Splunk Enterprise — Q&A — 2
Table of Contents
- Splunk Events
- Splunk SPL (Search Processing Language)
- Splunk Commands
I only made this blog to provide common Q&A information to anyone interested in using Splunk. It is also great as a reference. Please visit Splunk for the official learning courses.
Splunk Q&A Study Guide
2. Splunk Events
What is highlighted in the event list after you run a search?
The text we searched for
In what order are events returned?
Reverse chronological order, showing the newest events first
Timestamps are normalized to a consistent format in the index, so what determines the time shown for each event?
The time zone set in your user account (the stored timestamp is converted to it at display time)
What is located at the bottom of each event?
The selected fields, which by default are host, source, and sourcetype
What happens when you hover over text in an event?
The text is highlighted, and you can add it to the search, exclude it from the search, or start a new search with it; the arrows open the refined search in a new window
What information do you get from selecting the info (>) button next to an event?
All of the extracted fields for that event, with check marks next to the selected fields, plus drop-down menus for Event Actions and per-field actions
3. Splunk SPL (Search Processing Language)
What symbol matches any characters in a text query?
The asterisk (*), which is a wildcard
Are search terms case sensitive?
No, search terms are not case sensitive; field names, however, are
What booleans can be used with multiple terms?
NOT, OR, and AND
What is implied when two terms have no boolean between them, such as: failed password
AND is implied, because the terms are not in quotes (quotes would make them a single phrase)
What is the order of evaluation for booleans, and how is it controlled?
1. NOT 2. OR 3. AND
The order can be overridden with parentheses, which are evaluated first
How can exact phrases be searched?
By placing the text in double quotes
How do you search for phrases that already contain quotes?
Use a backslash to escape them: info="user \"dante\" not in database"
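To make the precedence and quoting rules concrete, here are three searches added as an example (they are not from the original post). The index main, the sourcetype linux_secure, and the fields user and msg are assumptions; the sample events are imagined to be Linux auth logs. In the first search, NOT binds first and OR binds before AND, so the implied ANDs make Splunk read it as index=main AND sourcetype=linux_secure AND ("Failed password" OR "Invalid user") AND NOT user=root, which drops every event for root. The second search uses parentheses to keep root's "Failed password" events and exclude root only from the "Invalid user" branch. The third shows a phrase containing quotes, escaped with backslashes.

```spl
index=main sourcetype=linux_secure "Failed password" OR "Invalid user" NOT user=root

index=main sourcetype=linux_secure "Failed password" OR ("Invalid user" NOT user=root)

index=main sourcetype=linux_secure msg="user \"dante\" not in database"
```

When a search does not return what you expect, add explicit parentheses around each OR group before anything else; an unparenthesized OR next to a NOT is the most common reason a search silently matches the wrong set of events.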
4. Splunk Commands
How many components does Splunk's SPL have?
Five: search terms, commands, functions, arguments, and clauses
What do commands do?
They tell Splunk what to do with the search results, such as creating charts, computing statistics, and formatting
What do Functions do?
They explain how to chart, compute, and evaluate the results
What are arguments?
They are the variables (usually fields) that a function is applied to
What are Clauses?
They explain how the results should be grouped or renamed
In what order are the parts of a search written?
Search terms first, then a pipe, then the commands: search terms | command ...
Name the term, command, function, argument, and clause in: fail | stats count(usage) as Visits
term: fail
command: stats
function: count
argument: usage
clause: as
What is a pipe (|) used for?
It tells Splunk to pass the current results on to the next component
At what point can the search command be used to filter results?
At any point in the search pipeline
Are command names, clauses, and functions case sensitive?
No, although field names and some field-value comparisons (for example in where and eval) are
Besides time, which fields are best for narrowing a search?
index, source, host, and sourcetype
What is good practice regarding inclusion versus exclusion when searching?
Inclusion is generally better than exclusion
Searching for "access denied" is better than searching for NOT "access granted"
What should you use instead of wildcards when possible?
OR, or the IN operator:
user=admin OR user=administrator
user IN (admin, administrator)
What is a benefit of filtering early on in the search query?
It reduces the number of events passed down the pipeline, so every later manipulation of the data runs faster
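Putting section 4 together, here is an added example pipeline (not code from the original post) that filters early on the indexed fields, uses IN instead of a wildcard on host, contains every SPL component named above, and re-filters mid-pipeline with the search command. The index main, the sourcetype linux_secure, the host names bastion01 and bastion02, and the fields user and src_ip (extracted by the rex command in the query itself) are assumptions; attempts and sources exist only because the AS clauses create them.

```spl
index=main sourcetype=linux_secure host IN (bastion01, bastion02) "Failed password"
| rex "Failed password for (?:invalid user )?(?<user>\S+) from (?<src_ip>[\d.]+)"
| stats count(src_ip) AS attempts, dc(src_ip) AS sources BY user
| search attempts>20
| sort - attempts
```

Reading it component by component: "Failed password" is the search term; rex, stats, search and sort are commands; count and dc are functions; src_ip is their argument; AS and BY are clauses. Everything that shrinks the event set (index, sourcetype, host, the quoted phrase) sits before the first pipe, so rex and stats only ever touch failed-login events rather than the whole index.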
I hope this helped answer some general starter questions for anyone just learning Splunk. I really enjoyed doing this and will be making more in the future, as it is also helping me study the basics.