Splunk SPLK-1001 Dumps

Creating a pivot table.

Clicking on the visualizations tab.

Viewing your report in a dashboard.

Clicking on any field value in the table.

index

action

_time

host

Use earliest=-1d@d latest=@d

Set a real-time search over a 24-hour window

Use the time range picket to select “Yesterday”

Use the time range picker to select “Last 24 hours”

Lookup fields cannot be used in searches

Lookups contain static data available in the index

Lookups add more fields to results returned by a search

Lookups pull data at index time and add them to search results

Click field in field sidebar -> click YES on the pop-up dialog on upper right side -> check now field should

be visible in the list of selected fields.

Not possible.

Only CLI changes will enable it.

Click Settings -> Find field option -> Drop down select field -> enable selected field -> check now field

should be visible in the list of selected fields.

To sort field values in descending order

To return only fields containing five or fewer values

To find the least common values of a field in a dataset

To find the fields with the fewest number of values across a dataset

The lookup must be configured to run automatically.

The contents of the lookup file must be copied and pasted into the search bar.

The lookup file must be uploaded to Splunk and a lookup definition must be created.

The lookup file must be uploaded to the etc/apps/lookups folder for automatic ingestion.

False

True

True

False

No

Yes

True

False

Designed to cater numerous use cases and empower Splunk.

We can not install Splunk App.

Allows multiple workspaces for different use cases/user roles.

It is collection of different Splunk config files like data inputs, UI and Knowledge Object.

earliest=

latest=

beginning=

ending=

All the above

Only 3rd and 4th

index=security failure | stats sum as “Event Count”

index=security failure | stats count as “Event Count”

index=security failure | stats count by “Event Count”

index=security failure | stats dc(count) as “Event Count”

Props

CLI

Splunk Web

savedsearches.conf

Splunk apps and add-ons

indexes.conf

inputs.conf

Index Forwarders (IF)

Universal Forwarders (UF)

Super Forwarder (SF)

Heavy Forwarders (HF)

Acceleration, schedule, permissions

The report’s name, schedule, permissions

The report’s name, acceleration, schedule

The report’s name, acceleration, permissions

In chronological order.

Randomly by default.

In reverse chronological order.

Alphabetically according to field name.

To sort field values in descending order.

To return only fields containing five of fewer values.

To find the least common values of a field in a dataset.

To find the fields with the fewest number of values across a dataset.

Indexing

Searching

Parsing

Settings

Input

Forwarders

Deployment Server

Indexer

Knowledge Objects

Index

Search Head

top

stats

table

percent

Automatically correlates related fields

Converts field values into numerical values

Calculates statistics on data that matches the search criteria

Analyzes numerical fields for their ability to predict another discrete field

Can be accessed by Apps > Search & Reporting.

Provides default interface for searching and analyzing logs.

Enables the user to create knowledge object, reports, alerts and dashboards.

It only gives us search functionality.

No

Yes

search heads

indexers

forwarders

ASCII Character order.

Reverse chronological order.

Alphanumeric order.

Chronological order.

Only data where the error field is present and does not contain a value will be displayed.

Only data with a value in the field error will be displayed.

Only data that does not contain the error field will be displayed.

Only data where the value of the field error does not equal an asterisk (*) will be displayed.

CSV, JSON, PDF

CSV, XML JSON

Raw Events, XML, JSON

Raw Events, CSV, XML, JSON

the_questionnaire _pedia

the_questionnaire pedia

the_questionnaire_pedia

the_questionnaire Pedia

user

source

location

sourcelp

Dashboards

Metadata only

Non-interesting fields

Field descriptions

A number to the right of the field name.

A # symbol to the left of the field name.

A lowercase n to the left of the field name.

A lowercase n to the right of the field name.

Select the time range always.

Try to specify index values.

Include as many search terms as possible.

Never select time range.

Try to use * with every search term.

Inclusion is generally better than exclusion.

Try to keep specific search terms.

Any newly created dashboard will include that report.

There are no benefits to creating dashboard panels from reports.

It makes the dashboard more efficient because it only has to run one search string.

Any change to the underlying report will affect every dashboard that utilizes that report.

By scheduling a report.

By creating a link to the job.

By changing the job settings.

By changing the time range picker to more than 7 days.

False

True

Splunk Enterprise Security Suite

Searching and Reporting

Reporting and Searching

Splunk apps for Security

Real-time

10 Minutes

Overnight Download

30 Minutes

Median(X)

Eval by X

Fields(X)

Values(X)

dc(field)

count(field)

count-by(field)

distinct-count(field)

sourcetype=firewall | rare num=15 dest_ip

sourcetype=firewall | rare last=15 dest_ip

sourcetype=firewall | rare count=15 dest_ip

sourcetype=firewall | rare limit=15 dest_ip

To differentiate between structured and unstructured events in the data

To sort the events returned by the search command in chronological order

To zoom in and zoom out. although this does not change the scale of the chart

To show peaks and/or valleys in the timeline, which can indicate spikes in activity or downtime

B. host=WWW3

C. host=WWW*

D. Host=WWW3

error | table action, src, dest

error | tabular action, src, dest

error | stats table action, src, dest

error | table column=action column=src column=dest

| lookup products.csv

inputlookup products.csv

I inputlookup products.csv

| lookup definition products.csv

Line charts are optimal for single and multiple series.

Line charts are optimal for single series when using Fast mode.

Line charts are optimal for multiple series with 3 or more columns.

Line charts are optimal for multiseries searches with at least 2 or more columns.

Preset - Relative: 30-seconds ago

Relative - Earliest: 30-seconds ago, Latest: Now

Real-time - Earliest: 30-seconds ago, Latest: Now

Advanced - Earliest: 30-seconds ago, Latest: Now

Top values by time

Rare values by time

Events with top value fields

Events with rare value fields

True

False

No events will be returned.

Splunk will prompt you to specify an index.

All non-indexed events to which the user has access will be returned.

Events from every index searched by default to which the user has access will be returned.

You can modify the search string in the panel, and you can change and configure the visualization.

You can modify the search string in the panel, but you cannot change and configure the visualization.

You cannot modify the search string in the panel, but you can change and configure the visualization.

You cannot modify the search string in the panel, and you cannot change and configure the visualization.

Splunk automatically discovers only numeric fields

Splunk automatically discovers only alphanumeric fields

Splunk automatically discovers only manually configured fields

Splunk automatically discovers only fields directly related to the search results

False

True

No

Yes

New events based on the current time range picker

The same events based on the current time range picker

The same events from when the original search was executed

New events in addition to the same events from the original search

Search head, GPU, streamer

Search head, indexer, forwarder

Search head, SQL database, forwarder

Search head, SSD, heavy weight agent

Export the results to CSV format

Add the Job results to a dashboard

Schedule the Job to re-run in 10 minutes

Change Job Lifetime from 10 minutes to 7 days.

No

Yes

None of the above

Indexing Phase

Parsing Phase

Input Phase

License Metering

Chronological

Reverser chronological

ASCIE

Alphabetical

error AND (fail AND 400)

error OR (fail and 400)

error AND (fail OR 400)

error OR fail OR 400

User

Alerting

Power

Admin

A field that appears in any event

A field that appears in every event

A field that appears in the top 10 events

A field that appears in at least 20% of the events

Lookups can be time based

Search results can be used to populate a lookup table

Splunk DB Connect can be used to populate a lookup table from relational databases

Output from a script can be used to populate a lookup table

Lookup have a 10mg maximum size limit

Dashboards

Searches

Webhooks

Reports

Sourcetype=access_combined

Sourcetype=Access_Combined

sourcetype=Access_Combined

SOURCETYPE=access_combined

dedup

rename

sort -

fields +

True

False

Yes

No

Index

Search Head

Indexer

Forwarder

True

False

2

4

1

3