序号 试题

How can search results be kept longer than 7 days?

1

In a deployment with multiple indexes, what will happen

when a search is run and an index is not specified in the
2 search string?

3 The better way of writing search query for index is:

Selected fields are a set of configurable fields displayed
4 for each event.

5 What is Splunk?

6 NOT status = 100:

When placed early in a search, which command is most

7 effective at reducing search execution time?

When looking at a statistics table, what is one way to drill

8 down to see the underlying events?

Which of the following is a best practice when writing a

9 search string?

Which search would return events from the

10 access_combined sourcetype?
11 How do you add or remove fields from search results?
Splunk Enterprise is used as a Scalable service in Splunk
12 Cloud.

Which of the following is true about user account settings

13 and preferences?

Which search matches the events containing the terms

14 `error` and `fail`?

15 By default, how long does Splunk retain a search job?

16 Which search string only returns events from hostWWW3?

In the Search and Reporting app, which is a default

17 selected field?

Keywords are highlighted when you mouse over search

results and you can click this search result to (Choose
18 three.):

You can use the following options to specify start and end
19 time for the query range:

What can be included in the All Fields option in the

20 sidebar?

What does the following specified time range do?

21 earliest=-72h@h latest=@d
 Which of the following is the recommended way to create
multiple dashboards displaying data from the same
22 search?

Which search string returns a filed containing the number

23 of matching events and names that field Event Count?

Which of the following is the most efficient filter for

24 running searches in Splunk?

Which of the following searches will return results where

25 fail, 400, and error exist in every event?

What is the main requirement for creating visualizations

26 using the Splunk UI?

27 What does the values function of the stats command do?

By default, which of the following fields would be listed in

28 the fields sidebar under interesting Fields?

What is one benefit of creating dashboard panels from

29 reports?

30 Which statement is true about Splunk alerts?

 Data summary button just below the search bar gives you
31 the following (Choose three.):

When using the top command in the following search,

which of the following will be true about the results?
index="main" sourcetype="access_*" action="purchase" |
top 3 statusCode by user showperc=f
32 countfield=status_code_count

When refining search results, what is the difference in the

33 time picker between real-time and relative time ranges?

When editing a dashboard, which of the following are

34 possible options? (Choose all that apply.)

Assuming a user has the capability to edit reports, which

35 of the following are editable?

Which of the following index searches would provide the

36 most efficient search performance?

37 Can you stop or pause the searching?

You can also specify a time range in the search bar. You
can use the following for beginning and ending for a time
38 range (Choose two.):

39 Which symbol is used to snap the time?

Splunk Parses data into individual events, extracts time,
40 and assigns metadata.

41 You are able to create new Index in Data Input settings.

42 What will always appear in the Selected Fields list?

In the Search and Reporting app, which tab displays

43 timecharts and bar charts?

44 Fields are searchable key value pairs in your event data.

Select the best options for "search best practices" in

45 Splunk:(Choose five.)

46 Query - status != 100:

47 != and NOT are same arguments.

48 Field names are case sensitive and field value are not.

49 How to make Interesting field into a selected field?

Interesting fields are the fields that have at least 20% of
50 resulting fields.

Which of the following is the appropriately formatted SPL

51 search?
 What is the result of the following search?
52 index=myindex source=c:\mydata.txt NOT error=*

The four types of Lookups that Splunk provides out-of-the-

box are External, KV Store, Geospatial and which of the
53 following?

54 What is the default lifetime of every Splunk search job?

55 Which statement describes field discovery at search time?

56 What are the three main Splunk components?

How can results from a specified static lookup file be

57 displayed?

Which of the following is the best way to create a report

58 that shows the last 24 hours of events?

59 When is the pipe character, |, used in search strings?

Which of the following is a metadata field assigned to

60 every event in Splunk?

Which of the following is a correct way to limit search

61 results to display the 5 most common values of a field?
62 Which command will rename action to Customer Action?

What is the correct way to use a time range specifier in

63 the search bar so that the search looks back 2 hours?
Events in Splunk are automatically segregated using data
64 and time.

The new data uploaded in Splunk are shown in

65 ________________.

66 @ Symbol can be used in advanced time unit option.

67 What is Search Assistant in Splunk?

The default host name used in Inputs general settings can
68 not be changed.

69 Matching of parentheses is a feature of Splunk Assistant.

70 Every Search in Splunk is also called _____________.

71 Matching search terms are highlighted.

Forward Option gather and forward data to indexers over

72 a receiving port from remote machines.
All components are installed and administered in Splunk
73 Enterprise on-premise.

74 Which of the following is the most efficient search?

By default, which role contains the minimum permissions

75 required to have write access to Splunk alerts?

Following are the time selection option while making

76 search:(Choose all that apply.)
 When saving a search directly to a dashboard panel
instead of saving as a report first, which of the following is
77 created?

Which of the following reports is available in the Fields

78 window?

When viewing results of a search job from the Activity

79 menu, which of the following is displayed?

In monitor option you can select the following options in

80 GUI.

What happens when a field is added to the Selected Fields

81 list in the fields sidebar?
A SOC manager is complaining that a scheduled alert for
failed login attempts triggered 150 emails. They still want
to be alerted of failed logins via email, but they want less
volume of alerts. Which of the following would resolve this
82 for the SOC manager?

A field exists in search results, but isn't being displayed in

the fields sidebar.
83 How can it be added to the fields sidebar?
 Which stats command function provides a count of how
many unique values exist for a given field in the result
84 set?

After running a search, what effect does clicking and

85 dragging across the timeline have?

Which of the following is an option after clicking an item in

86 search results?

Which of the following statements about case sensitivity is

87 true?

What is the correct syntax to count the number of events

88 containing a vendor_action field?

Which of the following are common constraints of the top

89 command?

90 ______________ is the default web port used by Splunk.

Put query into separate lines where | (Pipes) are used by

91 selecting following options.

92 Which statement is true about the top command?

93 You can change the App context in Input setting.

Which three statements are true about the DESCRIBE

94 command? (Choose three.)
 Which search matches the events containing the terms
95 "error" and "fail"?

Which of the following file types is an option for exporting

96 Splunk search results?

Which search will return only events containing the word

`error` and display the results as a table that includes the
97 fields named action, src, and dest?

Select the statements that are true for timeline in Splunk

98 (Choose four.):

Which of the following represents the Splunk

99 recommended naming convention for dashboards?

When writing searches in Splunk, which of the following is

100 true about Booleans?

Which of the following searches would return events with

101 failure in index netfw or warn or critical in index netops?

Select the answer that displays the accurate placing of the

pipe in the following search string: index=security
102 sourcetype=access_* status=200 stats count by price

When running searches, command modifiers in the search

103 string are displayed in what color?
 Which of the following constraints can be used with the
104 top command?

There are three different search modes in Splunk (Choose

105 three.):

What determines the scope of data that appears in a

106 scheduled report?
Documentations for Splunk can be found at
107 docs.splunk.com

Which search will return the 15 least common field values

108 for the dest_ip field?

Which of the statements is correct regarding click and

109 drag option in timeline?

Which search string matches only events with the

110 status_code of 404?

When displaying results of a search, which of the following

111 is true about line charts?
We should use heavy forwarder for sending event-based
112 data to Indexers.

113 What user interface component allows for time selection?

114 How many main user roles do you have in Splunk?

 When a Splunk search generates calculated data that
appears in the Statistics tab, in what formats can the
115 results be exported?

When looking at a dashboard panel that is based on a

116 report, which of the following is true?

117 Which of the following is a Splunk search best practice?

Which of the following Splunk components typically

118 resides on the machines where data originates?

What must be done before an automatic lookup can be

119 created? (Choose all that apply.)

120 Which of the statements are correct? (Choose three.)

Beginning parentheses is automatically highlighted to

121 guide you on the presence of complimenting parentheses.

In the Splunk interface, the list of alerts can be filtered

122 based on which characteristics?

Which command is used to review the contents of a

123 specified static lookup file?

124 By default, which of the following is a Selected Field?

 Which of the following statements are correct about
125 Search & Reporting App? (Choose three.)

126 How are events displayed after a search is executed?

127 Which of the following describes lookup files?

What is the purpose of using a by clause with the stats

128 command?
Splunk internal fields contains general information about
129 events and starts from underscore i.e. _ .
Portal for Splunk apps can be accessed through
130 www.splunkbase.com

How does Splunk determine which fields to extract from

131 data?
Will the queries following below get the same result?
1. index=log sourcetype=error_log status !=100
132 2. index=log sourcetype=error_log NOT status =100

133 What are the two most efficient search filters?

In the Fields sidebar, what does the number directly to the

134 right of the field name indicate?

_______________ transforms raw data into events and

135 distributes the results into an index.
 Which events will be returned by the following search
136 string? host=www3 status=503

At index time, in which field does Splunk store the

137 timestamp value?

A collection of items containing things such as data inputs,

138 UI elements, and knowledge objects is known as what?

139 What does the rare command do?

Which time range picker configuration would return real-

140 time events for the past 30 seconds?

What must be done in order to use a lookup table in

141 Splunk?

142 What is a primary function of a scheduled report?

Splunk extracts fields from event data at index time and
143 at search time.

What options do you get after selecting timeline? (Choose

144 four.)

In the fields sidebar, which character denotes

145 alphanumeric field values?
 What is a quick, comprehensive way to learn what data is
146 present in a Splunk deployment?

You can view the search result in following format (Choose

147 three.):

148 Data sources being opened and read applies to:

149 When is an alert triggered?

150 Parsing of data can happen both in HF and Indexer.

151 Upload option creates inputs.conf

Universal forwarder is recommended for forwarding the
152 logs to indexers.

153 Three basic components of Splunk are (Choose three.):

154 Splunk apps are used for following (Choose three.):

Which component of Splunk is primarily responsible for

155 saving data?

Which Field/Value pair will return only events found in the

156 index named security?

157 Snapping rounds down to the nearest specified unit.

At the time of searching the start time is 03:35:08.
Will it look back to 03:00:00 if we use -30m@h in
158 searching?
 Search Assistant is enabled by default in the SPL editor
159 with compact settings.

Select the correct option that applies to Index time

160 processing (Choose three.).

161 Parsing of data can happen both in HF and UF.

162 Splunk indexes the data on the basis of timestamps.

Fields are searchable name and value pairings that
163 differentiates one event from another.

Which of the following are Splunk premium enhanced

164 solutions? (Choose three.)

165 Field names are case sensitive.

Machine data can be in structured and unstructured
166 format.

167 Prefix wildcards might cause performance issues.

Which of the following can be used as wildcard search in

168 Splunk?

169 Splunk shows data in __________________.

170 What kind of logs can Splunk Index?

171 Which is the default app for Splunk Enterprise?

172 Log filtering/parsing can be done from _____________.

Which component of Splunk let us write SPL query to find

173 the required data?
174 Which of the following statements describes a search job?

175 Which search string is the most efficient?

Which command automatically returns percent and count

176 columns when executing searches?

According to Splunk best practices, which placement of

177 the wildcard results in the most efficient search?

178 What is the primary use for the rare command?

Which is primary function of the timeline located under

179 the search bar?

Which of the following fields is stored with the events in

180 the index?

181 What type of search can be saved as a report?

182 Where does Licensing meter happen?

Which of the statements are correct about HF? (Choose

183 three.)

What syntax is used to link key/value pairs in search

184 strings?
 Splunk index time process can be broken down into
185 __________ phases.

What syntax is used to link key/value pairs in search

186 strings?

187 License Meter runs before data compression.

188 Field values are case sensitive.

189 Which of the following is a Splunk internal field?

190 Monitor option in Add Data provides _______________.

191 How can another user gain access to a saved report?

192 What can be configured using the Edit Job Settings menu?

193 What does the stats command do?

When viewing the results of a search, what is an

194 Interesting Field?

Which of the following are functions of the stats

195 command?

In the fields sidebar, what indicates that a field is

196 numeric?
 What is a suggested Splunk best practice for naming
197 reports?
Splunk automatically determines the source type for major
198 data types.

What result will you get with following search index=test

199 sourcetype="The_Questionnaire_P*" ?

When an alert action is configured to run a script, Splunk

must be able to locate the script.
Which is one of the directories Splunk will look in to find
200 the script?

Which Boolean operator is always implied between two

201 search terms, unless otherwise specified?

202 What are the steps to schedule a report?

When sorting on multiple fields with the sort command,

what delimiter can be used between the field names in
203 the search?

Which all time unit abbreviations can you include in

204 Advanced time range picker? (Choose seven.)

205 Which command is used to validate a lookup file?

Uploading local files though Upload options index the file
206 only once.
 Search Language Syntax in Splunk can be broken down
207 into the following components. (Choose all that apply.)

You can on-board data to Splunk using following means

208 (Choose four.):

209 Zoom Out and Zoom to Selection re-executes the search.

210 By default search results are not returned in ________.

Use this command to use lookup fields in a search and see

211 the lookup fields in the field sidebar.

212 Clicking a SEGMENT on a chart, ________.

What is the correct order of steps for creating a new
lookup?
1. Configure the lookup to run automatically
2. Create the lookup table
213 3. Define the lookup

This function of the stats command allows you to return

214 the sample standard deviation of a field.

Which statement is true about the top command (Choose

215 all.)?

It is no possible for a single instance of Splunk to manage

216 the input, parsing and indexing of machine data.

It is mandatory for the lookup file to have this for an

217 automatic lookup to work.

218 Lookups allow you to overwrite your raw event.

 Which of the following are functions of the stats
219 command(Choose all correct answers)?

The command shown here does witch of the following:

220 | outputlookup products.csv

221 These users can create global knowledge objects.

This search will return 20 results.
222 SEARCH: error | top host limit = 20

This clause is used to group the output of a stats

223 command by a specific name.

When a search returns __________, you can view the results

224 as a list.

Which of the following are responsible for reducing search

225 results?

This function of the stats command allows you to return

226 the middle-most value of field X.

Which of the following commands will show the maximum

227 bytes?

By default search results are not returned in ________

228 order.
选项 答案

A. By scheduling a report.
B. By creating a link to the job.
C. By changing the job settings.
D. By changing the time range picker to more than 7 days. A
A. No events will be returned.
B. Splunk will prompt you to specify an index.
C. All non-indexed events to which the user has access will
be returned.
D. Events from every index searched by default to which the
user has access will be returned. D
A. index=a index=b
B. (index=a OR index=b)
C. index=(a & b)
D. index = a, b B
A. True
B. False A
A. Splunk is a software platform to search, analyze and
visualize the machine-generated data.
B. Database management tool.
C. Security Information and Event Management (SIEM).
D. Cloud based application that help in analyzing logs. A
A. Will display result depending on the data.
B. Will return event where status field exist but value of that
field is not 100.
C. Will return event where status field exist but value of that
field is not 100 and all events where status field doesn't
exist. C
A. dedup
B. rename
C. sort -
D. fields + D
A. Creating a pivot table.
B. Clicking on the visualizations tab.
C. Viewing your report in a dashboard.
D. Clicking on any field value in the table. D
A. Include all formatting commands before any search
terms.
B. Include at least one function as this is a search
requirement.
C. Include the search terms at the beginning of the search
string.
D. Avoid using formatting clauses, as they add too much
overhead. C
A. Sourcetype=access_combined
B. Sourcetype=Access_Combined
C. sourcetype=Access_Combined
D. SOURCETYPE=access_combined C
A. Use field +to add and field -to remove.
B. Use table +to add and table -to remove.
C. Use fields +to add and fields -to remove.
D. Use fields Plus to add and fields Minus to remove. C
A. True
B. False A
A. Search & Reporting is the only app that can be set as the
default application.
B. Full names can only be changed by accounts with a
Power User or Admin role.
C. Time zones are automatically updated based on the
setting of the computer accessing Splunk.
D. Full name, time zone, and default app can be defined by
clicking the login name in the Splunk bar. D
A. index=security Error Fail
B. index=security error OR fail
C. index=security "error failure"
D. index=security NOT error NOT fail A
A. 10 Minutes
B. 15 Minutes
C. 1 Day
D. 7 Days A
A. host=*
B. host=WWW3
C. host=WWW*
D. Host=WWW3 B
A. index
B. host
C. _time
D. action B
A. Open new search.
B. Exclude the item from search.
C. None of the above.
D. Add the item to search. ABD
A. earliest=
B. latest=
C. beginning=
D. ending=
E. All the above
F. Only 3rd and 4th AB
A. Dashboards
B. Metadata only
C. Non-interesting fields
D. Field descriptions C

A. Look back 3 days ago and prior.

B. Look back 72 hours, up to one day ago.
C. Look back 72 hours, up to the end of today.
D. Look back from 3 days ago, up to the beginning of today. D
A. Save the search as a report and use it in multiple
dashboards as needed.
B. Save the search as a dashboard panel for each dashboard
that needs the data.
C. Save the search as a scheduled alert and use it in
multiple dashboards as needed.
D. Export the results of the search to an XML file and use
the file as the basis of the dashboards. A

A. index=security failure | stats sum as "Event Count"

B. index=security failure | stats count as "Event Count"
C. index=security failure | stats count by "Event Count"
D. index=security failure | stats dc(count) as "Event Count" B
A. Time
B. Fast mode
C. Sourcetype
D. Selected Fields A
A. error AND (fail AND 400)
B. error OR (fail and 400)
C. error AND (fail OR 400)
D. error OR fail OR 400 A
A. Your search must transform event data into Excel file
format first.
B. Your search must transform event data into XML
formatted data first.
C. Your search must transform event data into statistical
data tables first.
D. Your search must transform event data into JSON
formatted data first. C
A. Lists all values of a given field.
B. Lists unique values of a given field.
C. Returns a count of unique values for a given field.
D. Returns the number of events that match the search. B
A. host
B. index
C. source
D. sourcetype B
A. Any newly created dashboard will include that report.
B. There are no benefits to creating dashboard panels from
reports.
C. It makes the dashboard more efficient because it only has
to run one search string.
D. Any change to the underlying report will affect every
dashboard that utilizes that report. D
A. Alerts are based on searches that are either run on a
scheduled interval or in real-time.
B. Alerts are based on searches and when triggered will only
send an email notification.
C. Alerts are based on searches and require cron to run on
scheduled interval.
D. Alerts are based on searches that are run exclusively as
real-time. A
A. Hosts
B. Sourcetypes
C. Sources
D. Indexes ABC
A. The percentage field will be displayed in the results.
B. The top three most common values in statusCode will be
displayed for each user.
C. The search will fail. The proper top command format is
top limit=3 instead of top 3.
D. Only the top three overall most common values in
statusCode will be displayed. B

A. Real-time searches display results from a rolling time

window, while relative searches display results from a set
length of time.
B. Real-time searches happen instantly, while relative
searches happen at a scheduled time.
C. Real-time represents events that have happened in a set
time window, while relative will display results from a rolling
time window.
D. Real-time searches run constantly in the background,
while relative searches only run when certain criteria are
met. A
A. Add an output.
B. Export a dashboard panel.
C. Modify the chart type displayed in a dashboard panel.
D. Drag a dashboard panel to a different location on the
dashboard. CD
A. Acceleration, schedule, permissions
B. The report's name, schedule, permissions
C. The report's name, acceleration, schedule
D. The report's name, acceleration, permissions A
A. index=*
B. index=web OR index=s*
C. (index=web OR index=sales)
D. *index=sales AND index=web* C
A. No
B. Yes B
A. Not possible to specify time manually in Search query
B. end=
C. start=
D. earliest=
E. latest= DE
A. @
B. &
C. *
D. # A
A. False
B. True B
A. No
B. Yes B
A. index
B. action
C. clientip
D. sourcetype D
A. Events
B. Patterns
C. Statistics
D. Visualization D
A. True
B. False A
A. Select the time range always.
B. Try to specify index values.
C. Include as many search terms as possible.
D. Never select time range.
E. Try to use * with every search term.
F. Inclusion is generally better than exclusion.
G. Try to keep specific search terms. ABCFG
A. Will return event where status field exist but value of that
field is not 100.
B. Will return event where status field exist but value of that
field is not 100 and all events where status field doesn't
exist.
C. Will get different results depending on data. A
A. True
B. False B
A. True
B. False A
A. Click field in field sidebar -> click YES on the pop-up
dialog on upper right side -> check now field should be
visible in the list of selected fields.
B. Not possible.
C. Only CLI changes will enable it.
D. Click Settings -> Find field option -> Drop down select
field -> enable selected field -> check now field should be
visible in the list of selected fields. A
A. True
B. False A
A. index=security sourcetype=linux_secure (invalid OR
failed) | count as "Potential Issues"
B. index=security sourcetype=linux_secure (invalid OR
failed) | stats count as "Potential Issues"
C. index=security sourcetype=linux_secure (invalid OR
failed) | count stats as "Potential Issues"
D. index=security sourcetype=linux_secure (invalid OR
failed) | stats as "Potential Issues" B
A. Only data where the value of the field error does not
equal an asterisk (*) will be displayed.
B. Only data that does not contain the error field will be
displayed.
C. Only data with a value in the field error will be displayed.
D. Only data where the error field is present and does not
contain a value will be displayed. B
A. Correlated
B. Total
C. Segmented
D. File-based D
A. All search jobs are saved for 10 days
B. All search jobs are saved for 10 hours
C. All search jobs are saved for 10 weeks
D. All search jobs are saved for 10 minutes D

A. Splunk automatically discovers only numeric fields

B. Splunk automatically discovers only alphanumeric fields
C. Splunk automatically discovers only manually configured
fields
D. Splunk automatically discovers only fields directly related
to the search results D
A. Search head, GPU, streamer
B. Search head, indexer, forwarder
C. Search head, SQL database, forwarder
D. Search head, SSD, heavy weight agent B
A. lookup command
B. inputlookup command
C. Settings > Lookups > Input
D. Settings > Lookups > Upload B

A. Use earliest=-1d@d latest=@d

B. Set a real-time search over a 24-hour window
C. Use the time range picket to select "Yesterday"
D. Use the time range picker to select "Last 24 hours" D

A. Before clauses. For example: stats sum(bytes) | by host

B. Before commands. For example: | stats sum(bytes) by
host
C. Before arguments. For example: stats sum| (bytes) by
host
D. Before functions. For example: stats |sum(bytes) by host B
A. host
B. owner
C. bytes
D. action A
A. | rare top=5
B. | top rare=5
C. | top limit=5
D. | rare limit=5 C
A. | rename action = CustomerAction
B. | rename Action as "Customer Action"
C. | rename Action to "Customer Action"
D. | rename action as "Customer Action" D
A. latest=-2h
B. earliest=-2h
C. latest=-2hour@d
D. earliest=-2hour@d B
A. Yes
B. No A
A. Real-time
B. 10 Minutes
C. Overnight Download
D. 30 Minutes A
A. No
B. Yes B
A. It is only available to Admins.
B. Such feature does not exist in Splunk.
C. Shows options to complete the search string. C
A. False
B. True A
A. No
B. Yes B
A. None of the above
B. Job
C. Search Only B
A. Yes
B. No A

A. False
B. True A
A. True
B. False A
A. index=* "failed password"
B. "failed password" index=*
C. (index=* OR index=security) "failed password"
D. index=security "failed password" D
A. Alerting
B. Admin
C. Power
D. User C
A. Date & Time Range
B. Advanced
C. Date Range
D. Presets
E. Relative ABCDE
A. Cloned panel
B. Inline panel
C. Report panel
D. Prebuilt panel B

A. Top values by time

B. Rare values by time
C. Events with top value fields
D. Events with rare value fields A

A. New events based on the current time range picker

B. The same events based on the current time range picker
C. The same events from when the original search was
executed
D. New events in addition to the same events from the
original search B
A. Only HTTP Event Collector (HEC) and TCP/UDP
B. None of the above
C. Only TCP/UDP
D. Only Scripts
E. Filed & Directories, HTTP Event Collector (HEC), TCP/UDP
and Scripts E
A. Splunk will re-run the search job in Verbose Mode to
prioritize the new Selected Field.
B. Splunk will highlight related fields as a suggestion to add
them to the Selected Fields list.
C. Custom selections will replace the Interesting Fields that
Splunk populated into the list at search time.
D. The selected field and its corresponding values will
appear underneath the events in the search results. D

A. Change the schedule so the alert runs more frequently.

B. Disable the alert entirely.
C. Change the trigger from "For each result" to "Once''.
D. Change the alert action from email to webhook. C
A. Click All Fields and select the field to add it to Selected
Fields.
B. Click Interesting Fields and select the field to add it to
Selected Fields.
C. Click Selected Fields and select the field to add it to
Interesting Fields.
D. This scenario isn't possible because all fields returned
from a search always appear in the fields sidebar. A
A. dc(field)
B. count(field)
C. count-by(field)
D. distinct-count(field) A
A. Executes a new search.
B. Filters current search results.
C. Moves to past or future events.
D. Expands the time range of the search. B
A. Saving the item to a report.
B. Adding the item to the search.
C. Adding the item to a dashboard.
D. Saving the Search to a JSON file. B
A. Both field names and field values ARE case sensitive.
B. Field names ARE case sensitive; field values are NOT.
C. Field values ARE case sensitive; field names ARE NOT.
D. Both field names and field values ARE NOT case
sensitive. B
A. count stats vendor_action
B. count stats (vendor_action)
C. stats count (vendor_action)
D. stats vendor_action (count) C
A. limit, count
B. limit, showpercent
C. limits, countfield
D. showperc, countfield D
A. 8089
B. 8000
C. 8080
D. 443 B
A. CTRL + Enter
B. Shift + Enter
C. Space + Enter
D. ALT + Enter B
A. It returns the top 10 results.
B. It displays the output in table format.
C. It returns the count and percent columns per row.
D. All of the above. D
A. No
B. Yes B

A. It can be used to display the structure of an existing view

B. It can be used only from SQL*Plus
C. It displays the PRIMARY KEY constraint for any column or
columns that have that constraint
D. It can be used from SQL Developer
E. It displays all constraints that are defined for each column
F. It displays the NOT NULL constraint for any columns that
have that constraint ADF
A. index=security Error Fail
B. index=security error OR fail
C. index=security "error failure"
D. index=security NOT error NOT fail A
A. PDF
B. JSON
C. XLS
D. RTF B
A. error | table action, src, dest
B. error | tabular action, src, dest
C. error | stats table action, src, dest
D. error | table column=action column=src column=dest A

A. Timeline shows distribution of events specified in the

time range in the form of bars.
B. Single click to see the result for particular time period.
C. You can click and drag across the bar for selecting the
range.
D. This is default view and you can't make any changes to
it.
E. You can hover your mouse for details like total events,
time and date. ABCE
A. Description_Group_Object
B. Group_Description_Object
C. Group_Object_Description
D. Object_Group_Description C
A. They must be lowercase.
B. They must be uppercase.
C. They must be in quotations.
D. They must be in parentheses. B

A. (index=netfw failure) AND index=netops warn OR critical

B. (index=netfw failure) OR (index=netops (warn OR
critical))
C. (index=netfw failure) AND (index=netops (warn OR
critical))
D. (index=netfw failure) OR index=netops OR (warn OR
critical) B
A. index=security sourcetype=access_* status=200 stats |
count by price
B. index=security sourcetype=access_* status=200 | stats
count by price
C. index=security sourcetype=access_* status=200 | stats
count | by price
D. index=security sourcetype=access_* | status=200 | stats
count by price B
A. Red
B. Blue
C. Orange
D. Highlighted C
A. limit
B. useperc
C. addtotals
D. fieldcount A
A. Automatic
B. Smart
C. Fast
D. Verbose BCD

A. All data accessible to the User role will appear in the

report.
B. All data accessible to the owner of the report will appear
in the report.
C. All data accessible to all users will appear in the report
until the next time the report is run.
D. The owner of the report can configure permissions so
that the report uses either the User role or the owner's
profile at run time. B
A. True
B. False A
A. sourcetype=firewall | rare num=15 dest_ip
B. sourcetype=firewall | rare last=15 dest_ip
C. sourcetype=firewall | rare count=15 dest_ip
D. sourcetype=firewall | rare limit=15 dest_ip D
A. The new result after selecting the range by dragging
filters the events and displays the most recent first.
B. There is no functionality like click and drag in Splunk's
timeline.
C. Using this option executes a new query.
D. This doesn't execute a new query. D
A. status_code!=404
B. status_code>=400
C. status_code<=404
D. status_code>403 status_code<405 D
A. Line charts are optimal for single and multiple series.
B. Line charts are optimal for single series when using Fast
mode.
C. Line charts are optimal for multiple series with 3 or more
columns.
D. Line charts are optimal for multiseries searches with at
least 2 or more columns. A
A. False
B. True B
A. Time summary
B. Time range picker
C. Search time picker
D. Data source time statistics B
A. 2
B. 4
C. 1
D. 3 D
A. CSV, JSON, PDF
B. CSV, XML, JSON
C. Raw Events, XML, JSON
D. Raw Events, CSV, XML, JSON B
A. You can modify the search string in the panel, and you
can change and configure the visualization.
B. You can modify the search string in the panel, but you
cannot change and configure the visualization.
C. You cannot modify the search string in the panel, but you
can change and configure the visualization.
D. You cannot modify the search string in the panel, and
you cannot change and configure the visualization. C
A. Filter as early as possible.
B. Never specify more than one index.
C. Include as few search terms as possible.
D. Use wildcards to return more search results. A
A. Indexer
B. Forwarder
C. Search head
D. Deployment server B
A. The lookup command must be used.
B. The lookup definition must be created.
C. The lookup file must be uploaded to Splunk.
D. The lookup file must be verified using the inputlookup
command. BC

A. Zoom to selection: Narrows the time range and re-

executes the search.
B. Zoom to selection: Narrows the time range and doesn't
re-executes the search.
C. Format Timeline: Hides or shows the timeline in different
views.
D. Zoom-Out: Expands the time focus and doesn't re-
executes the search.
E. Zoom-out: Expands the time focus and re-executes the
search. ACE

A. No
B. Yes A
A. App, Owner, Severity, and Type
B. App, Owner, Priority, and Status
C. App, Dashboard, Severity, and Type
D. App, Time Window, Type, and Severity A
A. lookup
B. csvlookup
C. inputlookup
D. outputlookup C
A. action
B. clientip
C. categoryId
D. sourcetype D
A. Can be accessed by Apps > Search & Reporting.
B. Provides default interface for searching and analyzing
logs.
C. Enables the user to create knowledge object, reports,
alerts and dashboards.
D. It only gives us search functionality. ABC
A. In chronological order.
B. Randomly by default.
C. In reverse chronological order.
D. Alphabetically according to field name. C

A. Lookup fields cannot be used in searches.

B. Lookups contain static data available in the index.
C. Lookups add more fields to results returned by a search.
D. Lookups pull data at index time and add them to search
results. C

A. To group the results by one or more fields.

B. To compute numerical statistics on each field.
C. To specify how the values in a list are delimited.
D. To partition the input data based on the split-by fields. A
A. True
B. False A
A. False
B. True B
A. Splunk only extracts the most interesting data from the
last 24 hours.
B. Splunk only extracts fields users have manually specified
in their data.
C. Splunk automatically extracts any fields that generate
interesting visualizations.
D. Splunk automatically discovers many fields based on
sourcetype and key/value pairs found in the data. D

A. Yes
B. No B
A. _time and host
B. _time and index
C. host and sourcetype
D. index and sourcetype B
A. The value of the field
B. The number of values for the field
C. The number of unique values for the field
D. The numeric non-unique values of the field C
A. Index
B. Search Head
C. Indexer
D. Forwarder C
A. All events that either have a host of www3 or a status of
503.
B. All events with a host of www3 that also have a status of
503.
C. We need more information; we cannot tell without
knowing the time range.
D. We need more information; a search cannot be run
without specifying an index. B
A. time
B. _time
C. EventTime
D. timestamp B
A. An app
B. JSON
C. A role
D. An enhanced solution A
A. Returns the least common field values of a given field in
the results.
B. Returns the most common field values of a given field in
the results.
C. Returns the top 10 field values of a given field in the
results.
D. Returns the lowest 10 field values of a given field in the
results. A
A. Preset - Relative: 30-seconds ago
B. Relative - Earliest: 30-seconds ago, Latest: Now
C. Real-time - Earliest: 30-seconds ago, Latest: Now
D. Advanced - Earliest: 30-seconds ago, Latest: Now C
A. The lookup must be configured to run automatically.
B. The contents of the lookup file must be copied and
pasted into the search bar.
C. The lookup file must be uploaded to Splunk and a lookup
definition must be created.
D. The lookup file must be uploaded to the etc/apps/lookups
folder for automatic ingestion. C
A. Auto-detect changes in performance.
B. Auto-generated PDF reports of overall data trends.
C. Regularly scheduled archiving to keep disk space use
low.
D. Triggering an alert in your Splunk instance when certain
conditions are met. D
A. True
B. False A
A. Zoom to selection
B. Format Timeline
C. Deselect
D. Delete
E. Zoom Out ABCE
A. #
B. %
C. a
D. a# C
A. Review Splunk reports
B. Run ./splunk show
C. Click Data Summary in Splunk Web
D. Search index=* sourcetype=* host=* C
A. Table
B. Raw
C. Pie Chart
D. List ABD
A. None of the above
B. Indexing Phase
C. Parsing Phase
D. Input Phase
E. License Metering D

A. When Splunk encounters a syntax error in a search

B. When a trigger action meets the predefined conditions
C. When an event in a search matches up with a data model
D. When results of a search meet a specifically defined
condition D
A. Only HF
B. No
C. Yes C
A. Yes
B. No B
A. False
B. True B
A. Forwarders
B. Deployment Server
C. Indexer
D. Knowledge Objects
E. Index
F. Search Head ACF
A. Designed to cater numerous use cases and empower
Splunk.
B. We can not install Splunk App.
C. Allows multiple workspaces for different use cases/user
roles.
D. It is collection of different Splunk config files like data
inputs, UI and Knowledge Object. ACD
A. Search Head
B. Heavy Forwarder
C. Indexer
D. Universal Forwarder C
A. Index=Security
B. index=Security
C. Index=security
D. index!=Security B
A. Yes
B. No A

A. Yes
B. No A
A. No
B. Yes B
A. Indexing
B. Searching
C. Parsing
D. Settings
E. Input ACE
A. Yes
B. No B
A. True
B. False A
A. False
B. True B
A. Splunk User Behavior Analytics (UBA)
B. Splunk IT Service Intelligence (ITSI)
C. Splunk Enterprise Security (ES)
D. Splunk Analytics Security (AS) ABC
A. True
B. False A
A. False
B. True B
A. False
B. True B
A. =
B. >
C. !
D. * D
A. ASCII Character order.
B. Reverse chronological order.
C. Alphanumeric order.
D. Chronological order. B

A. Only A, B
B. Router and Switch Logs
C. Firewall and Web Server Logs
D. Only C
E. Database logs
F. All firewall, web server, database, router and switch logs F
A. Splunk Enterprise Security Suite
B. Searching and Reporting
C. Reporting and Searching
D. Splunk apps for Security B
A. Index Forwarders (IF)
B. Universal Forwarders (UF)
C. Super Forwarder (SF)
D. Heavy Forwarders (HF) D
A. Forwarders
B. Indexer
C. Heavy Forwarders
D. Search head D
A. Once a search job begins, it cannot be stopped
B. A search job can only be paused when less than 50% of
events are returned
C. A search job can only be stopped when less than 50% of
events are returned
D. Once a search job begins, it can be stopped or paused at
any point in time D
A. "failed password"
B. "failed password"*
C. index=* "failed password"
D. index=security "failed password" D
A. top
B. stats
C. table
D. percent A
A. f*il
B. *fail
C. fail*
D. *fail* C
A. To sort field values in descending order.
B. To return only fields containing five of fewer values.
C. To find the least common values of a field in a dataset.
D. To find the fields with the fewest number of values across
a dataset. C
A. To differentiate between structured and unstructured
events in the data.
B. To sort the events returned by the search command in
chronological order.
C. To zoom in and zoom out, although this does not change
the scale of the chart.
D. To show peaks and/or valleys in the timeline, which can
indicate spikes in activity or downtime. D
A. user
B. source
C. location
D. sourceIp B
A. Any search can be saved as a report.
B. Only searches that generate visualizations.
C. Only searches containing a transforming command.
D. Only searches that generate statistics or visualizations. A
A. Indexer
B. Parsing
C. Heavy Forwarder
D. Input A
A. Parsing
B. Masking
C. Searching
D. Forwarding ABD
A. Parentheses
B. @ or # symbols
C. Quotation marks
D. Relational operators such as =, <, or > D
A. 3
B. 2
C. 4
D. 1 A
A. action+purchase
B. action=purchase
C. action | purchase
D. action equal purchase B
A. No
B. Yes B
A. True
B. False B
A. _raw
B. host
C. _host
D. index A
A. Only continuous monitoring.
B. Only One-time monitoring.
C. None of the above.
D. Both One-time and continuous monitoring. D
A. The owner of the report can edit permissions from the
Edit dropdown.
B. Only users with an Admin or Power User role can access
other users' reports.
C. Anyone can access any reports marked as public within a
shared Splunk deployment.
D. The owner of the report must clone the original report
and save it to their user account. A
A. Export the result to CSV format.
B. Add the Job results to a dashboard.
C. Schedule the Job to re-run in 10 minutes.
D. Change Job Lifetime from 10 minutes to 7 days. D
A. Automatically correlates related fields.
B. Converts field values into numerical values.
C. Calculates statistics on data that matches the search
criteria.
D. Analyzes numerical fields for their ability to predict
another discrete field. C
A. A field that appears in any event.
B. A field that appears in every event.
C. A field that appears in the top 10 events.
D. A field that appears in at least 20% of the events. D
A. count, sum, add
B. count, sum, less
C. sum, avg, values
D. sum, values, table C
A. A number to the right of the field name.
B. A # symbol to the left of the field name.
C. A lowercase n to the left of the field name.
D. A lowercase n to the right of the field name. B
A. Reports are best named using many numbers so they can
be more easily sorted.
B. Use a consistent naming convention so they are easily
separated by characteristics such as group and object.
C. Name reports as uniquely as possible with no overlap to
differentiate them from one another.
D. Any naming convention is fine as long as you keep an
external spreadsheet to keep track. B
A. False
B. True B
A. the_questionnaire _pedia
B. the_questionnaire pedia
C. the_questionnaire_pedia
D. the_questionnaire Pedia C

A. $SPLUNK_HOME/bin/scripts
B. $SPLUNK_HOME/etc/scripts
C. $SPLUNK_HOME/bin/etc/scripts
D. $SPLUNK_HOME/etc/scripts/bin A
A. OR
B. NOT
C. AND
D. XOR C
A. After saving the report, click Schedule.
B. After saving the report, click Event Type.
C. After saving the report, click Scheduling.
D. After saving the report, click Dashboard Panel. A

A. |
B. $
C. !
D. , D

A. h
B. day
C. mon
D. yr
E. y
F. w
G. week
H. d
I. s
J. m ACEFHIJ
A. | lookup products.csv
B. inputlookup products.csv
C. | inputlookup products.csv
D. | lookup_definition products.csv C
A. No
B. Yes B
A. Search term
B. Command
C. Pipe
D. Functions
E. Arguments
F. Clause ABCDEF
A. Props
B. CLI
C. Splunk Web
D. savedsearches.conf
E. Splunk apps and add-ons
F. indexes.conf
G. inputs.conf
H. metadata.conf BCEG
A. No
B. Yes B
A - ASCII Character order
B - Reverse chronological order
C - Alphanumeric order
D - Chronological order CD
A - inputlookup
B - lookup
C - outputlookup
D - csvlookup B
A - Drills down for that value
B - Highlights the field value across the chart
C - Adds the highlighted value to the search criteria
D - WTF is SEGMENT?? C

A - 1>2>3
B - 3>2>1
C - 2>3>1
D - 2>1>3 C
A - Dev
B - Stdev
C - Count deviation
D - By standarddev B
A - It returns the count and percent columns per row
B - It displays the output in table format
C - It returns the count and percent columns per column
D - It returns the top 10 results ABD

A - True
B - False B
A - Input field
B - At least five columns
C - Timestamp
D - Source type A
A - True
B - False A
A - count
B - distinct_count
C - dc
D - sum
E - avg
F - list
G - values ABCDEFG
A - Both of the answers
B - Returns the contents of a file named products.csv
C - Writes search results to a file named products.csv C
A - admin
B - power
C - user AB
A - True
B - False A
A - As
B - Rex
C - By
D - List B
A - Statistical values
B - A list of events
C - All of the answer stated here
D - Transactions A
A - search head
B - indexers
C - forwarders B
A - Fields(X)
B - Eval by (X)
C - Values(X)
D - Median(X) D
A - Sourcetype=access_* | max(bytes)
B - Sourcetype=access_* | stats max(bytes)
C - Sourcetype=access_* | avg(bytes)
D - Sourcetype=access_* | maximum totals by bytes B
A - Chronological
B - Alphabetical
C - Reverse chronological
D - ASCIE AB
field name is case sensitive not values
When using a panel from a report, you cannot
modify the search string in the panel, but you can
change and configure the visualization. If the
report search changes, the panel using that report
updates accordingly.
* earliest=-24h latest=now | stats count (searches
the default index only)
If you want the event count for specific search try
this:
[your splunk search] earliest=-24h latest=now|
stats count
The "Forward" option in Splunk is used to forward
data from a forwarder to an indexer or another
forwarder. The forwarder sends data over a
network connection to the indexer, which then
indexes the data and makes it available for search
and analysis.

By default, everyone has read access and power

user have write access to the aler
Top values
Top values by time
Rare values
Events with this field for field that has "a" in the
front
and the fields that have "#" in the front will be
Top values
Top values by time
Rare values
Events with this field
Average over time
Maximum value over time
Minimum value over time
Returns the count of distinct values of the field X.
This function processes field values as strings. To
use this function, you can specify distinct_count(X),
or the abbreviation dc(X).

limit, showperc, countfield are valid options for Top

both Ctrl + \ AND Shift + ENTER.

DESCRIBE gives you a list of columns in the table

or view, along with its resulting datatypes, lengths,
and nullability. If you need to know more, such as
whether a column has a default value, you will
need to query the data dictionary directly.
csv, json, xml.

Boolean and command modifiers : Orange

"Scheduled reports and alerts can only run as
Owner. If you share a report so that it runs as User
and then schedule that report, its permissions
change to run as Owner."
Check:
https://docs.splunk.com/Documentation/Splunk/
7.2.6/Report/Managereportpermissions
If the report search changes, the panel using that
report updates accordingly
by clause returns a count for each value of a
named field or set of fields

such as _time and _raw

A scheduled report is a report that runs on a
scheduled interval, and which can trigger an action
each time it runs
Parsing phase handled by indexers or heavy
forwarders (HF).
The License Meter runs on the Indexer after
Parsing and before Indexing.
Input
Parsing
Indexing
The script or batch file that an alert triggers must
be at either of the following locations:
$SPLUNK_HOME/bin/scripts
$SPLUNK_HOME/etc/apps/<AppName>/bin/scripts

List of fields to sort by and the sort order. Use a

minus sign (-) for descending order and a plus sign
(+) for ascending order. When specifying more
than one field, separate the field names with
commas

page 64 in PDF: s, m, h, d, w, mon, y https://docs.splunk.com/Documentation/Splunk

序号 題目

How can search results be kept longer than 7 days?

1

In a deployment with multiple indexes, what will

happen when a search is run and an index is not
2 specified in the search string?

3 The better way of writing search query for index is:

Selected fields are a set of configurable fields
4 displayed for each event.

5 What is Splunk?

6 NOT status = 100:

When placed early in a search, which command is

7 most effective at reducing search execution time?

When looking at a statistics table, what is one way

8 to drill down to see the underlying events?

Which of the following is a best practice when

9 writing a search string?

Which search would return events from the

10 access_combined sourcetype?

How do you add or remove fields from search

11 results?
Splunk Enterprise is used as a Scalable service in
12 Splunk Cloud.
 Which of the following is true about user account
13 settings and preferences?

Which search matches the events containing the

14 terms `error` and `fail`?

By default, how long does Splunk retain a search

15 job?

Which search string only returns events from

16 hostWWW3?

In the Search and Reporting app, which is a default

17 selected field?

Keywords are highlighted when you mouse over

search results and you can click this search result
18 to (Choose three.):

You can use the following options to specify start

19 and end time for the query range:

What can be included in the All Fields option in the

20 sidebar?

What does the following specified time range do?

21 earliest=-72h@h latest=@d

Which of the following is the recommended way to

create multiple dashboards displaying data from
22 the same search?
 Which search string returns a filed containing the
number of matching events and names that field
23 Event Count?

Which of the following is the most efficient filter for

24 running searches in Splunk?

Which of the following searches will return results

25 where fail, 400, and error exist in every event?

What is the main requirement for creating

26 visualizations using the Splunk UI?

What does the values function of the stats

27 command do?

By default, which of the following fields would be

28 listed in the fields sidebar under interesting Fields?

What is one benefit of creating dashboard panels

29 from reports?

30 Which statement is true about Splunk alerts?

Data summary button just below the search bar

31 gives you the following (Choose three.):

When using the top command in the following

search, which of the following will be true about the
results? index="main" sourcetype="access_*"
action="purchase" | top 3 statusCode by user
32 showperc=f countfield=status_code_count
 When refining search results, what is the difference
in the time picker between real-time and relative
33 time ranges?

When editing a dashboard, which of the following

34 are possible options? (Choose all that apply.)

Assuming a user has the capability to edit reports,

35 which of the following are editable?

Which of the following index searches would

36 provide the most efficient search performance?

37 Can you stop or pause the searching?

You can also specify a time range in the search bar.

You can use the following for beginning and ending
38 for a time range (Choose two.):

39 Which symbol is used to snap the time?

Splunk Parses data into individual events, extracts
40 time, and assigns metadata.
You are able to create new Index in Data Input
41 settings.

42 What will always appear in the Selected Fields list?

In the Search and Reporting app, which tab

43 displays timecharts and bar charts?
Fields are searchable key value pairs in your event
44 data.

Select the best options for "search best practices"

45 in Splunk:(Choose five.)
46 Query - status != 100:

47 != and NOT are same arguments.

Field names are case sensitive and field value are
48 not.

49 How to make Interesting field into a selected field?

Interesting fields are the fields that have at least
50 20% of resulting fields.

Which of the following is the appropriately

51 formatted SPL search?

What is the result of the following search?

52 index=myindex source=c:\mydata.txt NOT error=*

The four types of Lookups that Splunk provides out-

of-the-box are External, KV Store, Geospatial and
53 which of the following?

What is the default lifetime of every Splunk search

54 job?

Which statement describes field discovery at

55 search time?

56 What are the three main Splunk components?

How can results from a specified static lookup file

57 be displayed?
 Which of the following is the best way to create a
58 report that shows the last 24 hours of events?

When is the pipe character, |, used in search

59 strings?

Which of the following is a metadata field assigned

60 to every event in Splunk?

Which of the following is a correct way to limit

search results to display the 5 most common
61 values of a field?

Which command will rename action to Customer

62 Action?

What is the correct way to use a time range

specifier in the search bar so that the search looks
63 back 2 hours?
Events in Splunk are automatically segregated
64 using data and time.

The new data uploaded in Splunk are shown in

65 ________________.
@ Symbol can be used in advanced time unit
66 option.

67 What is Search Assistant in Splunk?

The default host name used in Inputs general
68 settings can not be changed.
Matching of parentheses is a feature of Splunk
69 Assistant.

70 Every Search in Splunk is also called _____________.

71 Matching search terms are highlighted.

Forward Option gather and forward data to
indexers over a receiving port from remote
72 machines.
All components are installed and administered in
73 Splunk Enterprise on-premise.
74 Which of the following is the most efficient search?

By default, which role contains the minimum

permissions required to have write access to
75 Splunk alerts?

Following are the time selection option while

76 making search:(Choose all that apply.)

When saving a search directly to a dashboard panel

instead of saving as a report first, which of the
77 following is created?

Which of the following reports is available in the

78 Fields window?

When viewing results of a search job from the

79 Activity menu, which of the following is displayed?

In monitor option you can select the following

80 options in GUI.

What happens when a field is added to the

81 Selected Fields list in the fields sidebar?
A SOC manager is complaining that a scheduled
alert for failed login attempts triggered 150 emails.
They still want to be alerted of failed logins via
email, but they want less volume of alerts. Which of
the following would resolve this for the SOC
82 manager?

A field exists in search results, but isn't being

displayed in the fields sidebar.
83 How can it be added to the fields sidebar?
 Which stats command function provides a count of
how many unique values exist for a given field in
84 the result set?

After running a search, what effect does clicking

85 and dragging across the timeline have?

Which of the following is an option after clicking an

86 item in search results?

Which of the following statements about case

87 sensitivity is true?

What is the correct syntax to count the number of

88 events containing a vendor_action field?

Which of the following are common constraints of

89 the top command?

______________ is the default web port used by

90 Splunk.

Put query into separate lines where | (Pipes) are

91 used by selecting following options.

92 Which statement is true about the top command?

93 You can change the App context in Input setting.

Which three statements are true about the

94 DESCRIBE command? (Choose three.)

Which search matches the events containing the

95 terms "error" and "fail"?
 Which of the following file types is an option for
96 exporting Splunk search results?

Which search will return only events containing the

word `error` and display the results as a table that
97 includes the fields named action, src, and dest?

Select the statements that are true for timeline in

98 Splunk (Choose four.):

Which of the following represents the Splunk

99 recommended naming convention for dashboards?

When writing searches in Splunk, which of the

100 following is true about Booleans?

Which of the following searches would return

events with failure in index netfw or warn or critical
101 in index netops?
Select the answer that displays the accurate
placing of the pipe in the following search string:
index=security sourcetype=access_* status=200
102 stats count by price

When running searches, command modifiers in the

103 search string are displayed in what color?

Which of the following constraints can be used with

104 the top command?

There are three different search modes in Splunk

105 (Choose three.):

What determines the scope of data that appears in

106 a scheduled report?
Documentations for Splunk can be found at
107 docs.splunk.com
 Which search will return the 15 least common field
108 values for the dest_ip field?

Which of the statements is correct regarding click

109 and drag option in timeline?

Which search string matches only events with the

110 status_code of 404?

When displaying results of a search, which of the

111 following is true about line charts?
We should use heavy forwarder for sending event-
112 based data to Indexers.

What user interface component allows for time

113 selection?

114 How many main user roles do you have in Splunk?

When a Splunk search generates calculated data

that appears in the Statistics tab, in what formats
115 can the results be exported?

When looking at a dashboard panel that is based

116 on a report, which of the following is true?

Which of the following is a Splunk search best

117 practice?

Which of the following Splunk components typically

118 resides on the machines where data originates?

What must be done before an automatic lookup can

119 be created? (Choose all that apply.)
 Which of the statements are correct? (Choose
120 three.)
Beginning parentheses is automatically highlighted
to guide you on the presence of complimenting
121 parentheses.

In the Splunk interface, the list of alerts can be

122 filtered based on which characteristics?

Which command is used to review the contents of a

123 specified static lookup file?

By default, which of the following is a Selected

124 Field?

Which of the following statements are correct about

125 Search & Reporting App? (Choose three.)

How are events displayed after a search is

126 executed?

127 Which of the following describes lookup files?

What is the purpose of using a by clause with the

128 stats command?

Splunk internal fields contains general information

129 about events and starts from underscore i.e. _ .
Portal for Splunk apps can be accessed through
130 www.splunkbase.com

How does Splunk determine which fields to extract

131 from data?
 Will the queries following below get the same
result?
1. index=log sourcetype=error_log status !=100
2. index=log sourcetype=error_log NOT status
132 =100

133 What are the two most efficient search filters?

In the Fields sidebar, what does the number

134 directly to the right of the field name indicate?

_______________ transforms raw data into events and

135 distributes the results into an index.

Which events will be returned by the following

136 search string? host=www3 status=503

At index time, in which field does Splunk store the

137 timestamp value?

A collection of items containing things such as data

inputs, UI elements, and knowledge objects is
138 known as what?

139 What does the rare command do?

Which time range picker configuration would return

140 real-time events for the past 30 seconds?

What must be done in order to use a lookup table

141 in Splunk?

142 What is a primary function of a scheduled report?

 Splunk extracts fields from event data at index
143 time and at search time.

What options do you get after selecting timeline?

144 (Choose four.)

In the fields sidebar, which character denotes

145 alphanumeric field values?

What is a quick, comprehensive way to learn what

146 data is present in a Splunk deployment?

You can view the search result in following format

147 (Choose three.):

148 Data sources being opened and read applies to:

149 When is an alert triggered?

150 Parsing of data can happen both in HF and Indexer.

151 Upload option creates inputs.conf

Universal forwarder is recommended for forwarding
152 the logs to indexers.

Three basic components of Splunk are (Choose

153 three.):

154 Splunk apps are used for following (Choose three.):

Which component of Splunk is primarily responsible

155 for saving data?
 Which Field/Value pair will return only events found
156 in the index named security?
Snapping rounds down to the nearest specified
157 unit.

At the time of searching the start time is 03:35:08.

Will it look back to 03:00:00 if we use -30m@h in
158 searching?
Search Assistant is enabled by default in the SPL
159 editor with compact settings.

Select the correct option that applies to Index time

160 processing (Choose three.).

161 Parsing of data can happen both in HF and UF.

Splunk indexes the data on the basis of
162 timestamps.
Fields are searchable name and value pairings that
163 differentiates one event from another.

Which of the following are Splunk premium

164 enhanced solutions? (Choose three.)

165 Field names are case sensitive.

Machine data can be in structured and
166 unstructured format.

167 Prefix wildcards might cause performance issues.

Which of the following can be used as wildcard

168 search in Splunk?

169 Splunk shows data in __________________.

170 What kind of logs can Splunk Index?

171 Which is the default app for Splunk Enterprise?

 Log filtering/parsing can be done from
172 _____________.

Which component of Splunk let us write SPL query

173 to find the required data?

Which of the following statements describes a

174 search job?

175 Which search string is the most efficient?

Which command automatically returns percent and

176 count columns when executing searches?

According to Splunk best practices, which

placement of the wildcard results in the most
177 efficient search?

178 What is the primary use for the rare command?

Which is primary function of the timeline located

179 under the search bar?

Which of the following fields is stored with the

180 events in the index?

181 What type of search can be saved as a report?

182 Where does Licensing meter happen?

 Which of the statements are correct about HF?
183 (Choose three.)

What syntax is used to link key/value pairs in

184 search strings?

Splunk index time process can be broken down into

185 __________ phases.

What syntax is used to link key/value pairs in

186 search strings?

187 License Meter runs before data compression.

188 Field values are case sensitive.

189 Which of the following is a Splunk internal field?

Monitor option in Add Data provides

190 _______________.

How can another user gain access to a saved

191 report?

What can be configured using the Edit Job Settings

192 menu?

193 What does the stats command do?

When viewing the results of a search, what is an

194 Interesting Field?

Which of the following are functions of the stats

195 command?
 In the fields sidebar, what indicates that a field is
196 numeric?

What is a suggested Splunk best practice for

197 naming reports?
Splunk automatically determines the source type
198 for major data types.

What result will you get with following search

199 index=test sourcetype="The_Questionnaire_P*" ?
When an alert action is configured to run a script,
Splunk must be able to locate the script.
Which is one of the directories Splunk will look in to
200 find the script?

Which Boolean operator is always implied between

201 two search terms, unless otherwise specified?

202 What are the steps to schedule a report?

When sorting on multiple fields with the sort

command, what delimiter can be used between the
203 field names in the search?

Which all time unit abbreviations can you include in

204 Advanced time range picker? (Choose seven.)

205 Which command is used to validate a lookup file?

Uploading local files though Upload options index
206 the file only once.
 Search Language Syntax in Splunk can be broken
down into the following components. (Choose all
207 that apply.)

You can on-board data to Splunk using following

208 means (Choose four.):
Zoom Out and Zoom to Selection re-executes the
209 search.

By default search results are not returned in

210 ________.

Use this command to use lookup fields in a search

211 and see the lookup fields in the field sidebar.

212 Clicking a SEGMENT on a chart, ________.

What is the correct order of steps for creating a
new lookup?
1. Configure the lookup to run automatically
2. Create the lookup table
213 3. Define the lookup

This function of the stats command allows you to

214 return the sample standard deviation of a field.

Which statement is true about the top command

215 (Choose all.)?
It is no possible for a single instance of Splunk to
manage the input, parsing and indexing of machine
216 data.

It is mandatory for the lookup file to have this for

217 an automatic lookup to work.

218 Lookups allow you to overwrite your raw event.

 Which of the following are functions of the stats
219 command(Choose all correct answers)?
The command shown here does witch of the
following:
220 | outputlookup products.csv

221 These users can create global knowledge objects.

This search will return 20 results.
222 SEARCH: error | top host limit = 20

This clause is used to group the output of a stats

223 command by a specific name.

When a search returns __________, you can view the

224 results as a list.

Which of the following are responsible for reducing

225 search results?

This function of the stats command allows you to

226 return the middle-most value of field X.

Which of the following commands will show the

227 maximum bytes?

By default search results are not returned in

228 ________ order.
选项
A. By scheduling a report.
B. By creating a link to the job.
C. By changing the job settings.
D. By changing the time range picker to more than 7 days.
A. No events will be returned.
B. Splunk will prompt you to specify an index.
C. All non-indexed events to which the user has access will be returned.
D. Events from every index searched by default to which the user has access
will be returned.
A. index=a index=b
B. (index=a OR index=b)
C. index=(a & b)
D. index = a, b
A. True
B. False
A. Splunk is a software platform to search, analyze and visualize the machine-
generated data.
B. Database management tool.
C. Security Information and Event Management (SIEM).
D. Cloud based application that help in analyzing logs.
A. Will display result depending on the data.
B. Will return event where status field exist but value of that field is not 100.
C. Will return event where status field exist but value of that field is not 100
and all events where status field doesn't exist.
A. dedup
B. rename
C. sort -
D. fields +
A. Creating a pivot table.
B. Clicking on the visualizations tab.
C. Viewing your report in a dashboard.
D. Clicking on any field value in the table.
A. Include all formatting commands before any search terms.
B. Include at least one function as this is a search requirement.
C. Include the search terms at the beginning of the search string.
D. Avoid using formatting clauses, as they add too much overhead.
A. Sourcetype=access_combined
B. Sourcetype=Access_Combined
C. sourcetype=Access_Combined
D. SOURCETYPE=access_combined
A. Use field +to add and field -to remove.
B. Use table +to add and table -to remove.
C. Use fields +to add and fields -to remove.
D. Use fields Plus to add and fields Minus to remove.
A. True
B. False
A. Search & Reporting is the only app that can be set as the default
application.
B. Full names can only be changed by accounts with a Power User or Admin
role.
C. Time zones are automatically updated based on the setting of the computer
accessing Splunk.
D. Full name, time zone, and default app can be defined by clicking the login
name in the Splunk bar.
A. index=security Error Fail
B. index=security error OR fail
C. index=security "error failure"
D. index=security NOT error NOT fail
A. 10 Minutes
B. 15 Minutes
C. 1 Day
D. 7 Days
A. host=*
B. host=WWW3
C. host=WWW*
D. Host=WWW3
A. index
B. host
C. _time
D. action
A. Open new search.
B. Exclude the item from search.
C. None of the above.
D. Add the item to search.
A. earliest=
B. latest=
C. beginning=
D. ending=
E. All the above
F. Only 3rd and 4th
A. Dashboards
B. Metadata only
C. Non-interesting fields
D. Field descriptions
A. Look back 3 days ago and prior.
B. Look back 72 hours, up to one day ago.
C. Look back 72 hours, up to the end of today.
D. Look back from 3 days ago, up to the beginning of today.

A. Save the search as a report and use it in multiple dashboards as needed.

B. Save the search as a dashboard panel for each dashboard that needs the
data.
C. Save the search as a scheduled alert and use it in multiple dashboards as
needed.
D. Export the results of the search to an XML file and use the file as the basis
of the dashboards.
A. index=security failure | stats sum as "Event Count"
B. index=security failure | stats count as "Event Count"
C. index=security failure | stats count by "Event Count"
D. index=security failure | stats dc(count) as "Event Count"
A. Time
B. Fast mode
C. Sourcetype
D. Selected Fields
A. error AND (fail AND 400)
B. error OR (fail and 400)
C. error AND (fail OR 400)
D. error OR fail OR 400
A. Your search must transform event data into Excel file format first.
B. Your search must transform event data into XML formatted data first.
C. Your search must transform event data into statistical data tables first.
D. Your search must transform event data into JSON formatted data first.
A. Lists all values of a given field.
B. Lists unique values of a given field.
C. Returns a count of unique values for a given field.
D. Returns the number of events that match the search.
A. host
B. index
C. source
D. sourcetype
A. Any newly created dashboard will include that report.
B. There are no benefits to creating dashboard panels from reports.
C. It makes the dashboard more efficient because it only has to run one search
string.
D. Any change to the underlying report will affect every dashboard that utilizes
that report.

A. Alerts are based on searches that are either run on a scheduled interval or
in real-time.
B. Alerts are based on searches and when triggered will only send an email
notification.
C. Alerts are based on searches and require cron to run on scheduled interval.
D. Alerts are based on searches that are run exclusively as real-time.
A. Hosts
B. Sourcetypes
C. Sources
D. Indexes
A. The percentage field will be displayed in the results.
B. The top three most common values in statusCode will be displayed for each
user.
C. The search will fail. The proper top command format is top limit=3 instead
of top 3.
D. Only the top three overall most common values in statusCode will be
displayed.
A. Real-time searches display results from a rolling time window, while relative
searches display results from a set length of time.
B. Real-time searches happen instantly, while relative searches happen at a
scheduled time.
C. Real-time represents events that have happened in a set time window, while
relative will display results from a rolling time window.
D. Real-time searches run constantly in the background, while relative
searches only run when certain criteria are met.
A. Add an output.
B. Export a dashboard panel.
C. Modify the chart type displayed in a dashboard panel.
D. Drag a dashboard panel to a different location on the dashboard.
A. Acceleration, schedule, permissions
B. The report's name, schedule, permissions
C. The report's name, acceleration, schedule
D. The report's name, acceleration, permissions
A. index=*
B. index=web OR index=s*
C. (index=web OR index=sales)
D. *index=sales AND index=web*
A. No
B. Yes
A. Not possible to specify time manually in Search query
B. end=
C. start=
D. earliest=
E. latest=
A. @
B. &
C. *
D. #
A. False
B. True
A. No
B. Yes
A. index
B. action
C. clientip
D. sourcetype
A. Events
B. Patterns
C. Statistics
D. Visualization
A. True
B. False
A. Select the time range always.
B. Try to specify index values.
C. Include as many search terms as possible.
D. Never select time range.
E. Try to use * with every search term.
F. Inclusion is generally better than exclusion.
G. Try to keep specific search terms.
A. Will return event where status field exist but value of that field is not 100.
B. Will return event where status field exist but value of that field is not 100
and all events where status field doesn't exist.
C. Will get different results depending on data.
A. True
B. False
A. True
B. False

A. Click field in field sidebar -> click YES on the pop-up dialog on upper right
side -> check now field should be visible in the list of selected fields.
B. Not possible.
C. Only CLI changes will enable it.
D. Click Settings -> Find field option -> Drop down select field -> enable
selected field -> check now field should be visible in the list of selected fields.
A. True
B. False
A. index=security sourcetype=linux_secure (invalid OR failed) | count as
"Potential Issues"
B. index=security sourcetype=linux_secure (invalid OR failed) | stats count as
"Potential Issues"
C. index=security sourcetype=linux_secure (invalid OR failed) | count stats as
"Potential Issues"
D. index=security sourcetype=linux_secure (invalid OR failed) | stats as
"Potential Issues"
A. Only data where the value of the field error does not equal an asterisk (*)
will be displayed.
B. Only data that does not contain the error field will be displayed.
C. Only data with a value in the field error will be displayed.
D. Only data where the error field is present and does not contain a value will
be displayed.
A. Correlated
B. Total
C. Segmented
D. File-based
A. All search jobs are saved for 10 days
B. All search jobs are saved for 10 hours
C. All search jobs are saved for 10 weeks
D. All search jobs are saved for 10 minutes
A. Splunk automatically discovers only numeric fields
B. Splunk automatically discovers only alphanumeric fields
C. Splunk automatically discovers only manually configured fields
D. Splunk automatically discovers only fields directly related to the search
results
A. Search head, GPU, streamer
B. Search head, indexer, forwarder
C. Search head, SQL database, forwarder
D. Search head, SSD, heavy weight agent
A. lookup command
B. inputlookup command
C. Settings > Lookups > Input
D. Settings > Lookups > Upload
A. Use earliest=-1d@d latest=@d
B. Set a real-time search over a 24-hour window
C. Use the time range picket to select "Yesterday"
D. Use the time range picker to select "Last 24 hours"
A. Before clauses. For example: stats sum(bytes) | by host
B. Before commands. For example: | stats sum(bytes) by host
C. Before arguments. For example: stats sum| (bytes) by host
D. Before functions. For example: stats |sum(bytes) by host
A. host
B. owner
C. bytes
D. action
A. | rare top=5
B. | top rare=5
C. | top limit=5
D. | rare limit=5
A. | rename action = CustomerAction
B. | rename Action as "Customer Action"
C. | rename Action to "Customer Action"
D. | rename action as "Customer Action"
A. latest=-2h
B. earliest=-2h
C. latest=-2hour@d
D. earliest=-2hour@d
A. Yes
B. No
A. Real-time
B. 10 Minutes
C. Overnight Download
D. 30 Minutes
A. No
B. Yes
A. It is only available to Admins.
B. Such feature does not exist in Splunk.
C. Shows options to complete the search string.
A. False
B. True
A. No
B. Yes
A. None of the above
B. Job
C. Search Only
A. Yes
B. No

A. False
B. True
A. True
B. False
A. index=* "failed password"
B. "failed password" index=*
C. (index=* OR index=security) "failed password"
D. index=security "failed password"
A. Alerting
B. Admin
C. Power
D. User
A. Date & Time Range
B. Advanced
C. Date Range
D. Presets
E. Relative
A. Cloned panel
B. Inline panel
C. Report panel
D. Prebuilt panel
A. Top values by time
B. Rare values by time
C. Events with top value fields
D. Events with rare value fields
A. New events based on the current time range picker
B. The same events based on the current time range picker
C. The same events from when the original search was executed
D. New events in addition to the same events from the original search
A. Only HTTP Event Collector (HEC) and TCP/UDP
B. None of the above
C. Only TCP/UDP
D. Only Scripts
E. Filed & Directories, HTTP Event Collector (HEC), TCP/UDP and Scripts
A. Splunk will re-run the search job in Verbose Mode to prioritize the new
Selected Field.
B. Splunk will highlight related fields as a suggestion to add them to the
Selected Fields list.
C. Custom selections will replace the Interesting Fields that Splunk populated
into the list at search time.
D. The selected field and its corresponding values will appear underneath the
events in the search results.

A. Change the schedule so the alert runs more frequently.

B. Disable the alert entirely.
C. Change the trigger from "For each result" to "Once''.
D. Change the alert action from email to webhook.
A. Click All Fields and select the field to add it to Selected Fields.
B. Click Interesting Fields and select the field to add it to Selected Fields.
C. Click Selected Fields and select the field to add it to Interesting Fields.
D. This scenario isn't possible because all fields returned from a search always
appear in the fields sidebar.
A. dc(field)
B. count(field)
C. count-by(field)
D. distinct-count(field)
A. Executes a new search.
B. Filters current search results.
C. Moves to past or future events.
D. Expands the time range of the search.
A. Saving the item to a report.
B. Adding the item to the search.
C. Adding the item to a dashboard.
D. Saving the Search to a JSON file.
A. Both field names and field values ARE case sensitive.
B. Field names ARE case sensitive; field values are NOT.
C. Field values ARE case sensitive; field names ARE NOT.
D. Both field names and field values ARE NOT case sensitive.
A. count stats vendor_action
B. count stats (vendor_action)
C. stats count (vendor_action)
D. stats vendor_action (count)
A. limit, count
B. limit, showpercent
C. limits, countfield
D. showperc, countfield
A. 8089
B. 8000
C. 8080
D. 443
A. CTRL + Enter
B. Shift + Enter
C. Space + Enter
D. ALT + Enter
A. It returns the top 10 results.
B. It displays the output in table format.
C. It returns the count and percent columns per row.
D. All of the above.
A. No
B. Yes
A. It can be used to display the structure of an existing view
B. It can be used only from SQL*Plus
C. It displays the PRIMARY KEY constraint for any column or columns that have
that constraint
D. It can be used from SQL Developer
E. It displays all constraints that are defined for each column
F. It displays the NOT NULL constraint for any columns that have that
constraint
A. index=security Error Fail
B. index=security error OR fail
C. index=security "error failure"
D. index=security NOT error NOT fail
A. PDF
B. JSON
C. XLS
D. RTF
A. error | table action, src, dest
B. error | tabular action, src, dest
C. error | stats table action, src, dest
D. error | table column=action column=src column=dest
A. Timeline shows distribution of events specified in the time range in the form
of bars.
B. Single click to see the result for particular time period.
C. You can click and drag across the bar for selecting the range.
D. This is default view and you can't make any changes to it.
E. You can hover your mouse for details like total events, time and date.
A. Description_Group_Object
B. Group_Description_Object
C. Group_Object_Description
D. Object_Group_Description
A. They must be lowercase.
B. They must be uppercase.
C. They must be in quotations.
D. They must be in parentheses.
A. (index=netfw failure) AND index=netops warn OR critical
B. (index=netfw failure) OR (index=netops (warn OR critical))
C. (index=netfw failure) AND (index=netops (warn OR critical))
D. (index=netfw failure) OR index=netops OR (warn OR critical)
A. index=security sourcetype=access_* status=200 stats | count by price
B. index=security sourcetype=access_* status=200 | stats count by price
C. index=security sourcetype=access_* status=200 | stats count | by price
D. index=security sourcetype=access_* | status=200 | stats count by price
A. Red
B. Blue
C. Orange
D. Highlighted
A. limit
B. useperc
C. addtotals
D. fieldcount
A. Automatic
B. Smart
C. Fast
D. Verbose
A. All data accessible to the User role will appear in the report.
B. All data accessible to the owner of the report will appear in the report.
C. All data accessible to all users will appear in the report until the next time
the report is run.
D. The owner of the report can configure permissions so that the report uses
either the User role or the owner's profile at run time.
A. True
B. False
A. sourcetype=firewall | rare num=15 dest_ip
B. sourcetype=firewall | rare last=15 dest_ip
C. sourcetype=firewall | rare count=15 dest_ip
D. sourcetype=firewall | rare limit=15 dest_ip
A. The new result after selecting the range by dragging filters the events and
displays the most recent first.
B. There is no functionality like click and drag in Splunk's timeline.
C. Using this option executes a new query.
D. This doesn't execute a new query.
A. status_code!=404
B. status_code>=400
C. status_code<=404
D. status_code>403 status_code<405
A. Line charts are optimal for single and multiple series.
B. Line charts are optimal for single series when using Fast mode.
C. Line charts are optimal for multiple series with 3 or more columns.
D. Line charts are optimal for multiseries searches with at least 2 or more
columns.
A. False
B. True
A. Time summary
B. Time range picker
C. Search time picker
D. Data source time statistics
A. 2
B. 4
C. 1
D. 3
A. CSV, JSON, PDF
B. CSV, XML, JSON
C. Raw Events, XML, JSON
D. Raw Events, CSV, XML, JSON
A. You can modify the search string in the panel, and you can change and
configure the visualization.
B. You can modify the search string in the panel, but you cannot change and
configure the visualization.
C. You cannot modify the search string in the panel, but you can change and
configure the visualization.
D. You cannot modify the search string in the panel, and you cannot change
and configure the visualization.
A. Filter as early as possible.
B. Never specify more than one index.
C. Include as few search terms as possible.
D. Use wildcards to return more search results.
A. Indexer
B. Forwarder
C. Search head
D. Deployment server
A. The lookup command must be used.
B. The lookup definition must be created.
C. The lookup file must be uploaded to Splunk.
D. The lookup file must be verified using the inputlookup command.
A. Zoom to selection: Narrows the time range and re-executes the search.
B. Zoom to selection: Narrows the time range and doesn't re-executes the
search.
C. Format Timeline: Hides or shows the timeline in different views.
D. Zoom-Out: Expands the time focus and doesn't re-executes the search.
E. Zoom-out: Expands the time focus and re-executes the search.

A. No
B. Yes
A. App, Owner, Severity, and Type
B. App, Owner, Priority, and Status
C. App, Dashboard, Severity, and Type
D. App, Time Window, Type, and Severity
A. lookup
B. csvlookup
C. inputlookup
D. outputlookup
A. action
B. clientip
C. categoryId
D. sourcetype
A. Can be accessed by Apps > Search & Reporting.
B. Provides default interface for searching and analyzing logs.
C. Enables the user to create knowledge object, reports, alerts and
dashboards.
D. It only gives us search functionality.
A. In chronological order.
B. Randomly by default.
C. In reverse chronological order.
D. Alphabetically according to field name.
A. Lookup fields cannot be used in searches.
B. Lookups contain static data available in the index.
C. Lookups add more fields to results returned by a search.
D. Lookups pull data at index time and add them to search results.
A. To group the results by one or more fields.
B. To compute numerical statistics on each field.
C. To specify how the values in a list are delimited.
D. To partition the input data based on the split-by fields.

A. True
B. False
A. False
B. True
A. Splunk only extracts the most interesting data from the last 24 hours.
B. Splunk only extracts fields users have manually specified in their data.
C. Splunk automatically extracts any fields that generate interesting
visualizations.
D. Splunk automatically discovers many fields based on sourcetype and
key/value pairs found in the data.
A. Yes
B. No
A. _time and host
B. _time and index
C. host and sourcetype
D. index and sourcetype
A. The value of the field
B. The number of values for the field
C. The number of unique values for the field
D. The numeric non-unique values of the field
A. Index
B. Search Head
C. Indexer
D. Forwarder

A. All events that either have a host of www3 or a status of 503.

B. All events with a host of www3 that also have a status of 503.
C. We need more information; we cannot tell without knowing the time range.
D. We need more information; a search cannot be run without specifying an
index.
A. time
B. _time
C. EventTime
D. timestamp
A. An app
B. JSON
C. A role
D. An enhanced solution
A. Returns the least common field values of a given field in the results.
B. Returns the most common field values of a given field in the results.
C. Returns the top 10 field values of a given field in the results.
D. Returns the lowest 10 field values of a given field in the results.
A. Preset - Relative: 30-seconds ago
B. Relative - Earliest: 30-seconds ago, Latest: Now
C. Real-time - Earliest: 30-seconds ago, Latest: Now
D. Advanced - Earliest: 30-seconds ago, Latest: Now
A. The lookup must be configured to run automatically.
B. The contents of the lookup file must be copied and pasted into the search
bar.
C. The lookup file must be uploaded to Splunk and a lookup definition must be
created.
D. The lookup file must be uploaded to the etc/apps/lookups folder for
automatic ingestion.

A. Auto-detect changes in performance.

B. Auto-generated PDF reports of overall data trends.
C. Regularly scheduled archiving to keep disk space use low.
D. Triggering an alert in your Splunk instance when certain conditions are met.
A. True
B. False
A. Zoom to selection
B. Format Timeline
C. Deselect
D. Delete
E. Zoom Out
A. #
B. %
C. a
D. a#
A. Review Splunk reports
B. Run ./splunk show
C. Click Data Summary in Splunk Web
D. Search index=* sourcetype=* host=*
A. Table
B. Raw
C. Pie Chart
D. List
A. None of the above
B. Indexing Phase
C. Parsing Phase
D. Input Phase
E. License Metering
A. When Splunk encounters a syntax error in a search
B. When a trigger action meets the predefined conditions
C. When an event in a search matches up with a data model
D. When results of a search meet a specifically defined condition
A. Only HF
B. No
C. Yes
A. Yes
B. No
A. False
B. True
A. Forwarders
B. Deployment Server
C. Indexer
D. Knowledge Objects
E. Index
F. Search Head
A. Designed to cater numerous use cases and empower Splunk.
B. We can not install Splunk App.
C. Allows multiple workspaces for different use cases/user roles.
D. It is collection of different Splunk config files like data inputs, UI and
Knowledge Object.
A. Search Head
B. Heavy Forwarder
C. Indexer
D. Universal Forwarder
A. Index=Security
B. index=Security
C. Index=security
D. index!=Security
A. Yes
B. No

A. Yes
B. No
A. No
B. Yes
A. Indexing
B. Searching
C. Parsing
D. Settings
E. Input
A. Yes
B. No
A. True
B. False
A. False
B. True
A. Splunk User Behavior Analytics (UBA)
B. Splunk IT Service Intelligence (ITSI)
C. Splunk Enterprise Security (ES)
D. Splunk Analytics Security (AS)
A. True
B. False
A. False
B. True
A. False
B. True
A. =
B. >
C. !
D. *
A. ASCII Character order.
B. Reverse chronological order.
C. Alphanumeric order.
D. Chronological order.
A. Only A, B
B. Router and Switch Logs
C. Firewall and Web Server Logs
D. Only C
E. Database logs
F. All firewall, web server, database, router and switch logs
A. Splunk Enterprise Security Suite
B. Searching and Reporting
C. Reporting and Searching
D. Splunk apps for Security
A. Index Forwarders (IF)
B. Universal Forwarders (UF)
C. Super Forwarder (SF)
D. Heavy Forwarders (HF)
A. Forwarders
B. Indexer
C. Heavy Forwarders
D. Search head

A. Once a search job begins, it cannot be stopped

B. A search job can only be paused when less than 50% of events are returned
C. A search job can only be stopped when less than 50% of events are
returned
D. Once a search job begins, it can be stopped or paused at any point in time
A. "failed password"
B. "failed password"*
C. index=* "failed password"
D. index=security "failed password"
A. top
B. stats
C. table
D. percent
A. f*il
B. *fail
C. fail*
D. *fail*
A. To sort field values in descending order.
B. To return only fields containing five of fewer values.
C. To find the least common values of a field in a dataset.
D. To find the fields with the fewest number of values across a dataset.

A. To differentiate between structured and unstructured events in the data.

B. To sort the events returned by the search command in chronological order.
C. To zoom in and zoom out, although this does not change the scale of the
chart.
D. To show peaks and/or valleys in the timeline, which can indicate spikes in
activity or downtime.
A. user
B. source
C. location
D. sourceIp
A. Any search can be saved as a report.
B. Only searches that generate visualizations.
C. Only searches containing a transforming command.
D. Only searches that generate statistics or visualizations.
A. Indexer
B. Parsing
C. Heavy Forwarder
D. Input
A. Parsing
B. Masking
C. Searching
D. Forwarding
A. Parentheses
B. @ or # symbols
C. Quotation marks
D. Relational operators such as =, <, or >
A. 3
B. 2
C. 4
D. 1
A. action+purchase
B. action=purchase
C. action | purchase
D. action equal purchase
A. No
B. Yes
A. True
B. False
A. _raw
B. host
C. _host
D. index
A. Only continuous monitoring.
B. Only One-time monitoring.
C. None of the above.
D. Both One-time and continuous monitoring.
A. The owner of the report can edit permissions from the Edit dropdown.
B. Only users with an Admin or Power User role can access other users'
reports.
C. Anyone can access any reports marked as public within a shared Splunk
deployment.
D. The owner of the report must clone the original report and save it to their
user account.
A. Export the result to CSV format.
B. Add the Job results to a dashboard.
C. Schedule the Job to re-run in 10 minutes.
D. Change Job Lifetime from 10 minutes to 7 days.

A. Automatically correlates related fields.

B. Converts field values into numerical values.
C. Calculates statistics on data that matches the search criteria.
D. Analyzes numerical fields for their ability to predict another discrete field.
A. A field that appears in any event.
B. A field that appears in every event.
C. A field that appears in the top 10 events.
D. A field that appears in at least 20% of the events.
A. count, sum, add
B. count, sum, less
C. sum, avg, values
D. sum, values, table
A. A number to the right of the field name.
B. A # symbol to the left of the field name.
C. A lowercase n to the left of the field name.
D. A lowercase n to the right of the field name.
A. Reports are best named using many numbers so they can be more easily
sorted.
B. Use a consistent naming convention so they are easily separated by
characteristics such as group and object.
C. Name reports as uniquely as possible with no overlap to differentiate them
from one another.
D. Any naming convention is fine as long as you keep an external spreadsheet
to keep track.
A. False
B. True
A. the_questionnaire _pedia
B. the_questionnaire pedia
C. the_questionnaire_pedia
D. the_questionnaire Pedia
A. $SPLUNK_HOME/bin/scripts
B. $SPLUNK_HOME/etc/scripts
C. $SPLUNK_HOME/bin/etc/scripts
D. $SPLUNK_HOME/etc/scripts/bin
A. OR
B. NOT
C. AND
D. XOR
A. After saving the report, click Schedule.
B. After saving the report, click Event Type.
C. After saving the report, click Scheduling.
D. After saving the report, click Dashboard Panel.
A. |
B. $
C. !
D. ,

A. h
B. day
C. mon
D. yr
E. y
F. w
G. week
H. d
I. s
J. m
A. | lookup products.csv
B. inputlookup products.csv
C. | inputlookup products.csv
D. | lookup_definition products.csv
A. No
B. Yes
A. Search term
B. Command
C. Pipe
D. Functions
E. Arguments
F. Clause
A. Props
B. CLI
C. Splunk Web
D. savedsearches.conf
E. Splunk apps and add-ons
F. indexes.conf
G. inputs.conf
H. metadata.conf
A. No
B. Yes
A - ASCII Character order
B - Reverse chronological order
C - Alphanumeric order
D - Chronological order
A - inputlookup
B - lookup
C - outputlookup
D - csvlookup
A - Drills down for that value
B - Highlights the field value across the chart
C - Adds the highlighted value to the search criteria
D - WTF is SEGMENT??

A - 1>2>3
B - 3>2>1
C - 2>3>1
D - 2>1>3
A - Dev
B - Stdev
C - Count deviation
D - By standarddev
A - It returns the count and percent columns per row
B - It displays the output in table format
C - It returns the count and percent columns per column
D - It returns the top 10 results

A - True
B - False
A - Input field
B - At least five columns
C - Timestamp
D - Source type
A - True
B - False
A - count
B - distinct_count
C - dc
D - sum
E - avg
F - list
G - values
A - Both of the answers
B - Returns the contents of a file named products.csv
C - Writes search results to a file named products.csv
A - admin
B - power
C - user
A - True
B - False
A - As
B - Rex
C - By
D - List
A - Statistical values
B - A list of events
C - All of the answer stated here
D - Transactions
A - search head
B - indexers
C - forwarders
A - Fields(X)
B - Eval by (X)
C - Values(X)
D - Median(X)
A - Sourcetype=access_* | max(bytes)
B - Sourcetype=access_* | stats max(bytes)
C - Sourcetype=access_* | avg(bytes)
D - Sourcetype=access_* | maximum totals by bytes
A - Chronological
B - Alphabetical
C - Reverse chronological
D - ASCIE
Enter your answer #DIV/0!