Power User training Revamp
Help!
|
|
||||
|---|---|---|---|---|---|
| By default, how long does a search job remain active? 10 minutes 30 minutes 1 hours | 10 minutes
🗑
|
||||
| By default, who is able to view a saved report? The user who created it Any user with the viewreport capability Any user with a power or admin role | The user who created it
🗑
|
||||
| Which of the following booleans can be used in a search? AND OR NOT ALSO | AND, OR, NOT
🗑
|
||||
| What is the most efficient way to limit search results returned? index host time source | time
🗑
|
||||
| What determines the timestamp shown on returned events in a search? the time zone where the event originated the time zone defined in the user settings timestamps are displayed in epoch time timestamps are displayed in greenwich mean time | the time zone defined in the user settings
🗑
|
||||
| Which Splunk infrastructure component stores ingested data? index dashboard dataset data models | index
🗑
|
||||
| Which command can be used to further filter results in a search? search subsearch filter subset | search
🗑
|
||||
| What are the default roles in Splunk Enterprise? user Power Admin Manager | User, Power, Admin
🗑
|
||||
| When a search is run, in what order are events returned? ALphanumeric Reverse chrolonological reverse alphanumeric chronological | Reverse chrolonological
🗑
|
||||
| Which search mode behaves differently depending on the type of search being run? Fast Smart Verbose Variable | Smart
🗑
|
||||
| By default, which of the following roles are required to share knowledge objects? Admin Power Manager User | Admin, Power
🗑
|
||||
| Which of the following searches will return results containing the words fail, failure, or failed? *fail fail* fail+ fail- | fail*
🗑
|
||||
| Which of the following searches will return results containing the phrase "failed password"? failed password "failed password" (failed password) 'failed password' | failed password
🗑
|
||||
| Which character is used in a search before a command? a pipe | a backtick ` a tilde ~ a quote " | a pipe |
🗑
|
||||
| Which of the following searches will return results containing the terms failed, password, or failed password? failed password OR "failed password" failed OR password OR "failed password" fail* failed OR password | failed OR password OR "failed password",
failed OR password
🗑
|
||||
| True or False: Fields are knowledge objects. | True
🗑
|
||||
| To remove fields from a search, you would use the _________ command. -fields fields- +fields fields+ | fields-
🗑
|
||||
| At search time, if an event has an equal(=) sign, the data to the left is treated as a ______ and the data to the right is treated as a ______. lookup, value lookup, sourcetype field name, value field name, sourcetype | field name, value
🗑
|
||||
| True or False: Once you rename a field, the new field name must be used in the rest of the search string. | True
🗑
|
||||
| In the Fields sidebar, Interesting Fields occur in at least ________ of resulting events. 20% 10% 3% 50% | 20%
🗑
|
||||
| At search time, _______ extracts fields from raw event data. field extractor fields command field discovery | Discovery
🗑
|
||||
| The fields command allows you to do which of the following? Select all that apply. Exclude (fields -) Include (fields) Include (fields +) | all
🗑
|
||||
| Which of the following fields are default selected fields? host index sourcetype source | Host, source, sourcetype
🗑
|
||||
| The _______ and _______ time modifiers will override the time range picker in a historical report. first last earliest latest | latest, earliest
🗑
|
||||
| Choose the search that will sort events into one minute groups. Select all that apply. |bin_time span=1m |bin_time span=1mins |bin span=1minute |bin span=1minutes | |bin_time span=1m, |bin_time span=1mins
🗑
|
||||
| What will the strftime function return when using the %H argument with the _time field? convert the hour into your local time based on your time zone setting of your Splunk web sessions hour of the generated at index time time of raw in UTC | local time zone of your splunk web sessions
🗑
|
||||
| Using earliest=-30d@d latest=@d is how to return results from 30 days ago up until the time the search was executed. True or False | False
🗑
|
||||
| When using the following search arguments, what will be returned? | timechart count span=1h events with a duration of 1hr events in the last 24 hr chart of events in 1 hr chunks | chart of events in 1 hr chunks
🗑
|
||||
| Which of the following are default time fields? Select all that apply. date_day date_year date_mday date_hour | hour, year, mday
🗑
|
||||
| date_time always reflects your local time zone and not the time/date from raw events. True or False | False
🗑
|
||||
| @timeUnit will always round up and go forward through time. True or False | False
🗑
|
||||
| Which of these eval functions takes no arguments? min random max pow | Random
🗑
|
||||
| True or False: Only one field can be created when using the eval command. | False
🗑
|
||||
| When renaming fields with spaces or special characters, use the rename command and include the new field name in ___. () '' "" None of these | ""
🗑
|
||||
| When using the top command, add the BY clause to ___. return results grouped by the field you specify in the BY clause specify which search mode to return results by return a percentage of events specify how many results to return | return results groups by the field you specify in the BY clause
🗑
|
||||
| True or False: Use useother=false with the chart command if you want to hide the OTHER column. | True
🗑
|
||||
| True or False: The timechart command will always have _time as the X-axis. | True
🗑
|
||||
| To display the least common values of a field, use the ___ command. timechart with common=f option stats rare top | rare
🗑
|
||||
| By default, the sort command lists results in ___ order. ascending decending | ascending
🗑
|
||||
| If you use the stats command with two functions and a BY clause, which function is the BY clause applied to? the first function the second function both functions if they are both aggregates both functions | both
🗑
|
||||
| True or False: The pow(X,Y) eval function returns Y to the power of X. | False
🗑
|
||||
| When you use the stats command with a BY clause, what is returned? a stat output for each value of the names field # stats on each field if and only if all the values of that field a # an error message bc you didn't include a stat function one row | a stat output for each value of the names field
🗑
|
||||
| True or False: Using an OVER and a BY clause with the chart command will create a multiseries data series. | True
🗑
|
||||
| Which eval function would you use to round numerical values? roundvalue commas round tonumber | round
🗑
|
||||
| True or False: You can use wildcards (*) with the rename command to rename multiple fields that match a pattern. | True
🗑
|
||||
| Which of these functions lists ALL values of the field X? values(x) list(x) | list(x)
🗑
|
||||
| Which of the following functions can be used to filter NULL values? usenull=t isnull usenull-f isnotnull | isnull, isnotnull
🗑
|
||||
| True or False: Temporary fields created by using eval can be referenced in the search pipeline following creation. | True
🗑
|
||||
| Which eval function is the best option for masking data? case replace isnotnull validate | replace
🗑
|
||||
| Which are the Boolean operators that can be used by the eval command? Select all that apply. OR NAND XOR AND | AND, OR, XOR
🗑
|
||||
| Which of the following functions must be used with the in function? Select all that apply. validate sum if case | if, case
🗑
|
||||
| The where command interprets unquoted or single-quoted strings as _____ and double-quoted strings as _____. field values, fields field values, integers fields, field values integers, field values | field, field values
🗑
|
||||
| Which of these fillnull expressions will replace NULL data with the string "NOT FOUND"? |fillnull value="NOT FOUND" |fillnull |fillnull NOTFOUND=true |fillnull NOTFOUND | |fillnull value="NOT FOUND"
🗑
|
||||
| The eval command calculates an expression and puts the resulting ____ into a new or existing field. command value argument | value
🗑
|
||||
| True or False: Specify a wildcard by using the * character with the where command. | False
🗑
|
||||
| True or False: The case function will return NULL if no expressions evaluate to TRUE. | True
🗑
|
||||
| True of False: When using the eval command, all field values are treated in a case-sensitive manner and must be double-quoted. True False | True
🗑
|
||||
| The where command only returns results that evaluate to TRUE. True False | True
🗑
|
||||
| What is the order of Boolean Expression of Evaluation for the where and eval commands? AND, NOT, Express w (), OR NOT, AND, OR, Express w () AND, OR, NOT, Express w () Express w (), NOT, AND, OR | Expressions with (), NOT, AND, OR
🗑
|
||||
| True or False: eval cannot exist as an expression. | False
🗑
|
||||
| The ___ command replaces NULL values in fields. isnull isnotnull null fillnull | fillnull
🗑
|
||||
| Which of these expressions will accurately normalize values from the OpSys and CSys fields into a new field called OS? |eval OS = coalesce(OpSys,CSys) |eval replace(OpSys OR CSys,OS) |eval OS = case(OpSys=OpeSys, "OS",CSys=CSys, "OS",true(),"OS") | |eval OS = coalesce(OpSys,CSys)
🗑
|
||||
| True or False: If there is an appendpipe in a search, its subpipeline will always be executed last. | False
🗑
|
||||
| Which two commands when used together are equivalent to chart A over B by C? any below: stats A by B, C followed by commands then xyseries stats A by B, C followed by commands then untable stats A by B, C then untable stats A by B, C then xyseries | stats followed by command then xyseries,
stats followed by xyseries
🗑
|
||||
| ___ is the process of organizing data to appear similar across all records, making the information easier to search. Collating Splunkification Normalization Segmentation | Normalization
🗑
|
||||
| Which statement(s) about appendpipe is false? Only one apppipe can exist The subpipe only executes when splunk reaches that command apppipe is the last command to be exectued apppipe doesnt overwrite the original results | only one apppipe can exist
apppipe is always executed last
🗑
|
||||
| True or False: The foreach command can be used without a subsearch. | False
🗑
|
||||
| Which command uses a template subsearch to replace the values of specific fields? replace foreach eval none, commands only use functions to replace values not templates or subsearches | foreach
🗑
|
||||
| You would use the ___ function to convert a string to uppercase and the ___ function to convert a string to lowercase. uppercase(), lowercase() upper(), lower() lowercase(), uppercase(), lower(), upper() | upper(), lower()
🗑
|
||||
| True or False: eventstats and streamstats support multiple stats functions, just like stats. | True
🗑
|
||||
| Which of these tostring expressions will format the PROFIT field in the USD currency format, $x,xxx? eval PROFIT="$".tostring(PROFIT,"comas") eval PROFIT=.tostring(PROFIT,"$""comas") eval PROFIT=.tostring("$x,xxx",PROFIT) | eval PROFIT="$".tostring(PROFIT,"comas")
🗑
|
||||
| Which of the following user roles can create knowledge objects? Super User User Power User Admin | Admin, Power User, user
🗑
|
||||
| Which of the following file types can be uploaded to create a lookup? PDF CSV XLS XML | CVS
🗑
|
||||
| Which of the following methods can be used to manually extract fields? Regex Delimiters the Regex Generator The event type builder | Regex, delimt
🗑
|
||||
| Which knowledge object type can contain an eval expression? Calculated fields event types tags field aliases | calculated fields
🗑
|
||||
| By default, what user role is required to make a knowledge object available to all apps? Power user Admin Super user user | admin
🗑
|
||||
| Which knowledge objects can be scheduled to execute at specific times? Alerts Reports Macros Workflow actions | alerts, reports, macros
🗑
|
||||
| Which knowledge object type can be searched in Pivot? event typoes data types data models dashboards | data models
🗑
|
||||
| What are the three predefined sharing options for a knowledge object? Private shared in app shared in all apps blocked in app | private, share in app, share in all
🗑
|
||||
| Which two of the following knowledge object types can contain an eval expression? workflow actions field aliases macros calculated fields | cal fields, macros
🗑
|
||||
| Where can you find a list of all fields returned from events? the fiel dropdown field posting list field library field sidebare | sidebar
🗑
|
||||
| When a user has left your organization, what happens to their knowledge objects? a power user can reassign them an admin can reassign them they auto assign to power user the auto assign to admin | admin can reassign
🗑
|
||||
| Which knowledge object type can store entire search strings, including commands? event types macros tags calculated fields | macros
🗑
|
||||
| What are the primary functions of a workflow action? commun w external source using http GET pass info back to splunk to run second pass info to externals for more index commun w external using http post | commun w external source using http GET
commun w external using http post
secondary searches
🗑
|
||||
| Which knowledge object type can communicate with external sources using the HTTP GET and POST methods? workflow actions lkookups field extractions search actions | workflow actions
🗑
|
||||
| By default, when a knowledge object is created, who can access its contents? anyone any power user any user in the app the user who made it and admins | the user who made it and admins
🗑
|
Review the information in the table. When you are ready to quiz yourself you can hide individual columns or the entire table. Then you can click on the empty cells to reveal the answer. Try to recall what will be displayed before clicking the empty cell.
To hide a column, click on the column name.
To hide the entire table, click on the "Hide All" button.
You may also shuffle the rows of the table by clicking on the "Shuffle" button.
Or sort by any of the columns using the down arrow next to any column heading.
If you know all the data on any row, you can temporarily remove it by tapping the trash can to the right of the row.
To hide a column, click on the column name.
To hide the entire table, click on the "Hide All" button.
You may also shuffle the rows of the table by clicking on the "Shuffle" button.
Or sort by any of the columns using the down arrow next to any column heading.
If you know all the data on any row, you can temporarily remove it by tapping the trash can to the right of the row.
Embed Code - If you would like this activity on your web page, copy the script below and paste it into your web page.
Normal Size Small Size show me how
Normal Size Small Size show me how
Created by:
runine