Of the following, which is the best description of Splunk?
- Splunk is a log collector.
- Splunk is a business intelligence tool.
- Splunk is operational intelligence that consumes and makes machine data useable and valuable. (Ans)
- Splunk is an alerting tool.
What are the building blocks of a Splunk App?
- Configuration files (Ans)
- Data sources
Where is the best place to get help for Splunk?
- answers.splunk.com (Ans)
What is the primary way in which the timechart command differs from the chart command?
- There is no difference. timechart is just a shortcut for chart with a specified x-axis of _time.
- timechart does not take a span argument. chart does.
- chart forces the x-axis to be _time. timechart does not.
- timechart forces the x-axis to be _time. chart does not. (Ans)
Another way to say | is
- “take the output of the commands before it, then do this with the input.”
- “take the input of the commands before it, then do this with the output.”
- “take the output of the commands before it, then do this with the output.” (Ans)
- “take the output of the commands after it, then do this with the output.”
What is one of the differences between a heavy forwarder and a universal forwarder?
- A universal forwarder is a complete installation of Splunk; a heavy forwarder is a light agent.
- A heavy forwarder is a complete installation of Splunk; a universal forwarder is a light agent. (Ans)
- Heavy forwarders are limited in their functionality, but universal forwarders can do advanced things like route data.
- The only difference is the type of machine you install the forwarder on.
Which search mode will Splunk default to if your search specifies fields?
- Fast (Ans)
What is “the language of Splunk” known as?
- SSL: Splunk Search Language
- SQL: Splunk Query Language
- SPL: Splunk Processing Language (Ans)
- SEL: Splunk Execution Language
The default Splunk forwarding and management ports are, respectively
- 8088, 9998
- 9997, 8089 (Ans)
- 9997, 8087
- 443, 9797
Splunk assigns which three fields as default metadata?
- host, source, sourcetype (Ans)
- host, ip, port
- host, hostname, source
- host, sourcetype, ip
What is the purpose of a lookup?
- Allows you to add custom fields to events from external sources, like csv files. (Ans)
- Allows Splunk to examine semantic knowledge objects.
- Allows users to build custom reports based on data models.
- Keeps a record of all previous searches, so that Splunk can look them up later.
Searches in the search pipeline go from
- general to specific. (Ans)
- specific to general.
- middle out.
- bottom up.
What’s wrong with this search?
host=homework user=* status=failed stats count(status) BY user | rename count(status) as "Number of Failed Logins"
- count is not a stats function.
- You need to have a | before the stats command. (Ans)
- The rename command is invalid because you cannot rename a field to a phrase.
- This search is valid.
Which type of authentication method does Splunk recommend for anything other than a small deployment?
- LDAP/AD (Ans)
The rare function returns ____, while the top function returns ____.
- a visualization with _time on the x axis; a visualization with a specified field on the x axis
- limits; thresholds
- least common values; most common values (Ans)
- top ten common values; top ten uncommon values
The Enterprise Trial license is valid for ____, after which point it will convert to a ____ license.
- 60 days; free (Ans)
- 30 days; limited functionality
- 30 days; free
- 60 days; limited functionality
- require a universal license.
- require an enterprise license.
- do not require a license.
- require a forwarder license. (Ans)
Of the following, which best describes the difference between a tag and an event type?
- There is no difference.
- Tags are more complex knowledge objects than event types.
- Tags are much more powerful than event types, because they can contain multiple fields.
- Event types can contain multiple fields, while tags can only contain one. (Ans)
Which of the following is not one of the four major functions of Splunk?
- Compressing (Ans)
The structure of Splunk configuration files is:
- key=value [stanza]
- [stanza] [sub-stanza]
- [stanza] attribute=value (Ans)
- savedsearch=value [stanza]