SPLK-1001 Online Practice Questions and Answers

Correct Answer: C

Reference: https://docs.splunk.com/Documentation/Splunk/8.0.3/SearchReference/search

Correct Answer: A

The SPL search specified above will return 10 rows of results by default, as the "top" command specifies a limit of 10 results. The query will search for all events in the security index with a sourcetype of linuxsecure that contain either the terms fail* or invalid and will display the top 10 results according to the src_ip field.

Correct Answer: D

Correct Answer: B

Splunk alerts are based on searches that run on a schedule or in real time. You can use alerts to monitor for and respond to specific events or conditions in your data. Alerts use a saved search to look for events in real time or on a schedule. Alerts trigger when search results meet specific conditions. You can use alert actions to respond when alerts trigger, such as sending an email, running a script, or creating a ticket1. You can create alerts from the Search app, the Alerts page, or the Dashboards app. You can also use the Splunk Web framework to create custom alert actions using Python or JavaScript1. Dashboards, webhooks, and reports are not the basis for Splunk alerts, although they can be related to them. Dashboards are collections of views that display data visually in a variety of ways. You can add alert panels to dashboards to show the status of your alerts2. Webhooks are a type of alert action that send HTTP POST requests to a specified URL when an alert triggers. You can use webhooks to integrate Splunk alerts with external systems or applications3. Reports are saved searches that include additional attributes such as a visualization type, permissions, and an optional description. You can create reports from search results and add them to dashboards as panels. You can also use reports as the basis for scheduled or real-time alerts.

Correct Answer: A

The search query sourcetype=access_combined would return events from the access_combined sourcetype, which is a predefined sourcetype in Splunk that matches the access-common or access-combined Apache logging formats. The sourcetype field is case-sensitive, so using different capitalization such as Access_Combined or ACCESS_COMBINED would not match the exact sourcetype name. The sourcetype field is also a default field that is added by the indexer when it indexes the data, so it does not need to be enclosed in quotation marks.

Correct Answer: A

Correct Answer: C

Correct Answer: C

In the Search and Reporting app, _time is a default selected field. This means that it is always displayed in the events list and table views, unless explicitly deselected. Other default selected fields are host, source, and sourcetype. Index and action are not default selected fields, but they can be added to the list of selected fields by clicking on All Fields4.

Correct Answer: D

Correct Answer: B