Splunk Enterprise — Q&A — 2

4 min readApr 21, 2022

Table of Contents

  1. Preface
  2. Splunk Events
  3. Splunk SPL (Search Processing Language)
  4. Splunk Commands
  5. Debrief

1. Preface

I only made this blog in order to provide common Q&A information to anyone interested in using Splunk. It is also great as a reference. Please visit splunk for the official learning courses

Splunk Q&A Study Guide

Part 1

Part 2

Part 3

2. Splunk Events

What is highlighted in the event list after you run a search?

The text we searched for

In what order are events returned?

Reversed chronological order, showing the newest events first

While time is normalized in your index to a consistent format, what is the time for events based off?

It is based off the time zone set in your user account

What is located at the bottom of each event?

Selected fields with the default being host, source, and sourcetype

What happens when you roll over text in events?

They will become highlighted and you will be able to either add that text to the search, exclude it form the search, or create a new search and you will be able to open the new redefined search into a new window using the arrows

What information do you get from selecting the info button next to an event?

We can see all the extracted fields for the event with check marks next to the selected fields and there are drop down choices for Event actions and field actions

Event Actions
Field Actions

3. Splunk SPL (Search Processing Language)

What symbol returns any event following a text query?

The * symbol is used, a wildcard

Are search text case sensitive?


What booleans can be used with multiple terms?

NOT, OR, and AND

What is implied when there is no boolean such as: failed password

AND is implied as it is not in quotations to respresent a string

What is the order of evaluation for booleans and how are the controlled?

  1. NOT 2. OR 3. AND

They can be controlled with parenthesis

How can exact phrases be search?

By places the text in quotes

How do you search for phrases already in quotes?

Use a backslash to escape them: info=”user \”dante\” not in database”

4. Splunk Commands

How many components does Splunks’ SPL have?

5 — Search Terms, Commands, Functions, Arguments, and Clauses

What do commands do?

Tells Splunk what we want to do with the search results including: creating charts, computing statistics, and formatting

What do Functions do?

Explains how we want to chart, compute, and evaluate the results

What are arguments?

They are the variables that we want to apply to the function

What are Clauses?

They explain how we want results grouped, or defined

In what order do you commence a search?

Search terms | search component

Name the term, command, function, argument, and clause in: fail | stat count(usage) as Visits

Term — fail

command — stat

function — count

argument — usage

clause — as

What is a pipe used for?

It is used to tell splunk to pass the current results onto the next component

At what step can the search command be used to filter results?

At anytime in the search pipeline

Are command names, clauses, and fucntions case sensitive?

No, not unless it references a specific value

After time, what are the best fields to use in order to produce better results?

Index, source, host, and sourcetype

What is good practice in regards to inclusion/exclusion in searching?

Inclusion is generally better than exclusion

Searching for “access denied” is better than searching for NOT “access granted”

What should you use instead of wild cards when possible?

Using OR, IN

“user-admin OR user=administrator”

user IN (admin, administrator)

What is a benefit of filtering early on in the search query?

It limits the number of events making future manipulations of the data faster


I hoped this helped answer some general starter questions for anyone just learning Splunk. I really enjoyed doing and this and will be making more in the future as it is also helping me study the basics.

Splunk Q&A Study Guide

Part 1

Part 2

Part 3




Experienced Cyber Security/Intelligence Analyst with a demonstrated history of working in the US Military and IT industry.