Download Splunk Enterprise Fundamentals and more Exams Business Fundamentals in PDF only on Docsity!
Splunk Exam 169 Questions with Answer 2023
___ allows different workspaces for specific use cases or user roles to co-exist on a single Splunk instance. - CORRECT ANSWER Apps Unique identifier of where the events originated (hostname, IP address, etc.). - CORRECT ANSWER Hosts Name of he file, stream, or other input. - CORRECT ANSWER Sources Specific data type or data format. - CORRECT ANSWER Sourcetypes Machine data is only generated by web servers. True/False. - CORRECT ANSWER False Machine data makes up for more than ___% of the data accumulated by organizations. - CORRECT ANSWER 90 Machine data is always structured. True/False. - CORRECT ANSWER False Splunk is comprised of three main processing components. What are they? - CORRECT ANSWER Indexer, Search Head, Forwarder ___ processes machine data, storing the results in indexes as events, enabling fast search and analysis. - CORRECT ANSWER Indexer As the Indexer indexes your data, it creates a number of files organized in sets of ___ by age, and it contains raw data (compressed) and indexes (points to the raw data). - CORRECT ANSWER Directories ___ allows users to use the Search language to search the indexed data, and it distributes user search requests to the Indexer. ___ consolidates the results and
extracts field value pairs from the events to the user. - CORRECT ANSWER Search Heads ___ on the Search Heads can be created to extract additional fields and transform the data without changing the underlying index data. - CORRECT ANSWER Knowledge Objects ___ provide tools to enhance the search experience such as reports, dashboards and visualization. - CORRECT ANSWER Search Heads ___ are instances that consume and send data to the index, and it require minimal resources and have little impact on performance. ___ typically reside on the machines where the data originates, and it is the primary way data is supplied for indexing. - CORRECT ANSWER Forwarders In addition to the three main Splunk processing components, there are some lee- common components. What are they? - CORRECT ANSWER Deployment Server, Cluster Master, License Master In ___ Deployment, a single server contains all functions in a single instance of Splunk for testing, proof of concept, personal user, and learning purposes. It is recommended to have at least one test/development setup at the site. - CORRECT ANSWER Standalone In ___ Deployment, Splunk server manages the deployment of forwarder configurations. - CORRECT ANSWER Basic In Basic Deployment, ___ collect data and send it to Splunk Servers. It installs forwarders at the data source (usually production servers). - CORRECT ANSWER Forwarders Basic Deployment for organizations:
- Indexing less than __ GB per day
- With user __ user
- Small amount of forwarders - CORRECT ANSWER 20
A single-instance deployment of Splunk Enterprise handles: - CORRECT ANSWER Input, Parsing, Indexing, Searching After installation, Splunk starts automatically on ___, and must be manually started on ___ until boot-start is enabled. - CORRECT ANSWER Windows, *NIX Installing Splunk Enterprise as an Indexer or Search Head is identical to installing a ___ deployment instance. - CORRECT ANSWER single ___ define what users can do in Splunk. - CORRECT ANSWER Roles This role will only see their own knowledge objects and those that have been shared with them. - CORRECT ANSWER User Which apps ship with Splunk Enterprise? - CORRECT ANSWER Search & Reporting, Home App You can launch and manage apps from the home app. True/False. - CORRECT ANSWER True What are the three main default roles in Splunk Enterprise? - CORRECT ANSWER Admin, Power, User Splunk index time process (Data ingestion) can be broken down into three phases. What are they? - CORRECT ANSWER Input, Parsing, Indexing After data is written to disk, it cannot be changed. True/False. - CORRECT ANSWER True User can add data inputs with directly editing ___. - CORRECT ANSWER inputs.conf When you index a data source, Splunk assigns ___ values. - CORRECT ANSWER metadata Upload allows uploading local files that only get indexed ___. Useful for testing or data that is created ___ and never updated. - CORRECT ANSWER once
Add data menu provides three options depending on the source to be used. What are they? - CORRECT ANSWER Upload, Monitor, Forward What Add Data option is the main source of input in production environments? - CORRECT ANSWER Forward For one-time indexing (or testing); the ___ option does not create a stanza in inputs.conf. - CORRECT ANSWER Index Once ___ displays how your processed events will be indexed. - CORRECT ANSWER Data preview When add data, by default, the default host name in ___ is used. - CORRECT ANSWER General settings Indexed events are available for immediate search;however, it may take a ___ for Splunk to start indexing the data. - CORRECT ANSWER minute Splunk uses ___ to categorize the type of data being indexed. - CORRECT ANSWER source type Splunk knows where to break the event, where the time stamp is located and how to automatically create field value pairs using these. - CORRECT ANSWER source types The monitor input option will allow you to continuously monitor files. True/False.
- CORRECT ANSWER True In most production environments, ___ will be used as the source of data input. - CORRECT ANSWER Forwarder Files indexed using the the upload input option get indexed ___. - CORRECT ANSWER once ___ provides selections for how to complete the search string. - CORRECT ANSWER Search Assistant
Sharing search extends results retention to ___ days. - CORRECT ANSWER 7 Search History displays your most recent ad-hoc searches - ___ per page. - CORRECT ANSWER 5 In Search, "failed password" and "failed AND password" will return the same results. True/False. - CORRECT ANSWER True Which following search mode toggles behavior based on the type of search being run? - CORRECT ANSWER Smart These are booleans in the Splunk Search Language. What are they? - CORRECT ANSWER NOT, OR, AND Shared search jobs remain active for ___ days by default. - CORRECT ANSWER 7 When zooming in on the event time line, a new search is run. True/False. - CORRECT ANSWER False ___ are searchable key/value pairs in your event data. - CORRECT ANSWER Fields Between search terms, ___ is implied unless otherwise specified. - CORRECT ANSWER AND Prior to search time, some fields are already stored with the event in the index. What are they in Meta fields? - CORRECT ANSWER host, source, sourcetype, index Prior to search time, some fields are already stored with the event in the index. What are they in Internal fields? - CORRECT ANSWER _time, _raw For the current search, Interesting Fields contains occurring events at least __ % of resulting. - CORRECT ANSWER 20 By default, the selected fields are ___, ___ and ___. - CORRECT ANSWER host, source, sourcetype
You can identify other fields as selected fields from ___ (which shows all of the discovered fields) - CORRECT ANSWER All Fields Field names are case sensitive, but Field values are not case sensitive. True/False.
- CORRECT ANSWER True For IP fields, Splunk is subnet/CIDR aware. True/False. - CORRECT ANSWER True Not status = 200 returns events where a status field exists and value in the field doesn't equal 200 -- and all events where the status field doesn't exist. True/False.
- CORRECT ANSWER True What is the default Search Mode? - CORRECT ANSWER Smart Interesting Fields : Have values in at least ___ % of the events. - CORRECT ANSWER 20 What is the most efficient filer in Seach? - CORRECT ANSWER Time Searching for "access denied" is always better than searching for "denied". True/False. - CORRECT ANSWER True Inclusion is generally better than exclusion. Searching for "access denied" is faster than searching for NOT "access granted". True/False. - CORRECT ANSWER True It's possible to search without an index - but that's inefficient and not recommended. True/False. - CORRECT ANSWER True What duration is the most efficient way to filter events in Time? - CORRECT ANSWER 7 days Searches are made up of 5 basic components. What are they? - CORRECT ANSWER Search terms, Commands, Functions, Arguments, Clauses The __ command returns a table formed by only fields in the argument list. - CORRECT ANSWER table
The ___ command finds the most common values of a given field in the result set.
- CORRECT ANSWER top By default, the top command returns top ___ results. - CORRECT ANSWER 10 By default, the top command returns ___ and ___ columns. - CORRECT ANSWER count, percent The limit=# returns this number of results, and limit=0 returns unlimited results. True/False. - CORRECT ANSWER True If the showperc is not included - or it is included and set to t - a percent column is displayed. If showperc=f, then a percent column is NOT displayed. True/False. - CORRECT ANSWER True By default, the display name of the countfield is ___, and countfield=string renames the field for display purposes. - CORRECT ANSWER count The ___ command returns the least common field values or a given field in the result, and its options are identical to the top command. - CORRECT ANSWER rare The ___ enables you to calculate statistics on data that matches your search criteria. - CORRECT ANSWER stats What is the stats function to lists unique values of a given field? - CORRECT ANSWER values What is the stats function to lists all values of a given field? - CORRECT ANSWER list The ___ returns the number of matching events based on the current search criteria. - CORRECT ANSWER count Adding a ___ as an argument to the count function returns the number of events where a value is present for the specified field. - CORRECT ANSWER field
The ___ clause returns a count for each value of a named field or set of fiends. - CORRECT ANSWER by The ___ provides a count of how many unique values there are for a given field in the result set. - CORRECT ANSWER distinct_count or dc How many results are shown by default when using a Top or Rare Command? - CORRECT ANSWER 10 To display the most common values in a specific field, what command would you use? - CORRECT ANSWER top Which stats function would you use to find the average value of a field? - CORRECT ANSWER avg Running a report returns fresh results each time you run it. True/False. - CORRECT ANSWER True For alphanumeric character fields, there are only ___ available reports. - CORRECT ANSWER 3 A ___ consists of one or more panels displaying data visually in a useful way - such as events, tables, or charts. - CORRECT ANSWER dashboard The Dashboard ID is automatically populated with a unique value used by Splunk and should not be changed. True/False. - CORRECT ANSWER True. Why create Panels from Reports? - CORRECT ANSWER It is efficient to create most dashboard panels based on reports. Any change to the underlying report affects every dashboard panel that utilizes that report. The User role can not create reports. True/False. - CORRECT ANSWER False A time range picker can be included in a report. True/False. - CORRECT ANSWER True
What can be used when sometimes static (or relatively unchanging) data is required for searches, but isn't available in the index? - CORRECT ANSWER Lookups Lookup field values are case sensitive by default. True/False. - CORRECT ANSWER True In Lookups file, the first row represents ___ names (header). - CORRECT ANSWER field Use the ___ command to load the results from a specified static lookup. - CORRECT ANSWER inputlookup If a lookup is not configured to run automatically, use the ___ command in your search to use the lookup fields. - CORRECT ANSWER lookup Use ___ when you do not want to overwrite existing field. - CORRECT ANSWER OUTPUTNEW To use an automatic lookup, specify the ___ fields in your search. - CORRECT ANSWER output If a field in a lookup table represents a(n) ___, you can create a time-based lookup. - CORRECT ANSWER timestamp To keep from overwriting existing fields with your Lookup you can use the ___ clause. - CORRECT ANSWER OUTPUTNEW A lookup is categorized as a dataset. True/False. - CORRECT ANSWER True When using a .csv file for Lookups, the first row in the file represents this. - CORRECT ANSWER Field names Users with admin privileges can select a Schedule Priority of Default, Higher, or Highest. True/False. - CORRECT ANSWER True Before a report can be embedded, it must be ___. - CORRECT ANSWER scheduled
___ are triggered when the results of the search meet a specific condition that you define. - CORRECT ANSWER Alerts By default, ___ has read access and ___ has write access to the alert. - CORRECT ANSWER everyone, power What are the two types of alerts? - CORRECT ANSWER Scheduled, Real-time Trigger condition: ___ executes actions one time for all matching events within the scheduled time and conditions. - CORRECT ANSWER Once The ___ options to suppress the actions for results within a specified time range. - CORRECT ANSWER Throttle If you have administrator privileges, you can use a log event action: - CORRECT ANSWER Event, Source, Sourcetype, Host, Index Alerts can be shared to all apps. True/False. - CORRECT ANSWER True Alerts can send an email. True/False. - CORRECT ANSWER True Alerts can run uploaded scripts. True/False. - CORRECT ANSWER True An alert is an action triggered by a ___ ___. - CORRECT ANSWER Saved Search Once an alert is created, you can no longer edit its defining search. True/False. - CORRECT ANSWER False The password for a newly installed Splunk instance is: - CORRECT ANSWER Created when you install Splunk Enterprise. Commands that create statistics and visualizations are called ___ commands. - CORRECT ANSWER stats Charts can be based on numbers, time, or location. True/False. - CORRECT ANSWER True
