SPLK-1001 Splunk Core Certified User Questions and Answers

A number to the right of the field name.

A # symbol to the left of the field name.

A lowercase n to the left of the field name.

A lowercase n to the right of the field name.

Before clauses. For example: stats sum(bytes) | by host

Before commands. For example: | stats sum(bytes) by host

Before arguments. For example: stats sum| (bytes) by host

Before functions. For example: stats |sum(bytes) by host

False

True

The search will fail. The proper top command format is top limit=3 instead of top 3.

The top three most common values in statusCode will be displayed for each user.

Only the top three overall most common values in statusCode will be displayed.

The percentage field will be displayed in the results.

No

Yes

Acceleration, schedule, permissions

The report’s name, schedule, permissions

The report’s name, acceleration, schedule

The report’s name, acceleration, permissions

input

output

error AND (fail AND 400)

error OR (fail and 400)

error AND (fail OR 400)

error OR fail OR 400

index=* “failed password”

“failed password” index=*

(index=* OR index=security) “failed password”

index=security “failed password”

True

False

No

Yes

Index=Security

index=Security

Index=security

index!=Security

Hosts

Sourcetypes

Sources

Indexes

dedup

rename

sort -

fields +

Only data where the error field is present and does not contain a value will be displayed.

Only data with a value in the field error will be displayed.

Only data that does not contain the error field will be displayed.

Only data where the value of the field error does not equal an asterisk (*) will be displayed.

You can modify the search string in the panel, and you can change and configure the visualization.

You can modify the search string in the panel, but you cannot change and configure the visualization.

You cannot modify the search string in the panel, but you can change and configure the visualization.

You cannot modify the search string in the panel, and you cannot change and configure the visualization.

error | table action, src, dest

error | tabular action, src, dest

error | stats table action, src, dest

error | table column=action column=src column=dest

Filter as early as possible.

Never specify more than one index.

Include as few search terms as possible.

Use wildcards to return more search results.

All data accessible to the User role will appear in the report.

All data accessible to the owner of the report will appear in the report.

All data accessible to all users will appear in the report until the next time the report is run.

The owner of the report can configure permissions so that the report uses either the User role or the owner’s profile at run time.

sourcetype=access_* | maximum totals by bytes

sourcetype=access_* | avg (bytes)

sourcetype=access_* | stats max(bytes)

sourcetype=access_* | max(bytes)

Yes

No

The value of the field

The number of values for the field

The number of unique values for the field

The numeric non-unique values of the field

True

False

f*il

*fail

fail*

*fail*

They must be lowercase.

They must be uppercase.

They must be in quotations.

They must be in parentheses.

True

False

Returns the least common field values of a given field in the results.

Returns the most common field values of a given field in the results.

Returns the top 10 field values of a given field in the results.

Returns the lowest 10 field values of a given field in the results.

None of the above

Indexing Phase

Parsing Phase

Input Phase

License Metering

Look back 3 days ago and prior

Look back 72 hours up to one day ago

Look back 72 hours, up to the end of today

Look back from 3 days ago up to the beginning of today

No

Yes

True

False

users

power users

administrators

latest=-2h

earliest=-2h

latest=-2hour@d

earliest=-2hour@d

Zoom to selection

Format Timeline

Deselect

Delete

Zoom Out

Click field in field sidebar -> click YES on the pop-up dialog on upper right side -> check now field should

be visible in the list of selected fields.

Not possible.

Only CLI changes will enable it.

Click Settings -> Find field option -> Drop down select field -> enable selected field -> check now field

should be visible in the list of selected fields.

False

True

Not possible to specify time manually in Search query

end=

start=

earliest=

latest=

status_code !=404

status_code>=400

status_code<=404

status code>403 status_code<405

_raw

host

_host

index

dc(field)

count(field)

count-by(field)

distinct-count(field)

Rex

As

List

By

Add an output.

Export a dashboard panel.

Modify the chart type displayed in a dashboard panel.

Drag a dashboard panel to a different location on the dashboard.

index=security sourcetype=access_* status=200 stats | count by price

index=security sourcetype=access_* status=200 | stats count by price

index=security sourcetype=access_* status=200 | stats count | by price

index=security sourcetype=access_* | status=200 | stats count by price

Indexing

Searching

Parsing

Settings

Input

PDF

JSON

XLS

RTF

OR

NOT

AND

XOR

index=security failure | stats sum as “Event Count”

index=security failure | stats count as “Event Count”

index=security failure | stats count by “Event Count”

index=security failure | stats dc(count) as “Event Count”

True

False

Any newly created dashboard will include that report.

There are no benefits to creating dashboard panels from reports.

It makes the dashboard more efficient because it only has to run one search string.

Any change to the underlying report will affect every dashboard that utilizes that report.

indexer—index_name

indexer name—index_name

index=index_name

index name=index_name

index=security Error Fail

index=security error OR fail

index=security “error failure”

index=security NOT error NOT fail

user

source

location

sourcelp

Forwarders

Indexer

Heavy Forwarders

Search head

False

True

Host

Sourcetype

Index

Source

action+purchase

action=purchase

action | purchase

action equal purchase

Yes

No

3

2

4

1

Lookups can be time based

Search results can be used to populate a lookup table

Splunk DB Connect can be used to populate a lookup table from relational databases

Output from a script can be used to populate a lookup table

Lookup have a 10mg maximum size limit

h

day

mon

yr

y

w

week

Splunk is a software platform to search, analyze and visualize the machine-generated data.

Database management tool.

Security Information and Event Management (SIEM).

Cloud based application that help in analyzing logs.

No

Yes

Correlated

File-based

Total

Segmented

Save the search as a report and use it in multiple dashboards as needed

Save the search as a dashboard panel for each dashboard that needs the data

Save the search as a scheduled alert and use it in multiple dashboards as needed

Export the results of the search to an XML file and use the file as the basis of the dashboards

index=a index=b

(index=a OR index=b)

index=(a & b)

index = a, b

Events

Patterns

Statistics

Visualization

Any search can be saved as a report

Only searches that generate visualizations

Only searches containing a transforming command

Only searches that generate statistics or visualizations

Yes

No

Executes a new search.

Filters current search results.

Moves to past or future events.

Expands the time range of the search.

|

$

!

,