Reading...
Play button
Play button
Use LEFT and RIGHT arrow keys to navigate between flashcards;
Use UP and DOWN arrow keys to flip the card;
H to show hint;
A reads text to speech;
227 Cards in this Set
- Front
- Back
|
"case(X,"Y",…)"
|
Takes pairs of arguments X and Y, where X arguments are Boolean expressions. When evaluated to TRUE, the arguments return the corresponding Y argument.
You can stack these in series to have multiple x and y comparisons in one - ex. (x, y, x, z, ....) |
|
|
… | lookup usertogroup user output group
|
For each event, use the lookup table usertogroup to locate the matching “user” value from the event. Output the group field value to the event
|
|
|
3 Key Splunk Functional Components
|
Search Head (SH) - Indexer - Data Inputs
|
|
|
3 main methods to create viusalizations
|
1. Select field from fileds sidebar 2. Use Pivot interface 3. use SPL in search bar with Statistica and Visualizations tabs
|
|
|
4 Primary Indexes
|
Main - _audit - _internal - _thefishbucket
|
|
|
A knowledge object that enables you to search for events that contain particular field values
|
Tag
|
|
|
Addcoltotals
|
| addcoltotals adds row/column totals - Example |addtotals labelfield=product_name col=true
|
|
|
Add-on
|
data feed - modular inputs - scripts or other mechanism for data colleciton - does not include UI
|
|
|
Alias
|
Alternate name you assign to FIELD. You can use field aliasing to normalize field names
|
|
|
App
|
Sets of Dashboards - views - searches used to support a particular buiness need or to solve a particular use case or type of problem
|
|
|
Benefits of Index Clustering
|
Data Availability - Data Fidelity - Data Recovery
|
|
|
Best way to improve search performance
|
Limit Time
|
|
|
Bloom Filter
|
Splunk Enterprise uses bloom filters to decrease the time it requires to retrieve events from the index
|
|
|
Boolean Operators are case sensitive
|
TRUE
|
|
|
Calculated Fields
|
Calculated field operations are in the middle of the search-time operation sequence so they cannot reference lookups, event types or tags.
|
|
|
Can be a text document, a configuration file, an entire stack trace, and so on.
|
Event
|
|
|
Can represent a multi-step business-related activity, such as all events related to a single customer session on a retail website.
|
Transaction
|
|
|
Can you apply aliases to field lookups?
|
Yes
|
|
|
Clauses used with Top Command
|
limit - countfield - percentfield - showcount -showperc - useother - otherStr
|
|
|
Coalesce function
|
If you do not want the calculated field to override existing fields when the eval statement returns null
|
|
|
Command adds fields based on looking at the value in an event, referencing a lookup table, and adding the fields in matching rows in the lookup table to your event.
|
lookup
|
|
|
Command calculates aggregate statistics over a dataset, similar to SQL aggregation.
|
stats
|
|
|
Command calculates the value of a new field based on other fields, whether numerically, by concatenation, or through Boolean logic
|
eval command
|
|
|
Command can be used to create new fields by using regular expressions to extracting patterned data in other fields.
|
rex
|
|
|
Command creates tabular data output suitable for charting
|
chart command
|
|
|
Comparison Operators
|
=
=! < > |
|
|
Config to receive content from Deployment Server
|
deploymentclient.conf
|
|
|
Configuration Files
|
System Settings - Authentication - Index Mapping - Deployment & Cluster Configs - Knowledge Object and save searches
|
|
|
Configure inputs - forwarders - file monitoring
|
inputs.conf
|
|
|
Configure regex-based host & source overrides
|
transforms.conf
|
|
|
Create Report 2 ways
|
Search and Pivot
|
|
|
Data Classification
|
Alerts - events types - transactions
|
|
|
Data Enrichment
|
Lookups - Reports - Transforms - Views - Workflows - Data Normalization - Data Models
|
|
|
Data Enrichment
|
Lookups and workflow actions
|
|
|
Data Inputs
|
Files and Directories - Network Events - Windows Sources - Scripted Inputs - Modular Inputs
|
|
|
Data Interpretation
|
fields - fields extractions - macros - search commands
|
|
|
Data Interpretation
|
Fields and Field Extraction
|
|
|
Data Layer
|
C/C++ Server - accesses and processes and indexes streaming data and handles searches
|
|
|
Data Models
|
Make use of lookups - transactions - search time field extractions
|
|
|
Data Models
|
Encode domain knowledge needed for specialized searches
|
|
|
Data Models
|
Representation of datasets wich drive the pivot tool
|
|
|
Data Models
|
A data model is a hierarchically structured search-time mapping of semantic knowledge about one or more datasets. Data models drive the Pivot tool. They enable users of Pivot to create compelling reports and dashboards without designing the searches that generate them.
|
|
|
Data Models
|
Representative of 1 or more Datasets
|
|
|
Dataset
|
a collection of data that you define and maintain for a specific business purpose. It is represented as a table, with fields for columns and field values for cells.
|
|
|
Dataset constraints
|
filter out events that aren't relevant to the dataset.
|
|
|
Default Search Mode
|
Smart
|
|
|
Default Selected Search Fields
|
Host - Source - SourceType
|
|
|
Determines how a forwarder sends data to receiving Splunk instance
|
outputs.conf
|
|
|
Distributed Search
|
Horizontal scaling by distributing the indexing and searching load across multiple indexers - makes possible searching large volumes
|
|
|
Django Bindings
|
Provides DJango tags to create Splunk Views and Search Managers
|
|
|
endswith
|
Form transaction that ends with specific terms or field values or events
|
|
|
erex
|
Builds regex for you
|
|
|
Eval
|
The eval command calculates an expression and puts the resulting value into a destination field. If this destination field matches a field name that already exists, it overwrites the existing field value with the results of the eval expression. The eval command evaluates mathematical, string, and boolean expressions.
|
|
|
Eval Command
|
Arithmetic - Concatenation - Boolean Example stats sume(sc_bytes) as Bytes by usage |eval bandwidth=Bytes/1024/1024 This creates a new field named "bandwidth"
|
|
|
Eval Command IF Function
|
Takes 3 arguments - if(x y z)
x = Boolean y = is the if value and must be in quotes if not a number z = else value |
|
|
Event
|
Single Record within the data
|
|
|
Event types
|
Data Classificaiton
|
|
|
Event types can have tags
|
TRUE
|
|
|
Events Types
|
Group together sets of events discovered through searches
|
|
|
Example Search Clause
|
as
|
|
|
Example Search Command
|
stats
|
|
|
Example Search Function
|
Sum()
|
|
|
Example Search Term
|
sourcetype=acc* status=503
|
|
|
Exlcude Fields in Search by
|
using "fields" followed by field names or "-fieldname"
By listing field names, you are excluding all other fields. By using -fieldname you are excluding only those "-" listed fields. |
|
|
Extracted Fields
|
Good for rarely used fields
|
|
|
Facilitate event categorization using the full power of the search command, meaning you can use Boolean expressions, wildcards, field values, phrases, and so on.
|
event types
|
|
|
Field Extraction
|
Allow you to include/exclude specific fields
|
|
|
Fields are case sensitive
|
TRUE
|
|
|
Fields Format Command
|
Formats values without changing the underlying value characteristics - same function as eval
|
|
|
fillnul Command
|
replace null values with zero or specified value - for example "|fillnull values="nothing to see here" would replace null value with "nothing to see here"
|
|
|
Filtering command returns the first count results. permits a search to stop retrieving events from disk when it finds the desired number of results.
|
head
|
|
|
Groups events that meet various constraints into transactions—collections of events, possibly from multiple sources.
|
Transaction
|
|
|
head/tail
|
Returns the first/last N results
|
|
|
Heat map
|
Highlights outstanding values
|
|
|
High and low values
|
Highlights max and min of non zero values
|
|
|
Host
|
Hostname or IP address from where the data originates
|
|
|
How are Interesting Values identified?
|
Value is in at least 20% of the searched events
|
|
|
How do you interface with Splunk?
|
REST API
|
|
|
How do you monitor Windows Performance?
|
Forwarder or WMI
|
|
|
How many reports are available for character feilds?
|
3 - 1. Top Values 2. Top Values by Time 3. Rare Values
|
|
|
How to get data into Splunk
|
1. Splunk Settings 2. Apps 3. CLI 4. Editing Config Files
|
|
|
HTML and JavaScript
|
Convert Simple XML to HTML and JavaScript that accesses the SplunkJS Stack - Provides full layout control
|
|
|
inputlookup in search
|
|inputlookup http_status.csv
|
|
|
Is an argument to a command that runs its own search, returning those results to the parent command as the argument value.
|
subsearch
|
|
|
Keyword arguments to the search command are case-sensitive
|
FALSE
|
|
|
Let you quickly visualize a data pattern without creating a separate line chart.
|
sparkline
|
|
|
Makes your data more understandable and less ambiguous
|
Tags
|
|
|
Manipulate field values at search time using
|
Eval Commands |
|
|
maxpause
|
max total time between events
|
|
|
maxspan
|
max total time between earlist and latest events
|
|
|
MultiKV
|
Used to extract fields from table formated events
|
|
|
Normalization
|
Assign tags to field values . Alias - assign to exisiting field name
|
|
|
Phase 1
|
Collect and Index
|
|
|
Phase 2
|
Search and Investigate
|
|
|
Phase 3
|
Add Knowledge
|
|
|
Phase 4
|
Monitor and Alert
|
|
|
Phase 5
|
Report and Analyze
|
|
|
Pivot Table requires a data model first
|
True - You need a data model first or Instant Pivot will create one for you.
|
|
|
Power User Role
|
Create KOs and Share Data
|
|
|
Provides a way to scale your deployment by separating the search management and presentation layer from the indexing and search retrieval layer
|
Distributed Search
|
|
|
Rare Search Term
|
Same as Top
|
|
|
Refers to the table, chart, or other visualization you create
|
Pivot
|
|
|
Regex
|
Python or Perl Style Expression
|
|
|
Rename Command
|
Rename Arguement Field Name. Example -Rename IP as HostName
|
|
|
Report
|
Views - Provide access to and displays data using search boxes fields and charts
|
|
|
Report Definition
|
At minimum, a report definition includes the search string and the time range associated with the search (expressed in terms of relative time modifiers).
|
|
|
REST API
|
Used to Configure and Manage Splunk Instance - Create and Run Searches - Create Applications
|
|
|
REST API
|
Address endpoint such as Apps - Users - Searches - Jobs - Indexes - Inputs - more
|
|
|
Returns a table of results where each row represents a single unique combination of the values of the group-by fields"
|
stats |
|
|
rex
|
Regex - Regular Expression built by user
|
|
|
Runs its own search and returns the results to the parent command as the argument value
|
Subsearch
|
|
|
Search Best Practice
|
Be as specific as possible
|
|
|
Search Best Practice
|
Exclusion is better than inclusion
|
|
|
Search Best Practice
|
Filter Early
|
|
|
Search Best Practices
|
Filter out results as soon as possible before calculations. Use field-value pairs, before the first pipe. Filter out unnecessary fields as soon as possible in the search. Postpone commands that process over the entire result set (non streaming commands) as late as possible in your search. Some of these commands are: dedup, sort, and stats.Use post processing searches in dashboards. Use summary indexing, and report and data model acceleration features.
|
|
|
Search Boolean Operators
|
NOT - OR - AND
|
|
|
Search Events Listing is in what order?
|
Reverse Chronological (newest first)
|
|
|
Search Events Result time is based o what?
|
User Time Zone
|
|
|
Search Mode - Fast
|
Speeds up searches by limiting the types of data returned by the search.
|
|
|
Search Mode - Smart
|
The default setting, toggles search behavior based on whether your search contains transforming commands. For transforming searches, it behaves like Fast mode. For searches without transforming commands, it behaves like Verbose mode.
|
|
|
Search Mode - Verbose
|
Returns as much event information as possible, at the expense of slower search performance.
|
|
|
Search Modes
|
1. Fast 2. Smart 3. Verbose
|
|
|
Search Terms are Case Sensitive
|
FALSE
|
|
|
Server Layer
|
Python & DJango - Use Splunk SDK for Python to directly write code
|
|
|
Shows details about your search, such as the execution costs of your search, debug messages, and search job properties.
|
Job Inspector
|
|
|
Simple XML
|
Default Dashboards - Chart Customization - Dynaminc Drilldowns - Access to custom CSS and JavaScript files - Custom behaviors & visualizations using SplunkJS stack libraries
|
|
|
SImple XML Extensions
|
Customize the layout of dashboards - new visualizations - dashbaord behaviors
|
|
|
Source
|
Name of file - stream or data input
|
|
|
Sourcetype
|
Type of data
|
|
|
Sourcetype is not required
|
FALSE - sourcetype must be defined
|
|
|
SPL Filtering Results
|
search, where, dedup, head, tail
|
|
|
SPL Filtering, Modifying, and Adding Fields
|
fields, replace, eval, rex, lookup
|
|
|
SPL Grouping Results
|
Transaction
|
|
|
SPL Reporting Results
|
top/rare,estats, chart, timechart
|
|
|
SPL Search Components
|
Search Terms+Commands+Functions+Arguments+Clauses
|
|
|
SPL Sorting Results
|
sort
|
|
|
Splunk Index
|
raw data + Index Files
|
|
|
Splunk Web Architecture
|
Client Layer - Server Layer - Data Layer
|
|
|
startswith
|
Form transaction that start with specific terms or field values or events
|
|
|
Static Functions are case sensitive
|
FALSE
|
|
|
Stats Command
|
Count - DistinctCount - Sum - avg - list - Values
|
|
|
Stats Count Command
|
| stats count(action) as ActionEvents for example - stats count as "Total Sales by vendors" by product_name
|
|
|
Stats List
|
|stats list(Asset) as "Company Assets" by Employee - Returns a row for each employee and a list of their assets
|
|
|
Stats Sparkline
|
|stats sparkline(count, 24h) as "Page Hits" by uri
|
|
|
Stats Sum
|
|stats sum(price) as "Gross Sales" by product_name
|
|
|
Steps to create lookup
|
Add lookup file then add lookup definition - Add Automatic Lookup to make searching easier
|
|
|
Stores saved searches
|
savedsearches.conf
|
|
|
Summary indexing
|
A method of search acceleration. The results from a summary-indexing optimized search are stored in a special format that cannot be modified before the final transformation is performed.
|
|
|
Table Command
|
Builds table made up from fields used in argument list
|
|
|
Tag
|
Enable you to assign names to specific field and value combinations
|
|
|
The subsearch is run first
|
TRUE
|
|
|
This command removes subsequent results that match specified criteria
|
dedup
|
|
|
TImestamp
|
date/time of the event
|
|
|
TImestamp recognition - event segmentation - host & source mathcing
|
props.conf
|
|
|
Top Command
|
Returns count or percent
|
|
|
tostring function
|
Converts numerical values to string. For example - |eval totoal_list_price = "$" + tostring(to_list_price)
|
|
|
transaction
|
Groups search results into transactions
|
|
|
Transaction Command
|
Allows you to correlate related events on a field or list of fields that span time
|
|
|
Transaction vs Stats
|
Transactions correlates events or when events need to be grouped on start and end values (think "time") while Stats used when you want to see the results of a calculation and group events on field value
|
|
|
Transactions
|
are collections of conceptually-related events that span time
|
|
|
Transforming Commands
|
Create Statics and Visualizations
(think "transforming data into something visual") |
|
|
Two interfaces to manage data
|
1. Home App 2. Splunk Settings
|
|
|
Two primary ways that Splunk helps with categorizing data
|
tagging and event types
|
|
|
Two ways to gather Windows Inputs
|
WMI or Forwarder
|
|
|
Use CIM to ensure
|
Common Information Model - Multiple Apps can co-exist on a single Splunk Deployment. Object Permissions can be set to global for use of mutliple apps. Easier and more effecient correlation of data from different sources and source types
|
|
|
Used to send content to indexeers to sync SH
|
Deployment Server
|
|
|
Uses POST - GET - DELETE over HTTPS
|
REST API
|
|
|
Verify lookup using what
|
inputlookup - "| inputlookup yourlookupname"
|
|
|
What 2 fields do Transaction Commands creates
|
duration and event count
|
|
|
What are 3 permissions
|
Private - Shared in App - Global
|
|
|
What are table headers?
|
Field Names
|
|
|
What are table results
|
Values
|
|
|
What does each row in a table represent?
|
An event
|
|
|
What does the "#" represent next to the field?
|
Number Value
|
|
|
What does the "a" represent next to the field?
|
String Value
|
|
|
What is a lookup
|
Static CSV or Python Script
|
|
|
What is always extracted unless removed?
|
_raw and _time
|
|
|
What search mode is "TOP" command executed in?
|
SMART Search Mode
|
|
|
What search panel shows which files (or other sources) your data came from?
|
Sources
|
|
|
When are aliases applied
|
After field extraction but before lookups
(makes sense, you cannot assign an alias unless it has been extracted and why do you want to alias? to normalize your data to use later... ie lookups) |
|
|
When are Fields extracted from the raw text for the event?
|
Search Time
|
|
|
When using the "TOP" command, where are results displayed?
|
Stats Tab
|
|
|
When you have a choice between Stats and Transactions, you should use which one?
|
Stats because stats is faster and more effecient
|
|
|
Who can create Data Models?
|
Admin and Power User Roles
|
|
|
Workflow Action
|
Interaction between fields and other apps or web
|
|
|
Workflow Action
|
Enable interactions between fields in your data and other applications or web resources
|
|
|
You can create your own sourcetype
|
TRUE - Automatic - Manual - or From a list
|
|
|
You cannot base an event type on a search that
|
Includes a pipe operator after a simple search. Includes a subsearch. Is defined by a simple search that uses the savedsearch command to reference a report name.
|
|
|
Fields and field extractions
|
Data interpretation
(You are making sense of the data index by identifying your data) |
|
|
Event types
|
Data Classification
(You are making sense of events by giving them a name) |
|
|
Lookups and workflow actions
|
Data Enrichment
(You are adding value to existing data) |
|
|
Tags and aliases
|
Normalization
(You are standardizing your data for use) |
|
|
CIM object permissiona can be used in multiple apps TRUE/FALSE
|
TRUE
|
|
|
Naming Conventions
|
FORMAT of the name: Group - Search Type - Platform - Category - Time Interval - Description
|
|
|
Lookup fields retrieved from the lookup file are the ____ fields.
|
Output
|
|
|
The lookup field from the event is the ____ field.
|
Input
|
|
|
What command is used to load lookup results?
|
inputlookup
|
|
|
What lookup command do you use when you do not want to overwrite existing fields?
|
OUTPUTNEW
|
|
|
The output lookup fields persist for all searches TRUE/FALSE
|
FALSE - They persist for the current search only
|
|
|
You can edit automatic lookups TRUE/FALSE
|
FALSE - You can only Edit Permissions, Clone, Delete or Move
|
|
|
When creating a field alias, what is the first "field aliases" value?
|
The value of the existing field
|
|
|
A new alias replaces the original field in the "interesting fields" side bar TRUE/FALSE
|
False - Both appear
|
|
|
You can edit Field Aliases TRUE/FALSE
|
FALSE - You can only Edit Permissions, Clone, Delete or Move
|
|
|
How do you use a Calculated Field?
|
Using the eval command
|
|
|
You can use calculated fields on output fields from lookup tables TRUE/FALSE
|
FALSE - They can only be used on extracted fields
|
|
|
You cannot edit Calculated Fields TRUE/FALSE
|
TRUE - You can only Edit Permissions, Clone, Delete or Move
|
|
|
What is used to manage extracted fields?
|
Field Extraction Manager
|
|
|
Two field extractor (FX) methods
|
Regex and Delimeter
|
|
|
3 Options to extract fields
|
1 Settings 2 Fields Sidebar 3 Event Actions
|
|
|
You cannot edit Tags TRUE/FALSE
|
FALSE - You can edit tags and even change the tag name
|
|
|
Data Models consists of what 3 types of objects?
|
Events, searches, transactions. This can be seen on the left panel when creating data models.
|
|
|
What are the Data Model Events Constraints?
|
Constraints are the search broken down into a hierarchy. You are building a hierarchy where each constraint inherits the parent search string.
|
|
|
What are the 3 Data Model Events
|
1. Event objects that contain constraints and attributes 2. Constraints are the search broken down into a hierarchy 3 Attributes are the fields and properties associated with the events
|
|
|
Data Model Event Object Attributes are inherited from parent objects TRUE/FALSE
|
TRUE
|
|
|
What are Data Model Event Object Attributes?
|
The fields you want to include in the object
|
|
|
What are Data Model Search Objects?
|
Searches that include transforming commands to define the dataset they represent
|
|
|
Can Data Model Search Objects have attributes?
|
Yes
|
|
|
What are the Data Model Transaction Objects?
|
Enable the creation of objects that represent transactions and use fields that have already been added to the model using search or event objects
|
|
|
What must you have when creating data models before you can start adding transaction objects?
|
At least one event or search
(hard to have transactions without events) |
|
|
How can you use Data Model Attributes in a Pivot?
|
Splits for rows and columns or to filter events
(what are attributes? fields) |
|
|
What Data Models cannot be accelerated?
|
Private Data Models
|
|
|
What Data Models cannot be edited
|
Accelerated Data Models
|
|
|
What are the 2 kinds of Splunk Searches? |
RAW Event Searches and Transforming Searches |
|
|
What are Transforming Searches |
Transforming searches are searches that perform some type of statisticalcalculation against a set of results |
|
|
When you use the timechart command, what do the X and Y axis represent? |
X always = time Y = other values |
|
|
Withthe chart command, what keyword do you use to determine what field takes the x-axis? |
over keyword Example: sourcetype=access_* | chart avg(clientip) over date_wday.
date_wday is the x-axis |
|
|
What search command can you use to split your results? |
Use the "by" command. When you see the "by" command, think split by. Example: sourcetype=access_* | chart count over ssl_type by host. Where ssl_type is the x axis of a stacked bar chart split by host. |
