1) Which search would return events from the access_combined sourcetype?
a) Sourcetype=access_combined
b) Sourcetype=Access_Combined
c) sourcetype=Access_Combined
d) SOURCETYPE=access_combined

2) Which of the following index searches would provide the most efficient search performance?
a) index=*
b) index=web OR index=s*
c) (index=web OR index=sales)
d) *index=sales AND index=web*

3) What is a suggested Splunk best practice for naming reports?
a) Reports are best named using many numbers so they can be more easily sorted.
b) Use a consistent naming convention so they are easily separated by characteristics such as group and object.
c) Name reports as uniquely as possible with no overlap to differentiate them from one another.
d) Any naming convention is fine as long as you keep an external spreadsheet to keep track.

4) In a deployment with multiple indexes, what will happen when a search is run and an index is not specified in the search string?
a) No events will be returned.
b) Splunk will prompt you to specify an index.
c) All non-indexed events to which the user has access will be returned.
d) Events from every index searched by default to which the user has access will be returned.

5) When looking at a statistics table, what is one way to drill down to see the underlying events?
a) Creating a pivot table.
b) Clicking on the Visualizations tab.
c) Viewing your report in a dashboard.
d) Clicking on any field value in the table.

6) In the Splunk interface, the list of alerts can be filtered based on which characteristics?
a) App, Owner, Severity, and Type
b) App, Owner, Priority, and Status
c) App, Dashboard, Severity, and Type
d) App, Time Window, Type, and Severity

7) What are the steps to schedule a report?
a) After saving the report, click Schedule.
b) After saving the report, click Event Type.
c) After saving the report, click Scheduling.
d) After saving the report, click Dashboard Panel.

8) In the fields sidebar, what indicates that a field is numeric?
a) A number to the right of the field name.
b) A # symbol to the left of the field name.
c) A lowercase n to the left of the field name.
d) A lowercase n to the right of the field name.

9) Which of the following are functions of the stats command?
a) count, sum, add
b) count, sum, less
c) sum, avg, values
d) sum, values, table

10) At index time, in which field does Splunk store the timestamp value?
a) time
b) _time
c) EventTime
d) timestamp

11) Which of the following is a best practice when writing a search string?
a) Include all formatting commands before any search terms.
b) Include at least one function, as this is a search requirement.
c) Include the search terms at the beginning of the search string.
d) Avoid using formatting clauses, as they add too much overhead.

12) What type of search can be saved as a report?
a) Any search can be saved as a report.
b) Only searches that generate visualizations.
c) Only searches containing a transforming command.
d) Only searches that generate statistics or visualizations.

13) What can be included in the All Fields option in the sidebar?
a) Dashboards
b) Metadata only
c) Non-interesting fields
d) Field descriptions

14) When viewing the results of a search, what is an Interesting Field?
a) A field that appears in any event.
b) A field that appears in every event.
c) A field that appears in the top 10 events.
d) A field that appears in at least 20% of the events.

15) When a Splunk search generates calculated data that appears in the Statistics tab, in what formats can the results be exported?
a) CSV, JSON, PDF
b) CSV, XML, JSON
c) Raw Events, XML, JSON
d) Raw Events, CSV, XML, JSON

16) Which search matches the events containing the terms `error` and `fail`?
a) index=security Error Fail
b) index=security error OR fail
c) index=security error failure
d) index=security NOT error NOT fail

17) Which of the following is an option after clicking an item in search results?
a) Saving the item to a report.
b) Adding the item to the search.
c) Adding the item to a dashboard.
d) Saving the search to a JSON file.

18) Which of the following fields is stored with the events in the index?
a) user
b) source
c) location
d) sourceIp

19) Which of the following is the recommended way to create multiple dashboards displaying data from the same search?
a) Save the search as a report and use it in multiple dashboards as needed.
b) Save the search as a dashboard panel for each dashboard that needs the data.
c) Save the search as a scheduled alert and use it in multiple dashboards as needed.
d) Export the results of the search to an XML file and use the file as the basis of the dashboards.

20) What does the following specified time range do? earliest=-72h@h latest=@d
a) Look back 3 days ago and prior.
b) Look back 72 hours, up to one day ago.
c) Look back 72 hours, up to the end of today.
d) Look back from 3 days ago, up to the beginning of today.

21) Which events will be returned by the following search string? host=www3 status=503
a) All events that either have a host of www3 or a status of 503.
b) All events with a host of www3 that also have a status of 503.
c) We need more information; we cannot tell without knowing the time range.
d) We need more information; a search cannot be run without specifying an index.

22) What does the stats command do?
a) Automatically correlates related fields.
b) Converts field values into numerical values.
c) Calculates statistics on data that matches the search criteria.
d) Analyzes numerical fields for their ability to predict another discrete field.

23) What is the primary function of the timeline located under the search bar?
a) To differentiate between structured and unstructured events in the data.
b) To sort the events returned by the search command in chronological order.
c) To zoom in and zoom out, although this does not change the scale of the chart.
d) To show peaks and/or valleys in the timeline, which can indicate spikes in activity or downtime.

24) What can be configured using the Edit Job Settings menu?
a) Export the result to CSV format.
b) Add the job results to a dashboard.
c) Schedule the job to re-run in 10 minutes.
d) Change the job lifetime from 10 minutes to 7 days.

25) Which command is used to validate a lookup file?
a) | lookup products.csv
b) inputlookup products.csv
c) | inputlookup products.csv
d) | lookup_definition products.csv

26) Which statement is true about the top command?
a) It returns the top 10 results.
b) It displays the output in table format.
c) It returns the count and percent columns per row.
d) All of the above.

27) How can another user gain access to a saved report?
a) The owner of the report can edit permissions from the Edit dropdown.
b) Only users with an Admin or Power User role can access other users' reports.
c) Anyone can access any reports marked as public within a shared Splunk deployment.
d) The owner of the report must clone the original report and save it to their user account.

28) What is the primary use for the rare command?
a) To sort field values in descending order.
b) To return only fields containing five or fewer values.
c) To find the least common values of a field in a dataset.
d) To find the fields with the fewest number of values across a dataset.

29) What happens when a field is added to the Selected Fields list in the fields sidebar?
a) Splunk will re-run the search job in Verbose Mode to prioritize the new Selected Field.
b) Splunk will highlight related fields as a suggestion to add them to the Selected Fields list.
c) Custom selections will replace the Interesting Fields that Splunk populated into the list at search time.
d) The selected field and its corresponding values will appear underneath the events in the search results.

30) By default, which of the following is a Selected Field?
a) action
b) clientip
c) categoryId
d) sourcetype

31) According to Splunk best practices, which placement of the wildcard results in the most efficient search?
a) f*il
b) *fail
c) fail*
d) *fail*

32) Which command automatically returns percent and count columns when executing searches?
a) top
b) stats
c) table
d) percent

33) Which of the following describes lookup files?
a) Lookup fields cannot be used in searches.
b) Lookups contain static data available in the index.
c) Lookups add more fields to results returned by a search.
d) Lookups pull data at index time and add them to search results.

34) Which search string is the most efficient?
a) -failed password
b) -failed password*
c) index=* -failed password
d) index=security -failed password

35) Which search string matches only events with the status_code of 404?
a) status_code!=404
b) status_code>=400
c) status_code<=404
d) status_code>403 status_code<405

36) ______________ transforms raw data into events and distributes the results into an index.
a) Index
b) Search Head
c) Indexer
d) Forwarder

37) Documentation for Splunk can be found at docs.splunk.com.
a) True
b) False

38) Which component of Splunk is primarily responsible for saving data?
a) Search Head
b) Heavy Forwarder
c) Indexer
d) Universal Forwarder

39) The universal forwarder is recommended for forwarding logs to indexers.
a) False
b) True

40) Splunk apps are used for the following (choose three):
a) Designed to cater to numerous use cases and empower Splunk.
b) We cannot install Splunk apps.
c) Allows multiple workspaces for different use cases/user roles.
d) It is a collection of different Splunk config files such as data inputs, UI and knowledge objects.

41) The three basic components of Splunk are (choose three):
a) Forwarders
b) Deployment Server
c) Indexer
d) Knowledge Objects
e) Index
f) Search Head

42) What is Splunk?
a) Splunk is a software platform to search, analyze and visualize machine-generated data.
b) A database management tool.
c) Security Information and Event Management (SIEM).
d) A cloud-based application that helps in analyzing logs.

43) We should use a heavy forwarder for sending event-based data to indexers.
a) False
b) True

44) Splunk Enterprise is used as a scalable service in Splunk Cloud.
a) True
b) False

45) Which component of Splunk lets us write SPL queries to find the required data?
a) Forwarders
b) Indexer
c) Heavy Forwarders
d) Search Head

46) All components are installed and administered in Splunk Enterprise on-premises.
a) True
b) False

47) Log filtering/parsing can be done from _____________.
a) Index Forwarders (IF)
b) Universal Forwarders (UF)
c) Super Forwarder (SF)
d) Heavy Forwarders (HF)

48) Which is the default app for Splunk Enterprise?
a) Splunk Enterprise Security Suite
b) Searching and Reporting
c) Reporting and Searching
d) Splunk apps for Security

49) What kind of logs can Splunk index?
a) Only A, B
b) Router and Switch Logs
c) Firewall and Web Server Logs
d) Only C
e) Database logs
f) All firewall, web server, database, router and switch logs

50) What is the correct syntax to find events associated with a tag?
a) tag:<field>=<value>
b) tags=<value>
c) tags:<field>=<value>
d) tag=<value>
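Question 20 turns on how a relative time modifier such as `-72h@h` composes: the offset is applied first, then the `@` snap rounds the result down to the named unit, and a bare `@d` is today's midnight. The Python below is an added example, not code from the quiz or from Splunk. It evaluates the subset of the modifier grammar the question uses (a signed offset in s/m/h/d/w, an optional `@unit` snap, and `now`) against `EXAMPLE_NOW`, a constructed reference instant, so the window a pair of modifiers produces can be checked exactly. Month and year snaps and weekday-specific snaps like `@w1` are deliberately left out.

```python
"""Splunk-style relative time modifiers, e.g. earliest=-72h@h latest=@d.

Added example; not code from the quiz or from Splunk. It covers the subset of
the modifier grammar used in question 20: an optional signed offset with unit
s, m, h, d or w, an optional '@unit' snap (applied after the offset, always
rounding down), and the literal 'now'. Month/year snaps and '@w1'-style
weekday snaps are not implemented.
"""
import re
from datetime import datetime, timedelta

# Constructed reference instant (a Friday) used by the checks below; it is an
# assumption of this example, not a value from the quiz.
EXAMPLE_NOW = datetime(2024, 3, 15, 14, 37, 22)

_UNITS = {"s": "seconds", "m": "minutes", "h": "hours", "d": "days", "w": "weeks"}
_MODIFIER = re.compile(
    r"^(?:(?P<sign>[+-])(?P<num>\d+)(?P<unit>[smhdw]))?(?:@(?P<snap>[smhdw]))?$"
)


def snap(t, unit):
    """Round t down to the start of `unit` (the '@' part of a modifier)."""
    if unit == "s":
        return t.replace(microsecond=0)
    if unit == "m":
        return t.replace(second=0, microsecond=0)
    if unit == "h":
        return t.replace(minute=0, second=0, microsecond=0)
    midnight = t.replace(hour=0, minute=0, second=0, microsecond=0)
    if unit == "d":
        return midnight
    if unit == "w":  # '@w' snaps to the most recent Sunday
        return midnight - timedelta(days=(midnight.weekday() + 1) % 7)
    raise ValueError(f"unsupported snap unit {unit!r}")


def resolve(modifier, now=EXAMPLE_NOW):
    """Return the absolute time that `modifier` denotes relative to `now`."""
    modifier = modifier.strip()
    if modifier == "now":
        return now
    m = _MODIFIER.match(modifier)
    if not modifier or m is None:
        raise ValueError(f"unsupported time modifier {modifier!r}")
    t = now
    if m.group("num"):
        delta = timedelta(**{_UNITS[m.group("unit")]: int(m.group("num"))})
        t = t + delta if m.group("sign") == "+" else t - delta
    if m.group("snap"):  # the snap is applied after the offset, not before
        t = snap(t, m.group("snap"))
    return t


def time_range(earliest, latest, now=EXAMPLE_NOW):
    """Resolve an earliest/latest pair and return (start, end) as ISO strings."""
    start, end = resolve(earliest, now), resolve(latest, now)
    if start > end:
        raise ValueError("earliest is later than latest")
    return start.isoformat(), end.isoformat()


if __name__ == "__main__":
    print(time_range("-72h@h", "@d"))  # the window from question 20
```

With the reference instant fixed at Friday 14:37:22, `-72h@h` lands on Tuesday 14:00:00 and `@d` on Friday 00:00:00, so the window stops at the beginning of today rather than at "now"; a search written this way silently excludes the current day, which matters when the report is meant to catch activity from the last few hours.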
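Questions 1, 16, 21 and 35 all come down to the same handful of search-language rules: whitespace between terms is an implicit AND, `OR` is evaluated before that AND and `NOT` before `OR`, keywords match the raw text case-insensitively as whole words (so `fail` does not match `failed` unless written `fail*`), field names are case-sensitive while `=` compares values case-insensitively, and `!=` or a numeric comparison only matches events that actually carry the field. The Python below is an added example, not code from the quiz or from Splunk, that implements exactly those rules over a handful of constructed events (the `EVENTS` list and its field values are made up for illustration); parentheses and quoted phrases are not supported.

```python
"""Evaluate a subset of Splunk search syntax against in-memory events.

Added example for questions 1, 16, 21 and 35; not code from the quiz or from
Splunk, and the EVENTS below are constructed sample data. Rules implemented:
implicit AND between whitespace-separated terms, OR binding tighter than that
AND, NOT negating the next term, case-insensitive whole-word keyword matching
with '*' wildcards, case-sensitive field names with case-insensitive '='
values, and '!='/numeric comparisons that require the field to be present.
"""
import re

# Constructed sample events: raw text plus fields extracted from it.
EVENTS = [
    {"id": 1, "_raw": "ERROR: backend fail, returning 503",
     "host": "www3", "status_code": "503", "sourcetype": "access_combined"},
    {"id": 2, "_raw": "page not found",
     "host": "www3", "status_code": "404", "sourcetype": "access_combined"},
    {"id": 3, "_raw": "error while retrying upstream",
     "host": "www1", "status_code": "503", "sourcetype": "access_combined"},
    {"id": 4, "_raw": "login failed for user bob",
     "host": "www2", "sourcetype": "access_combined"},  # no status_code field
]

_COMPARISON = re.compile(r"^([A-Za-z_][\w.]*)(!=|>=|<=|=|>|<)(.+)$")


def _wildcard_regex(pattern, whole_value):
    """Turn a term with '*' wildcards into a case-insensitive regex."""
    body = re.escape(pattern).replace(r"\*", ".*" if whole_value else r"\S*")
    return re.compile(body if whole_value else rf"(?<!\w){body}(?!\w)", re.IGNORECASE)


def _keyword_matches(term, raw):
    return _wildcard_regex(term, whole_value=False).search(raw) is not None


def _field_matches(field, op, value, event):
    if field not in event:  # field names are case-sensitive; a missing field
        return False        # never satisfies a comparison, even '!='
    actual = str(event[field])
    equal = _wildcard_regex(value, whole_value=True).fullmatch(actual) is not None
    if op == "=":
        return equal
    if op == "!=":
        return not equal
    try:
        a, b = float(actual), float(value)
    except ValueError:
        return False
    return {"<": a < b, ">": a > b, "<=": a <= b, ">=": a >= b}[op]


def _term_matches(term, event):
    m = _COMPARISON.match(term)
    if m:
        return _field_matches(*m.groups(), event)
    return _keyword_matches(term, event["_raw"])


def parse(query):
    """Split a query into AND-ed groups of OR-ed (negated, term) pairs.

    Precedence: NOT applies to the next term, OR joins terms into one group,
    and the groups themselves are ANDed (explicit 'AND' is just a separator).
    """
    tokens = query.split()
    groups, join_to_previous, i = [], False, 0
    while i < len(tokens):
        tok = tokens[i]
        i += 1
        if tok == "AND":
            continue
        if tok == "OR":
            join_to_previous = True
            continue
        negated = False
        if tok == "NOT":
            if i >= len(tokens):
                raise ValueError("NOT needs a following term")
            negated, tok = True, tokens[i]
            i += 1
        if join_to_previous and groups:
            groups[-1].append((negated, tok))
        else:
            groups.append([(negated, tok)])
        join_to_previous = False
    return groups


def matches(event, query):
    return all(any(neg != _term_matches(t, event) for neg, t in group)
               for group in parse(query))


def search(query, events=EVENTS):
    """Return the ids of the events that `query` matches."""
    return [e["id"] for e in events if matches(e, query)]


if __name__ == "__main__":
    for q in ("error fail", "error OR fail", "host=www3 status_code=503",
              "status_code!=404", "NOT status_code=404"):
        print(f"{q!r:32} -> {search(q)}")
```

The last two queries in the demo are the caveat behind question 35's first distractor: `status_code!=404` drops event 4 because it has no `status_code` field at all, while `NOT status_code=404` keeps it. In a detection search the difference decides whether events with a missing or unextracted field are silently excluded.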
