SPLUNK FUNDAMENTALS AND
POWER USER CERTIFICATION
Which search will return the same events as the search in the searchbar?
password failed - Correct Answers -password AND failed
What is the most efficient way to filter events in Splunk? - Correct Answers -By time.
Which is not a comparison operator in Splunk? - Correct Answers -?=
How is the asterisk used in Splunk search? - Correct Answers -As a wildcard
As general practice, inclusion is better than exclusion in a Splunk search. - Correct
Answers -True
Field names are _________. - Correct Answers -case sensitive
What command would you use to remove the status field from the returned events? -
Correct Answers -fields - status
Finish the rename command to change the name of the status field to HTTP Status.
sourcetype=access* status=404 | rename ______ - Correct Answers -status as "HTTP
Status"
Would the clientip column be removed in the results of this search? Why or why not?
sourcetype=access* | rename clientip as "user" | table user status | fields - clientip -
Correct Answers -No, because the name was changed. Commands run left to right: by the
time fields - clientip executes, the field is already called user, so there is no clientip
field to remove and the user column stays.
What is missing from this search?
sourcetype=acc* status=404 | rename clientip as "User ID" | table USer ID status host -
Correct Answers -Quotation marks around User ID (a field name containing a space must be
quoted, and because field names are case sensitive it must also be written exactly as
"User ID")
Which command removes results with duplicate field values? - Correct Answers -Dedup
To display the most common values in a specific field, what command would you use?
sourcetype=vendor_sales | ______ Vendor - Correct Answers -top
How many events are shown by default when using the top or rare command? - Correct
Answers -10
Finish this search to return unlimited results.
sourcetype=access_combined action=purchase | rare product_name _________ -
Correct Answers -limit=0
Which of these is NOT a stats function? - Correct Answers -addtotals (it is a separate
command, not a function of stats)
Which clause would you use to rename the count field?
sourcetype=vendor_sales | stats count(linecount) ______ "Units Sold" - Correct
Answers -as
Which stats function would you use to find the average value of a field? - Correct
Answers -avg
If a search returns this, you can view the results as a chart. - Correct Answers -
Statistical values
When using the chart command, the x-axis should always be numeric. - Correct
Answers -False
The timechart command clusters data in time intervals dependent on: - Correct Answers
-Time range selected
Finish this search to remove any results that do not contain a value in the
product_name field.
sourcetype=access_c* status>299 | chart count over host by product_name _______ -
Correct Answers -usenull=f
When using the search below, what axis would time be on?
sourcetype=vendor_sales | timechart count(linecount) - Correct Answers -x
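The commands covered by the questions above combined into one working search, as an added example that is not part of the original question set. It assumes the access_combined sourcetype from the Splunk training data with the fields status, clientip and host; the error_class field, the 100-event threshold and the column labels are illustrative choices, not part of any Splunk default.

```spl
sourcetype=access_combined status>=400
| eval error_class=if(status>=500, "server", "client")
| stats count, dc(clientip) AS distinct_clients, values(status) AS status_codes BY host, error_class
| where count > 100
| sort - count
| rename count AS "Error Count", distinct_clients AS "Distinct Clients", status_codes AS "Status Codes"
| table host, error_class, "Error Count", "Distinct Clients", "Status Codes"
```

The eval if() call uses the argument order from the question above (condition, value if true, value if false). The rename is done last on purpose: where and sort operate on the plain count field, whereas a field name containing a space would have to be written in single quotes inside where or eval ('Error Count'), because double quotes there denote a string literal, not a field. In table, rename and the AS clause of stats, double quotes around a multi-word field name are what is required. values(status) returns each distinct status code once per host and error class; dc(clientip) counts distinct clients rather than listing them.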
The Trendline Command requires this many arguments: - Correct Answers -3 (the trend type,
the period, and the field, written as one term such as sma5(count))
In the following search, what should the empty argument contain?
sourcetype=linux_secure | iplocation ______ - Correct Answers -A field containing IP
addresses.
The Geostats Command requires both latitude and longitude data to use on a map. -
Correct Answers -True
Data created using the Iplocation Command can not be used with the Geostats
Command. - Correct Answers -False
Which command do you use when creating a choropleth map? - Correct Answers -geom
Which Splunk search command allows you to perform mathematical functions on field
values? - Correct Answers -Eval
Which is the correct argument order when using the eval if function? - Correct Answers
-if(condition, value if true, value if false)
If you want to format values without changing their characteristics, which would you
use? - Correct Answers -The Fieldformat Command.
By default, the Fillnull Command replaces null values with this: - Correct Answers -0
You can only use one Eval Command per search. - Correct Answers -False
This command allows you to correlate related events on a field or list of fields that span
time. - Correct Answers -transaction
Which of these is NOT a field created with the transaction command? - Correct Answers
-maxcount
__________ should be used when you want to see the results of a calculation, or you
need to group events on a field value. - Correct Answers -Stats
__________ should be used when you need to see events correlated together, or when
events need to be grouped on start and end values. - Correct Answers -Transactions
What should you use with the transaction command to set the maximum total time
between the earliest and latest events returned. - Correct Answers -maxspan
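A search that puts the transaction, eval, fillnull-style handling and fieldformat questions above to work on a security use case (a burst of failed logins followed by a success from the same source), as an added example that is not part of the original question set. It assumes the linux_secure sourcetype from the Splunk training data with extracted fields action (values failure and success), user and src_ip; those field names, the 10-minute span, the 50-event cap and the threshold of five events are assumptions for illustration.

```spl
sourcetype=linux_secure (action=failure OR action=success)
| transaction user src_ip startswith="action=failure" endswith="action=success" maxspan=10m maxevents=50
| where eventcount >= 5
| eval failures=eventcount-1
| fieldformat duration=tostring(duration, "duration")
| table _time, user, src_ip, failures, duration
| sort - failures
```

transaction groups events that share user and src_ip, opens a group on the first failure and closes it on the next success, and never lets a group exceed 10 minutes (maxspan) or 50 events (maxevents). It adds the two fields the question above refers to: duration (seconds between the earliest and latest event) and eventcount. The eval subtracts the closing success event so failures counts only the failed attempts; it creates a new field rather than overwriting eventcount because a new name is used on the left of the =. fieldformat changes only how duration is displayed (HH:MM:SS), so a later sort or where on duration still sees the numeric value; stats would be the right choice here only if you needed the counts without seeing the correlated events themselves, and a stats count BY user src_ip would not tell you that the failures preceded the success.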
When results contain a single value, these visualizations can be used. - Correct
Answers -
This stats function will return unique values for a given field. - Correct Answers -values
(values() returns each distinct value once; list() keeps duplicates)
Results of the Eval Command always replace the existing field. - Correct Answers -
False (eval writes to the field named on the left of the =; it only overwrites an existing
field when you reuse that field's name)
Which roles can create Private Knowledge Objects? - Correct Answers -User, Power,
Admin