Splunk Questions

  • Which search returns a SINGLE VALUE representing the number of items purchased (one event per purchase)?

sourcetype=access_* action=purchase | stats count

  • What kind of chart represents a series as a single bar with multiple sections?

Stacked. Example: sourcetype=access_combined action=purchase | timechart count(product_name) by categoryID

Creating Visualizations

  • What will appear on the x-axis?

SEARCH: status NOT 200 | chart count over status

The values of status: with chart, the field named after "over" becomes the x-axis, and the count is the y-axis.

  • The eval command rewrites data in fields in the index. (False.)

Eval lets you calculate and manipulate field values in your report; it is useful for calculations such as add, subtract, multiply and divide. It only creates or changes fields in the search results; it never rewrites event data in the index.

  • What are valid options with the transaction command? maxpause, startswith, maxspan, endswith

A transaction is any group of related events that span time. The events can come from multiple applications or hosts. Events are grouped into transactions based on the values of the field list you give the command: if a quoted list of fields is specified, events are grouped together when they have the same value for each of those fields.

Common constraints: <maxspan> | <maxpause> | <maxevents> | <startswith> | <endswith> | <keepevicted>
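To make the constraints above concrete, here is an added Python model of how transaction groups events (it is illustrative code written for these notes, not Splunk's implementation). The events, the session field and the 300 second maxpause are all constructed assumptions; one simplification is that an event that cannot open a transaction (it fails startswith while nothing is open for its key) is dropped instead of being held as its own incomplete transaction.

```python
"""Toy model of Splunk's `transaction` command over constructed events."""
from datetime import datetime

# Constructed sample events (not from the original page), sorted by _time.
# Session s1 goes login -> view -> logout. Session s2 logs in, then idles
# for 20 minutes before its next event and never logs out.
SAMPLE_EVENTS = [
    {"_time": "2024-05-01 10:00:00", "session": "s1", "action": "login",  "user": "alice"},
    {"_time": "2024-05-01 10:00:30", "session": "s2", "action": "login",  "user": "bob"},
    {"_time": "2024-05-01 10:01:00", "session": "s1", "action": "view",   "user": "alice"},
    {"_time": "2024-05-01 10:02:00", "session": "s1", "action": "logout", "user": "alice"},
    {"_time": "2024-05-01 10:20:00", "session": "s2", "action": "view",   "user": "bob"},
]


def _t(ev):
    return datetime.strptime(ev["_time"], "%Y-%m-%d %H:%M:%S")


def transaction(events, field, startswith=None, endswith=None,
                maxspan=None, maxpause=None, keepevicted=False):
    """Group events that share a value of `field` into transactions.

    startswith / endswith: predicates that open / close a transaction.
    maxspan:  max seconds between the first and last event of a transaction.
    maxpause: max seconds between two consecutive events.
    keepevicted: also return transactions that broke a constraint or never
    closed (Splunk discards those by default).
    Each result carries the fields Splunk adds (eventcount, duration) plus
    the grouped events and a `complete` flag.
    """
    open_tx = {}               # field value -> events of the in-progress transaction
    finished, evicted = [], []

    def close(key, complete):
        evs = open_tx.pop(key)
        tx = {
            field: key,
            "eventcount": len(evs),
            "duration": (_t(evs[-1]) - _t(evs[0])).total_seconds(),
            "events": evs,
            "complete": complete,
        }
        (finished if complete else evicted).append(tx)

    for ev in sorted(events, key=_t):
        key = ev.get(field)
        if key is None:
            continue                      # no grouping value: not part of any transaction
        if key in open_tx:
            cur = open_tx[key]
            too_long = maxspan is not None and (_t(ev) - _t(cur[0])).total_seconds() > maxspan
            paused = maxpause is not None and (_t(ev) - _t(cur[-1])).total_seconds() > maxpause
            if too_long or paused:
                close(key, complete=False)    # constraint broken: evict, start over
        if key not in open_tx:
            if startswith is not None and not startswith(ev):
                continue                  # simplification: cannot open, so dropped
            open_tx[key] = []
        open_tx[key].append(ev)
        if endswith is not None and endswith(ev):
            close(key, complete=True)

    # Whatever is still open never saw its endswith event.
    for key in list(open_tx):
        close(key, complete=endswith is None)

    return finished + evicted if keepevicted else finished


if __name__ == "__main__":
    is_login = lambda e: e["action"] == "login"
    is_logout = lambda e: e["action"] == "logout"
    for tx in transaction(SAMPLE_EVENTS, "session", startswith=is_login,
                          endswith=is_logout, maxpause=300, keepevicted=True):
        print(tx["session"], tx["eventcount"], tx["duration"], tx["complete"])
```

With startswith=login, endswith=logout and maxpause=300, only s1 survives; s2 is evicted at its 20 minute pause and only comes back with keepevicted. Tightening maxspan to 60 seconds evicts s1 as well, which is the usual reason a transaction search "loses" sessions.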

  • Which users can create objects that are shared across ALL apps?

Administrators. Global objects persist across all apps, and only admins can create them.

  • Can a field have only one field alias, or many?

Many. Field aliases are a way to normalize data over several sources; multiple aliases can be applied to one field. They are applied after field extractions and before lookups.

  • Which knowledge object applies to a set of fields with similar data?

Field alias. Example: several sourcetypes contain some kind of username field; you want to normalize that field to make data correlation and searching easier.

  • Field extractions created using which tool are reusable in multiple searches?

IFX (Interactive Field Extractor): graphical UI, generates the regex for you, extractions persist as knowledge objects and are reusable in multiple searches.

  • Macros are useful when searches or reports use what?

Similar search syntax. Macros are useful when you frequently run searches or reports with similar search syntax. The time range is selected at search time. A macro can be a full search string or a portion of a search that is reused in multiple places. You can define one or more arguments within the search segment and pass values into the search string when you call the macro.

  • What are the data model object types?

A data model consists of three types of objects: 1) events, 2) searches, 3) transactions.

  • What provides the set of fields that pivot users can work with?

Attributes. Data model event objects have constraints and attributes: constraints are essentially the search, broken down into a hierarchy, and attributes are the fields and knowledge associated with the events.

Attributes are the fields you want to include with the events. Like constraints, attributes are inherited from parent objects. In Pivot, attributes are also available for use as filters.

  • To create a LOOKUP attribute in a data model, the lookup definition must already exist. (True.)

Lookups and workflow actions provide data enrichment. Adding a lookup attribute leverages an existing lookup definition to add fields to your event object; the lookup table must have global permissions. Configure the lookup attribute in the same way as an automatic lookup.

  • Can knowledge objects be reused?

Yes. You create knowledge objects to add value to your data, and they can be reused and shared. Knowledge objects are the tools you use to discover and analyze various aspects of your data:

Knowledge object                   Purpose
Fields and field extractions       Data interpretation
Event types                        Data classification
Lookups and workflow actions       Data enrichment
Tags and aliases                   Normalization
Data models                        Representation of datasets; drives the Pivot tool

  • Which field in an event specifies the NAME of the input file or stream?

source: the name of the file, stream or other input.

  • Matching search terms are highlighted in Splunk search results. (True.)

Matching results are returned immediately and displayed in reverse chronological order (newest first), with the matching search terms highlighted.

  • These two searches will match all the same events. (False.)

SEARCH 1: login failure
SEARCH 2: "login failure"

Search 1 is an implicit AND: login AND failure, matching events that contain both terms anywhere.

Search 2 is a phrase: "login failure" must appear as-is, which is different from login AND failure.

  • These kinds of fields are identified in your data at SEARCH time.

default fields and data-specific fields

  • A field must have a value in at least 20% of the results to be an interesting field in the fields sidebar.
  • These two searches will return exactly the same results. (False.)

SEARCH 1: user=ROOT

SEARCH 2: USER=ROOT

Field names are case sensitive (field values are not), so user and USER are two different fields and the searches return different results.

Creating Reports and Visualizations

  • Running a saved report

Reports are saved searches. Running a report returns fresh results each time you run it. Reports can be shared and added to dashboards. You can edit a saved report or create a new one with Save As. There are two ways to create a report: Pivot or Search.

  • Which options are available for a saved report?

To edit a report's underlying search, select Edit -> Open in Search. You can then edit and re-save it, or save it as a new report. You can also edit the description, permissions, schedule and acceleration, or clone or delete the report. Adding a time range picker lets you adjust the time range of the report when you run it.

  • Pivot enables users to quickly design reports. (True.)

Pivot enables you to quickly design reports that present different aspects of your data as tables and charts (visualizations), through a simple-to-use interface. The underlying data structure is a data model: 1) data models are built by power users and administrators; 2) building the underlying data model requires knowledge of the search language and a solid understanding of your data. Once a data model has been built, end users can interact with the data by clicking on it instead of typing search language instructions.

  • The fields command has a + and - option. (True.)

Field extraction is one of the most costly parts of a search. The fields command lets you include or exclude specified fields in your search results.

To include, use fields + (the + is implied by default). This occurs before field extraction and improves performance.

To exclude, use fields -. This occurs after field extraction, so there is no performance benefit; it only removes fields used in the search so the table or display is easier to read.

  • Which command allows you to extract fields at search time, without the fields persisting as knowledge objects?

The rex command: no UI, you must write the regex yourself, the fields persist only for the duration of the search and not as knowledge objects. Good for rarely used fields.
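As an added illustration of what rex does (Python written for these notes, not Splunk's code), the function below applies a named-group regex to each event's _raw and attaches the captured groups as fields on a copy of the event, leaving the input untouched, which mirrors the point that rex persists nothing. The SSH log lines and the pattern are constructed for the example. One practical caveat it encodes: Splunk's rex uses PCRE named groups written (?<name>...), while Python's re only accepts (?P<name>...), so the pattern is rewritten before compiling.

```python
"""Toy model of `rex field=_raw "<regex>"` over constructed events."""
import re

# Constructed sample events (not from the original page).
SAMPLE_RAW = [
    "May  1 10:00:00 host1 sshd[123]: Failed password for invalid user admin from 203.0.113.5 port 4242 ssh2",
    "May  1 10:00:05 host1 sshd[124]: Accepted publickey for alice from 198.51.100.7 port 5151 ssh2",
    "May  1 10:00:09 host1 sshd[125]: Connection closed by 203.0.113.5 port 4243",
]

# Written in Splunk's (?<name>...) named-group syntax on purpose.
SSH_AUTH_PATTERN = (
    r"(?<outcome>Failed|Accepted) (?:password|publickey) for "
    r"(?:invalid user )?(?<user>\S+) from (?<src_ip>\d+\.\d+\.\d+\.\d+)"
)


def rex(events, pattern, field="_raw"):
    """Extract fields from `field` with a Splunk-style regex.

    Returns new event dicts; events that do not match simply get no new
    fields, as in Splunk. The originals are never modified.
    """
    # Rewrite (?<name> to (?P<name> but leave lookbehinds (?<= and (?<! alone.
    py_pattern = re.sub(r"\(\?<(?=[A-Za-z_])", "(?P<", pattern)
    regex = re.compile(py_pattern)
    out = []
    for ev in events:
        new_ev = dict(ev)                    # copy: rex does not persist anything
        m = regex.search(ev.get(field, ""))
        if m:
            new_ev.update(m.groupdict())
        out.append(new_ev)
    return out


if __name__ == "__main__":
    events = [{"_raw": raw} for raw in SAMPLE_RAW]
    for ev in rex(events, SSH_AUTH_PATTERN):
        print(ev.get("outcome"), ev.get("user"), ev.get("src_ip"))
```

The equivalent SPL would be `| rex field=_raw "(?<outcome>Failed|Accepted) ... from (?<src_ip>\d+\.\d+\.\d+\.\d+)"`; the extracted user and src_ip fields exist only for that search, which is why a frequently needed extraction belongs in IFX instead.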

  • The 'as' clause can be used with which command?

stats: calculates statistics on the events that match your criteria. The as clause renames the resulting field.

sourcetype=vendor_sales | stats count as "Number of Retail Store Purchases"

  • By default, the top command returns which fields as part of the output?

count and percent. The top command finds the most common values of a given field in the result set. By default it returns the top 10 results, displayed in table format, and automatically adds count and percent columns. Adding limit=# after the top command returns the specified number of results; limit=0 returns unlimited results.

  • Which search returns a table showing the number of each product purchased?

sourcetype=access_* action=purchase | stats count by productId
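The three transforming searches in these notes (stats count, stats count as "...", stats count by productId, and top with its count and percent columns) are modelled below in Python added for these notes; it is not Splunk's code. The purchase events and product ids are constructed, and the search() helper stands in for the filtering part of the search before the first pipe.

```python
"""Toy model of `stats count [as X] [by F]` and `top F [limit=N]`."""
from collections import Counter

# Constructed events (not from the original page): one event per purchase,
# plus two product views that the search must filter out.
EVENTS = (
    [{"action": "purchase", "productId": "WC-SH-G04"}] * 4
    + [{"action": "purchase", "productId": "DB-SG-G01"}] * 3
    + [{"action": "purchase", "productId": "DC-SG-G02"}] * 2
    + [{"action": "purchase", "productId": "SC-MG-G10"}]
    + [{"action": "view", "productId": "WC-SH-G04"}] * 2
)


def search(events, **terms):
    """The part before the first pipe: keep events whose fields equal the terms."""
    return [e for e in events if all(e.get(k) == v for k, v in terms.items())]


def stats_count(events, by=None, as_name="count"):
    """`stats count [as <name>] [by <field>]`.

    Without `by` the result is a single row, a SINGLE VALUE.
    With `by` there is one row per distinct value, sorted by that value,
    which is how stats orders its output.
    """
    if by is None:
        return [{as_name: len(events)}]
    counts = Counter(e[by] for e in events if by in e)
    return [{by: value, as_name: n} for value, n in sorted(counts.items())]


def top(events, field, limit=10):
    """`top <field> [limit=N]`: most common values, sorted by count descending,
    with count and percent added automatically. limit=0 means unlimited.
    percent is relative to the events that actually carry the field."""
    counted = [e for e in events if field in e]
    total = len(counted)
    rows = [
        {field: value, "count": n, "percent": round(100.0 * n / total, 6)}
        for value, n in Counter(e[field] for e in counted).most_common()
    ]
    return rows if limit == 0 else rows[:limit]


if __name__ == "__main__":
    purchases = search(EVENTS, action="purchase")
    print(stats_count(purchases))                      # single value
    print(stats_count(purchases, as_name="Number of Retail Store Purchases"))
    print(stats_count(purchases, by="productId"))     # table, one row per product
    print(top(purchases, "productId", limit=2))        # count and percent columns
```

The difference a quiz question is after: stats count by productId gives one row per product in productId order, while top productId gives the same counts sorted by frequency, cut to 10 rows unless limit says otherwise, with a percent column that stats does not add.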