Power User training Revamp
Quiz yourself by thinking what should be in
each of the black spaces below before clicking
on it to display the answer.
Help!
|
|
||||
|---|---|---|---|---|---|
| By default, how long does a search job remain active? 10 minutes 30 minutes 1 hours | show 🗑
|
||||
| show | The user who created it
🗑
|
||||
| show | AND, OR, NOT
🗑
|
||||
| What is the most efficient way to limit search results returned? index host time source | show 🗑
|
||||
| What determines the timestamp shown on returned events in a search? the time zone where the event originated the time zone defined in the user settings timestamps are displayed in epoch time timestamps are displayed in greenwich mean time | show 🗑
|
||||
| Which Splunk infrastructure component stores ingested data? index dashboard dataset data models | show 🗑
|
||||
| Which command can be used to further filter results in a search? search subsearch filter subset | show 🗑
|
||||
| show | User, Power, Admin
🗑
|
||||
| When a search is run, in what order are events returned? ALphanumeric Reverse chrolonological reverse alphanumeric chronological | show 🗑
|
||||
| show | Smart
🗑
|
||||
| By default, which of the following roles are required to share knowledge objects? Admin Power Manager User | show 🗑
|
||||
| show | fail*
🗑
|
||||
| Which of the following searches will return results containing the phrase "failed password"? failed password "failed password" (failed password) 'failed password' | show 🗑
|
||||
| Which character is used in a search before a command? a pipe | a backtick ` a tilde ~ a quote " | show 🗑
|
||||
| Which of the following searches will return results containing the terms failed, password, or failed password? failed password OR "failed password" failed OR password OR "failed password" fail* failed OR password | show 🗑
|
||||
| show | True
🗑
|
||||
| show | fields-
🗑
|
||||
| At search time, if an event has an equal(=) sign, the data to the left is treated as a ______ and the data to the right is treated as a ______. lookup, value lookup, sourcetype field name, value field name, sourcetype | show 🗑
|
||||
| True or False: Once you rename a field, the new field name must be used in the rest of the search string. | show 🗑
|
||||
| show | 20%
🗑
|
||||
| show | Discovery
🗑
|
||||
| show | all
🗑
|
||||
| show | Host, source, sourcetype
🗑
|
||||
| show | latest, earliest
🗑
|
||||
| Choose the search that will sort events into one minute groups. Select all that apply. |bin_time span=1m |bin_time span=1mins |bin span=1minute |bin span=1minutes | show 🗑
|
||||
| What will the strftime function return when using the %H argument with the _time field? convert the hour into your local time based on your time zone setting of your Splunk web sessions hour of the generated at index time time of raw in UTC | show 🗑
|
||||
| show | False
🗑
|
||||
| When using the following search arguments, what will be returned? | timechart count span=1h events with a duration of 1hr events in the last 24 hr chart of events in 1 hr chunks | show 🗑
|
||||
| Which of the following are default time fields? Select all that apply. date_day date_year date_mday date_hour | show 🗑
|
||||
| show | False
🗑
|
||||
| show | False
🗑
|
||||
| show | Random
🗑
|
||||
| show | False
🗑
|
||||
| show | ""
🗑
|
||||
| show | return results groups by the field you specify in the BY clause
🗑
|
||||
| show | True
🗑
|
||||
| True or False: The timechart command will always have _time as the X-axis. | show 🗑
|
||||
| To display the least common values of a field, use the ___ command. timechart with common=f option stats rare top | show 🗑
|
||||
| By default, the sort command lists results in ___ order. ascending decending | show 🗑
|
||||
| If you use the stats command with two functions and a BY clause, which function is the BY clause applied to? the first function the second function both functions if they are both aggregates both functions | show 🗑
|
||||
| True or False: The pow(X,Y) eval function returns Y to the power of X. | show 🗑
|
||||
| show | a stat output for each value of the names field
🗑
|
||||
| show | True
🗑
|
||||
| Which eval function would you use to round numerical values? roundvalue commas round tonumber | show 🗑
|
||||
| show | True
🗑
|
||||
| Which of these functions lists ALL values of the field X? values(x) list(x) | show 🗑
|
||||
| show | isnull, isnotnull
🗑
|
||||
| True or False: Temporary fields created by using eval can be referenced in the search pipeline following creation. | show 🗑
|
||||
| Which eval function is the best option for masking data? case replace isnotnull validate | show 🗑
|
||||
| Which are the Boolean operators that can be used by the eval command? Select all that apply. OR NAND XOR AND | show 🗑
|
||||
| Which of the following functions must be used with the in function? Select all that apply. validate sum if case | show 🗑
|
||||
| show | field, field values
🗑
|
||||
| show | |fillnull value="NOT FOUND"
🗑
|
||||
| show | value
🗑
|
||||
| show | False
🗑
|
||||
| True or False: The case function will return NULL if no expressions evaluate to TRUE. | show 🗑
|
||||
| show | True
🗑
|
||||
| The where command only returns results that evaluate to TRUE. True False | show 🗑
|
||||
| What is the order of Boolean Expression of Evaluation for the where and eval commands? AND, NOT, Express w (), OR NOT, AND, OR, Express w () AND, OR, NOT, Express w () Express w (), NOT, AND, OR | show 🗑
|
||||
| True or False: eval cannot exist as an expression. | show 🗑
|
||||
| The ___ command replaces NULL values in fields. isnull isnotnull null fillnull | show 🗑
|
||||
| show | |eval OS = coalesce(OpSys,CSys)
🗑
|
||||
| show | False
🗑
|
||||
| show | stats followed by command then xyseries,
stats followed by xyseries
🗑
|
||||
| show | Normalization
🗑
|
||||
| Which statement(s) about appendpipe is false? Only one apppipe can exist The subpipe only executes when splunk reaches that command apppipe is the last command to be exectued apppipe doesnt overwrite the original results | show 🗑
|
||||
| True or False: The foreach command can be used without a subsearch. | show 🗑
|
||||
| Which command uses a template subsearch to replace the values of specific fields? replace foreach eval none, commands only use functions to replace values not templates or subsearches | show 🗑
|
||||
| show | upper(), lower()
🗑
|
||||
| show | True
🗑
|
||||
| show | eval PROFIT="$".tostring(PROFIT,"comas")
🗑
|
||||
| Which of the following user roles can create knowledge objects? Super User User Power User Admin | show 🗑
|
||||
| Which of the following file types can be uploaded to create a lookup? PDF CSV XLS XML | show 🗑
|
||||
| Which of the following methods can be used to manually extract fields? Regex Delimiters the Regex Generator The event type builder | show 🗑
|
||||
| show | calculated fields
🗑
|
||||
| By default, what user role is required to make a knowledge object available to all apps? Power user Admin Super user user | show 🗑
|
||||
| Which knowledge objects can be scheduled to execute at specific times? Alerts Reports Macros Workflow actions | show 🗑
|
||||
| show | data models
🗑
|
||||
| What are the three predefined sharing options for a knowledge object? Private shared in app shared in all apps blocked in app | show 🗑
|
||||
| show | cal fields, macros
🗑
|
||||
| Where can you find a list of all fields returned from events? the fiel dropdown field posting list field library field sidebare | show 🗑
|
||||
| show | admin can reassign
🗑
|
||||
| show | macros
🗑
|
||||
| show | commun w external source using http GET
commun w external using http post
secondary searches
🗑
|
||||
| show | workflow actions
🗑
|
||||
| By default, when a knowledge object is created, who can access its contents? anyone any power user any user in the app the user who made it and admins | show 🗑
|
Review the information in the table. When you are ready to quiz yourself you can hide individual columns or the entire table. Then you can click on the empty cells to reveal the answer. Try to recall what will be displayed before clicking the empty cell.
To hide a column, click on the column name.
To hide the entire table, click on the "Hide All" button.
You may also shuffle the rows of the table by clicking on the "Shuffle" button.
Or sort by any of the columns using the down arrow next to any column heading.
If you know all the data on any row, you can temporarily remove it by tapping the trash can to the right of the row.
To hide a column, click on the column name.
To hide the entire table, click on the "Hide All" button.
You may also shuffle the rows of the table by clicking on the "Shuffle" button.
Or sort by any of the columns using the down arrow next to any column heading.
If you know all the data on any row, you can temporarily remove it by tapping the trash can to the right of the row.
Embed Code - If you would like this activity on your web page, copy the script below and paste it into your web page.
Normal Size Small Size show me how
Normal Size Small Size show me how
Created by:
runine