CCNA Splunk Basics Questions

32 of 107 questions · Page 2/2 · Splunk Basics topic · Answers revealed

76
MCQ · hard

The exhibit shows log output from a Splunk search head. What is the most likely performance issue indicated?

A. The 'error_count' search is inefficient, consuming high CPU for few results.
B. The 'login_failures' search is scanning too many events.
C. The search head is overloaded due to multiple simultaneous searches.
D. There are duplicate search job IDs (SIDs) conflicting.
Answer: A

80% CPU for 1000 events is excessive.

Why this answer

Option C is correct because the 'error_count' search scanned only 1000 events and returned 10 events, yet consumed 80% CPU, indicating it is inefficient. Option A is wrong because 'login_failures' scanned many events but consumed only 20% CPU, which is proportional. Option B is wrong because there is no indication of duplicate SIDs.

Option D is wrong because the search head is the same for both.

77
MCQ · easy

Which of the following is the default time range in a new Splunk search?

A. Last 24 hours
B. All time
C. Last 7 days
D. Real-time
Answer: B

Default time range.

Why this answer

When you open a new search in Splunk, the default time range is set to 'All time' (no time filter), meaning the search will scan all indexed data unless you explicitly specify a time range. This is because Splunk defaults to showing all available events to avoid inadvertently excluding data, and it is the user's responsibility to narrow the search scope.

Exam trap

Splunk often tests the misconception that Splunk defaults to a recent time range like 'Last 24 hours' to be helpful, but the actual default is 'All time' to ensure no data is missed without explicit user input.

How to eliminate wrong answers

Option A is wrong because 'Last 24 hours' is a common preset but not the default; it must be selected manually or via a saved search. Option C is wrong because 'Last 7 days' is another preset that is not the default; it is often used for longer-term analysis but requires explicit selection. Option D is wrong because 'Real-time' is a special search mode that continuously streams events, but it is not the default; the default is a historical search over all time.

78
MCQ · easy

To create a real-time dashboard panel showing errors in the last 30 minutes, which time range setting should be used?

A. Real-time
B. Last 30 minutes
C. Real-time (30 minutes)
D. All time
Answer: C

This sets a real-time window of 30 minutes.

Why this answer

Option C is correct because a real-time dashboard panel that shows errors in the last 30 minutes requires a 'Real-time' time range with a specific window of 30 minutes. In Splunk, the 'Real-time (30 minutes)' setting continuously updates the panel to show events from the current time back 30 minutes, which is exactly what is needed for monitoring recent errors as they occur.

Exam trap

The trap here is that candidates often confuse 'Last 30 minutes' (a static historical search) with 'Real-time (30 minutes)' (a continuously updating real-time search), leading them to select Option B instead of the correct real-time window setting.

How to eliminate wrong answers

Option A is wrong because 'Real-time' without a window (e.g., 'Real-time (30 seconds)') defaults to a very short rolling window (typically 10 seconds or 30 seconds), which would not cover the last 30 minutes of data. Option B is wrong because 'Last 30 minutes' is a historical time range that does not update in real-time; it shows a static snapshot of the past 30 minutes from the time the search was run, not a continuously updating view. Option D is wrong because 'All time' searches the entire indexed data, which is not limited to the last 30 minutes and does not provide real-time updates.

79
MCQ · easy

A support technician is troubleshooting a user who cannot see the 'Field sidebar' and 'Timeline' in the Search & Reporting app. The user says that when they run a search, they only see the results in a table format, but no side panels or timeline below the search bar. The technician checks the user's settings and finds that the user's default app is set to 'Search & Reporting'. The technician then looks at the user's browser and notices that the user has a very small browser window. What is the most likely cause of the missing panels?

A. The user's default app is set incorrectly.
B. The user has disabled the timeline in their preferences.
C. The browser window is too small, causing panels to be hidden by the responsive interface.
D. The user's role does not have permission to view the timeline.
Answer: C

Correct: Small windows hide side panels in Splunk Web.

Why this answer

Option D is correct because Splunk Web responsive design may hide side panels if the browser window is too small; the technician observed the small window. Option A is incorrect because the default app is correct. Option B is incorrect because there is no such setting as 'show timeline' in user preferences.

Option C is incorrect because the role does not affect the presence of these UI elements; they are universal.

80
Matching · medium

Match each Splunk search command to its primary function.



Compute statistics on search results

Evaluate expression and create new fields

Extract fields using regular expressions

Group related events into transactions

Create time-based chart of statistics

Why these pairings

These are common transforming commands in Splunk.

81
MCQ · medium

A company has a distributed Splunk environment with a single search head and 4 indexers. The data volume is approximately 50 GB per day across various sourcetypes. Users frequently run searches that span 'All time' (from the time picker), and these searches are taking significantly longer than expected. The search head shows high CPU usage during these searches, while indexers are moderately loaded. The administrator has verified that all indexers are healthy and that there are no network bottlenecks. The data is raw log data with minimal field extractions. Which course of action will most effectively improve search performance for these 'All time' searches?

A. Upgrade the search head to a larger instance with more CPU cores and memory.
B. Increase the number of indexers to 8 to distribute the search load more evenly.
C. Enable summary indexing and use the tstats command for searches over large time ranges.
D. Reduce the data retention period on the indexers from 90 days to 30 days.
Answer: C

Summary indexing pre-calculates statistics (e.g., counts, sums) and stores them in tsidx files, allowing tstats to retrieve results quickly without scanning raw data. This greatly reduces search head CPU and query time.

Why this answer

Summary indexing with tstats allows pre-aggregating data over time, drastically reducing the amount of data scanned for historical searches. This addresses the root cause of scanning large volumes of raw data. Other options either do not directly address the performance issue or would have negative side effects.

82
MCQ · medium

A user is trying to create a dashboard in Splunk Web by saving a search as a dashboard panel. The user runs a search that produces a table of results. The user clicks 'Save As' and selects 'Dashboard Panel'. The user then selects an existing dashboard and clicks 'Save'. However, the panel does not appear on the dashboard. The user has confirmed that the dashboard exists and that they have write permission to it. The user also sees no error messages. What is the most likely cause of this issue?

A. The dashboard is locked by another user.
B. The user does not have permission to add panels to the dashboard.
C. The search does not produce statistical data required for a dashboard table panel.
D. The panel was saved but is hidden due to time range settings.
Answer: C

Correct: Only transforming searches can be saved as panels.

Why this answer

Option D is correct because when saving a panel, you can save to a new or existing dashboard, but if the dashboard already has a panel with the same title, the save might fail silently or overwrite? Actually, the most common issue is that the user did not select the correct dashboard or the panel was saved but not visible due to layout. However, a plausible cause is that the search results were not formatted as a proper data table for a dashboard panel. Option A is incorrect because the user has permission.

Option B is incorrect because the dashboard exists. Option C is incorrect because no error was shown. Option D is correct: the search must be a transforming search that produces statistical data to create a table panel; a non-transforming search may not be saved as a table panel.

83
Multi-Select · hard

Which THREE of the following are elements of the Splunk search interface?

Select 3 answers
A. Time Range Picker
B. Visualization Tab
C. Save Button
D. Mode Selector (Fast, Smart, Verbose)
E. Search Bar
Answers: A, D, E

Controls the time window for search results.

Why this answer

Options A, B, and D are correct. Option A is correct: the search bar is the main element. Option B is correct: the time range picker is essential for temporal context.

Option D is correct: the mode selector (Fast, Smart, Verbose) affects search behavior. Option C is wrong because there is no 'Save' button on the search bar; saving is done via the 'Save As' menu. Option E is wrong because 'Visualization' is a tab, not a permanent element of the search interface.

84
Multi-Select · medium

Which TWO of the following are valid ways to add data to Splunk?

Select 2 answers
A. Deploying a universal forwarder to monitor a log file.
B. Configuring an HTTP Event Collector (HEC) token.
C. Creating an alert that writes results to a summary index.
D. Using the 'Add Data' button in Splunk Web.
E. Typing data directly into the search bar.
Answers: A, B

Forwarders are standard data input methods.

Why this answer

Option A is correct because a universal forwarder is a dedicated Splunk component designed to collect and forward log data to a Splunk indexer. It monitors specified log files, sends data over a secure TCP connection (default port 9997), and is the standard method for scalable, production-grade data ingestion.

Exam trap

The trap here is that candidates confuse the 'Add Data' button (a configuration wizard) with an actual data ingestion method, or mistakenly think summary indexes or the search bar can be used to import raw data into Splunk.

85
MCQ · medium

After running a search, the Fields sidebar shows several fields but the analyst wants to see all fields. Which button should they click?

A. The gear icon next to 'Selected Fields'
B. 'Add field' button
C. 'All fields' button
D. 'Show all fields' checkbox
Answer: A

This opens the field selector to customize displayed fields.

Why this answer

The gear icon next to 'Selected Fields' opens a dialog to add/remove fields from the sidebar.

86
MCQ · hard

A user runs a search but sees no results, even though they know events exist. The search does not show any errors. What is the most likely cause?

A. The time range picker is set to a very narrow or recent window that doesn't include any events.
B. The user is in the wrong app and cannot see any data.
C. The indexer is out of disk space and cannot return results.
D. The search is specifying an incorrect index that doesn't exist.
Answer: A

Time range is a common filter that can exclude all events.

Why this answer

The most likely cause is that the time range picker is set to a very narrow or recent window that does not include any events. Splunk searches are always constrained by the selected time range, and if the time range does not cover the period when the events were indexed, no results will be returned even though the data exists. The absence of search errors confirms the query syntax is valid, but the time filter silently excludes matching events.

Exam trap

The trap here is that candidates often assume a search with no results and no errors must be a data access or index issue, overlooking the time range picker as the silent filter that is the most common cause in real-world Splunk troubleshooting.

How to eliminate wrong answers

Option B is wrong because being in the wrong app only affects which knowledge objects (dashboards, saved searches) are available, not the underlying data; the search would still return events from the specified index regardless of the app context. Option C is wrong because if the indexer were out of disk space, it would not be able to write new data, but existing data would still be searchable and returned; disk space issues typically cause indexing failures, not search result suppression. Option D is wrong because specifying an incorrect index that doesn't exist would cause a search error (e.g., 'No index matched' or 'Unable to find index'), not a silent return of zero results.

87
Multi-Select · hard

Which TWO methods allow a user to share a saved search with other users in the same Splunk instance?

Select 2 answers
A. Schedule the search to run periodically.
B. Copy the search URL from the browser and send it to others.
C. Export the search results and attach them in an email.
D. Set the search's permissions to 'Everyone' or to specific roles.
E. Add the search as a panel in a shared dashboard.
Answers: D, E

Permissions control who can see and use the search.

Why this answer

Option D is correct because Splunk's permission system allows a search owner to set read and edit permissions to 'Everyone' or specific roles, making the saved search accessible to other users in the same instance. Option E is correct because adding a saved search as a panel in a shared dashboard automatically inherits the dashboard's sharing permissions, allowing other users to view and run the search from that dashboard.

Exam trap

Splunk often tests the distinction between sharing the search definition (via permissions or dashboards) versus sharing output or transient links, leading candidates to mistakenly choose options like copying a URL or emailing results.

88
Multi-Select · medium

Which TWO of the following methods allow a user to switch between apps in Splunk Web?

Select 2 answers
A. Change the app name in the URL to the desired app.
B. Type the app name in the search bar before the query.
C. Use the app dropdown in the top menu bar.
D. Select 'All apps' from the app dropdown.
E. Click on the timeline and select an app.
Answers: A, C

URL can directly navigate to an app.

Why this answer

Option A is correct because Splunk Web uses URL-based routing where the app context is embedded in the path (e.g., /app/search/). Manually changing the app name in the URL directly modifies this context, forcing Splunk to load the specified app's dashboards and data models. This is a valid method for power users who know the exact app name.

Exam trap

Splunk often tests the distinction between navigating to an app (via dropdown or URL) versus merely listing apps (via 'All apps'), causing candidates to mistakenly select 'All apps' as a switching method.

89
MCQ · easy

A user runs a search but sees zero results. What is the most common cause for this?

A. The time range picker is set to a period with no data.
B. The search did not specify an index.
C. The source type is incorrect.
D. The search syntax contains a typo.
Answer: A

If the time range is too narrow or future, no events are returned.

Why this answer

Option C is correct because the time range often defaults to a short period. Option A is wrong because the search UI does not require an index specification by default. Option B is wrong because source types are automatically identified.

Option D is wrong because a syntax error usually generates an error message, not empty results.

90
MCQ · easy

From the Splunk Home page, which of the following can be accessed directly?

A. All of the above
B. Settings
C. Search app
D. Dashboards
Answer: A

The Home page contains links to all apps and settings.

Why this answer

The Splunk Home page provides direct access to the Search app, Settings, and Dashboards via its navigation bar and default landing page tiles. Option A is correct because all listed items are accessible from the Home page without requiring additional navigation steps.

Exam trap

Splunk often tests the misconception that the Home page only provides access to the Search app, leading candidates to overlook the direct access to Settings and Dashboards from the same interface.

How to eliminate wrong answers

Option B is wrong because Settings is indeed directly accessible from the Home page via the gear icon or the 'Settings' menu in the top navigation bar, so it is not an incorrect option. Option C is wrong because the Search app is directly accessible from the Home page as the primary search bar and the 'Search & Reporting' app tile. Option D is wrong because Dashboards can be accessed directly from the Home page through the 'Dashboards' link in the navigation or the 'Dashboards' tile.

Since all options are correct, the only valid answer is A.

91
MCQ · hard

An administrator wants to group all events from a single web session identified by session_id, where the session starts with a 'login' event and ends with a 'logout' event. Which search is correct?

A. index=web | transaction session_id
B. index=web | transaction session_id startswith="login" endswith="logout"
C. index=web | transaction session_id keepevicted=true
D. index=web | transaction session_id maxevents=2
Answer: B

Correct usage; groups sessions based on markers.

Why this answer

The transaction command with startswith and endswith parameters groups events based on field values. The session_id field ties events together.

92
Multi-Select · medium

Which three options describe features or components of the Splunk default interface that are available to a Core Certified User? (Choose three.)

Select 3 answers
The Search bar allows users to enter SPL queries and use time range pickers to filter results
The Data Summary button provides a list of all sourcetypes, hosts, and indexes available to the user
The Jobs page lists all currently running and completed searches that the user has initiated
The Distributed Management Console (DMC) is accessible from the Splunk Home page for all users
The Settings menu includes options to manage users, roles, and authentication methods
The Alerts menu allows direct modification of alert actions without saving a search

Why this answer

The Search bar, Data Summary button, and Jobs page are all core features of the Splunk default interface available to any user, including a Core Certified User. The Search bar allows entering SPL queries and selecting time ranges to filter results. The Data Summary button provides a list of all sourcetypes, hosts, and indexes accessible to the user.

The Jobs page displays all currently running and completed searches initiated by the user, enabling monitoring and management of search jobs.

Exam trap

Splunk often tests the distinction between features available to all users versus those restricted to administrators, such as the Settings menu and DMC, which are commonly mistaken as universally accessible.

93
MCQ · easy

A user wants to search only data from the 'security' index. Which search syntax should they use?

A. source=security
B. sourcetype=security
C. host=security
D. index=security
Answer: D

This correctly limits the search to the security index.

Why this answer

Option D is correct because in Splunk, the `index` field specifies which index to search, and data is organized into indexes. To restrict a search to data from a specific index, you use `index=<index_name>`. Here, `index=security` tells Splunk to only search events stored in the 'security' index, which is the precise syntax required.

Exam trap

The trap here is that candidates often confuse the `index` field with other common metadata fields like `source`, `sourcetype`, or `host`, because all are used to filter data but refer to entirely different attributes of the event.

How to eliminate wrong answers

Option A is wrong because `source=security` would search for events where the source field (typically a file path or network input) is literally named 'security', not the index. Option B is wrong because `sourcetype=security` would match events with a sourcetype value of 'security', which is a data type classification, not an index. Option C is wrong because `host=security` would filter events originating from a host named 'security', which is a network or machine identifier, not an index.

94
MCQ · medium

A user needs to quickly find a specific event from last week. Which navigation method is most efficient?

A. Use the 'All Fields' button on the left
B. Click on the Timeline histogram to zoom in
C. Set the time range picker to 'Last 7 days' before running the search
D. Search without a time range, then use Smart Mode
Answer: C

Pre-filtering time reduces result set and speeds up search.

Why this answer

Option D is correct because setting a specific time range narrows the search scope. Option A is wrong because searching all time is unnecessary. Option B is wrong because All Fields is not a filtering method.

Option C is wrong because the Timeline is a visualization, not a navigation method.

95
MCQ · medium

An analyst needs to count the number of distinct IP addresses that accessed a server. Which approach is most efficient?

A. | stats count by src_ip
B. | dedup src_ip | stats count
C. | stats dc(src_ip)
D. | fields src_ip | sort | uniq
Answer: C

Directly computes distinct count, most efficient.

Why this answer

`stats dc(src_ip)` directly computes distinct count of src_ip, avoiding unnecessary sorting or dedup.

96
Multi-Select · medium

Which two tabs are always present in the search results page? (Select TWO)

Select 2 answers
A. Visualization
B. Patterns
C. Events
D. Statistics
E. Fields
Answers: C, D

Always present to show raw events.

Why this answer

The Events and Statistics tabs are always present on the search results page because they represent the two fundamental views of search results: the raw event data (Events) and the tabular summary of statistical calculations (Statistics). Even if a search does not produce events or statistics, these tabs remain visible as placeholders, ensuring consistent navigation.

Exam trap

The trap here is that candidates often confuse the always-present tabs (Events and Statistics) with commonly seen but conditional tabs like Visualization or Patterns, assuming they are permanent because they appear frequently in typical searches.

97
MCQ · hard

A user runs a search in Splunk Web that returns no results. The user believes data should exist for the current time. Which action most quickly verifies whether the time range is the issue?

A. Change the time range to 'All time' and rerun the search.
B. Open the Job Inspector to see the search time range.
C. Check the time range picker above the search bar.
D. Look at the earliest and latest timestamps in the search bar.
Answer: C

Correct: The time range picker shows the current selection instantly.

Why this answer

Option D is correct because the time range picker is always visible and shows the currently selected range, so glancing at it quickly confirms if it's set correctly. Option A is incorrect because the Job Inspector requires opening a separate window and provides detailed info but is not the quickest. Option B is incorrect because changing the time range to 'All time' will run a new search, taking time to complete.

Option C is incorrect because the search bar does not display the current time range by default; only the time modifiers in the search string.

98
MCQ · medium

A Splunk administrator is reviewing the 'Add Data' wizard for a new data source. The admin wants to monitor a log file that is located on the same server where Splunk is installed. The admin navigates to Settings > Add Data and selects 'Monitor' and then 'Files & Directories'. In the file list, the admin sees a checkbox next to each file. The admin selects the desired file and clicks 'Next'. However, the wizard does not proceed to the next page; instead, nothing happens. The admin has confirmed that the file exists and is readable. What is the most likely cause?

A. The admin's Splunk Web session has timed out.
B. The admin did not select a source type for the file.
C. The file is already being monitored by another input.
D. The file is too large and Splunk is processing it.
Answer: A

Correct: A long idle session may need re-login.

Why this answer

Option C is correct because the 'Next' button may be disabled if the file is not valid or the index is not set; but the admin didn't fill in required fields? Actually, the typical flow: after selecting file, you click 'Next' to go to source type settings. But if the file is locked or the index is not set, the button might be grayed. However, most likely the wizard requires a source type selection before proceeding; but the default is 'automatic'.

Option A is plausible but a popup would appear. Option B is a common issue: the Splunk Web session may have timed out. Option D is unlikely because the file is local.

I'll go with B: session timeout.

99
MCQ · medium

After running a search, an analyst notices that useful fields are not appearing in the 'Selected Fields' section. What is the most likely reason?

A. The user has manually hidden those fields in the field sidebar.
B. The search is using a transforming command that suppresses field display.
C. The fields are not extracted or indexed in the data.
D. The time range is too wide, causing field extraction to be incomplete.
Answer: C

Fields are only available if they are extracted or indexed.

Why this answer

Fields appear in the 'Selected Fields' section only if they have been extracted and indexed from the raw data. If the data source does not contain the expected field-value pairs, or if no field extraction (such as from a props.conf or a search-time extraction) has been configured, Splunk will not populate those fields. This is the most common cause of missing fields in the interface.

Exam trap

The trap here is that candidates often confuse the 'Selected Fields' section with the 'Interesting Fields' section, or assume that a transforming command like 'stats' hides fields, when in fact the root cause is that the fields were never extracted from the raw data.

How to eliminate wrong answers

Option A is wrong because manually hiding fields in the field sidebar only affects the display of already extracted fields; it does not prevent fields from appearing in the 'Selected Fields' section if they exist. Option B is wrong because transforming commands (e.g., stats, chart, timechart) do not suppress field display; they aggregate data and may change the result set, but the underlying extracted fields remain available in the field sidebar. Option D is wrong because a wide time range does not cause incomplete field extraction; field extraction is based on the data's structure and configuration, not on the time range's breadth.

100
MCQ · easy

Refer to the exhibit. A user reports they cannot log in to Splunk Web and sees this error in the logs. What is the most likely cause?

A. The user typed an incorrect username or password.
B. The user's session has expired or the CSRF token is invalid.
C. The Splunk indexer is not responding.
D. The user ran too many searches and hit a limit.
Answer: B

CSRF token validation is session-related.

Why this answer

Option A is correct because CSRF token failures indicate a session or security token issue, often due to an expired or invalid session. Option B is wrong because authentication failed would show a different error. Option C is wrong because too many search jobs would not cause a CSRF error.

Option D is wrong because indexer connectivity issues show different errors.

101
MCQ · hard

Refer to the exhibit. What does this configuration do?

A. It creates a new sourcetype
B. It clears the host field
C. It enables SSL for the sourcetype
D. It sets the host field based on IP using a transform
Answer: D

The transform name suggests setting host from IP.

Why this answer

This props.conf stanza applies a transform named 'set_host_from_ip' to all events of sourcetype 'my_sourcetype'. Transforms typically modify field values; this one sets the host field based on the source IP.

102
Multi-Select · easy

Which three of the following actions can be performed from the "Save As" menu in the Search app? (Select THREE)

Select 3 answers
A. Save as alert
B. Save as event type
C. Save as search macro
D. Save as report
E. Save as dashboard panel
Answers: A, D, E

Creates an alert based on the search.

Why this answer

The 'Save As' menu in the Search app provides direct options to persist search results as an alert, a report, or a dashboard panel. 'Save as alert' (A) creates a scheduled search that triggers actions when conditions are met, which is a core feature for proactive monitoring.

Exam trap

Splunk often tests the distinction between actions available directly from the search results interface versus those requiring navigation to Settings, leading candidates to mistakenly select 'event type' or 'search macro' as valid 'Save As' options.

103
MCQ · hard

Refer to the exhibit. A user runs this search but receives an error. What is the most likely cause?

A. The 'rename' command cannot be used before 'convert'.
B. The 'timeformat' argument is only valid for the 'strftime' function.
C. The 'ctime' function can only be used with the 'eval' command.
D. The 'convert' command requires the field specification before the time format.
Answer: D

The syntax is 'convert <type>(<field>) [as <newfield>] [timeformat=...]'; timeformat comes after the function.

Why this answer

The convert command syntax requires the type function (e.g., ctime) before any optional parameters like timeformat. The correct order is 'convert ctime(Time) timeformat="%Y-%m-%d"'. Placing timeformat first causes a syntax error.

104
Multi-Select · hard

Which THREE of the following are standard components of the Splunk Web Search interface? (Choose three.)

Select 3 answers
A. Commands bar
B. Field sidebar
C. Timeline
D. Job Inspector
E. Search bar
Answers: B, C, E

Correct: The field sidebar shows extracted fields.

Why this answer

Options A, B, and C are correct because the search bar, timeline, and field sidebar are always present in the Search & Reporting app. Option D is incorrect because the Job Inspector is a separate popup that appears only when clicked. Option E is incorrect because there is no 'Commands bar' in the standard interface; search commands are typed in the search bar.

105
MCQ · medium

An administrator notices that a user's search is timing out after 60 seconds. The search needs up to 5 minutes to complete. What should the administrator do?

A. Reduce the time range of the search to run faster.
B. Adjust the 'Search Results Retention' in the user's account preferences.
C. Change the search to a real-time search to avoid timeout.
D. Increase the 'Search Timeout' setting in system settings.
Answer: B

This setting controls how long Splunk waits for results before timing out.

Why this answer

Option B is correct because the 'Search Results Retention' setting in a user's account preferences controls how long Splunk waits for a search to complete before timing out. By default, this is set to 60 seconds, but increasing it to 5 minutes allows the search to run to completion without being terminated prematurely.

Exam trap

The trap here is that candidates often confuse the user-level 'Search Results Retention' timeout with a non-existent global 'Search Timeout' setting, or incorrectly assume that reducing the time range or switching to real-time search is a valid workaround for a long-running historical search.

How to eliminate wrong answers

Option A is wrong because reducing the time range may not address the underlying issue if the search inherently requires up to 5 minutes to process the necessary data; it could also produce incomplete results. Option C is wrong because real-time searches do not have a timeout in the same way, but they continuously run and consume resources, and changing to real-time does not solve the timeout problem for a historical search that needs 5 minutes. Option D is wrong because there is no 'Search Timeout' setting in system settings; the timeout is controlled per user via the 'Search Results Retention' preference, not a global system parameter.

106
Multi-Select · easy

Which TWO of the following are valid ways to navigate from a search result to a dashboard?

Select 2 answers
A. Drag a field from the Fields sidebar to the dashboard canvas.
B. Click the 'Dashboard' button on the search bar.
C. Click 'Open in Dashboard' from the search actions menu (ellipsis).
D. Save the search as a report, then add the report to a dashboard panel.
E. Right-click on the timeline and select 'Open in Dashboard'.
Answers: C, D

Available if user has permissions and using Dashboards feature.

Why this answer

Options A and D are correct. Option A: Save search as a report and then add report to dashboard. Option D: Use the 'Open in Dashboard' option directly from the search menu (if using Splunk Dashboards app).

Option B is wrong because there is no 'Dashboard' button on the search bar. Option C is wrong because you cannot directly open a dashboard from the timeline. Option E is wrong because you cannot directly create a dashboard from the fields sidebar.

107
MCQ · easy

A user wants to quickly see the count of events per source type over the last hour without performing a search. Which Splunk Web feature provides this information with the fewest clicks?

A. Click the Field sidebar in the Search app.
B. Navigate to Settings > Data Inputs to view event counts.
C. Use the Data Summary page on the Splunk Home page.
D. Use the Search & Reporting app and run a search with | stats count by sourcetype.
Answer: C

Correct: Data Summary provides quick event counts per source type.

Why this answer

Option A is correct because the Data Summary page on the Splunk Home page shows a breakdown of events by source type, host, and source, with counts, without requiring a search. Option B is incorrect because the Search & Reporting app requires entering a search. Option C is incorrect because Settings > Data Inputs is for configuration, not data viewing.

Option D is incorrect because the Field sidebar appears only during a search.
