Splunk SPLK-1001 Splunk Core Certified User Exam Practice Test

True

False

Median(X)

Eval by X

Fields(X)

Values(X)

No

Yes

2, 1, 3

1, 2, 3

2, 3, 1

3, 2, 1

5 minutes

1 minute

10 minutes

60 minutes

To sort field values in descending order

To return only fields containing five or fewer values

To find the least common values of a field in a dataset

To find the fields with the fewest number of values across a dataset

host

owner

bytes

action

#

%

a

a#

In chronological order.

Randomly by default.

In reverse chronological order.

Alphabetically according to field name.

True

False

Alerts are based on searches that are either run on a scheduled interval or in real-time.

Alerts are based on searches and when triggered will only send an email notification.

Alerts are based on searches and require cron to run on scheduled interval.

Alerts are based on searches that are run exclusively as real-time.

Export the results to CSV format

Add the Job results to a dashboard

Schedule the Job to re-run in 10 minutes

Change Job Lifetime from 10 minutes to 7 days.

All events that either have a host of www3 or a status of 503.

All events with a host of www3 that also have a status of 503

We need more information: we cannot tell without knowing the time range

We need more information a search cannot be run without specifying an index

Dashboards

Searches

Webhooks

Reports

Parentheses

@ or # symbols

Quotation marks

Relational operators such as =, <, or >

Only data where the error field is present and does not contain a value will be displayed.

Only data with a value in the field error will be displayed.

Only data that does not contain the error field will be displayed.

Only data where the value of the field error does not equal an asterisk (*) will be displayed.

Lookups can be time based

Search results can be used to populate a lookup table

Splunk DB Connect can be used to populate a lookup table from relational databases

Output from a script can be used to populate a lookup table

Lookup have a 10mg maximum size limit

Any newly created dashboard will include that report.

There are no benefits to creating dashboard panels from reports.

It makes the dashboard more efficient because it only has to run one search string.

Any change to the underlying report will affect every dashboard that utilizes that report.

Yes

No

Table

Raw

Pie Chart

List

OR

NOT

AND

XOR

limit, count

limit, showpercent

limits, countfield

showperc, countfield

Hosts

Sourcetypes

Sources

Indexes

No

Yes

True

False

latest=-2h

earliest=-2h

latest=-2hour@d

earliest=-2hour@d

a base search for the object

fields for the object

host

index

source

sourcetype

True

False

index!=Security

Index-security

Index=Security

index=Security

@

&

*

#

(index=netfw failure) AND index=netops warn OR critical

(index=netfw failure) OR (index=netops (warn OR critical))

(index=netfw failure) AND (index=netops (warn OR critical))

(index=netfw failure) OR index=netops OR (warn OR critical)

The new result after selecting the range by dragging filters the events and displays the most recent first.

There is no functionality like click and drag in Splunk's timeline.

Using this option executes a new query.

This doesn't execute a new query

<=

=

!=

>

?=

No

Yes

Cloned panel

Inline panel

Report panel

Prebuilt panel

Splunk will re-run the search job in Verbose Mode to prioritize the new Selected Field

Splunk will highlight related fields as a suggestion to add them to the Selected Fields list.

Custom selections will replace the Interesting Fields that Splunk populated into the list at search time

The selected field and its corresponding values will appear underneath the events in the search results

2

4

1

3

index=* “failed password”

“failed password” index=*

(index=* OR index=security) “failed password”

index=security “failed password”

ASCII Character order.

Reverse chronological order.

Alphanumeric order.

Chronological order.

Search & Reporting is the only app that can be set as the default application.

Full names can only be changed by accounts with a Power User or Admin role.

Time zones are automatically updated based on the setting of the computer accessing Splunk.

Full name, time zone, and default app can be defined by clicking the login name in the Splunk bar.

Use earliest=-1d@d latest=@d

Set a real-time search over a 24-hour window

Use the time range picket to select “Yesterday”

Use the time range picker to select “Last 24 hours”

No events will be returned.

Splunk will prompt you to specify an index.

All non-indexed events to which the user has access will be returned.

Events from every index searched by default to which the user has access will be returned.

Returns the least common field values of a given field in the results.

Returns the most common field values of a given field in the results.

Returns the top 10 field values of a given field in the results.

Returns the lowest 10 field values of a given field in the results.

True

False

True

False

Only A, B

Router and Switch Logs

Firewall and Web Server Logs

Only C

Database logs

All firewall, web server, database, router and switch logs

Events

Patterns

Statistics

Visualization

Chronological

Reverser chronological

ASCIE

Alphabetical

users

power users

administrators

CTRL + Enter

Shift + Enter

Space + Enter

ALT + Enter

index=a index=b

(index=a OR index=b)

index=(a & b)

index = a, b

Automatic

Smart

Fast

Verbose

3

2

4

1

Real-time

10 Minutes

Overnight Download

30 Minutes

count, sum, add

count, sum, less

sum, avg, values

sum, values, table

When Splunk encounters a syntax error in a search

When a trigger action meets the predefined conditions

When an event in a search matches up with a data model

When results of a search meet a specifically defined condition

Reports are best named using many numbers so they can be more easily sorted.

Use a consistent naming convention so they are easily separated by characteristics such as group and object.

Name reports as uniquely as possible with no overlap to differentiate them from one another.

Any naming convention is fine as long as you keep an external spreadsheet to keep track.

limit

useperc

addtotals

fieldcount

To sort field values in descending order.

To return only fields containing five of fewer values.

To find the least common values of a field in a dataset.

To find the fields with the fewest number of values across a dataset.

True

False

Both field names and field values ARE case sensitive.

Field names ARE case sensitive; field values are NOT.

Field values ARE case sensitive; field names ARE NOT.

Both field names and field values ARE NOT case sensitive.

OR

AND

NOT

NAND

Indexer

Forwarder

Search head

Deployment server

Source type

At least five columns

Timestamp

Input filed

Saving the item to a report

Adding the item to the search.

Adding the item to a dashboard

Saving the search to a JSON file.

Splunk Enterprise Security Suite

Searching and Reporting

Reporting and Searching

Splunk apps for Security

The lookup must be configured to run automatically.

The contents of the lookup file must be copied and pasted into the search bar.

The lookup file must be uploaded to Splunk and a lookup definition must be created.

The lookup file must be uploaded to the etc/apps/lookups folder for automatic ingestion.

search heads

indexers

forwarders

Timeline shows distribution of events specified in the time range in the form of bars.

Single click to see the result for particular time period.

You can click and drag across the bar for selecting the range.

This is default view and you can't make any changes to it.

You can hover your mouse for details like total events, time and date.

No

Yes

Only HTTP Event Collector (HEC) and TCP/UDP

None of the above

Only TCP/UDP

Only Scripts

Filed & Directories, HTTP Event Collector (HEC), TCP/UDP and Scripts

No

Yes