SPLUNK CERTIFICATION ACTUAL
STUDY QUESTIONS AND ANSWERS
5 Main components of Splunk ES - ANSWER- Index Data, Search & investigate, Add
knowledge, Monitor & Alert, Report & Analyze.
What does index data do? (3) - ANSWER- 1. Collects data
2. Label data with source type
3. Stored in splunk index
Three main roles in splunk? (3) - ANSWER- Admin, Power, User
An admin does what? - ANSWER- Install apps, create knowledge objects for all users (what
apps a user will see by default)
A power user does what? - ANSWER- Creates and shares knowledge objects for users of app,
real-time searches
A Splunk user does what? - ANSWER- Only see own knowledge objects and those shared to
them.
Apps in Splunk? - ANSWER- 1. Pre-built dashboards, reports, alerts and workflows
2. In-depth data analysis for power users
3. Search & Reporting
What does the search and reporting app do in splunk? - ANSWER- Creates knowledge
objects, reports, and dashboards
The seven main components in splunk searching and reporting? - ANSWER- 1. Splunk bar
2. App bar
3. Search bar
4. Time range picker
5. How to search panel
6. What to search panel
7. Search History
, What does the time range picker do? - ANSWER- Allow search by preset times, relative
times. Real time (earliest, latest), date range. Retrieve events over a specific time period.
Limiting search by ___________ is key to faster results and is a best practice - ANSWER- time
The time range picker is set to _________ by default. - ANSWER- All-time
Search jobs are available after ____ minutes by default. - ANSWER- 10
________ commands create statistics and visualizations. - ANSWER- Transforming
________ tab is default tab for searches - ANSWER- Event
What are the three main search modes? - ANSWER- Fast, Verbose, and Smart
_______ mode discovery off for event searches. No event or field data for stats searches. -
ANSWER- Fast
______ mode all events and field data; switches to this mode after visualization - ANSWER-
Verbose
______ mode (default-based on search string data). Field discovery ON for event searches. No
event or field data for stats searches. - ANSWER- Smart
This search action button "Job V" does what? - ANSWER- Edit job settings, send job to
background, inspect and delete job.
Saved searches are set to ______ by default. - ANSWER- private
Timestamp seen in events is based on______setting in user account profile - ANSWER- time
zone
List the three booleans - ANSWER- AND OR NOT
________boolean is used if none is implied. - ANSWER- AND
Exact phrases use______ - ANSWER- quotes
Use a _______ for searching a string with quotes in the string. - ANSWER- Backslash
Example: info="user "chrisV4" not in database" info="user\"chrisV4\" not in database "
Three default search fields automatically selected? - ANSWER- Source, Host, Sourcetype
_______ sidebar shows all field extracted at search time. - ANSWER- Fields
STUDY QUESTIONS AND ANSWERS
5 Main components of Splunk ES - ANSWER- Index Data, Search & investigate, Add
knowledge, Monitor & Alert, Report & Analyze.
What does index data do? (3) - ANSWER- 1. Collects data
2. Label data with source type
3. Stored in splunk index
Three main roles in splunk? (3) - ANSWER- Admin, Power, User
An admin does what? - ANSWER- Install apps, create knowledge objects for all users (what
apps a user will see by default)
A power user does what? - ANSWER- Creates and shares knowledge objects for users of app,
real-time searches
A Splunk user does what? - ANSWER- Only see own knowledge objects and those shared to
them.
Apps in Splunk? - ANSWER- 1. Pre-built dashboards, reports, alerts and workflows
2. In-depth data analysis for power users
3. Search & Reporting
What does the search and reporting app do in splunk? - ANSWER- Creates knowledge
objects, reports, and dashboards
The seven main components in splunk searching and reporting? - ANSWER- 1. Splunk bar
2. App bar
3. Search bar
4. Time range picker
5. How to search panel
6. What to search panel
7. Search History
, What does the time range picker do? - ANSWER- Allow search by preset times, relative
times. Real time (earliest, latest), date range. Retrieve events over a specific time period.
Limiting search by ___________ is key to faster results and is a best practice - ANSWER- time
The time range picker is set to _________ by default. - ANSWER- All-time
Search jobs are available after ____ minutes by default. - ANSWER- 10
________ commands create statistics and visualizations. - ANSWER- Transforming
________ tab is default tab for searches - ANSWER- Event
What are the three main search modes? - ANSWER- Fast, Verbose, and Smart
_______ mode discovery off for event searches. No event or field data for stats searches. -
ANSWER- Fast
______ mode all events and field data; switches to this mode after visualization - ANSWER-
Verbose
______ mode (default-based on search string data). Field discovery ON for event searches. No
event or field data for stats searches. - ANSWER- Smart
This search action button "Job V" does what? - ANSWER- Edit job settings, send job to
background, inspect and delete job.
Saved searches are set to ______ by default. - ANSWER- private
Timestamp seen in events is based on______setting in user account profile - ANSWER- time
zone
List the three booleans - ANSWER- AND OR NOT
________boolean is used if none is implied. - ANSWER- AND
Exact phrases use______ - ANSWER- quotes
Use a _______ for searching a string with quotes in the string. - ANSWER- Backslash
Example: info="user "chrisV4" not in database" info="user\"chrisV4\" not in database "
Three default search fields automatically selected? - ANSWER- Source, Host, Sourcetype
_______ sidebar shows all field extracted at search time. - ANSWER- Fields
