Splunk Enterprise — Q&A — 2

Table of Contents

1. Preface

2. Splunk Events

What is highlighted in the event list after you run a search?

In what order are events returned?

While time is normalized in your index to a consistent format, what is the time for events based off?

What is located at the bottom of each event?

What happens when you roll over text in events?

What information do you get from selecting the info button next to an event?

Event Actions
Field Actions

3. Splunk SPL (Search Processing Language)

What symbol returns any event following a text query?

Is search text case sensitive?

What booleans can be used with multiple terms?

What is implied when there is no boolean, as in: failed password?

What is the order of evaluation for booleans, and how is it controlled?

How can exact phrases be searched?

How do you search for phrases already in quotes?

4. Splunk Commands

How many components does Splunk's SPL have?

What do commands do?

What do Functions do?

What are arguments?

What are Clauses?

In what order do you commence a search?

Name the term, command, function, argument, and clause in: fail | stats count(usage) as Visits

What is a pipe used for?

At what step can the search command be used to filter results?

Are command names, clauses, and functions case sensitive?

After time, what are the best fields to use in order to produce better results?

What is good practice with regard to inclusion/exclusion in searching?

What should you use instead of wild cards when possible?

What is a benefit of filtering early on in the search query?

Debrief

Dante E. Mata

Experienced Cyber Intelligence Analyst with a demonstrated history of working in the US Military and IT industry with a focus in Cyber Security.