Splunk Core Certified User & Splunk Fundamentals 1

T/F:
Machine data is always structured.
- -False. Machine data can be structured or unstructured.

Machine data makes up more than ___% of the data accumulated by organizations.
- -90

T/F:
Machine data is only generated by web servers.
- -False

Search requests are processed by the ___________.
- -Indexers

Search strings are sent from the _________.
- -Search Head

In most Splunk deployments, ________ serve as the primary way data is supplied for indexing.
- -Forwarders

Which of these is *not* a main component of Splunk?
A) Search and investigate.
B) Compress and archive.
C) Add knowledge.
D) Collect and index data.
- -B) Compress and archive

What are the three main processing components of Splunk?
*(Select all that apply.)*
A) Indexers
B) Deployment Maker
C) Search Heads
D) Forwarders
E) Distributors
- -A) Indexers
C) Search Heads
D) Forwarders

_________ define what users can do in Splunk.
A) Tokens
B) Disk permissions
C) Roles
- -C) Roles

This role will only see their own knowledge objects and those that have been shared with them.
A) User
B) Power
C) Admin
- -A) User

T/F:
You can launch and manage apps from the home app.
- -True

What are the three main default roles in Splunk Enterprise?
*(Select all that apply.)*
A) King
B) User
C) Manager
D) Admin
E) Power
- -B) User
D) Admin
E) Power

Which apps ship with Splunk Enterprise?
*(Select all that apply.)*
A) Home App
B) Sideview Utils
C) Search & Reporting
D) DB Connect
- -A) Home App
C) Search & Reporting

The default username and password for a newly installed Splunk instance is:
A) username and password
B) admin and changeme
C) admin and 12345
D) buttercup and rawks
- -B) admin and changeme

Files indexed using the *upload* input option get indexed _____.
A) Each time Splunk restarts.
B) Every hour.
C) On every search.
D) Once.
- -D) Once.

T/F:
The monitor input option will allow you to continuously monitor files.
- -True

Splunk knows where to break the event, where the time stamp is located and how to automatically create field-value pairs using these.
A) Line breaks
B) Source types
C) File names
- -B) Source types

Splunk uses ______________ to categorize the type of data being indexed.
- -sourcetype

In most production environments, _____________ will be used as the source of data input.
- -Forwarders

How is the *asterisk* used in Splunk search?
A) As a wildcard.
B) To make a nose for your clown emoticon.
C) As a placeholder.
D) To add up numbers.
- -A) As a wildcard.

Which of the following search modes toggles behavior based on the type of search being run?
A) Smart
B) Fast
C) Verbose
- -A) Smart

T/F:
When zooming in on the event timeline, a new search is run.
- -False

T/F:
These searches will return the same results...
failed password
failed AND password
- -True

A search job will remain active for _____ minutes after it is run.
A) 5
B) 10
C) 30
D) 60
E) 90
- -B) 10

What attributes describe the field below?
a dest 4
(Select all that apply.)
A) It contains 4 values.
B) It contains numerical values.
C) It cannot be used in a search.
D) It contains string values.
- -A) It contains 4 values.
D) It contains string values.

T/F:
Wildcards cannot be used with field searches.
- -False

T/F:
Field values are case sensitive.
- -False

Which is not a comparison operator in Splunk?
(Select your answer.)
A) >
B) ?=
C) <=
D) !=
E) =
- -?=

Field names are ________.
*(Select all that apply.)*
A) Always capitalized.
B) Not important in Splunk.
C) Case sensitive.
D) Case insensitive.
- -C) Case sensitive

This symbol is used in the "Advanced" section of the time range picker to round down to the nearest unit of the specified time.
(Select your answer.)
A) %
B) ^
C) @
D) &
E) *
- -C) @

T/F:
Time to search can only be set by the time range picker.
- -False

What is the most efficient way to filter events in Splunk?
A) By time.
B) Using booleans.
C) With an asterisk.
- -A) By time.

T/F:
As a general practice, exclusion is better than inclusion in a Splunk search.
- -False

Having separate indexes allows:
*(Select all that apply.)*
A) Faster Searches.
B) Ability to limit access.
C) Multiple retention policies.
- -A) Faster Searches.
B) Ability to limit access.
C) Multiple retention policies.

Would the ip column be removed in the results of this search? Why or why not?
sourcetype=a* | rename ip as "User" | fields - ip
A) Yes, because a pipe was used between