SPLK-1001 Splunk Core Certified User Questions and Answers

By scheduling a report.

By creating a link to the job.

By changing the job settings.

By changing the time range picker to more than 7 days.

When Splunk encounters a syntax error in a search

When a trigger action meets the predefined conditions

When an event in a search matches up with a data model

When results of a search meet a specifically defined condition

The new result after selecting the range by dragging filters the events and displays the most recent first.

There is no functionality like click and drag in Splunk's timeline.

Using this option executes a new query.

This doesn't execute a new query

True

False

forwarders

indexers

search heads

Yes

No

True

False

True

False

#

%

a

a#

False

True

CTRL + Enter

Shift + Enter

Space + Enter

ALT + Enter

a base search for the object

fields for the object

users

power users

administrators

Automatic

Smart

Fast

Verbose

Indexer

Forwarder

Search head

Deployment server

Include all formatting commands before any search terms

Include at least one function as this is a search requirement

Include the search terms at the beginning of the search string

Avoid using formatting clauses as they add too much overhead

Date & Time Range

Advanced

Date Range

Presets

Relative

|

$

!

,

index!=Security

Index-security

Index=Security

index=Security

drills down for that value

highlights the field value across the chart

adds the highlighted value to the search criteria

latest=-2h

earliest=-2h

latest=-2hour@d

earliest=-2hour@d

It returns the top 10 results

It displays the output in table format

It returns the count and percent columns per row

All of the above

True

False

Saving the item to a report

Adding the item to the search.

Adding the item to a dashboard

Saving the search to a JSON file.

search heads

indexers

forwarders

| rename action = CustomerAction

| rename Action as “Customer Action”

| rename Action to “Customer Action”

| rename action as “Customer Action”

True

False

Indexer

Parsing

Heavy Forwarder

Input

Splunk only extracts the most interesting data from the last 24 hours.

Splunk only extracts fields users have manually specified in their data.

Splunk automatically extracts any fields that generate interesting visualizations.

Splunk automatically discovers many fields based on sourcetype and key/value pairs found in the data.

No

Yes

No

Yes

Lookups can be time based

Search results can be used to populate a lookup table

Splunk DB Connect can be used to populate a lookup table from relational databases

Output from a script can be used to populate a lookup table

Lookup have a 10mg maximum size limit

top

stats

table

percent

ASCII Character order.

Reverse chronological order.

Alphanumeric order.

Chronological order.

<=

=

!=

>

?=

Splunk will re-run the search job in Verbose Mode to prioritize the new Selected Field

Splunk will highlight related fields as a suggestion to add them to the Selected Fields list.

Custom selections will replace the Interesting Fields that Splunk populated into the list at search time

The selected field and its corresponding values will appear underneath the events in the search results

Before clauses. For example: stats sum(bytes) | by host

Before commands. For example: | stats sum(bytes) by host

Before arguments. For example: stats sum| (bytes) by host

Before functions. For example: stats |sum(bytes) by host

index=security sourcetype=access_* status=200 stats | count by price

index=security sourcetype=access_* status=200 | stats count by price

index=security sourcetype=access_* status=200 | stats count | by price

index=security sourcetype=access_* | status=200 | stats count by price

Forwarders

Indexer

Heavy Forwarders

Search head

Time

Fast mode

Sourcetype

Selected Fields

Description_Group_Object

Group_Description_Object

Group_Object_Description

Object_Group_Description

Splunk User Behavior Analytics (UBA)

Splunk IT Service Intelligence (ITSI)

Splunk Enterprise Security (ES)

Splunk Analytics Security (AS)

index=security Error Fail

index=security error OR fail

index=security “error failure”

index=security NOT error NOT fail

Search head, GPU, streamer

Search head, indexer, forwarder

Search head, SQL database, forwarder

Search head, SSD, heavy weight agent

No

Yes

Lists all values of a given field.

Lists unique values of a given field.

Returns a count of unique values for a given field.

Returns the number of events that match the search.

2

4

1

3

The value of the field

The number of values for the field

The number of unique values for the field

The numeric non-unique values of the field

Zoom to selection: Narrows the time range and re-executes the search.

Zoom to selection: Narrows the time range and doesn't re-executes the search.

Format Timeline: Hides or shows the timeline in different views.

Zoom-Out: Expands the time focus and doesn't re-executes the search.

Zoom-out: Expands the time focus and re-executes the search.

Rex

As

List

By

True

False

Yes

No

Filter as early as possible.

Never specify more than one index.

Include as few search terms as possible.

Use wildcards to return more search results.

Table

Report

Pie chart

index==main status!==200

index=main NOT status=200

index==main NOT status==200

index-main status!=200

Only HF

No

Yes

user

source

location

sourcelp

Time summary

Time range picker

Search time picker

Data source time statistics

Use field +to add and field -to remove.

Use table +to add and table -to remove.

Use fields +to add and fields –to remove.

Use fields Plus to add and fields Minus to remove.

None of the above

Job

Search Only

No

Yes

@

&

*

#

sourcetype

index

source

host

input

output

Will display result depending on the data.

Will return event where status field exist but value of that field is not 100.

Will return event where status field exist but value of that field is not 100 and all events where status field

doesn't exist.

The search will fail. The proper top command format is top limit=3 instead of top 3.

The top three most common values in statusCode will be displayed for each user.

Only the top three overall most common values in statusCode will be displayed.

The percentage field will be displayed in the results.

Dashboards must have a unique dashboard ID within a permission's context.

Splunk dashboards consist of one or more panels displaying data visually in a useful way.

Splunk dashboards may not be directly created from search results without first creating a report.

Splunk dashboard panels can be populated by reports.

Use earliest=-1d@d latest=@d

Set a real-time search over a 24-hour window

Use the time range picket to select “Yesterday”

Use the time range picker to select “Last 24 hours”

To sort field values in descending order.

To return only fields containing five of fewer values.

To find the least common values of a field in a dataset.

To find the fields with the fewest number of values across a dataset.

The lookup must be configured to run automatically.

The contents of the lookup file must be copied and pasted into the search bar.

The lookup file must be uploaded to Splunk and a lookup definition must be created.

The lookup file must be uploaded to the etc/apps/lookups folder for automatic ingestion.