SPLK-1001 Splunk Core Certified User Question and Answers

Index=Security

index=Security

Index=security

index!=Security

True

False

error AND (fail AND 400)

error OR (fail and 400)

error AND (fail OR 400)

error OR fail OR 400

Index

Search Head

Indexer

Forwarder

A number to the right of the field name.

A # symbol to the left of the field name.

A lowercase n to the left of the field name.

A lowercase n to the right of the field name.

The owner of the report can edit permissions from the Edit dropdown

Only users with an Admin or Power User role can access other users' reports

Anyone can access any reports marked as public within a shared Splunk deployment

The owner of the report must clone the original report and save it to their user account

True

False

Export the results to CSV format

Add the Job results to a dashboard

Schedule the Job to re-run in 10 minutes

Change Job Lifetime from 10 minutes to 7 days.

Time summary

Time range picker

Search time picker

Data source time statistics

5 minutes

1 minute

10 minutes

60 minutes

No

Yes

Writes search results to a file named products.csv

Returns the contents of a file named products.csv

Built only by Splunk employees.

A collection of files.

Only available for download on Splunkbase.

Available on iOS and Android.

8089

8000

8080

443

users

power users

administrators

False

True

The search will fail. The proper top command format is top limit=3 instead of top 3.

The top three most common values in statusCode will be displayed for each user.

Only the top three overall most common values in statusCode will be displayed.

The percentage field will be displayed in the results.

sourcetype=firewall | rare num=15 dest_ip

sourcetype=firewall | rare last=15 dest_ip

sourcetype=firewall | rare count=15 dest_ip

sourcetype=firewall | rare limit=15 dest_ip

Designed to cater numerous use cases and empower Splunk.

We can not install Splunk App.

Allows multiple workspaces for different use cases/user roles.

It is collection of different Splunk config files like data inputs, UI and Knowledge Object.

False

True

inputlookup

lookup

To sort field values in descending order.

To return only fields containing five of fewer values.

To find the least common values of a field in a dataset.

To find the fields with the fewest number of values across a dataset.

Description_Group_Object

Group_Description_Object

Group_Object_Description

Object_Group_Description

earliest=

latest=

beginning=

ending=

All the above

Only 3rd and 4th

Splunk only extracts the most interesting data from the last 24 hours.

Splunk only extracts fields users have manually specified in their data.

Splunk automatically extracts any fields that generate interesting visualizations.

Splunk automatically discovers many fields based on sourcetype and key/value pairs found in the data.

Sourcetype=access_* |sum bytes by host

Sourcetype=access_* |stats sum(categorylD) by host

Sourcetype=access_* |sum(bytes) by host

Sourcetype=access_* |stats sum by host

host

index

source

sourcetype

a list of events

transactions

statistical values

|

$

!

,

Splunk User Behavior Analytics (UBA)

Splunk IT Service Intelligence (ITSI)

Splunk Enterprise Security (ES)

Splunk Analytics Security (AS)

Once a search job begins, it cannot be stopped

A search job can only be paused when less than 50% of events are returned

A search job can only be stopped when less than 50% of events are returned

Once a search job begins, it can be stopped or paused at any point in time

indexer—index_name

indexer name—index_name

index=index_name

index name=index_name

Zoom to selection

Format Timeline

Deselect

Delete

Zoom Out

Table

Raw

Pie Chart

List

user

source

location

sourcelp

Cloned panel

Inline panel

Report panel

Prebuilt panel

True

False

False

True

dc(field)

count(field)

count-by(field)

distinct-count(field)

Both field names and field values ARE case sensitive.

Field names ARE case sensitive; field values are NOT.

Field values ARE case sensitive; field names ARE NOT.

Both field names and field values ARE NOT case sensitive.

index=security Error Fail

index=security error OR fail

index=security “error failure”

index=security NOT error NOT fail

h

day

mon

yr

y

w

week

Splunk Enterprise Security Suite

Searching and Reporting

Reporting and Searching

Splunk apps for Security

index

action

_time

host

count stats vendor_action

count stats (vendor_action)

stats count (vendor_action)

stats vendor_action (count)

index

action

clientip

sourcetype

They must be lowercase.

They must be uppercase.

They must be in quotations.

They must be in parentheses.

Look back 3 days ago and prior

Look back 72 hours up to one day ago

Look back 72 hours, up to the end of today

Look back from 3 days ago up to the beginning of today

Forwarders

Indexer

Heavy Forwarders

Search head

input

output

Correlated

File-based

Total

Segmented

Time

Fast mode

Sourcetype

Selected Fields

CTRL + Enter

Shift + Enter

Space + Enter

ALT + Enter

Only HF

No

Yes

Source type

At least five columns

Timestamp

Input filed

Add an output.

Export a dashboard panel.

Modify the chart type displayed in a dashboard panel.

Drag a dashboard panel to a different location on the dashboard.

Password

Port number

Username

Data access

True

False

True

False

Yes

No

host

owner

bytes

action

Any search can be saved as a report

Only searches that generate visualizations

Only searches containing a transforming command

Only searches that generate statistics or visualizations

Date & Time Range

Advanced

Date Range

Presets

Relative

App, Owner, Severity, and Type

App, Owner, Priority, and Status

App, Dashboard, Severity, and Type

App, Time Window, Type, and Severity

To differentiate between structured and unstructured events in the data

To sort the events returned by the search command in chronological order

To zoom in and zoom out. although this does not change the scale of the chart

To show peaks and/or valleys in the timeline, which can indicate spikes in activity or downtime

index=security failure | stats sum as “Event Count”

index=security failure | stats count as “Event Count”

index=security failure | stats count by “Event Count”

index=security failure | stats dc(count) as “Event Count”

Only data where the error field is present and does not contain a value will be displayed.

Only data with a value in the field error will be displayed.

Only data that does not contain the error field will be displayed.

Only data where the value of the field error does not equal an asterisk (*) will be displayed.

No

Yes

top

stats

table

percent

index=* “failed password”

“failed password” index=*

(index=* OR index=security) “failed password”

index=security “failed password”