Splunk Core Certified User Test! Trivia Questions Quiz

What user interface component allows for time selection?

• Time summary

• Time range picker

• Search time picker

• Data source time statistics

By default, which of the following is a Selected Field?

• Action

• Clientip

• CategoryId

• Sourcetype

Which Boolean operator is always implied between two search terms, unless otherwise specified?

• Or

• Not

• And

• Xor

1. What syntax is used to link key/value pairs in search strings?

• Action+purchase

• Action=purchase

• Action | purchase

• Action equal purchase

What must be done in order to use a lookup table in Splunk?

• The lookup must be configured to run automatically.

• The contents of the lookup file must be copied and pasted into the search bar.

• The lookup file must be uploaded to Splunk and a lookup definition must be created.

• The lookup file must be uploaded to the etc/apps/lookups folder for automatic ingestion.

Which is not a comparison operator in Splunk

• <=

• =

• !=

• >

• ?=

A collection of items containing things such as data inputs, UI elements, and knowledge objects is known as what?

• An app

• JSON

• A role

• An enhanced solution

Which of the following constraints can be used with the top command?

• Limit

• Useperc

• Addtotals

• Fieldcount

Which of the following is a Splunk search best practice?

• Filter as early as possible.

• Never specify more than one index.

• Include as few search terms as possible.

• Use wildcards to return more search results.

When viewing the results of a search, what is an Interesting Field?

• A field that appears in any event

• A field that appears in every event

• A field that appears in the top 10 events

• A field that appears in at least 20% of the events

What is a suggested Splunk best practice for naming reports?

• Reports are best named using many numbers so they can be more easily sorted.

• Use a consistent naming convention so they are easily separated by characteristics such as group and object.

• Name reports as uniquely as possible with no overlap to differentiate them from one another.

• Any naming convention is fine as long as you keep an external spreadsheet to keep track.

By default, all users have DELETE permission to ALL knowledge objects.

When writing searches in Splunk, which of the following is true about Booleans?

• They must be lowercase.

• They must be uppercase.

• They must be in quotations.

• They must be in parentheses.

What does the rare command do?

• Returns the least common field values of a given field in the results.

• Returns the most common field values of a given field in the results.

• Returns the top 10 field values of a given field in the results.

• Returns the lowest 10 field values of a given field in the results.

What is the correct syntax to count the number of events containing a vendor_action field?=

• Count stats vendor_action

• Count stats (vendor_action)

• Stats count (vendor_action)

• Stats vendor_action (count)

What syntax is used to link key/value pairs in search strings?

• Parentheses

• @ or # symbols

• Quotation marks

• Relational operators such as =, <, or >

Which statement is true about Splunk alerts?

• Alerts are based on searches that are either run on a scheduled interval or in real-time.

• Alerts are based on searches and when triggered will only send an email notification.

• Alerts are based on searches and require cron to run on scheduled interval.

• Alerts are based on searches that are run exclusively as real-time.

By default, how long does Splunk retain a search job?

• 10 minutes

• 15 minutes 

• 1 day

• 7 days

All users by default have WRITE permission to ALL knowledge objects.

How are events displayed after a search is executed?

• In chronological order.

• Randomly by default.

• In reverse chronological order.

• Alphabetically according to field name.

Which time range picker configuration would return real-time events for the past 30 seconds?

• Preset - Relative: 30-seconds ago

• Relative - Earliest: 30-seconds ago, Latest: Now

• Real-time - Earliest: 30-seconds ago, Latest: Now

• Advanced - Earliest: 30-seconds ago, Latest: Now

Which of the following statements about case sensitivity is true?

• Both field names and field values ARE case sensitive.

• Field names ARE case sensitive; field values are NOT.

• Field values ARE case sensitive; field names ARE NOT.

• Both field names and field values ARE NOT case sensitive.

What does the stats command do?

• Automatically correlates related fields

• Converts field values into numerical values

• Calculates statistics on data that matches the search criteria

• Analyzes numerical fields for their ability to predict another discrete field

This function of the stats command allows you to return the middle-most value of field X.

• Median(X)

• Eval by X

• Fields(X)

• Values(X)

In the fields sidebar, what indicates that a field is numeric?

• A number to the right of the field name.

• A # symbol to the left of the field name.

• A lowercase n to the left of the field name.

• A lowercase n to the right of the field name.

Which events will be returned by the following search string? host=www3 status=503

• All events that either have a host of www3 or a status of 503.

• B. All events with a host of www3 that also have a status of 503

• C. We need more information: we cannot tell without knowing the time range

• D. We need more information a search cannot be run without specifying an index

What are the steps to schedule a report?

• After saving the report, click Schedule.

• After saving the report, click Event Type.

• After saving the report, click Scheduling.

• After saving the report, click Dashboard Panel.

At index time, in which field does Splunk store the timestamp value?

• Time

• _time

• EventTime

• Timestamp

What is the primary use for the rare command1?

• To sort field values in descending order

• To return only fields containing five or fewer values

• To find the least common values of a field in a dataset

• To find the fields with the fewest number of values across a dataset

Which of the following fields is stored with the events in the index?   WTF

• User

• Source

• Location

• SourceIp

Which stats command function provides a count of how many unique values exist for a given field in the result set?

• Dc(field)

• Count(field)

• Count-by(field)

• Distinct-count(field)

When sorting on multiple fields with the sort command, what delimiter can be used between the field names in the search?

• |

• $

• !

• ,

Which of the following commands will show the maximum bytes?

• Sourcetype=access_* | maximum totals by bytes

• Sourcetype=access_* | avg (bytes)

• Sourcetype=access_* | stats max(bytes)

• Sourcetype=access_* | max(bytes)

How does Splunk determine which fields to extract from data?

• Splunk only extracts the most interesting data from the last 24 hours.

• Splunk only extracts fields users have manually specified in their data;

• Splunk automatically extracts any fields that generate interesting visualizations.

• Splunk automatically discovers many fields based on sourcetype and key/value pairs found in the data;

According to Splunk best practices, which placement of the wildcard results in the most efficient search?

• F*iI

• *fail

• Fail*

• 'fail*

Which command automatically returns percent and count columns when executing searches?

• Top

• Stats

• Table

• Percent

Which of the following is the most efficient filter for running searches in Splunk?

• Time

• Fast mode

• Sourcetype

• Selected fields

What is the purpose of using a by clause with the stats command?

• To group the results by one or more fields.

• To compute numerical statistics on each field.

• To specify how the values in a list are delimited.

• To partition the input data based on the split-by fields.

Which of the following searches will show the number of categoryld used by each host?

• Sourcetype=access_* |sum bytes by host

• Sourcetype=access_* |stats sum(categorylD. by host

• Sourcetype=access_* |sum(bytes) by host

• Sourcetype=access_* |stats sum by host

Which command is used to review the contents of a specified static lookup file?

• Lookup

• Csvlookup

• Inputlookup

• Outputlookup

When looking at a dashboard panel that is based on a report, which of the following is true?

• You can modify the search string in the panel, and you can change and configure the visualization.

• You can modify the search string in the panel, but you cannot change and configure the visualization.

• You cannot modify the search string in the panel, but you can change and configure the visualization.

• You cannot modify the search string in the panel, and you cannot change and configure the visualization.

What is a primary function of a scheduled report?

• Auto-detect changes in performance

• Auto-generated PDF reports of overall data trends

• Regularly scheduled archiving to keep disk space use low

• Triggering an alert in your Splunk instance when certain conditions are met

This function of the stats command allows you to return the sample standard deviation of a field.

• Stdev

• Dev

• Count deviation

• By standarddev

When an alert action is configured to run a script, Splunk must be able to locate the script. Which is one of the directories Splunk will look in to find the script?

• $SPLUNK_HOME/bin/scripts

• $SPLUNK_HOME/etc/scripts

• $SPLUNK_HOME/bin/etc/scripts

• $SPLUNK_HOME/etc/scripts/bin

When running searches command modifiers in the search string are displayed in what color?

• Red

• Blue

• Orange

• Highlighted

Which of the following represents the Splunk recommended naming convention for dashboards?

• Description_Group_Object

• Group_Description_Object

• Group_Object_Description

• Object_Group_Description

Which search would return events from the access_combined sourcetype?

• Sourcetype=access_combined

• Sourcetype=Access_Combined

• Sourcetype=Access_Combined

• SOURCETYPE=access_combined

Which of the following index searches would provide the most efficient search performance?

• Index=*

• Index=web OR index=s*

• (index=web OR index=sales)

• *index=sales AND index=web*