Using Splunk

Data is broken into single events by:

Sourcetype
Host
Number of files
The ~ character

A selected field persists for subsequent searches

True
False

A time range picker can be included in a report

True
False

Which of these is not a core component of Splunk Enterprise?

Collect and index data
Search and investigate not this
Add knowledge not this
Compress and archive

Searching & Reporting

When using the chart command, the x-axis should always be numeric

True
False

This stats function will list all field values for a given field

Avg
Value not this
List
Count

Results of eval commands always replace the existing field

True
False

What command makes the search return unlimited results?

Limit=10000 - not this
Limit=None
Limit=all
Limit=0

Which of these is not a field created with the transaction command?

Eventcount
Maxcount
Duration

When results contain a single value, these visualizations can be used

Single value
Pie chart
Gauges
Trendline

Which one of these is not a stats function?

Addtotals
Avg
List
Count
sum

Knowledge Objects

Input fields are automatically generated with a lookup command

true
false

Event types do not show up in the field list

true
false

____ are based on searches that run on a scheduled interval or in real-time

event types
macros not this
tags
alerts

Root search objects do not benefit from acceleration

true
false

Which roles can create knowledge objects shared across all apps?

User
Power
Admin

What attributes can be added to an object?

Auto-extracted
Eval expression
Lookup
Reg expression
Geo ip
Search

Data models are closely related to the pivot interface

True
false

Splunk Infrastructure

In a Windows environment, a local system user will have access to

only data that it has been given specific access to
all data on the local system
data on other Windows machines

A Splunk Enterprise deployment typically has ____ processing tiers

3
4
5
6

Events are written to disk during the ____ segment of the data pipeline.

Data input not this
Parsing
Indexing
Search

Any editing of .conf files should be done in the _______ directory:

Local
Etc not this, wtf
Var
Default

The license meter takes place at data ____ time:

Indexing
Parsing
Search not this

This data is not metered during indexing

Splunk internal logs
Data forwarded using the universal forwarder
Data forwarded using the heavy forwarder
Files indexed using a local system user on a Windows Server

Properties in the ___ file allow you to configure how data is transformed as it is processed

Transforms.conf
Alter.conf
Props.conf
Mutate.conf

The maximum size for an index setting can be overwritten by other settings

True
false

The following are Splunk Enterprise processing tiers

data input
indexing
search management
forward parsing
event eviction
file upload

Parsing and indexing are both part of the ____ processing tier

data input
indexing
search management not this

The segment of the data pipeline that stores users' knowledge objects is the ______ segment

data input
parsing
indexing not this
search

Event separation happens during the _____ segment of the data pipeline

parsing