STUDY GUIDE QUESTIONS AND ANSWERS 2023
5 Main components of Splunk ES - Index Data, Search & investigate, Add knowledge,
Monitor & Alert, Report & Analyze.
Three main roles in Splunk? (3) - Admin, Power, User
Installs apps, creates knowledge objects for all users (what apps a user will see
by default) - Admin
Creates and shares knowledge objects for users of an app, runs real-time searches - Power User
Only sees own knowledge objects and those shared to them - User
Apps in Splunk? - 1. Pre-built dashboards, reports, alerts and workflows
2. In-depth data analysis for power users
3. Search & Reporting
What does the Search & Reporting app do in Splunk? - Creates knowledge objects, reports, and dashboards
The seven main components in Splunk searching and reporting? - 1. Splunk bar
2. App bar
3. Search bar
4. Time range picker
5. How to search panel
6. What to search panel
7. Search History
What does the time range picker do? - Allows searching by preset times, relative times, real time (earliest, latest), and date range; retrieves events over a specific time period.
Limiting search by ___________ is key to faster results and is a best practice - time
The time range picker is set to _________ by default. - All-time
Search jobs are available for ____ minutes by default. - 10
________ commands create statistics and visualizations. - Transforming
________ tab is the default tab for searches - Event
The three main search modes? - Fast, Verbose, and Smart
_______ mode has discovery off for event searches. No event or field data for stats
searches. - Fast
______ mode has all events and field data; switches to this mode after visualization - Verbose
______ mode (default-based on search string data) has field discovery ON for event
searches. No event or field data for stats searches. - Smart
What does the "Job V" action button do - Edits job settings, sends jobs to
the background, inspects and deletes job.
Saved searches are set to ______ by default. - private
Timestamp seen in events is based on the ______ setting in the user account profile - time zone
List the three booleans - AND, OR, NOT
________ boolean is used if none is implied - AND
Exact phrases use ______ - quotes
Use a _______ for searching a string with quotes in the string - Backslash
Example: to search for the string user "chrisV4" not in database, write info="user\"chrisV4\" not in database" (escaping the inner quotes) rather than info="user "chrisV4" not in database"
The three default search fields automatically selected are - Source, Host, Sourcetype
_______ sidebar shows all fields extracted at search time - Fields
_______ fields that appear by default are host, sourcetype, source - Selected
_______ fields have values in at least 20% of the events - Interesting
Clicking on a field shows a list of _______, ________, and ________. - values, count, and percentage
These fields can launch a quick report by clicking on them (4) - top values, top values by time, rare values, events with this field
Use ______ to limit search to only one sourcetype - sourcetype=
_____ are case sensitive, _______ case insensitive - field names, field values