Splunk | Dashboards introduction

Classic Dashboard, Dashboard Studio

and the 2nd dashboard is

created from Search

Absolute/Grid is the 2 view types

Grid layout has the view mode first and then

can see edit the search, visualization, code in json for the visualization.

Data Sources, inputs, general layout -> order in which dashboard source code is ordered

json code/file has .viz and .splunk prefixes

dashboard from web page, create dashboard

set private/all aps

Classic or Dashboard studio can be selected.

Edit mode is default from absolute layout.

icons, shapes text options along with background color can be changed.

Grid to absolute or vice versa can be made, but it’s not an innovative idea to change the dashboard studio dashboard.

Grid layout has charts and rows.

Splunk | Search Under the Hood

In Search there are certain commands like each other but have unique functionality.

SEARCH JOB INSPECTOR – trouble shooting the searches.

EXECUTION COSTS – Based on the more time the search time, more the components.

Comments in general used to make a note of what eh search code is intended to be executed as ”’is a sample comment”’

Indexer vs Search head, Splunk uses bloom to find the search terms

Search head is for the centralized streaming and transforming commands

Transforming commands – time charts, stats, chart, top, Rare

Centralized– is made in search head – stateful Streaming commands

Distributable streaming command- eval- executes on indexer

Notes: Rename- distributive-streaming command | Rename to added before stats

Search tokens- event tokens from Segmentation – affect search performances, either improve or not.

Major breakers – Space-new line-carriage return, Comma, exclamation mark

Minor breakers – Symbols like:

Searches– tokens-> Search in address- click search log

Splunk uses lispy expressions to create bloom filters.

AND OR NOT

Hot bucket- stores data as it arrives

Warm bucket- Read only then cold then

Frozen bucket – deletion and archiving

Bucket– journal has the raw data, and the tsi (timeStamp index) file – index keys to journal file has a unique lexicon

  1. Which of the following commands generates temporary search results? make results
  2. Where should the make results command be placed in the search? In the beginning of the search
  3. Which if the following command signified the comment in spl? ”’triple single quotes”’
  4. Where are comments to be placed in the Search? comment can be placed anywhere – in the search
  5. Which component of the search job Inspector shows how long a search took to execute? Header
  6. When is a bucket bloom filter created? When the bucket changes from hot to warm
  7. Which architectural component of a Splunk deployment initiates a search? initiates in Search head – sent to indexer peers!
  8. Which component of a bucket stores raw event data? Journal
  9. Where in the search pipeline are the transforming commands executed? Search head
  10. If a search begins with a distributable streaming command, where is it first executed? indexer– if search head then
  11. After the Splunk tokenizes terms at the index time, where are the tokens stored? tsidx files
  12. Which of the following breakers would be used first in segmentation? major breakers – spaces, new lines, carriage returns, tabs, [],  ! , commas?
  13. Which of the following expressions builds a search-time bloom filter? lispy
  14. Which of the following could cause a lispy expression to not create tokens? wild card in beginning
  15. Which directive is used in a search to bypass minor breakers inside the supplied argument? lispy?\:/-$ — term

Splunk | Introduction to Knowledge objects.

Intro to knowledge objects

Fields – when a search is made the fields are displayed. This helps in narrowing the data which contains only that specific field/keyword. the events,
All the fields can be found in the field side bar, on hover and clicking on the fields specifically, it can be added to the search.

Field extractions

field aliases – normalize data to provide a normal name if the current name is like another field or common!

calculated fields – perform calculations based on existing fields.

lookups – sources like csv can be configured to additional fields and events in search

Event types – same combination over and over- save the search as event type to categorize the data

Tags – key value pairs can be made into tags, can be used in search as event type

note: event types and tags can be also noted in the field side bar

Workflow Actions – interact with external resources to narrow the searches, http get and post to external sources and back to Splunk for secondary searches.

Reports – Repeated search can be saved as reports

Alerts – to receive a notification, search can be saved as alerts

both are used for scheduling

Macros – similar or more complicated syntax – can store entire search strings including commands,

Data models – data sets can be events, can be used in pivot

Name ur objects using Six segmented keys

  1. Group
  2. type
  3. platform
  4. category
  5. time
  6. Description

Primary type of knowledge objects

permissions lay a key role in creating and sharing KO,

  1. private –
  2. Specific App
  3. All apps

When a user creates a ko, it automatically private and only available to that user,

when a power user or admin creates a Ko, it is shared across all users, and has control on other roles by hide/give permissions

only admin has access to allow ko to access across all apps, can edit permissions, can read or edit private objects created by anyone.

Admin can only reassign a ko to user- when the user leaves the org but has knowledge.

 

  1. Primary functions of workflow actions? interact with external resources to narrow the searches
  2. which knowledge objects can have an eval expression? calculated fields
  3. Which knowledge object can communicate to external sources using the HTTP GET and POST methods? workflow actions
  4. knowledge objects to be scheduled and executed at specific times? alerts/reports
  5. By default, what user role is required to make a knowledge object available to all apps? any user
  6. Where can you find the list of fields returned from events? fields sidebar
  7. When a user has left the organization, what haens to the knowledge objects? admin can edit the permission, user level info
  8. which kind of knowledge objects can be searched in pivot? data models
  9. Which are used to manually extract the fields? regex, delimiters like commas, spaces.
  10. Which of the knowledge objects can contain eval?  calculated fields? macros?
  11. Which of the user roles can create knowledge objects? Power user, admin, user
  12. When a ko is crated wo can access its contents? user created and admin
  13. Which of the types can be uploaded to create a lookup? csv
  14. What are the three predefined sharing options for a knowledge object? private, shared in all apps, shared in app
  15. which knowledge object type can store entire search strings including commands? macros

Splunk | Visualizations learning

Few important tips to take note of

Here we can see about Field Extraction and table formatting

| fields – to make searches more efficient, main part of search

  • -fieldname fieldname2 is different for – fieldname fieldname2

it makes search more efficient if the fields are included or excluded.

| table – like fields- but changes data to tabulated format (transforming command)

fields to be used before using the table command

| dedup – to remove duplicate values form the values displayed in the events/rows

  1. count ex:
  2. top, limit: top vendor limit=5
  3. rare
  4. showperc=true/false
  5. otheruser=true

Few of the Stats commands

  1. count ex: stats count as “column name” by field name
  2. distinct count ex:
  3. sum
  4. average
  5. min
  6. max
  7. list
  8. values

Chart

| chart count over status

count of a field can be noted in x axis, y always numeric as the data mentioned in x axis can be displayed based on the count.

Questions and Answers:

  1. Which of the following removes the duplicate? dedup.
  2. In a single series data table, which column provides the x-axis values for the visualization? 1st column?
  3. Which optional argument of the addtotals command changes the label for row totals in a table? label.
  4. Which clause can be used with the top command to change the name of the count column? countfield.
  5. Which clause can be used with the top command to specify a number of values to return? limit.
  6. Which command changes the appearance of field values? fieldformat.
  7. How many columns are displayed by default when using the chart command? 10.
  8. Which type of default map visualization uses shading to represent relative metrics? chloropleth.
  9. Which of the following commands can return a count of all events matching a search criteria over a specific time period? trendline sma/ema/wma
  10. When using the time chart command, which axis represents time? x-axis.
  11. How can the order of columns in a table be changed? By changing the order of fields specified in the table command.
  12. Which argument can be used with the time chart command to specify the time range to use when grouping events? span.
  13. Which clause can be used with the rare command to specify whether a percentage column is created? showperc.
  14. Which command can be used to exclude fields from search results? fields.
  15. Which argument can be used with geostats command to control the column count? globallimit.

ISTQB – Foundation – Sample Questions 2

Reviewing to start on Work product drafts

Early testing is better for the project in dev and in cost savings.

Each dev level has one testing level

Component integration testing- structural, white box,

Impact analysis is used when deciding if a fix is worthwhile.

Functional testing can be performed at any level (4 levels- unit, integration, system integration and acceptance)

ISTQB foundation does not talk about the non-functional as it’s not in scope.

Confirmation testing (retest after the fix has been made) to make sure the issue is not reproduced!

Regression testing is no other parts are impacted by the fix provided in line with the previous statement above (confirmation testing)

impact analysis – fixing the maintenance system is worthwhile.

AB Testing

On Basic words, AB test can be described as a process to allow the team to compare 2 different versions of a feature to learn which is more user friendly and effective and widely used. It helps to derive the business revenue or loss.

For Example: Version A or version B? which could be selected based on specific business measures.

Sample – tell me about yourself for a role

Role:

Ex: Business Analyst, System Analyst

Profile:

I do have a solid 5 years of experience in IT in various technologies and different domains.

The knowledge transition in general in it would be 2 weeks.

 

Strengths:

Workday:

HCM

Finance

P:ayroll

Student/enrollment/Leave

 

Advantages:

I have the knowledge required for this role and I am in touch with the existing team on the tickets that are actively working on.

 

What can i improve

reduce the Gap in the tickets created, analyze on the repeated tickets which does not have a quick resolution,

prioritize and get a solid template of answer to get the tickets resolved quickly.

Roles and Responsibilities

What is expected

What I do every day!