Questions With All Correct Detailed
Answers A+ Pass
What does the Search and Reporting app do in Splunk? - Answer- It is where you run searches and create knowledge
objects, reports, and dashboards
The seven main components of the Splunk Search and Reporting interface? - Answer- 1. Splunk bar
2. App bar
3. Search bar
4. Time range picker
5. How to search panel
6. What to search panel
7. Search History
What does the time range picker do? - Answer- Restricts a search to a time window. Options are presets, relative
times (e.g. last 24 hours), real-time, date range, date and time range, and advanced (explicit earliest and
latest). Only events whose timestamp falls inside that period are retrieved.
Limiting search by ___________ is key to faster results and is a best practice - Answer-
time
The time range picker is set to _________ by default. - Answer- All time (as this guide states; current Splunk Enterprise releases default to Last 24 hours, set in ui-prefs.conf). Either way, narrow it: an All time search has to scan every index bucket.
Search jobs are available for ____ minutes by default. - Answer- 10 (a job you share via its link is kept for 7 days)
________ commands create statistics and visualizations. - Answer- Transforming
________ tab is the default tab for searches - Answer- Events
The three main search modes? - Answer- Fast, Verbose, and Smart
_______ mode has field discovery OFF for event searches and returns no event or field data for stats
(transforming) searches; fastest, but only default and explicitly named fields are available. - Answer- Fast
______ mode has field discovery ON for all searches and returns all event and field data, including the
events behind a transforming search, at the cost of speed. Use it when you want the events alongside a
visualization. - Answer- Verbose
______ mode (the default; behaviour depends on the search string) has field discovery ON for event searches
and returns no event or field data for stats searches, so it acts like Verbose for event searches and like
Fast for transforming searches. - Answer- Smart
What does the "Job" drop-down (Job ▾) do? - Answer- Edits job settings, sends the job to the
background, inspects the job, and deletes the job.
Saved searches are set to ______ by default. - Answer- private
Timestamp seen in events is based on______setting in user account profile - Answer-
time zone
List the three booleans - Answer- AND OR NOT
________ boolean is implied if none is written between terms (operators must be uppercase) - Answer- AND
Exact phrases use ______ - Answer- double quotes
Three main roles in splunk? (3) - Answer- Admin, Power, User
Installs apps, creates knowledge objects for all users (what apps a user will see by
default) - Answer- Admin
Power User abilities: - Answer- Creates and shares knowledge objects for users of app,
real-time searches
Only sees own knowledge objects and those shared to them - Answer- User
Use a _______ to escape a double quote that is part of the string you are searching for - Answer- Backslash
Example: to match the text user "chrisV4" not in database, search info="user \"chrisV4\" not in database"
The three default search fields automatically selected are - Answer- Source, Host,
Sourcetype
_______ fields that appear by default are host, sourcetype, source - Answer- Selected
_______ fields have values in at least 20% of the events - Answer- Interesting
Clicking on a field shows a list of _______, ________, and ________. - Answer- values,
count, and percentage
These fields can launch a quick report by clicking on them (4) - Answer- top values, top
values by time, rare values, events with this field
Use ______ to limit search to only one sourcetype - Answer- sourcetype=
(T/F) Using NOT and != would return the same results. - Answer- False. field!=value only returns events in which the field exists and has a different value; NOT field=value also returns events that do not have the field at all. NOT is a boolean operator and can also negate bare terms, while != is a comparison on a field.
Use _______ to nest boolean searches - Answer- parentheses
______ (searching for what you want) is better than exclusion (NOT what you do not want) - Answer- inclusion
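The following searches are an added example and are not part of the original study guide. They put the boolean, quoting and NOT-versus-!= points above into concrete SPL. The sourcetypes linux_secure and app_log, and the field names user, action and info, are assumptions chosen for illustration.

```spl
sourcetype=linux_secure "Failed password" NOT user=root

sourcetype=linux_secure "Failed password" user!=root

sourcetype=linux_secure "Failed password" NOT user=root
| eval has_user=if(isnull(user), "no", "yes")
| stats count BY has_user

sourcetype=linux_secure ("Failed password" OR "Invalid user") NOT (user=root OR user=admin)

sourcetype=linux_secure "Accepted publickey" user=deploy

sourcetype=app_log info="user \"chrisV4\" not in database"
```

The first search keeps every failed-password event whose user is not root, including events where no user field was extracted; the second drops those field-less events, because != needs the field to exist. The third search makes the difference visible: any row with has_user=no is an event the != form would silently miss. The fourth nests ORs inside a NOT with parentheses; without them, AND binds tighter than OR and the search means something else. The fifth is the inclusion form (ask for the successful key-based logins you care about rather than excluding everything else), and the last shows the backslash-escaped quotes from the example above.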
When creating reports you can edit, clone, embed, and delete under the ______ tab -
Answer- report
Top command returns top ____ results with a count and percentage - Answer- 10
What are the three ways to create visualizations? - Answer- 1. Select a field from the
fields sidebar
2. Use the pivot interface
3. Use the Splunk search language commands in the search bar with statistics and
visualization tabs
Save visual reports as _______ or _______ - Answer- report or dashboard panel
________ is an action that a saved search triggers based on the results of the search -
Answer- Alert
________ designs reports into a simple interface without having to craft a search string
- Answer- Pivot
The default time value for pivot is ______ - Answer- All time
The data model is the framework and the ______ is the interface to the data - Answer-
pivot
_______ object is the main source of data - Answer- Root
_______ object acts like an AND boolean - Answer- Child
(T/F) An instant pivot allows instant access to data without having a data model -
Answer- True
alerts use a _______ search to check for events. - Answer- saved
Adjust the ______ type to configure how often the search runs - Answer- alert
Use ________ alerts to check for events on a regular basis - Answer- Scheduled
_______ alerts monitor for events continuously - Answer- Real-time
An _______ action can notify you of a triggered alert and help you start responding to it
- Answer- alert
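As an added example that is not part of the original guide, here is a saved search suitable for a scheduled alert: it runs every 15 minutes and triggers when any source IP has more than 20 failed SSH logins in the window. The sourcetype linux_secure, the field names src and user, and the threshold of 20 are assumptions. The explicit earliest and latest modifiers snap the window to whole minutes so consecutive runs neither overlap nor leave gaps.

```spl
sourcetype=linux_secure "Failed password" earliest=-15m@m latest=@m
| stats count AS failures, dc(user) AS distinct_users, values(user) AS users BY src
| where failures > 20
| sort - failures
```

Save it as an alert of type Scheduled with the cron schedule */15 * * * *, trigger condition "Number of Results is greater than 0", and trigger "For each result" so each offending src produces its own alert. Because the threshold is already applied by the where command, the trigger condition only needs to check that rows came back. Enable throttling on the src field for an hour or so, otherwise a sustained brute-force attempt re-fires the alert on every run. A high distinct_users count with a low per-user count is the password-spraying pattern; a single user with many failures is the classic brute force.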
______ is the most efficient filter - Answer- Time
Search terms are case sensitive or case insensitive? (Boolean operators must be uppercase, field names are case sensitive, field values are not.)
(components of search language) - Answer- Case insensitive
______ tell Splunk what we want to do with results (ex. stats)
(components of search language) - Answer- Commands
______ are variables to apply to function (ex. Product name)
(components of search language) - Answer- Arguments
_____ is used to pass current results to the next search component - Answer- A pipe
(T/F) Search command works from left to right - Answer- True
(T/F) Once an event or field is filtered out by one command it is no longer available to the commands later in the pipeline - Answer-
True
_____ command includes or excludes fields from search results. - Answer- Fields
Exclude a field by using ______ symbol - Answer- minus (-)
(T/F) The internal fields _time and _raw are always extracted, but can be removed from the results with the minus form
(for example fields - _raw) - Answer- True
Field _____ (fields - ...) happens after field ______ and only affects the displayed results, whereas field inclusion (fields + ...) happens at extraction time and can speed the search up. - Answer-
exclusion, extraction
________ command retains searched data in a tabulated format - Answer- table
(T/F) Regarding the rename command, once a field is renamed the original name is still
available to later search commands - Answer- False (later commands must use the new name)
This command removes events with duplicate values - Answer- dedup
This command displays results in ascending or descending order. - Answer- sort
This command combines fields from external sources to searched events, based on
event field - Answer- Lookup
This command produces statistics of a search result - Answer- stats command
This command shows the number of events matching search criteria - Answer- stats
count
This command returns the sum of a numerical field - Answer- stats sum
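The two searches below are an added example, not part of the original guide, and chain the commands from this section in a realistic order. The index web with sourcetype access_combined (fields clientip, status, uri_path, useragent) is a standard Splunk add-on layout, but the lookup file threat_intel_ips.csv with columns ip and threat_category is an assumed table that you would upload yourself.

```spl
index=web sourcetype=access_combined status>=400
| fields clientip, status, uri_path, useragent
| fields - _raw
| lookup threat_intel_ips.csv ip AS clientip OUTPUT threat_category
| fillnull value="unknown" threat_category
| stats count AS errors, dc(uri_path) AS distinct_paths, dc(useragent) AS agents BY clientip, threat_category
| rename clientip AS src_ip
| sort - errors
| table src_ip, threat_category, errors, distinct_paths, agents

index=web sourcetype=access_combined status>=400
| dedup clientip sortby -_time
| table _time, clientip, status, uri_path
```

In the first search the inclusion form of fields limits extraction to the four fields that are needed, and fields - _raw drops the raw text from the display afterwards. The fillnull step matters: stats BY discards any event whose BY field is null, so without it every IP that is absent from the threat list would vanish from the report. After rename, the field is src_ip; a later where clientip=... would match nothing. sort - errors puts the noisiest sources first, and table fixes the column order. The second search uses dedup with sortby -_time to keep only the most recent error per client, which is the "last seen" view rather than a count.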