SPLK-1003 Advanced Searching and Statistics • Complete Question Bank
Complete SPLK-1003 Advanced Searching and Statistics question bank — all 0 questions with answers and detailed explanations.
Refer to the exhibit. | inputlookup user_roles.csv | eval role=if(like(user, "admin%"), "admin", "user") | search role=admin | stats count by role
Refer to the exhibit. index=web sourcetype=access_combined | rex field=_raw "(?<ip>\d+\.\d+\.\d+\.\d+)" | top ip
Refer to the exhibit.
```
index=web sourcetype=access_combined
| rex "(?<ip>\d+\.\d+\.\d+\.\d+) (?<method>\w+) (?<uri>[^ ]+)"
| stats count by uri, method
| sort - count
| head 5
```
Refer to the exhibit.
```
index=web sourcetype=access_combined
| rex field=_raw "(?<method>GET|POST|PUT|DELETE) (?<url>\S+)"
| eval category = case(
match(url, "^/api/"), "API",
match(url, "^/images/"), "Images",
1==1, "Other"
)
| stats count by category
```
A Splunk administrator runs the following search to identify the top 5 users by total bytes transferred:
index=proxy sourcetype=webproxy | stats sum(bytes) as total_bytes by user | sort - total_bytes | head 5
The search returns results, but the numbers seem inflated. On closer inspection, the 'bytes' field is a string type. What must be done to correct the search?
Match each concept to its description.
Calculates aggregate statistics on search results
Extracts fields using regular expressions
Creates or modifies fields using expressions
Groups events into transactions based on common fields
Enriches events with external data from a lookup table
Match each concept to its description.
Pipes output of one command to the next
Excludes events that match the following term
Matches events that contain either term
Matches events that contain both terms (default)
Groups terms to control evaluation order
Match each concept to its description.
Displays results in a tabular format
Visualizes data as a chart (e.g., bar, line, pie)
Shows statistical summaries like count, avg, sum
A collection of panels with visualizations
Triggers actions based on search results
index=web sourcetype=access_combined status=500 | stats count by clientip | where count > 10 | eval severity = if(count > 100, "high", "low")
index=main sourcetype=syslog | rex field=_raw "User (?<user>\w+) logged in from (?<ip>\d+\.\d+\.\d+\.\d+)" | search ip="10.0.*" | table user, ip
index=main sourcetype=linux_secure "Failed password" | stats count by user | sort -count | head 5
A Splunk administrator is troubleshooting a search that uses the transaction command to group login and logout events. The search runs but returns no results even though both types of events exist. The events are separated by at most 5 minutes. The current transaction command is:
`index=auth (action=login OR action=logout) | transaction action maxspan=10m maxpause=2s`
What is the most likely cause?
A search is used to calculate the 95th percentile of response times for each application, and then to find applications where the 95th percentile exceeds 5000 ms. The current search is:
`index=perf sourcetype=app_response | stats perc95(response_time) by app | where perc95(response_time) > 5000`
This search fails with an error. What is the most likely reason?
A Splunk search uses a subsearch to find the top 10 client IPs and then retrieve all events from those IPs. The subsearch is:
`index=web sourcetype=access | search [ top clientip | fields clientip ]`
What does this search return?
Refer to the exhibit. `index=web sourcetype=access | eval category=case(status<300, "success", status<400, "redirect", status<500, "client_error", status<600, "server_error") | stats count by category | sort - count`
index=web | eval status_category=case(status>=500, "Server Error", status>=400, "Client Error", 1=1, "Other") | stats count by status_category
index=network sourcetype=firewall | fields src_ip, dest_ip, action, bytes | iplocation src_ip | stats sum(bytes) as total_bytes by dest_ip, Country | sort - total_bytes | head 10
index=security sourcetype=windows_logon | eval logon_hour=strftime(_time, "%H") | stats count by logon_hour, user | eventstats avg(count) as avg_count by logon_hour | where count > avg_count * 2
index=web sourcetype=access | search status=404 | timechart count by host
| inputlookup server_list.csv | fields server_name, location | join type=left server_name [search index=main sourcetype=status | stats latest(status) as current_status by server_name ] | table server_name, location, current_status
index=security sourcetype=firewall | eval src_ip=if(isnull(src_ip), nat_ip, src_ip) | transaction src_ip, dest_port maxspan=5m maxpause=1m | search eventcount>10 | table src_ip, dest_port, duration, eventcount
Refer to the exhibit.
```
index=main sourcetype=access_combined
| rex field=uri_path "/api/(?<api_version>v[0-9]+)/.*"
| stats count by api_version
```
Refer to the exhibit.
```
index=main
| timechart span=1h count by host limit=5
| eval total=count_1+count_2+count_3+count_4+count_5
```
Refer to the exhibit.
```
| tstats summariesonly=t count from datamodel=Authentication.Authentication where Authentication.action=failure by Authentication.src
```
index=web sourcetype=access_combined | stats count by status, uri_path | eval status_group=case(status>=500,"5xx", status>=400,"4xx", status>=300,"3xx", status>=200,"2xx") | timechart span=1h count by status_group
| eventstats avg(duration) as overall_avg | stats avg(duration) as user_avg by user | where user_avg > overall_avg
index=web sourcetype=access_combined | timechart span=1h count by status | untable _time, status, count | eventstats sum(count) as total by _time | eval pct = round(count/total*100,2) | table _time, status, pct