegEx Delimiters |
| Which knowledge object type can contain an eval expression? Calculated fields Event types Tags Field aliases | Calculated fields |
| By default, when a knowledge object is created, who can access its contents? Any power user in the environment Any user of the app in which it was created The user who created it or a user with an admin role Any user in the environment | The user who created it or a user with an admin role |
| By default, what user role is required to make a knowledge object available to all apps? User Super User Power User Admin | Admin |
| Which knowledge object type can communicate with external sources using the HTTP GET and POST methods? Search actions Lookups Workflow actions Field extractions | Lookups |
| A user left ORG their knowledge objects? They are automatically reassigned to an admin. A power user can reassign them to another user. They are automatically reassigned to a power user. An admin can reassign them to another user. | An admin can reassign them to another user. |
| Which knowledge object type can be searched in Pivot? Dashboards Event types Data models Data types | Data types |
| What are the three predefined sharing options for a knowledge object? • Private • Blocked in app • Shared in all apps • Shared in app | • Private • Shared in all apps • Shared in app |
| Which two of the following knowledge object types can contain an eval expression? Calculated fields Macros Workflow actions Field aliases | Field aliases |
| primary workflow action? Passing info back to Splunk to run a secondary search talking with an ext source using the HTTP GET method Passing info to ext deployments to query additional indexes talking with an ext source using the HTTP POST method | Passing information to external deployments to query additional indexes Communicating with an external source using the HTTP POST method |
| Where can you find a list of all fields returned from events? The fields sidebar The fields library The fields dropdown The fields posting list | The fields sidebar |
| Which of the following are ways you can create an event type. Select all that apply. • Run a search, then save as Event Type • From event details, select Event Actions > Build Event Type • Settings > Event types > "New Event Type" | • Run a search, then save as Event Type • From event details, select Event Actions > Build Event Type • Settings > Event types > "New Event Type" |
| Which statement best describes the function of a Workflow Action Allows users to interact with web resources Retrieves information from an external source Sends field values to an external source Uses field values to perform a secondary search | • Retrieves information from an external source • Sends field values to an external source • Uses field values to perform a secondary search |
| When adding arguments to a macro, include the number of arguments in_____ Using the pipe function Parentheses after the macro name Dollar signs with the search definition Parentheses before the macro name | Parentheses after the macro name |
| Field aliases are applied after _________ and before ________ . Select all that apply. • lookups, field extractions • field extractions, tags • field extractions, lookups • tags, field extractions | • field extractions, tags • field extractions, lookups |
| Which statements best describe an Event Type. • tags, field extractions • Can be used to normalize field names, tags and field extractions • Allow users to interact with web resources • Categorizes events based on search constraints | • Can be used to normalize field names, tags and field extractions • Categorizes events based on search constraints |
| Select all knowledge objects. • users • field aliases • lookups • workflow actions | • field aliases • lookups • workflow actions |
| Surround the macro name with the _____ when executing the macro in search. Double quote character Backtick character Single quote character Dollar sign | Backtick character |
| True or False: Splunk knowledge objects can only be used privately. TRUE FALSE | FALSE |
| To perform a secondary search, use a _______ workflow action PUT GET POST Search | Search |
| If you have a tag label called "homeoffice" associated with the field/value pair system_ip=<your ip address>, when you search with tag=homeoffice? field lookup table events from _internal the value of the system_ip field equal to your ip address | events with the value of the system_ip field equal to your ip address |
| To search for a tag associated with a value on a specific field, select the correct string. tag=user::privileged tag=user=privileged tag-user::privileged tag::user=privileged | tag::user=privileged |
| Which function is used to send field values externally in Workflow Actions? GET PUT Search POST | POST |
| Which workflow actions require you to specify if the behavior should open in a new window or current window? Select all that apply. • Search • PUT • GET • POST | • GET • POST |
| True or False. Fields can be extracted only after indexing is complete. TRUE FALSE | TRUE |
| Which of the following character delimiters are supported for a delimited field extraction? • pipe • space • tab • comma | • pipe • comma |
| Which of the following statements are true about a Regex "capture"? • Captures a matching pattern • Can be referenced with a given name using: ?<name> • Allows the Regex to be case insensitive • Defined with a matching parentheses: () | • Defined with a matching parentheses: () |
| True or False: A constraint inherited by the children dataset from the parent dataset can be removed. TRUE FALSE | FALSE |
| What is required to configure persistent data model acceleration? A user role with the accelerate_datamodel capability All 3 root dataset types: events, search, and transaction A private data model A user accessing a data model dataset in Pivot | A user role with the accelerate_datamodel capability |
| True of False: You can only split a pivot with a maximum of one row or column. TRUE FALSE | FALSE |
| What occurs when setting a field flag to Hidden? Constraints will ignore the use of this field. The field doesn't have to appear in every event. The field is not displayed to Pivot users when they select the dataset in Pivot. Only events that co | The field is not displayed to Pivot users when they select the dataset in Pivot. |
Created by:
rruiz57
Popular Engineering sets