A.  

True

B.  

False

A.  

index=a index=b

B.  

(index=a OR index=b)

C.  

index=(a & b)

D.  

index = a, b

A.  

Both field names and field values ARE case sensitive.

B.  

Field names ARE case sensitive; field values are NOT.

C.  

Field values ARE case sensitive; field names ARE NOT.

D.  

Both field names and field values ARE NOT case sensitive.

A.  

f*il

B.  

*fail

C.  

fail*

D.  

*fail*

A.  

False

B.  

True

A.  

index=security sourcetype=linux secure (invalid OR failed) | stats count as

"Potential Issues"

B.  

index=security sourcetype=linux secure (invalid OR failed) | stats as

"Potential Issues"

C.  

index—security sourcetype=linux secure (invalid OR failed) | count stats as

"Potential Issues"

D.  

index—security sourcetype=linux secure (invalid OR failed) | count as "Potential Issues"

A.  

users

B.  

power users

C.  

administrators

A.  

A field that appears in any event

B.  

A field that appears in every event

C.  

A field that appears in the top 10 events

D.  

A field that appears in at least 20% of the events

A.  

Red

B.  

Blue

C.  

Orange

D.  

Highlighted

A.  

Splunk will re-run the search job in Verbose Mode to prioritize the new Selected Field

B.  

Splunk will highlight related fields as a suggestion to add them to the Selected Fields list.

C.  

Custom selections will replace the Interesting Fields that Splunk populated into the list at search time

D.  

The selected field and its corresponding values will appear underneath the events in the search results

A.  

True

B.  

False

A.  

Splunk automatically discovers only numeric fields

B.  

Splunk automatically discovers only alphanumeric fields

C.  

Splunk automatically discovers only manually configured fields

D.  

Splunk automatically discovers only fields directly related to the search results

A.  

Splunk Enterprise Security Suite

B.  

Searching and Reporting

C.  

Reporting and Searching

D.  

Splunk apps for Security

A.  

True

B.  

False

A.  

Dashboards must have a unique dashboard ID within a permission's context.

B.  

Splunk dashboards consist of one or more panels displaying data visually in a useful way.

C.  

Splunk dashboards may not be directly created from search results without first creating a report.

D.  

Splunk dashboard panels can be populated by reports.

A.  

False

B.  

True

A.  

All events that either have a host of www3 or a status of 503.

B.  

All events with a host of www3 that also have a status of 503

C.  

We need more information: we cannot tell without knowing the time range

D.  

We need more information a search cannot be run without specifying an index

A.  

Chronological

B.  

Reverser chronological

C.  

ASCIE

D.  

Alphabetical

A.  

h

B.  

day

C.  

mon

D.  

yr

E.  

y

F.  

w

G.  

week

A.  

Index Forwarders (IF)

B.  

Universal Forwarders (UF)

C.  

Super Forwarder (SF)

D.  

Heavy Forwarders (HF)

A.  

sourcetype

B.  

index

C.  

source

D.  

host

A.  

New events based on the current time range picker

B.  

The same events based on the current time range picker

C.  

The same events from when the original search was executed

D.  

New events in addition to the same events from the original search

A.  

To group the results by one or more fields.

B.  

To compute numerical statistics on each field.

C.  

To specify how the values in a list are delimited.

D.  

To partition the input data based on the split-by fields.

A.  

Yes

B.  

No

A.  

index=security sourcetype=access_* status=200 stats | count by price

B.  

index=security sourcetype=access_* status=200 | stats count by price

C.  

index=security sourcetype=access_* status=200 | stats count | by price

D.  

index=security sourcetype=access_* | status=200 | stats count by price

A.  

Creating a pivot table.

B.  

Clicking on the visualizations tab.

C.  

Viewing your report in a dashboard.

D.  

Clicking on any field value in the table.

A.  

ASCII Character order.

B.  

Reverse chronological order.

C.  

Alphanumeric order.

D.  

Chronological order.

A.  

Forwarders

B.  

Deployment Server

C.  

Indexer

D.  

Knowledge Objects

E.  

Index

F.  

Search Head

A.  

CSV, JSON, PDF

B.  

CSV, XML JSON

C.  

Raw Events, XML, JSON

D.  

Raw Events, CSV, XML, JSON

A.  

| rare top=5

B.  

| top rare=5

C.  

| top limit=5

D.  

| rare limit=5

A.  

Description_Group_Object

B.  

Group_Description_Object

C.  

Group_Object_Description

D.  

Object_Group_Description

A.  

|

B.  

$

C.  

!

D.  

,

A.  

Indexer

B.  

Parsing

C.  

Heavy Forwarder

D.  

Input

A.  

action+purchase

B.  

action=purchase

C.  

action | purchase

D.  

action equal purchase

A.  

All data accessible to the User role will appear in the report.

B.  

All data accessible to the owner of the report will appear in the report.

C.  

All data accessible to all users will appear in the report until the next time the report is run.

D.  

The owner of the report can configure permissions so that the report uses either the User role or the owner’s profile at run time.

A.  

No

B.  

Yes

A.  

Lookups can be time based

B.  

Search results can be used to populate a lookup table

C.  

Splunk DB Connect can be used to populate a lookup table from relational databases

D.  

Output from a script can be used to populate a lookup table

E.  

Lookup have a 10mg maximum size limit

A.  

Sourcetype=access_* |sum bytes by host

B.  

Sourcetype=access_* |stats sum(categorylD) by host

C.  

Sourcetype=access_* |sum(bytes) by host

D.  

Sourcetype=access_* |stats sum by host

A.  

host

B.  

owner

C.  

bytes

D.  

action

A.  

_raw

B.  

host

C.  

_host

D.  

index

A.  

10

B.  

50

C.  

100

D.  

20

A.  

Returns the least common field values of a given field in the results.

B.  

Returns the most common field values of a given field in the results.

C.  

Returns the top 10 field values of a given field in the results.

D.  

Returns the lowest 10 field values of a given field in the results.

A.  

Auto-detect changes in performance

B.  

Auto-generated PDF reports of overall data trends

C.  

Regularly scheduled archiving to keep disk space use low

D.  

Triggering an alert in your Splunk instance when certain conditions are met

A.  

True

B.  

False

A.  

Table

B.  

Raw

C.  

Pie Chart

D.  

List

A.  

host

B.  

index

C.  

source

D.  

sourcetype

A.  

It is only available to Admins.

B.  

Such feature does not exist in Splunk.

C.  

Shows options to complete the search string

A.  

Open new search.

B.  

Exclude the item from search.

C.  

None of the above.

D.  

Add the item to search

A.  

lookup command

B.  

inputlookup command

C.  

Settings > Lookups > Input

D.  

Settings > Lookups > Upload

A.  

True

B.  

False

A.  

True

B.  

False

A.  

Forwarders

B.  

Indexer

C.  

Heavy Forwarders

D.  

Search head

A.  

| lookup products.csv

B.  

inputlookup products.csv

C.  

I inputlookup products.csv

D.  

| lookup definition products.csv

A.  

True

B.  

False

A.  

10 Minutes

B.  

15 Minutes

C.  

1 Day

D.  

7 Days

A.  

@

B.  

&

C.  

*

D.  

#

A.  

Inherent entities that exist in event data.

B.  

A searchable key/value pair in event data.

C.  

Values pulled exclusively from lookup tables.

D.  

A non-searchable name/value pair used while indexing data.

A.  

a list of events

B.  

transactions

C.  

statistical values

A.  

No

B.  

Yes

A.  

Props

B.  

CLI

C.  

Splunk Web

D.  

savedsearches.conf

E.  

Splunk apps and add-ons

F.  

indexes.conf

G.  

inputs.conf

A.  

the_questionnaire _pedia

B.  

the_questionnaire pedia

C.  

the_questionnaire_pedia

D.  

the_questionnaire Pedia

A.  

Save the search as a report and use it in multiple dashboards as needed

B.  

Save the search as a dashboard panel for each dashboard that needs the data

C.  

Save the search as a scheduled alert and use it in multiple dashboards as needed

D.  

Export the results of the search to an XML file and use the file as the basis of the dashboards

A.  

inputlookup

B.  

lookup

A.  

Real-time searches happen instantly, while relative searches happen at a scheduled time.

B.  

Real-time searches display results from a rolling time window, while relative searches display results from a set length of time.

C.  

Real-time searches run constantly in the background, while relative searches only run when certain criteria are met.

D.  

Real-time represents events that have happened in a set time window, while relative will display results from a rolling time window.

A.  

Indexing

B.  

Searching

C.  

Parsing

D.  

Settings

E.  

Input

A.  

index

B.  

action

C.  

_time

D.  

host

A.  

Correlated

B.  

File-based

C.  

Total

D.  

Segmented

A.  

action

B.  

clientip

C.  

categoryld

D.  

sourcetype

A.  

Acceleration, schedule, permissions

B.  

The report’s name, schedule, permissions

C.  

The report’s name, acceleration, schedule

D.  

The report’s name, acceleration, permissions

A.  

#

B.  

%

C.  

a

D.  

a#

A.  

No events will be returned.

B.  

Splunk will prompt you to specify an index.

C.  

All non-indexed events to which the user has access will be returned.

D.  

Events from every index searched by default to which the user has access will be returned.

A.  

Rex

B.  

As

C.  

List

D.  

By

A.  

Look back 3 days ago and prior

B.  

Look back 72 hours up to one day ago

C.  

Look back 72 hours, up to the end of today

D.  

Look back from 3 days ago up to the beginning of today