SPLUNK EXAM STUDY QUESTIONS &
ANSWERS
Which search string only returns events from hostWWW3? - ANSWER-host=WWW3
By default, how long does Splunk retain a search job? - ANSWER-10 Minutes
What must be done before an automatic lookup can be created? (Choose all that apply.) -
ANSWER-The lookup definition must be created.
Which of the following Splunk components typically resides on the machines where data
originates? - ANSWER-Forwarder
What determines the scope of data that appears in a scheduled report? - ANSWER-All data
accessible to the owner of the report will appear in the report.
When writing searches in Splunk, which of the following is true about Booleans? - ANSWER-
They must be uppercase.
Which of the following searches would return events with failure in index netfw or warn or
critical in index netops? - ANSWER-(index=netfw failure) OR (index=netops (warn OR critical))
When looking at a dashboard panel that is based on a report, which of the following is true? -
ANSWER-You cannot modify the search string in the panel, but you can change and configure
the visualization.
Which of the following constraints can be used with the top command? - ANSWER-limit
Select the answer that displays the accurate placing of the pipe in the following search string:
index=security sourcetype=access_* status=200 stats count by price - ANSWER-index=security
sourcetype=access_* status=200 | stats count by price
When running searches, command modifiers in the search string are displayed in what color? -
ANSWER-Blue
Which of the following represents the Splunk recommended naming convention for
dashboards? - ANSWER-Group_Object_Description
How can search results be kept longer than 7 days? - ANSWER-By scheduling a report.
Which of the following is a Splunk search best practice? - ANSWER-Filter as early as possible.
,When looking at a dashboard panel that is based on a report, which of the following is true? -
ANSWER-You cannot modify the search string in the panel, but you can change and configure
the visualization.
Which of the following are common constraints of the top command? - ANSWER-showperc,
countfield
When displaying results of a search, which of the following is true about line charts? -
ANSWER-Line charts are optimal for single and multiple series.
How are events displayed after a search is executed? - ANSWER-In reverse chronological order.
Which of the following is true about user account settings and preferences? - ANSWER-Full
name, time zone, and default app can be defined by clicking the login name in the Splunk bar.
What is a primary function of a scheduled report? - ANSWER-Triggering an alert in your Splunk
instance when certain conditions are met.
After running a search, what effect does clicking and dragging across the timeline have? -
ANSWER-Filters current search results.
Which command is used to review the contents of a specified static lookup file? - ANSWER-
inputlookup
What must be done in order to use a lookup table in Splunk? - ANSWER-The lookup file must
be uploaded to Splunk and a lookup definition must be created.
When sorting on multiple fields with the sort command, what delimiter can be used between
the field names in the search? - ANSWER-,
Which time range picker configuration would return real-time events for the past 30 seconds? -
ANSWER-Real-time - Earliest: 30-seconds ago, Latest: Now
What is the correct syntax to count the number of events containing a vendor_action field? -
ANSWER-stats count (vendor_action)
What is one benefit of creating dashboard panels from reports? - ANSWER-Any change to the
underlying report will affect every dashboard that utilizes that report.
By default, which of the following fields would be listed in the fields sidebar under interesting
Fields? - ANSWER-index
Which of the following statements about case sensitivity is true? - ANSWER-Field names ARE
case sensitive; field values are NOT.
, What does the rare command do? - ANSWER-Returns the least common field values of a given
field in the results.
When an alert action is configured to run a script, Splunk must be able to locate the script.
Which is one of the directories Splunk will look in to find the script? - ANSWER-
$SPLUNK_HOME/bin/scripts
Which Boolean operator is always implied between two search terms, unless otherwise
specified? - ANSWER-AND
What does the values function of the stats command do? - ANSWER-Lists unique values of a
given field.
Which stats command function provides a count of how many unique values exist for a given
field in the result set? - ANSWER-dc(field)
A collection of items containing things such as data inputs, UI elements, and knowledge
objects is known as what? - ANSWER-An app
Which statement is true about Splunk alerts? - ANSWER-Alerts are based on searches that are
either run on a scheduled interval or in real-time.
What is the purpose of using a by clause with the stats command? - ANSWER-To group the
results by one or more fields.
How do you add or remove fields from search results? - ANSWER-Use fields +to add and fields
'"to remove.
A field exists in search results, but isn't being displayed in the fields sidebar. How can it be
added to the fields sidebar? - ANSWER-Click All Fields and select the field to add it to Selected
Fields.
In the fields sidebar, which character denotes alphanumeric field values? - ANSWER-a
What is the main requirement for creating visualizations using the Splunk UI? - ANSWER-Your
search must transform event data into statistical data tables first.
What syntax is used to link key/value pairs in search strings? - ANSWER-action=purchase
What user interface component allows for time selection? - ANSWER-Time range picker
Which of the following searches will return results where fail, 400, and error exist in every
event? - ANSWER-error AND (fail AND 400)
ANSWERS
Which search string only returns events from hostWWW3? - ANSWER-host=WWW3
By default, how long does Splunk retain a search job? - ANSWER-10 Minutes
What must be done before an automatic lookup can be created? (Choose all that apply.) -
ANSWER-The lookup definition must be created.
Which of the following Splunk components typically resides on the machines where data
originates? - ANSWER-Forwarder
What determines the scope of data that appears in a scheduled report? - ANSWER-All data
accessible to the owner of the report will appear in the report.
When writing searches in Splunk, which of the following is true about Booleans? - ANSWER-
They must be uppercase.
Which of the following searches would return events with failure in index netfw or warn or
critical in index netops? - ANSWER-(index=netfw failure) OR (index=netops (warn OR critical))
When looking at a dashboard panel that is based on a report, which of the following is true? -
ANSWER-You cannot modify the search string in the panel, but you can change and configure
the visualization.
Which of the following constraints can be used with the top command? - ANSWER-limit
Select the answer that displays the accurate placing of the pipe in the following search string:
index=security sourcetype=access_* status=200 stats count by price - ANSWER-index=security
sourcetype=access_* status=200 | stats count by price
When running searches, command modifiers in the search string are displayed in what color? -
ANSWER-Blue
Which of the following represents the Splunk recommended naming convention for
dashboards? - ANSWER-Group_Object_Description
How can search results be kept longer than 7 days? - ANSWER-By scheduling a report.
Which of the following is a Splunk search best practice? - ANSWER-Filter as early as possible.
,When looking at a dashboard panel that is based on a report, which of the following is true? -
ANSWER-You cannot modify the search string in the panel, but you can change and configure
the visualization.
Which of the following are common constraints of the top command? - ANSWER-showperc,
countfield
When displaying results of a search, which of the following is true about line charts? -
ANSWER-Line charts are optimal for single and multiple series.
How are events displayed after a search is executed? - ANSWER-In reverse chronological order.
Which of the following is true about user account settings and preferences? - ANSWER-Full
name, time zone, and default app can be defined by clicking the login name in the Splunk bar.
What is a primary function of a scheduled report? - ANSWER-Triggering an alert in your Splunk
instance when certain conditions are met.
After running a search, what effect does clicking and dragging across the timeline have? -
ANSWER-Filters current search results.
Which command is used to review the contents of a specified static lookup file? - ANSWER-
inputlookup
What must be done in order to use a lookup table in Splunk? - ANSWER-The lookup file must
be uploaded to Splunk and a lookup definition must be created.
When sorting on multiple fields with the sort command, what delimiter can be used between
the field names in the search? - ANSWER-,
Which time range picker configuration would return real-time events for the past 30 seconds? -
ANSWER-Real-time - Earliest: 30-seconds ago, Latest: Now
What is the correct syntax to count the number of events containing a vendor_action field? -
ANSWER-stats count (vendor_action)
What is one benefit of creating dashboard panels from reports? - ANSWER-Any change to the
underlying report will affect every dashboard that utilizes that report.
By default, which of the following fields would be listed in the fields sidebar under interesting
Fields? - ANSWER-index
Which of the following statements about case sensitivity is true? - ANSWER-Field names ARE
case sensitive; field values are NOT.
, What does the rare command do? - ANSWER-Returns the least common field values of a given
field in the results.
When an alert action is configured to run a script, Splunk must be able to locate the script.
Which is one of the directories Splunk will look in to find the script? - ANSWER-
$SPLUNK_HOME/bin/scripts
Which Boolean operator is always implied between two search terms, unless otherwise
specified? - ANSWER-AND
What does the values function of the stats command do? - ANSWER-Lists unique values of a
given field.
Which stats command function provides a count of how many unique values exist for a given
field in the result set? - ANSWER-dc(field)
A collection of items containing things such as data inputs, UI elements, and knowledge
objects is known as what? - ANSWER-An app
Which statement is true about Splunk alerts? - ANSWER-Alerts are based on searches that are
either run on a scheduled interval or in real-time.
What is the purpose of using a by clause with the stats command? - ANSWER-To group the
results by one or more fields.
How do you add or remove fields from search results? - ANSWER-Use fields +to add and fields
'"to remove.
A field exists in search results, but isn't being displayed in the fields sidebar. How can it be
added to the fields sidebar? - ANSWER-Click All Fields and select the field to add it to Selected
Fields.
In the fields sidebar, which character denotes alphanumeric field values? - ANSWER-a
What is the main requirement for creating visualizations using the Splunk UI? - ANSWER-Your
search must transform event data into statistical data tables first.
What syntax is used to link key/value pairs in search strings? - ANSWER-action=purchase
What user interface component allows for time selection? - ANSWER-Time range picker
Which of the following searches will return results where fail, 400, and error exist in every
event? - ANSWER-error AND (fail AND 400)
