SPLK-1001 Splunk Core Certified User Questions and Answers

Only continuous monitoring.

Only One-time monitoring.

None of the above.

Both One-time and continuous monitoring

No

Yes

=

>

!

*

Designed to cater numerous use cases and empower Splunk.

We can not install Splunk App.

Allows multiple workspaces for different use cases/user roles.

It is collection of different Splunk config files like data inputs, UI and Knowledge Object.

Sourcetype=access_* |sum bytes by host

Sourcetype=access_* |stats sum(categorylD) by host

Sourcetype=access_* |sum(bytes) by host

Sourcetype=access_* |stats sum by host

Yes

No

False

True

Search & Reporting is the only app that can be set as the default application.

Full names can only be changed by accounts with a Power User or Admin role.

Time zones are automatically updated based on the setting of the computer accessing Splunk.

Full name, time zone, and default app can be defined by clicking the login name in the Splunk bar.

When Splunk encounters a syntax error in a search

When a trigger action meets the predefined conditions

When an event in a search matches up with a data model

When results of a search meet a specifically defined condition

In descending order by action, then descending order by file, and lastly by ascending order of bytes.

In ascending order by action, then descending order by file, and lastly by ascending order of bytes.

In descending order by action if it exists. If not, then in descending order by file, and if both action and file do not exist, by ascending order of bytes.

In ascending order by action if it exists. If not, then in descending order by file, and if both action and file do not exist, by ascending order of bytes.

The owner of the report can edit permissions from the Edit dropdown

Only users with an Admin or Power User role can access other users' reports

Anyone can access any reports marked as public within a shared Splunk deployment

The owner of the report must clone the original report and save it to their user account

limit, count

limit, showpercent

limits, countfield

showperc, countfield

Splunk is a software platform to search, analyze and visualize the machine-generated data.

Database management tool.

Security Information and Event Management (SIEM).

Cloud based application that help in analyzing logs.

No

Yes

index

action

clientip

sourcetype

Splunk User Behavior Analytics (UBA)

Splunk IT Service Intelligence (ITSI)

Splunk Enterprise Security (ES)

Splunk Analytics Security (AS)

Index Forwarders (IF)

Universal Forwarders (UF)

Super Forwarder (SF)

Heavy Forwarders (HF)

New events based on the current time range picker

The same events based on the current time range picker

The same events from when the original search was executed

New events in addition to the same events from the original search

True

False

Automatically correlates related fields

Converts field values into numerical values

Calculates statistics on data that matches the search criteria

Analyzes numerical fields for their ability to predict another discrete field

Acceleration, schedule, permissions

The report’s name, schedule, permissions

The report’s name, acceleration, schedule

The report’s name, acceleration, permissions

False

True

Will return event where status field exist but value of that field is not 100.

Will return event where status field exist but value of that field is not 100 and all events where status field

doesn't exist.

Will get different results depending on data

False

True

False

True

user

source

location

sourcelp

Median(X)

Eval by X

Fields(X)

Values(X)

Yes

No

False

True

No

Yes

Preset - Relative: 30-seconds ago

Relative - Earliest: 30-seconds ago, Latest: Now

Real-time - Earliest: 30-seconds ago, Latest: Now

Advanced - Earliest: 30-seconds ago, Latest: Now

True

False

Timeline shows distribution of events specified in the time range in the form of bars.

Single click to see the result for particular time period.

You can click and drag across the bar for selecting the range.

This is default view and you can't make any changes to it.

You can hover your mouse for details like total events, time and date.

Before clauses. For example: stats sum(bytes) | by host

Before commands. For example: | stats sum(bytes) by host

Before arguments. For example: stats sum| (bytes) by host

Before functions. For example: stats |sum(bytes) by host

Forwarders

Indexer

Heavy Forwarders

Search head

Yes

No

f*il

*fail

fail*

*fail*

the_questionnaire _pedia

the_questionnaire pedia

the_questionnaire_pedia

the_questionnaire Pedia

Indexer

Forwarder

Search head

Deployment server

error AND (fail AND 400)

error OR (fail and 400)

error AND (fail OR 400)

error OR fail OR 400

CSV, JSON, PDF

CSV, XML JSON

Raw Events, XML, JSON

Raw Events, CSV, XML, JSON

True

False

index=a index=b

(index=a OR index=b)

index=(a & b)

index = a, b

| lookup products.csv

inputlookup products.csv

I inputlookup products.csv

| lookup definition products.csv

10

50

100

20

True

False

Use earliest=-1d@d latest=@d

Set a real-time search over a 24-hour window

Use the time range picket to select “Yesterday”

Use the time range picker to select “Last 24 hours”

| rename action = CustomerAction

| rename Action as “Customer Action”

| rename Action to “Customer Action”

| rename action as “Customer Action”

The new result after selecting the range by dragging filters the events and displays the most recent first.

There is no functionality like click and drag in Splunk's timeline.

Using this option executes a new query.

This doesn't execute a new query

2

4

1

3

It returns the top 10 results

It displays the output in table format

It returns the count and percent columns per row

All of the above

index=security failure | stats sum as “Event Count”

index=security failure | stats count as “Event Count”

index=security failure | stats count by “Event Count”

index=security failure | stats dc(count) as “Event Count”

True

False

Description_Group_Object

Group_Description_Object

Group_Object_Description

Object_Group_Description

You can modify the search string in the panel, and you can change and configure the visualization.

You can modify the search string in the panel, but you cannot change and configure the visualization.

You cannot modify the search string in the panel, but you can change and configure the visualization.

You cannot modify the search string in the panel, and you cannot change and configure the visualization.

dc(field)

count(field)

count-by(field)

distinct-count(field)

_raw

host

_host

index

Any search can be saved as a report

Only searches that generate visualizations

Only searches containing a transforming command

Only searches that generate statistics or visualizations

Line charts are optimal for single and multiple series.

Line charts are optimal for single series when using Fast mode.

Line charts are optimal for multiple series with 3 or more columns.

Line charts are optimal for multiseries searches with at least 2 or more columns.

Executes a new search.

Filters current search results.

Moves to past or future events.

Expands the time range of the search.

index==main status!==200

index=main NOT status=200

index==main NOT status==200

index-main status!=200

A number to the right of the field name.

A # symbol to the left of the field name.

A lowercase n to the left of the field name.

A lowercase n to the right of the field name.

To differentiate between structured and unstructured events in the data

To sort the events returned by the search command in chronological order

To zoom in and zoom out. although this does not change the scale of the chart

To show peaks and/or valleys in the timeline, which can indicate spikes in activity or downtime

Lists all values of a given field.

Lists unique values of a given field.

Returns a count of unique values for a given field.

Returns the number of events that match the search.

index=security sourcetype=linux secure (invalid OR failed) | stats count as

"Potential Issues"

index=security sourcetype=linux secure (invalid OR failed) | stats as

"Potential Issues"

index—security sourcetype=linux secure (invalid OR failed) | count stats as

"Potential Issues"

index—security sourcetype=linux secure (invalid OR failed) | count as "Potential Issues"

time

_time

EventTime

timestamp

To sort field values in descending order.

To return only fields containing five of fewer values.

To find the least common values of a field in a dataset.

To find the fields with the fewest number of values across a dataset.

Save the search as a report and use it in multiple dashboards as needed

Save the search as a dashboard panel for each dashboard that needs the data

Save the search as a scheduled alert and use it in multiple dashboards as needed

Export the results of the search to an XML file and use the file as the basis of the dashboards

False

True

Yes

No