SPLK-1001 Sample Questions Answers

To group the results by one or more fields.

To compute numerical statistics on each field.

To specify how the values in a list are delimited.

To partition the input data based on the split-by fields.

stdev

dev

count deviation

by standarddev

To differentiate between structured and unstructured events in the data

To sort the events returned by the search command in chronological order

To zoom in and zoom out. although this does not change the scale of the chart

To show peaks and/or valleys in the timeline, which can indicate spikes in activity or downtime

True

False

Splunk User Behavior Analytics (UBA)

Splunk IT Service Intelligence (ITSI)

Splunk Enterprise Security (ES)

Splunk Analytics Security (AS)

Time summary

Time range picker

Search time picker

Data source time statistics

count stats vendor_action

count stats (vendor_action)

stats count (vendor_action)

stats vendor_action (count)

input

output

Red

Blue

Orange

Highlighted

host

index

source

sourcetype

Yes

No

Open new search.

Exclude the item from search.

None of the above.

Add the item to search

index

action

_time

host

True

False

Forwarders

Deployment Server

Indexer

Knowledge Objects

Index

Search Head

True

False

True

False

Only continuous monitoring.

Only One-time monitoring.

None of the above.

Both One-time and continuous monitoring

3

2

4

1

No

Yes

Your search must transform event data into Excel file format first.

Your search must transform event data into XML formatted data first.

Your search must transform event data into statistical data tables first.

Your search must transform event data into JSON formatted data first.

True

False

The search will fail. The proper top command format is top limit=3 instead of top 3.

The top three most common values in statusCode will be displayed for each user.

Only the top three overall most common values in statusCode will be displayed.

The percentage field will be displayed in the results.

No

Yes

sourcetype=access_* | maximum totals by bytes

sourcetype=access_* | avg (bytes)

sourcetype=access_* | stats max(bytes)

sourcetype=access_* | max(bytes)

No

Yes

It is only available to Admins.

Such feature does not exist in Splunk.

Shows options to complete the search string

the_questionnaire _pedia

the_questionnaire pedia

the_questionnaire_pedia

the_questionnaire Pedia

Reports are best named using many numbers so they can be more easily sorted.

Use a consistent naming convention so they are easily separated by characteristics such as group and object.

Name reports as uniquely as possible with no overlap to differentiate them from one another.

Any naming convention is fine as long as you keep an external spreadsheet to keep track.

Password

Port number

Username

Data access

Search head, GPU, streamer

Search head, indexer, forwarder

Search head, SQL database, forwarder

Search head, SSD, heavy weight agent

You can modify the search string in the panel, and you can change and configure the visualization.

You can modify the search string in the panel, but you cannot change and configure the visualization.

You cannot modify the search string in the panel, but you can change and configure the visualization.

You cannot modify the search string in the panel, and you cannot change and configure the visualization.

Hosts

Sourcetypes

Sources

Indexes

Sourcetype=access_* |sum bytes by host

Sourcetype=access_* |stats sum(categorylD) by host

Sourcetype=access_* |sum(bytes) by host

Sourcetype=access_* |stats sum by host

h

day

mon

yr

y

w

week

Yes

No

f*il

*fail

fail*

*fail*

status_code !=404

status_code>=400

status_code<=404

status code>403 status_code<405

Any search can be saved as a report

Only searches that generate visualizations

Only searches containing a transforming command

Only searches that generate statistics or visualizations

True

False

index

action

clientip

sourcetype

Only HF

No

Yes

Returns the least common field values of a given field in the results.

Returns the most common field values of a given field in the results.

Returns the top 10 field values of a given field in the results.

Returns the lowest 10 field values of a given field in the results.

Table

Raw

Pie Chart

List

Attributes

Constraints

True

False

lookup command

inputlookup command

Settings > Lookups > Input

Settings > Lookups > Upload

False

True

Click All Fields and select the field to add it to Selected Fields.

Click Interesting Fields and select the field to add it to Selected Fields.

Click Selected Fields and select the field to add it to Interesting Fields.

This scenario isn’t possible because all fields returned from a search always appear in the fields sidebar.

Splunk will re-run the search job in Verbose Mode to prioritize the new Selected Field

Splunk will highlight related fields as a suggestion to add them to the Selected Fields list.

Custom selections will replace the Interesting Fields that Splunk populated into the list at search time

The selected field and its corresponding values will appear underneath the events in the search results

Top values by time

Rare values by time

Events with top value fields

Events with rare value fields

Automatically correlates related fields

Converts field values into numerical values

Calculates statistics on data that matches the search criteria

Analyzes numerical fields for their ability to predict another discrete field

Save the search as a report and use it in multiple dashboards as needed

Save the search as a dashboard panel for each dashboard that needs the data

Save the search as a scheduled alert and use it in multiple dashboards as needed

Export the results of the search to an XML file and use the file as the basis of the dashboards

Time

Fast mode

Sourcetype

Selected Fields

=

>

!

*

Sourcetype=access_combined

Sourcetype=Access_Combined

sourcetype=Access_Combined

SOURCETYPE=access_combined

A field that appears in any event

A field that appears in every event

A field that appears in the top 10 events

A field that appears in at least 20% of the events

OR

AND

NOT

NAND

All search jobs are saved for 10 days

All search jobs are saved for 10 hours

All search jobs are saved for 10 weeks

All search jobs are saved for 10 minutes

Forwarders

Indexer

Heavy Forwarders

Search head

5 minutes

1 minute

10 minutes

60 minutes

Chronological

Reverser chronological

ASCIE

Alphabetical

dc(field)

count(field)

count-by(field)

distinct-count(field)

search heads

indexers

forwarders

Dashboards must have a unique dashboard ID within a permission's context.

Splunk dashboards consist of one or more panels displaying data visually in a useful way.

Splunk dashboards may not be directly created from search results without first creating a report.

Splunk dashboard panels can be populated by reports.

Parentheses

@ or # symbols

Quotation marks

Relational operators such as =, <, or >

True

False

Creating a pivot table.

Clicking on the visualizations tab.

Viewing your report in a dashboard.

Clicking on any field value in the table.

(index=netfw failure) AND index=netops warn OR critical

(index=netfw failure) OR (index=netops (warn OR critical))

(index=netfw failure) AND (index=netops (warn OR critical))

(index=netfw failure) OR index=netops OR (warn OR critical)

error | table action, src, dest

error | tabular action, src, dest

error | stats table action, src, dest

error | table column=action column=src column=dest