Pass Your Splunk SPLK-1002 Exam Easy!

Splunk SPLK-1002 Splunk Core Certified Power User exam dumps vce, practice test questions, study guide & video training course to study and pass quickly and easily. Splunk SPLK-1002 Splunk Core Certified Power User exam dumps & practice test questions and answers. You need avanset vce exam simulator in order to study the Splunk SPLK-1002 certification exam dumps & Splunk SPLK-1002 practice test questions in vce format.

Introduction to Splunk Enterprise

21. Splunk GUI Overview : Part 5

Let's continue with our discussion of understanding the Splunk Web Interface. So now this is a basic search. As we all know, it is searching for its local audit logs. After this, there is an event that selected these many events," and below that there is something called a timeline. This timeline is nothing like Facebook's timeline. This is a different timeline that displays the distribution of events over the chosen 60-minute period. If you see a selected 60-minute window for the first half of the duration, there are no events. That means my Splunk instance was down. There were no events because my Splunk instance was down. After 30 minutes, I purchased these many audit events in my log and distributed them over a period of every minute for the last 60 minutes. This scale is auto-calculated based on the time period you choose. If you choose 30 days, each bar represents one day. If you choose 60 minutes, each bar represents 1 minute. If you select 15 minutes, it is automatically calculated by Splunk to fit it in your browser screens so that the events are spread across from beginning to end within this timeline; if you click on one of the bars, everything changes. You can see there are a total of 3,004 and 786 events. However, 385 people were chosen. That means there were a lot of things going on right now. From the longer bar, we can see that there is a lot of activity. This minute only contains 385 events. If I click that, it will display only events related to that time. So, if you want me to come out, click "Deselect," and if you want to select another timeframe using the timeline, you can select and zoom to selection so that it will just zoom in and display only those events, which will be spread across multiple more. So it says the total timeline is 1 minute. So this one minute has been divided into milliseconds. This is how it works. Let me zoom out now. We are back to our last 60 minutes of searching. Now we understand how to use the timeline. Let us go one step below. There are three different menus below that timeline. These are referred to as the events menu. All these three conditions are part of this events menu, which you can use to modify this view or settings. Here, there is a list option that is by default selected. If you choose Raw, you can see there will be a change in this display. If you see Raw, these are the actual logs that have been received from your remote data sources. These remote data sources are sending this information to Splunk, and it is passing this information. This is the raw log file. If you extract this, or if you go to your remote machine and check the logs, this is how it will be. It will be plain text, and every line will be parsed similarly to this. If you click on List, it shows your actual log file along with time and three fields. Displayed below, it says host, source, and source type. Host, Source, and Source Type are by default known as selected fields. For all data sources in Splunk, whichever you are integrating, whether it be a scripted database or a Windows machine, exchange servers, Linux machines, or lock servers, these three fields are mandatory, and by default, these three fields will be selected. When you say "selected fields," they will be displayed right next to your event in the list form. If you click on "table," it will display the time and the selected fields as part of the table. It will not display your complete event until you expand. So if you expand any event you'll be able tosee the complete event and the fields which it contain. Let me minimise this via the selected fields. Let's say I need to add one of these fields to selected fields. So how can I add that? It's simple. Just click on "actions." There is selected yes or no. When I click on S, it will automatically update, and you can see my action field begin to populate as shown in the table. If I don't want tables, you can select "List." It will come back to our default view where audit shows the complete logs with the selected fields as part of the next line.

22. Splunk GUI Overview : Part 6

That is with the first menu The second is the format. ne is the row number most of the self explanatory ifI click on no the row numbers are off as youcan see beginning stage they do don't seem to have anyvalue or add any value during your analysis but probably itmight add value for few of the people who want tokeep track of how many events have occurred during this windowbut there are much better ways of fetching those information thatis row number we'll disable it there are wrapped results it'sself explanatory it's like any text editor to wrap the logsor not if the logs are too lengthier it will bewrapped something like this it has been wrapped into three linesbut still it is a single line event so the maxlines to display by default it is five lines if youwant you can choose and at any time if you arenot able to see more than five lines all you haveto do is there will be expand off here if youhave larger events which are more than three lines as ofnow we don't have any so there will be expand option here you can expand to see the full event even drilldown there is something called full. Inner and outer you can choose how to drill down theevents it's like selecting this event it is like if Iclick now it will update user is equal to admin inmy search query that is my full share inner it selectsonly individual fields if I select full it selects the completeuser is equal to admin wherever I move the cursor acrossuntil the next field but whereas outer it is like wheneverI click it selects the complete field as you can seeif I put even in between the complete text it selectsthe full one whereas the full it selects the cursor fromthe place where I start until where I end in thenext field that is with this menu and number of eventsto display it will start from ten and you can increaseup to 50 if you want to see more events inyour search page and if we come to our left fieldsyou can see there are two columns one is hide fieldswhich can hide and give you more space to view theevents and show fields which will pop it back again sothere are all fields which leads to all the extracted fieldsand sometimes if you are not able to find your fieldin this make sure you are selecting all fields because 1%of the values or the presence in the logs let's sayI'm having 100 events and my field is in just oneevent it will be hidden from this so that you needto make sure you select all fields to even identify those1% of the fields there are two columns in this oneis selected fields and interesting fields. The selected fields, as we discussed, will be displayed right under your events in the list view of the events, and the interesting fields, or the automatically extracted or manually extracted fields, will be from the SplunkAdmin or Splunk architect who is designing this, and they extracted this information and made it available. These interesting fields are extracted from the logs in Splunk as "auto-extracted" as of now, and you can make them a selected field by clicking on this link. One more key piece of information is you cansee on the fields left side there is somethingnamed as a asterisks pound sign and asterisks onthe right side there are numerical numbers. What it represents is that if you see an A, it represents the field value as an alpha-numeric value. That means it contains numbers and alphabets. Whenever you see alpha right next to thefield it is represented or it is understandablethat it is alpha numerical value. If you see the source type, it says audit trail. Here, it says just the alphabetical value. But even if you have numbers, it works. So that is one way of saying that itcan handle alpha numeric values similarly source similarly host. Host is probably the best example here because it contains both the numbers and the alphabet that are part of the host name. If you see some other fields like date underscoretime, m, day, and R, these are numeric values. These fields will never have alphabetical values by their names. It is clear that these are the date fields. But to understand what this symbol, an alpha-numeric symbol, means, this represents the acceptable field values that it can handle. On the right side, there are some digits that are represented. These represent the unique values can see dataunderscore second, that means it has 60 values. Of course, each minute has 60 seconds. It starts from zero to 59. So it has 60 unique values and is present in almost all the events. Date will be part of all the events thatsays it is existing in 100% of the event. From this fields menu, you'll get the field name and distinct values, and the percentage coverage of events that we got from our search result. We will then see the reports menu, where it shows the quick options to create visualization. Let me say the top values of the second; it will give me automatic visualization. By default, it says to use a bar chart. If you click the bar chart, you'll get other recommended views. If you look at other visualisations, if it fits, you can use it, but always stick with the recommendation for a better presentation because it already knows what kind of data is available for presenting. So that's probably the best value to display. These are some of the options that you can figure out from the Splunk Web interface. As I already informed you, you'll be getting access to a Splunk demo session as a part of the complete package purchase of this tutorial. Try to get into the package deal, and you'll have access to 30 days. You can experiment with your instance. You'll have some kind of dedicated instance. You can search, create visualisations, create alerts, and report all this stuff. And you can probably even practise your search queries.

23. Splunk Searching Basics : Part 1

In the previous video, we went through the complete UI of Splunk. Now let's understand how Splunksearch works before searching. Keep in mind that you should never use all time unless absolutely necessary. Because if you use an all-time search, it just kills our plank resources; if you choose all-time, it just searches for the data that is available on Splunk from the time of its implementation or probably even beyond that if we have indexed the older data. So it just kills the resources, like CPU and RAM, on the searches and puts a heavy load on your index because it searches for a longer duration. To be sure, only use all time when absolutely necessary. I'll perform some of the basic searches for Splunk on the internal audit logix. I'll keep it for 60 minutes, and an index called underscore audit is where all the internal logs of Splunk are stored. I'll just type "index = audit" and "underscore = audit" and hit enter. As soon as I hit enter, I got 4000+ events for the last 1 hour. This means there were these many events generated during the last 60 minutes. You can also refer to this to see from which time it is offering a 60-minute window, from present to the last 60 minutes. Now that I have narrowed down my search to just searching for indexes equal to audit in Splunk, I can do the free-form search I need to search for an error. So I entered errors. It will display all the errors in the last 16 minutes. As of now, there has been nothing found in the last 60 minutes. Let me run for the last 24 hours. In the last 24 hours, there was one error. It exactly matches my free-form search or the keyword search, which I perform. You can also use wildcard searches. Let's say, er, star. It reports anything that matches with "Errstar." As you can see, there is one error and one star. These are basically the searches that I'm running. It is auditing the searches that I'm running. It keeps track of the searches. So in the last 24 hours, we have three events that are matching, starting with Err, which is a wildcard search. Let me search for capital "Err." This is a case-sensitive capital or small-case error in the free-form search Splunk. They both mean the same. It gives me the same results, which are matching error keywords. But if you use quotes or if you use a fieldname in capitals, it always refers to the code names. Here, even with the codes for the errors, it still finds me with the same results. Allow me to search by selecting a field to search in. Actions are equal to searches in the last 24 hours. So we have four events that match. In the last 24 hours, action was equal to search. What will happen if I search for capital action. Let me repeat my search now. I'm using the upper case and value search to find a field called action. This is probably one of your questions. When you are taking the certification for Splunk power users or Splunk users, make sure you understand the capitalization that is mentioned for the field name. It says the results were not found, but we saw therewas a field named Action but it is with smaller case. So this shows that field names are case sensitive.The field name should be typed as it is. If it starts with a capital A, it should be a capital A. If it's all small, you should type all small. As you can see, we searched with small caseactions and received eight events that matched our search query. Let's see what happens if I change the value of the field to capital letters. This is a guaranteed question. When you are thinking of Splunk power users or Splunk user certification, you will get this question. They will give an example such as "action is equal to searching one in small letters and one in caps," and they will state whether or not these both yield the same result." Is it true or false? Of course, it is false. We've already seen that capital fieldnames differ from lower case fieldnames, even though the values are the same. They will also provide quotes. We have even validated that scenario with quotes. Also it will not look for case sensitivevalues but whereas feels they are case sensitive.

24. Splunk Searching Basics : Part 2

Now we have seen some of the basic searches. Let us see some of the most common searches for visualization. The most commonly used searches are our search commands; one is "top." Let me say "top." By default, it displays ten if you want 20 or, let's say, I limit it to five. So it displays only the top five actions. limit is equal to five. It displays just the top five actions. This means that in the last 24 hours, these are the topaction values that are present in the locks of the audit. There are 949 searches, 325 accelerations, and these are some of the other functions of Splunk that it has invoked internally. Now we are at the top. It provided me statistics, so each statistic by default invoked the visualisation function. I had previously chosen piecharts for my other demonstration. So it is showing me my pie chart. Let me change it to other recommended forms. It shows a column chart. If I want a bar chart, I can just click and select a bar chart. Let's say I'm able to see the values here only if I move my cursor next to the selected bar. It shows me what the action is and what the count is. Let's say I want to see the account. You can click on "Format, show data values." It will display each value right next to the bar. Similarly, if you want to display values in a pie chart, you must use a column chart or a pie chart with no formatting options. You have other methods to display the values, which we will discuss, such as how to search in Splunk, a comprehensive and diverse module that covers almost 140+ commands. As I write a small query, it may appear advanced, but trust me, it will become much easier over time. I'm attempting to add this action here, along with search and add these values. I'll also do an action called action plus for concatenating the string from search and 949, the search plus 949, for the display. So after searching, I need a blank space, and I'm adding one more plus to my count into it.As you can see, it says "Search 981." If you want to still make it look good, you can add some text saying count ease or count colon, which makes it presentable. search count is 989. There are many ways you can play around with Splunk. We'll go over them one by one throughout the course so that when you finish, you'll be able to take Splunk Power User, Splunk User, and Splunk Admin Problems, as well as Splunk Art Tech. also because we will be building our own Amazon AWS enterprise-level multi-site clustering environment in the cloud. After this, you will probably have had one complete experience of going through the real-life scenario of implementing this plan. Now let's come back to our search query. I've added Abrasive for better presentation, and I can see the search count is 1000. If I go to Visualization, I can see my pie charts right there. Now, these are some of the ways you can experiment with Splunk when you get access to our demo environment in the cloud, which will be part of the package or free access for all of you as part of the complete package of this course. This is one command. Let's see what happens with the Stats command, for which I'm counting by the same action field. If you see the difference between statistics and count, Now we have 51 values where Top displays only the top ten values by default, whereas that displays everything. You can sort them by count, or you have a sort command for doing that. You can sort by count, which sorts ascending or descending values. This kind of information will be covered in the later part of the tutorial. Because we've already seen top, another likely quick command would berare. Let's see rare. What it does is give us the lowest values in the last 24 hours for the Action field. These are some of the least important values, or the bottom ten, of the Action values.

25. Splunk Licensing

We have previously explained what Splunk is, how it works, what the components are, and how they perform. We will see now how licencing in Splunk works. Splunk licencing is unlike that of any other product. The licence is based on dataingested into Splunk per day. When I say per day, it is not like the last 24 hours; it is per day. That is from till midnight tothe next day until midnight. The licence is, for example, measured as 10 GB per day or 100 GB per day. And it can range from ten GB to a couple of TVs per day. The size of a Splunk licence is the amount of data that has been processed by Splunk and stored in Splunk within a span of one complete date. That is how the splunk charge or splunk licencing works. There are three different types of licenses. One is the free license, which we have seen in previous sections of the tutorial, where when we download a package, we get a 500 MB per day licence for 60 days. The second one is the Splunk Developer License, which is 10 GB per day. And also, if you develop an app and submit it to the portal once it is verified or published, you will get a preapproved 50 GB licence per day, which you can use to learn or explore Splunk. In the later part, we'll see how we can get a Splunk Developer License so that we can use it for our own learning purposes. You can probably go ahead and set up your own enterprise plank environment in the Amazon cloud. The third one is the Splunk License enterpriseLicense which is commercial version of Splunk licensingwhich most of the organisations are using. It ranges from ten GB to probably petabytes per day in those kinds of scenarios. And the licencing cost—if you see the cost, it's like if I buy one GB per day, it might cost me $1,000. Yes, $1,000. But if you go by this as a rough estimate, this is not the actual figure. So it might cost up to, say, $1,000 per GB. So if I go with ten GB, it could cost me $9,000 or more. There is a discount of 10%. So the more licence you buy, the costreduces per GB just as the information.

Go to testing centre with ease on our mind when you use Splunk SPLK-1002 vce exam dumps, practice test questions and answers. Splunk SPLK-1002 Splunk Core Certified Power User certification practice test questions and answers, study guide, exam dumps and video training course in vce format to help you study with ease. Prepare with confidence and study using Splunk SPLK-1002 exam dumps & practice test questions and answers vce from ExamCollection.