Exam4Training

Splunk SPLK-1002 Splunk Core Certified Power User Online Training

Question #1

Which of the following statements about macros is true? (select all that apply)

  • A . Arguments are defined at execution time.
  • B . Arguments are defined when the macro is created.
  • C . Argument values are used to resolve the search string at execution time.
  • D . Argument values are used to resolve the search string when the macro is created.

Correct Answer: B, C

Explanation:

A macro is a way to save a commonly used search string as a variable that you can reuse in other searches. When you create a macro, you can define arguments that are placeholders for values that you specify at execution time. The argument values are used to resolve the search string when the macro is invoked, not when it is created. Therefore, statements B and C are true, while statements A and D are false.

Question #2

What is required for a macro to accept three arguments?

  • A . The macro’s name ends with (3).
  • B . The macro’s name starts with (3).
  • C . The macro’s argument count setting is 3 or more.
  • D . Nothing, all macros can accept any number of arguments.

Correct Answer: A

Explanation:

To create a macro that accepts arguments, you must include the number of arguments in parentheses at the end of the macro name. For example, my_macro(3) is a macro that accepts three arguments. The number of arguments in the macro name must match the number of arguments in the definition. Therefore, option A is correct, while options B, C and D are incorrect.

Question #3

Which of the following statements describes POST workflow actions?

  • A . POST workflow actions are always encrypted.
  • B . POST workflow actions cannot use field values in their URI.
  • C . POST workflow actions cannot be created on custom sourcetypes.
  • D . POST workflow actions can open a web page in either the same window or a new window.

Correct Answer: D

Explanation:

A workflow action is a link that appears when you click an event field value in your search results. A workflow action can open a web page or run another search based on the field value. There are two types of workflow actions: GET and POST. A GET workflow action appends the field value to the end of a URI and opens it in a web browser. A POST workflow action sends the field value as part of an HTTP request to a web server. You can configure a workflow action to open a web page in either the same window or a new window. Therefore, option D is correct, while options A, B and C are incorrect.

Question #4

Which of the following searches show a valid use of a macro? (Select all that apply)

  • A . index=main source=mySource oldField=* | 'makeMyField(oldField)' | table _time newField
  • B . index=main source=mySource oldField=* | stats if('makeMyField(oldField)') | table _time newField
  • C . index=main source=mySource oldField=* | eval newField='makeMyField(oldField)' | table _time newField
  • D . index=main source=mySource oldField=* | "'newField('makeMyField(oldField)')'" | table _time newField

Correct Answer: A, C

Explanation:

Reference: https://answers.splunk.com/answers/574643/field-showing-an-additional-and-not-visible-value-1.html

To use a macro in a search, you must enclose the macro name and any arguments in single quotation marks. For example, 'my_macro(arg1,arg2)' is a valid way to use a macro with two arguments. You can use macros anywhere in your search string where you would normally use a search command or expression. Therefore, options A and C are valid searches that use macros, while options B and D are invalid because they do not enclose the macros in single quotation marks.

Question #5

Which of the following workflow actions can be executed from search results? (select all that apply)

  • A . GET
  • B . POST
  • C . LOOKUP
  • D . Search

Correct Answer: A, B, D

Explanation:

As mentioned before, there are two types of workflow actions: GET and POST. Both types of workflow actions can be executed from search results by clicking on an event field value that has a workflow action configured for it. Another type of workflow action is Search, which runs another search based on the field value. Therefore, options A, B and D are correct, while option C is incorrect because LOOKUP is not a type of workflow action.

Question #6

Which of the following is the correct way to use the datamodel command to search fields in the data model within the web dataset?

  • A . | datamodel web search | field web *
  • B . | Search datamodel web web | field web*
  • C . | datamodel web web field | search web*
  • D . Datamodel=web | search web | field web*

Correct Answer: A

Explanation:

The datamodel command allows you to run searches on data models that have been accelerated. The syntax for using the datamodel command is | datamodel <model_name> <dataset_name> [search <search_string>]. Therefore, option A is the correct way to use the datamodel command to search fields in the data model within the web dataset. Options B and C are incorrect because they do not follow the syntax for the datamodel command. Option D is incorrect because it does not use the datamodel command at all.

Question #7

Which of the following searches will return events containing a tag named Privileged?

  • A . Tag= Priv
  • B . Tag= Pri*
  • C . Tag= Priv*
  • D . Tag= Privileged

Correct Answer: B

Explanation:

Reference: https://docs.splunk.com/Documentation/PCI/4.1.0/Install/PrivilegedUserActivity

A tag is a descriptive label that you can apply to one or more fields or field values in your events. You can use tags to simplify your searches by replacing long or complex field names or values with short and simple tags. To search for events that contain a tag name, you can use the tag keyword followed by an equal sign and the tag name. You can also use wildcards (*) to match partial tag names. Therefore, option B is correct because it will return events that contain a tag name that starts with Pri. Options A and D are incorrect because they will only return events that contain an exact tag name match. Option C is incorrect because it will return events that contain a tag name that starts with Priv, not Privileged.

Question #8

Which of the following statements describes this search?

sourcetype=access_combined | transaction JSESSIONID | timechart avg(duration)

  • A . This is a valid search and will display a timechart of the average duration, of each transaction event.
  • B . This is a valid search and will display a stats table showing the maximum pause among transactions.
  • C . No results will be returned because the transaction command must include the startswith and endswith options.
  • D . No results will be returned because the transaction command must be the last command used in the search pipeline.

Correct Answer: A

Explanation:

This search uses the transaction command to group events that share a common value for JSESSIONID into transactions. The transaction command assigns a duration field to each transaction, which is the difference between the latest and earliest timestamps of the events in the transaction. The search then uses the timechart command to create a time-series chart of the average duration of each transaction. Therefore, option A is correct because it describes the search accurately. Option B is incorrect because the search does not use the stats command or the pause field. Option C is incorrect because the transaction command does not require the startswith and endswith options, although they can be used to specify how to identify the beginning and end of a transaction. Option D is incorrect because the transaction command does not have to be the last command in the search pipeline, although it is often used near the end of a search.

Question #9

Calculated fields can be based on which of the following?

  • A . Tags
  • B . Extracted fields
  • C . Output fields for a lookup
  • D . Fields generated from a search string

Correct Answer: B

Explanation:

Reference: https://docs.splunk.com/Documentation/Splunk/8.0.3/Knowledge/definecalcfields

A calculated field is a field that you create based on the value of another field or fields. You can use calculated fields to enrich your data with additional information or to transform your data into a more useful format. Calculated fields can be based on extracted fields, which are fields that are extracted from your raw data using various methods such as regular expressions, delimiters, or key-value pairs. Therefore, option B is correct, while options A, C and D are incorrect because tags, output fields for a lookup, and fields generated from a search string are not types of extracted fields.

Question #10

Based on the macro definition shown below, what is the correct way to execute the macro in a search string?

  • A . Convert_sales (euro, , 79)
  • B . Convert_sales (euro, , .79)
  • C . Convert_sales ($euro,$$,s79$
  • D . Convert_sales ($euro, $$,S,79$)

Correct Answer: B

Explanation:

Reference: https://docs.splunk.com/Documentation/Splunk/8.0.3/Knowledge/Usesearchmacros

The correct way to execute the macro in a search string is to use the format macro_name($arg1$, $arg2$, …) where $arg1$, $arg2$, etc. are the arguments for the macro. In this case, the macro name is convert_sales and it takes three arguments: currency, symbol, and rate. The arguments are enclosed in dollar signs and separated by commas. Therefore, the correct way to execute the macro is convert_sales($euro$, $$, .79).

Question #11

When multiple event types with different color values are assigned to the same event, what determines the color displayed for the events?

  • A . Rank
  • B . Weight
  • C . Priority
  • D . Precedence

Correct Answer: C

Explanation:

Reference: https://docs.splunk.com/Documentation/SplunkCloud/8.0.2003/Knowledge/Defineeventtypes

When multiple event types with different color values are assigned to the same event, the color displayed for the events is determined by the priority of the event types. The priority is a numerical value that indicates how important an event type is. The higher the priority, the more important the event type. The event type with the highest priority will determine the color of the event.

Question #12

Which of the following statements describes the command below? (select all that apply)

Sourcetype=access_combined | transaction JSESSIONID

  • A . An additional field named maxspan is created.
  • B . An additional field named duration is created.
  • C . An additional field named eventcount is created.
  • D . Events with the same JSESSIONID will be grouped together into a single event.

Correct Answer: B, C, D

Explanation:

The command sourcetype=access_combined | transaction JSESSIONID does three things:

It filters the events by the sourcetype access_combined, which is a predefined sourcetype for Apache web server logs.

It groups the events by the field JSESSIONID, which is a unique identifier for each user session.

It creates a single event from each group of events that share the same JSESSIONID value. This single event will have some additional fields created by the transaction command, such as duration, eventcount, and startime.

Therefore, the statements B, C, and D are true.

Question #13

Which of the following can be used with the eval command tostring function? (select all that apply)

  • A . "hex"
  • B . "commas"
  • C . "Decimal"
  • D . "duration"

Correct Answer: A, B, D

Explanation:

Reference: https://docs.splunk.com/Documentation/Splunk/8.1.0/SearchReference/ConversionFunctions#tostring.28X.2CY.29

The tostring function in the eval command converts a numeric value to a string value. It can take an optional second argument that specifies the format of the string value. Some of the possible formats are:

hex: converts the numeric value to a hexadecimal string.

commas: adds commas to separate thousands in the numeric value.

duration: converts the numeric value to a human-readable duration string, such as “2h 3m 4s”.

Therefore, the formats A, B, and D can be used with the tostring function.

Question #14

Which of the following statements about tags is true?

  • A . Tags are case insensitive.
  • B . Tags are created at index time.
  • C . Tags can make your data more understandable.
  • D . Tags are searched by using the syntax tag::<fieldname>

Correct Answer: C

Explanation:

Tags are aliases or alternative names for field values in Splunk. They can make your data more understandable by using common or descriptive terms instead of cryptic or technical terms. For example, you can tag a field value such as “200” with “OK” or “success” to indicate that it is a HTTP status code for a successful request. Tags are case sensitive, meaning that “OK” and “ok” are different tags. Tags are created at search time, meaning that they are applied when you run a search on your data. Tags are searched by using the syntax tag::<tagname>, where <tagname> is the name of the tag you want to search for.

Question #15

Which of the following statements about data models and pivot are true? (select all that apply)

  • A . They are both knowledge objects.
  • B . Data models are created out of datasets called pivots.
  • C . Pivot requires users to input SPL searches on data models.
  • D . Pivot allows the creation of data visualizations that present different aspects of a data model.

Correct Answer: D

Explanation:

Data models and pivot are both knowledge objects in Splunk that allow you to analyze and visualize your data in different ways. Data models are collections of datasets that represent your data in a structured and hierarchical way. Data models define how your data is organized into objects and fields. Pivot is a user interface that allows you to create data visualizations that present different aspects of a data model. Pivot does not require users to input SPL searches on data models, but rather lets them select options from menus and forms. Data models are not created out of datasets called pivots, but rather pivots are created from datasets in data models.

Question #16

When using the Field Extractor (FX), which of the following delimiters will work? (select all that apply)

  • A . Tabs
  • B . Pipes
  • C . Colons
  • D . Spaces

Correct Answer: A, B, D

Explanation:

Reference: https://docs.splunk.com/Documentation/Splunk/8.0.3/Knowledge/FXSelectMethodstep
https://community.splunk.com/t5/Splunk-Search/Field-Extraction-Separate-on-Colon/m-p/29751

The Field Extractor (FX) is a tool that helps you extract fields from your data using delimiters or regular expressions. Delimiters are characters or strings that separate fields in your data.

Some of the delimiters that will work with FX are:

Tabs: horizontal spaces that align text in columns.

Pipes: vertical bars that often indicate logical OR operations.

Spaces: blank characters that separate words or symbols.

Therefore, the delimiters A, B, and D will work with FX.

Question #17

Which of the following describes the Splunk Common Information Model (CIM) add-on?

  • A . The CIM add-on uses machine learning to normalize data.
  • B . The CIM add-on contains dashboards that show how to map data.
  • C . The CIM add-on contains data models to help you normalize data.
  • D . The CIM add-on is automatically installed in a Splunk environment.

Correct Answer: C

Explanation:

The Splunk Common Information Model (CIM) add-on is a Splunk app that contains data models to help you normalize data from different sources and formats. The CIM add-on defines a common and consistent way of naming and categorizing fields and events in Splunk. This makes it easier to correlate and analyze data across different domains, such as network, security, web, etc. The CIM add-on does not use machine learning to normalize data, but rather relies on predefined field names and values. The CIM add-on does not contain dashboards that show how to map data, but rather provides documentation and examples on how to use the data models. The CIM add-on is not automatically installed in a Splunk environment, but rather needs to be downloaded and installed from Splunkbase.

Question #18

What does the transaction command do?

  • A . Groups a set of transactions based on time.
  • B . Creates a single event from a group of events.
  • C . Separates two events based on one or more values.
  • D . Returns the number of credit card transactions found in the event logs.

Correct Answer: B

Explanation:

The transaction command is a search command that creates a single event from a group of events that share some common characteristics. The transaction command can group events based on fields, time, or both. The transaction command can also create some additional fields for each transaction, such as duration, eventcount, startime, etc. The transaction command does not group a set of transactions based on time, but rather groups a set of events into a transaction based on time. The transaction command does not separate two events based on one or more values, but rather joins multiple events based on one or more values. The transaction command does not return the number of credit card transactions found in the event logs, but rather creates transactions from the events that match the search criteria.

Question #19

Which of the following statements describe data model acceleration? (select all that apply)

  • A . Root events cannot be accelerated.
  • B . Accelerated data models cannot be edited.
  • C . Private data models cannot be accelerated.
  • D . You must have administrative permissions or the accelerate_datamodel capability to accelerate a data model.

Correct Answer: B, C, D

Explanation:

Data model acceleration is a feature that speeds up searches on data models by creating and storing summaries of the data model datasets. To enable data model acceleration, you must have administrative permissions or the accelerate_datamodel capability. Therefore, option D is correct. Accelerated data models cannot be edited unless you disable the acceleration first. Therefore, option B is correct. Private data models cannot be accelerated because they are not visible to other users. Therefore, option C is correct. Root events can be accelerated as long as they are not based on a search string. Therefore, option A is incorrect.

Question #20

A user wants to convert numeric field values to strings and also to sort on those values.

Which command should be used first, the eval or the sort?

  • A . It doesn’t matter whether eval or sort is used first.
  • B . Convert the numeric to a string with eval first, then sort.
  • C . Use sort first, then convert the numeric to a string with eval.
  • D . You cannot use the sort command and the eval command on the same field.

Correct Answer: C

Explanation:

The eval command is used to create new fields or modify existing fields based on an expression. The sort command is used to sort the results by one or more fields in ascending or descending order. If you want to convert numeric field values to strings and also sort on those values, you should use the sort command first, then use the eval command to convert the values to strings. This way, the sort command will use the original numeric values for sorting, rather than the converted string values, which may not sort correctly. Therefore, option C is correct, while options A, B and D are incorrect.

Question #21

The Field Extractor (FX) is used to extract a custom field. A report can be created using this custom field. The created report can then be shared with other people in the organization.

If another person in the organization runs the shared report and no results are returned, why might this be? (select all that apply)

  • A . Fast mode is enabled.
  • B . The dashboard is private.
  • C . The extraction is private.
  • D . The person in the organization running the report does not have access to the index.

Correct Answer: C, D

Explanation:

The Field Extractor (FX) is a tool that helps you extract fields from your events using a graphical interface. You can create a report using a custom field extracted by the FX and share it with other users in your organization. However, if another user runs the shared report and no results are returned, there could be two possible reasons. One reason is that the extraction is private, which means that only you can see and use the extracted field. To make the extraction available to other users, you need to make it global or app-level. Therefore, option C is correct. Another reason is that the other user does not have access to the index where the events are stored. To fix this issue, you need to grant the appropriate permissions to the other user for the index. Therefore, option D is correct. Options A and B are incorrect because they are not related to the field extraction or the report.

Question #22

Which of the following data models are included in the Splunk Common Information Model (CIM) add-on? (select all that apply)

  • A . Alerts
  • B . Email
  • C . Database
  • D . User permissions

Correct Answer: A, B, C

Explanation:

Reference: https://docs.splunk.com/Documentation/CIM/4.15.0/User/Overview

The Splunk Common Information Model (CIM) add-on is a collection of pre-built data models and knowledge objects that help you normalize your data from different sources and make it easier to analyze and report on it. The CIM add-on includes several data models that cover various domains such as Alerts, Email, Database, Network Traffic, Web and more. Therefore, options A, B and C are correct because they are names of some of the data models included in the CIM add-on. Option D is incorrect because User permissions is not a name of a data model in the CIM add-on.

Question #23

A field alias has been created based on an original field. A search without any transforming commands is then executed in Smart Mode.

Which field name appears in the results?

  • A . Both will appear in the All Fields list, but only if the alias is specified in the search.
  • B . Both will appear in the Interesting Fields list, but only if they appear in at least 20 percent of events.
  • C . The original field only appears in All Fields list and the alias only appears in the Interesting Fields list.
  • D . The alias only appears in the All Fields list and the original field only appears in the Interesting Fields list.

Correct Answer: B

Explanation:

A field alias is a way to assign an alternative name to an existing field without changing the original field name or value. You can use field aliases to make your field names more consistent or descriptive across different sources or sourcetypes. When you run a search without any transforming commands in Smart Mode, Splunk automatically identifies and displays interesting fields in your results. Interesting fields are fields that appear in at least 20 percent of events or have high variability among values. If you have created a field alias based on an original field, both the original field name and the alias name will appear in the Interesting Fields list if they meet these criteria. However, only one of them will appear in each event depending on which one you have specified in your search string. Therefore, option B is correct, while options A, C and D are incorrect.

Question #24

When performing a regular expression (regex) field extraction using the Field Extractor (FX), what happens when the require option is used?

  • A . The regex can no longer be edited.
  • B . The field being extracted will be required for all future events.
  • C . The events without the required field will not display in searches.
  • D . Only events with the required string will be included in the extraction.

Correct Answer: D

Explanation:

The Field Extractor (FX) allows you to use regular expressions (regex) to extract fields from your events using a graphical interface or by manually editing the regex. When you use the FX to perform a regex field extraction, you can use the require option to specify a string that must be present in an event for it to be included in the extraction. This way, you can filter out events that do not contain the required string and focus on the events that are relevant for your extraction. Therefore, option D is correct, while options A, B and C are incorrect.

Question #25

Which group of users would most likely use pivots?

  • A . Users
  • B . Architects
  • C . Administrators
  • D . Knowledge Managers

Correct Answer: A

Explanation:

Reference: https://docs.splunk.com/Documentation/Splunk/8.0.3/Pivot/IntroductiontoPivot

A pivot is a tool that allows you to create reports and dashboards using data models without writing any SPL commands. You can use pivots to explore, filter, split and visualize your data using a graphical interface. Pivots are designed for users who want to analyze and report on their data without having to learn the SPL syntax or the underlying structure of the data. Therefore, option A is correct, while options B, C and D are incorrect because they are not the typical group of users who would use pivots.

Question #26

When using timechart, how many fields can be listed after a by clause?

  • A . because timechart doesn’t support using a by clause.
  • B . because _time is already implied as the x-axis.
  • C . because one field would represent the x-axis and the other would represent the y-axis.
  • D . There is no limit specific to timechart.

Correct Answer: B

Explanation:

The timechart command is used to create a time-series chart of statistical values based on your search results. You can use the timechart command with a by clause to split the results by one or more fields and create multiple series in the chart. However, you can only list one field after the by clause when using the timechart command because _time is already implied as the x-axis of the chart. Therefore, option B is correct, while options A, C and D are incorrect.

Question #27

What is the correct syntax to search for a tag associated with a value on a specific field?

  • A . Tag-<field?
  • B . Tag<field(tagname.)
  • C . Tag=<field>::<tagname>
  • D . Tag::<field>=<tagname>

Correct Answer: D

Explanation:

Reference: https://docs.splunk.com/Documentation/Splunk/8.0.3/Knowledge/TagandaliasfieldvaluesinSplunkWeb

A tag is a descriptive label that you can apply to one or more fields or field values in your events. You can use tags to simplify your searches by replacing long or complex field names or values with short and simple tags. To search for a tag associated with a value on a specific field, you can use the following syntax: tag::<field>=<tagname>. For example, tag::status=error will search for events where the status field has a tag named error. Therefore, option D is correct, while options A, B and C are incorrect because they do not follow the correct syntax for searching tags.

Question #28

What functionality does the Splunk Common Information Model (CIM) rely on to normalize fields with different names?

  • A . Macros.
  • B . Field aliases.
  • C . The rename command.
  • D . CIM does not work with different names for the same field.

Correct Answer: B

Explanation:

The Splunk Common Information Model (CIM) add-on helps you normalize your data from different sources and make it easier to analyze and report on it. One of the functionalities that the CIM add-on relies on to normalize fields with different names is field aliases. Field aliases allow you to assign an alternative name to an existing field without changing the original field name or value. By using field aliases, you can map different field names from different sources or sourcetypes to a common field name that conforms to the CIM standard. Therefore, option B is correct, while options A, C and D are incorrect.

Question #29

When should you use the transaction command instead of the stats command?

  • A . When you need to group on multiple values.
  • B . When duration is irrelevant in search results.
  • C . When you have over 1000 events in a transaction.
  • D . When you need to group based on start and end constraints.

Correct Answer: D

Explanation:

The transaction command is used to group events into transactions based on some common characteristics, such as fields, time, or both. The transaction command can also specify start and end constraints for the transactions, such as a field value that indicates the beginning or the end of a transaction. The stats command is used to calculate summary statistics on the events, such as count, sum, average, etc. The stats command cannot group events based on start and end constraints, but only on fields or time buckets. Therefore, the transaction command should be used instead of the stats command when you need to group events based on start and end constraints.

Question #30

Which of the following statements describes field aliases?

  • A . Field alias names replace the original field name.
  • B . Field aliases can be used in lookup file definitions.
  • C . Field aliases only normalize data across sources and sourcetypes.
  • D . Field alias names are not case sensitive when used as part of a search.

Correct Answer: B

Explanation:

Field aliases are alternative names for fields in Splunk. Field aliases can be used to normalize data across different sources and sourcetypes that have different field names for the same concept. For example, you can create a field alias for src_ip that maps to clientip, source_address, or any other field name that represents the source IP address in different sourcetypes. Field aliases can also be used in lookup file definitions to map fields in your data to fields in the lookup file. For example, you can use a field alias for src_ip to map it to ip_address in a lookup file that contains geolocation information for IP addresses. Field alias names do not replace the original field name, but rather create a copy of the field with a different name. Field alias names are case sensitive when used as part of a search, meaning that src_ip and SRC_IP are different fields.

Question #31

What does the following search do?

  • A . Creates a table of the total count of users and split by corndogs.
  • B . Creates a table of the total count of mysterymeat corndogs split by user.
  • C . Creates a table with the count of all types of corndogs eaten split by user.
  • D . Creates a table that groups the total number of users by vegetarian corndogs.

Correct Answer: B

Explanation:

The search string | stats count by user | where corndog=mysterymeat creates a table of the total count of mysterymeat corndogs split by user.

The search string does the following:

It uses the stats command to calculate the count of events for each value of the user field. The stats command creates a table with two columns: user and count.

It uses the where command to filter the results by the value of the corndog field. The where command only keeps the rows where corndog equals mysterymeat.

Therefore, the search string creates a table of the total count of mysterymeat corndogs split by user.

Question #32

Which of the following statements describes Search workflow actions?

  • A . By default, Search workflow actions will run as a real-time search.
  • B . Search workflow actions can be configured as scheduled searches.
  • C . The user can define the time range of the search when creating the workflow action.
  • D . Search workflow actions cannot be configured with a search string that includes the transaction command.

Correct Answer: C

Explanation:

Search workflow actions are custom actions that run a search when you click on a field value in your search results. Search workflow actions can be configured with various options, such as label name, search string, time range, app context, etc. One of the options is to define the time range of the search when creating the workflow action. You can choose from predefined time ranges, such as Last 24 hours, Last 7 days, etc., or specify a custom time range using relative or absolute time modifiers. Search workflow actions do not run as real-time searches by default, but rather use the same time range as the original search unless specified otherwise. Search workflow actions cannot be configured as scheduled searches, as they are only triggered by user interaction. Search workflow actions can be configured with any valid search string that includes any search command, such as transaction.

Question #33

What do events in a transaction have in common?

  • A . All events in a transaction must have the same timestamp.
  • B . All events in a transaction must have the same sourcetype.
  • C . All events in a transaction must have the exact same set of fields.
  • D . All events in a transaction must be related by one or more fields.

Correct Answer: D

Explanation:

Reference: https://docs.splunk.com/Documentation/Splunk/8.0.3/Knowledge/Abouttransactions

A transaction is a group of events that share some common characteristics, such as fields, time, or both. A transaction can be created by using the transaction command or by defining an event type with transactiontype=true in props.conf. Events in a transaction have one or more fields in common that relate them to each other. For example, you can create a transaction based on JSESSIONID, which is a unique identifier for each user session in web logs. Events in a transaction do not have to have the same timestamp, sourcetype, or exact same set of fields. They only have to share one or more fields that define the transaction.

Question #34

Which of the following statements describe GET workflow actions?

  • A . GET workflow actions must be configured with POST arguments.
  • B . Configuration of GET workflow actions includes choosing a sourcetype.
  • C . Label names for GET workflow actions must include a field name surrounded by dollar signs.
  • D . GET workflow actions can be configured to open the URL link in the current window or in a new window.

Correct Answer: D

Explanation:

GET workflow actions are custom actions that open a URL link when you click on a field value in your search results. GET workflow actions can be configured with various options, such as label name, base URL, URI parameters, app context, etc. One of the options is to choose whether to open the URL link in the current window or in a new window. GET workflow actions do not have to be configured with POST arguments, as they use GET method to send requests to web servers. Configuration of GET workflow actions does not include choosing a sourcetype, as they do not generate any data in Splunk. Label names for GET workflow actions must include a field name surrounded by dollar signs, as this indicates the field value that will be used to replace the variable in the URL link.

Question #35

Data models are composed of one or more of which of the following datasets? (Select all that apply.)

  • A . Events datasets
  • B . Search datasets
  • C . Transaction datasets
  • D . Any child of event, transaction, and search datasets

Correct Answer: A, B, C

Explanation:

Reference: https://docs.splunk.com/Documentation/Splunk/8.0.3/Knowledge/Aboutdatamodels

Data models are collections of datasets that represent your data in a structured and hierarchical way. Data models define how your data is organized into objects and fields.

Data models can be composed of one or more of the following datasets:

Events datasets: These are the base datasets that represent raw events in Splunk. Events datasets can be filtered by constraints, such as search terms, sourcetypes, indexes, etc.

Search datasets: These are derived datasets that represent the results of a search on events or other datasets. Search datasets can use any search command, such as stats, eval, rex, etc., to transform the data.

Transaction datasets: These are derived datasets that represent groups of events that are related by fields, time, or both. Transaction datasets can use the transaction command or event types with transaction type=true to create transactions.

Question #36

Which are valid ways to create an event type? (select all that apply)

  • A . By using the searchtypes command in the search bar.
  • B . By editing the event_type stanza in the props.conf file.
  • C . By going to the Settings menu and clicking Event Types > New.
  • D . By selecting an event in search results and clicking Event Actions > Build Event Type.

Correct Answer: C, D

Explanation:

Event types are custom categories of events that are based on search criteria. Event types can be used to label events with meaningful names, such as error, success, login, logout, etc. Event types can also be used to create transactions, alerts, reports, dashboards, etc. Event types can be created in two ways:

By going to the Settings menu and clicking Event Types > New. This will open a form where you can enter the name, description, search string, app context, and tags for the event type.

By selecting an event in search results and clicking Event Actions > Build Event Type. This will open a dialog box where you can enter the name and description for the event type. The search string will be automatically populated based on the selected event.

Event types cannot be created by using the searchtypes command in the search bar, as this command does not exist in Splunk. Event types can also be created by editing the event_type stanza in the transforms.conf file, not the props.conf file.

Question #37

Which of the following statements describe the search string below?

| datamodel Application_State All_Application_State search

  • A . Evenrches would return a report of sales by state.
  • B . Events will be returned from the data model named Application_State.
  • C . Events will be returned from the data model named All_Application_state.
  • D . No events will be returned because the pipe should occur after the datamodel command.

Correct Answer: B

Explanation:

The search string below returns events from the data model named Application_State.

| datamodel Application_State All_Application_State search

The search string does the following:

It uses the datamodel command to access a data model in Splunk. The datamodel command takes two arguments: the name of the data model and the name of the dataset within the data model.

It specifies the name of the data model as Application_State. This is a predefined data model in Splunk that contains information about web applications.

It specifies the name of the dataset as All_Application_State. This is a root dataset in the data model that contains all events from all child datasets.

It uses the search command to filter and transform the events from the dataset. The search command can use any search criteria or command to modify the results.

Therefore, the search string returns events from the data model named Application_State.

Question #38

What is the relationship between data models and pivots?

  • A . Data models provide the datasets for pivots.
  • B . Pivots and data models have no relationship.
  • C . Pivots and data models are the same thing.
  • D . Pivots provide the datasets for data models.

Correct Answer: A

Explanation:

The relationship between data models and pivots is that data models provide the datasets for pivots. Data models are collections of datasets that represent your data in a structured and hierarchical way. Data models define how your data is organized into objects and fields. Pivots are user interfaces that allow you to create data visualizations that present different aspects of a data model. Pivots let you select options from menus and forms to create charts, tables, maps, etc., without writing any SPL code. Pivots use datasets from data models as their source of data. Pivots and data models are not the same thing, as pivots are tools for visualizing data models. Pivots do not provide datasets for data models, but rather use them as inputs.

Therefore, only statement A is true about the relationship between data models and pivots.

Question #39

What are the two parts of a root event dataset?

  • A . Fields and variables.
  • B . Fields and attributes.
  • C . Constraints and fields.
  • D . Constraints and lookups.

Correct Answer: C

Explanation:

Reference: https://docs.splunk.com/Documentation/SplunkLight/7.3.5/GettingStarted/Designdatamodelobjects

A root event dataset is the base dataset for a data model that defines the source or sources of the data and the constraints and fields that apply to the data. A root event dataset has two parts: constraints and fields. Constraints are filters that limit the data to a specific index, source, sourcetype, host or search string. Fields are the attributes that describe the data and can be extracted, calculated or looked up. Therefore, option C is correct, while options A, B and D are incorrect.

Question #40

In which of the following scenarios is an event type more effective than a saved search?

  • A . When a search should always include the same time range.
  • B . When a search needs to be added to other users’ dashboards.
  • C . When the search string needs to be used in future searches.
  • D . When formatting needs to be included with the search string.

Correct Answer: C

Explanation:

Reference: https://answers.splunk.com/answers/4993/eventtype-vs-saved-search.html

An event type is a way to categorize events based on a search string that matches the events. You can use event types to simplify your searches by replacing long or complex search strings with short and simple event type names. An event type is more effective than a saved search when the search string needs to be used in future searches because it allows you to reuse the search string without having to remember or type it again. Therefore, option C is correct, while options A, B and D are incorrect because they are not scenarios where an event type is more effective than a saved search.

Question #41

How does a user display a chart in stack mode?

  • A . By using the stack command.
  • B . By turning on the Use Trellis Layout option.
  • C . By changing Stack Mode in the Format menu.
  • D . You cannot display a chart in stack mode, only a timechart.

Correct Answer: C

Explanation:

A chart is a graphical representation of your search results that shows the relationship between two or more fields. You can display a chart in stack mode by changing the Stack Mode option in the Format menu. Stack mode allows you to stack multiple series on top of each other in a chart to show the cumulative values of each series. Therefore, option C is correct, while options A, B and D are incorrect because they are not ways to display a chart in stack mode.

Question #42

Which of the following statements about event types is true? (select all that apply)

  • A . Event types can be tagged.
  • B . Event types must include a time range.
  • C . Event types categorize events based on a search.
  • D . Event types can be a useful method for capturing and sharing knowledge.

Correct Answer: A, C, D

Explanation:

Reference: https://www.edureka.co/blog/splunk-events-event-types-and-tags/

As mentioned before, an event type is a way to categorize events based on a search string that matches the events. Event types can be tagged, which means that you can apply descriptive labels to event types and use them in your searches. Therefore, option A is correct. Event types categorize events based on a search string, which means that you can define an event type by specifying a search string that matches the events you want to include in the event type. Therefore, option C is correct. Event types can be a useful method for capturing and sharing knowledge, which means that you can use event types to organize your data into meaningful categories and share them with other users in your organization. Therefore, option D is correct. Event types do not have to include a time range, which means that you can create an event type without specifying a time range for the events. Therefore, option B is incorrect.

Question #43

In what order are the following knowledge objects/configurations applied?

  • A . Field Aliases, Field Extractions, Lookups
  • B . Field Extractions, Field Aliases, Lookups
  • C . Field Extractions, Lookups, Field Aliases
  • D . Lookups, Field Aliases, Field Extractions

Correct Answer: B

Explanation:

Reference: https://docs.splunk.com/Documentation/Splunk/8.0.3/Knowledge/WhatisSplunkknowledge

Knowledge objects are entities that you create to add knowledge to your data and make it easier to search and analyze. Some examples of knowledge objects are field extractions, field aliases and lookups. Field extractions are methods that extract fields from your raw data using various techniques such as regular expressions, delimiters or key-value pairs. Field aliases are ways to assign alternative names to existing fields without changing the original field names or values. Lookups are ways to enrich your data with additional information from external sources such as CSV files or databases. The order in which these knowledge objects/configurations are applied is as follows: field extractions, field aliases and then lookups. This means that Splunk first extracts fields from your raw data, then applies any aliases to the extracted fields and then performs any lookups on the aliased fields. Therefore, option B is correct, while options A, C and D are incorrect.

Question #44

Which of the following knowledge objects represents the output of an eval expression?

  • A . Eval fields
  • B . Calculated fields
  • C . Field extractions
  • D . Calculated lookups

Correct Answer: B

Explanation:

Reference: https://docs.splunk.com/Splexicon:Calculatedfield

The eval command is used to create new fields or modify existing fields based on an expression. The output of an eval expression is a calculated field, which is a field that you create based on the value of another field or fields. You can use calculated fields to enrich your data with additional information or to transform your data into a more useful format. Therefore, option B is correct, while options A, C and D are incorrect because they are not names of knowledge objects that represent the output of an eval expression.

Question #45

A calculated field may be based on which of the following?

  • A . Lookup tables
  • B . Extracted fields
  • C . Regular expressions
  • D . Fields generated within a search string

Correct Answer: B

Explanation:

As mentioned before, a calculated field is a field that you create based on the value of another field or fields. A calculated field can be based on extracted fields, which are fields that are extracted from your raw data using various methods such as regular expressions, delimiters or key-value pairs. Therefore, option B is correct, while options A, C and D are incorrect because they are not types of fields that a calculated field can be based on.

Question #46

Which of the following eval command functions is valid?

  • A . Int ()
  • B . Count ( )
  • C . Print ()
  • D . Tostring ()

Correct Answer: D

Explanation:

The eval command supports a number of functions that you can use in your expressions to perform calculations, conversions, string manipulations and more. One of the eval command functions is tostring(), which converts a numeric value to a string value. Therefore, option D is correct, while options A, B and C are incorrect because they are not valid eval command functions.

Question #47

Which one of the following statements about the search command is true?

  • A . It does not allow the use of wildcards.
  • B . It treats field values in a case-sensitive manner.
  • C . It can only be used at the beginning of the search pipeline.
  • D . It behaves exactly like search strings before the first pipe.

Correct Answer: D

Explanation:

Reference: https://docs.splunk.com/Documentation/SplunkCloud/8.0.2003/Search/Usethesearchcommand

The search command is used to filter or refine your search results based on a search string that matches the events. The search command behaves exactly like search strings before the first pipe, which means that you can use the same syntax and operators as you would use in the initial part of your search. Therefore, option D is correct, while options A, B and C are incorrect because they are not true statements about the search command.

Question #48

What does the Splunk Common Information Model (CIM) add-on include? (select all that apply)

  • A . Custom visualizations
  • B . Pre-configured data models
  • C . Fields and event category tags
  • D . Automatic data model acceleration

Correct Answer: BC

Explanation:

The Splunk Common Information Model (CIM) add-on is a collection of pre-built data models and knowledge objects that help you normalize your data from different sources and make it easier to analyze and report on it. The CIM add-on includes pre-configured data models that cover various domains such as Alerts, Email, Database, Network Traffic, Web and more. Therefore, option B is correct. The CIM add-on also includes fields and event category tags that define the common attributes and labels for the data models. Therefore, option C is correct. The CIM add-on does not include custom visualizations or automatic data model acceleration. Therefore, options A and D are incorrect.

Question #49

Which of the following file formats can be extracted using a delimiter field extraction?

  • A . CSV
  • B . PDF
  • C . XML
  • D . JSON

Correct Answer: A

Explanation:

A delimiter field extraction is a method of extracting fields from data that uses a character or a string to separate fields in each event. A delimiter field extraction can be performed by using the Field Extractor (FX) tool or by editing the props.conf file. A delimiter field extraction can be applied to any file format that uses a delimiter to separate fields, such as CSV, TSV, PSV, etc. A CSV file is a comma-separated values file that uses commas as delimiters. Therefore, a CSV file can be extracted using a delimiter field extraction.

Question #50

Which of the following statements describes macros?

  • A . A macro is a reusable search string that must contain the full search.
  • B . A macro is a reusable search string that must have a fixed time range.
  • C . A macro is a reusable search string that may have a flexible time range.
  • D . A macro is a reusable search string that must contain only a portion of the search.

Correct Answer: C

Explanation:

Reference: https://docs.splunk.com/Documentation/Splunk/8.0.3/Knowledge/Definesearchmacros

A macro is a reusable search string that can contain any part of a search, such as search terms, commands, arguments, etc. A macro can have a flexible time range that can be specified when the macro is executed. A macro can also have arguments that can be passed to the macro when it is executed. A macro can be created by using the Settings menu or by editing the macros.conf file. A macro does not have to contain the full search, but only the part that needs to be reused. A macro does not have to have a fixed time range, but can use a relative or absolute time range modifier. A macro does not have to contain only a portion of the search, but can contain multiple parts of the search.

Question #51

Which of the following statements describe calculated fields? (select all that apply)

  • A . Calculated fields can be used in the search bar.
  • B . Calculated fields can be based on an extracted field.
  • C . Calculated fields can only be applied to host and sourcetype.
  • D . Calculated fields are shortcuts for performing calculations using the eval command.

Correct Answer: A, B, D

Explanation:

Reference: https://docs.splunk.com/Documentation/Splunk/8.0.3/Knowledge/definecalcfields

Calculated fields are fields that are created by performing calculations on existing fields using the eval command. Calculated fields can be used in the search bar to filter and transform events based on the calculated values. Calculated fields can also be based on an extracted field, which is a field that is extracted from raw data using various methods, such as regex, delimiters, lookups, etc. Calculated fields are not shortcuts for performing calculations using the eval command, but rather results of performing calculations using the eval command. Calculated fields can be applied to any field in Splunk, not only host and sourcetype.

Therefore, statements A, B, and D are true about calculated fields.

Question #52

Which delimiters can the Field Extractor (FX) detect? (select all that apply)

  • A . Tabs
  • B . Pipes
  • C . Spaces
  • D . Commas

Correct Answer: B, C, D

Explanation:

Reference: https://docs.splunk.com/Documentation/Splunk/8.0.3/Knowledge/FXSelectMethodstep

The Field Extractor (FX) is a tool that helps you extract fields from your data using delimiters or regular expressions. Delimiters are characters or strings that separate fields in your data. The FX can detect some common delimiters automatically, such as pipes (|), spaces ( ), commas (,), semicolons (;), etc. The FX cannot detect tabs (\t) as delimiters automatically, but you can specify them manually in the FX interface.

Question #53

Which of the following statements is true, especially in large environments?

  • A . Use the stats command when you need to group events by two or more fields.
  • B . The stats command is faster and more efficient than the transaction command.
  • C . The transaction command is faster and more efficient than the stats command.
  • D . Use the transaction command when you want to see the results of a calculation.

Correct Answer: B

Explanation:

Reference: https://answers.splunk.com/answers/103/transaction-vs-stats-commands.html

The stats command is faster and more efficient than the transaction command, especially in large environments. The stats command is used to calculate summary statistics on the events, such as count, sum, average, etc. The stats command can group events by one or more fields or by time buckets. The stats command does not create new events from groups of events, but rather creates new fields with statistical values. The transaction command is used to group events into transactions based on some common characteristics, such as fields, time, or both. The transaction command creates new events from groups of events that share one or more fields. The transaction command also creates some additional fields for each transaction, such as duration, eventcount, startime, etc. The transaction command is slower and more resource-intensive than the stats command because it has to process more data and create more events and fields.

Question #54

Which of the following are required to create a POST workflow action?

  • A . Label, URI, search string.
  • B . XML attributes, URI, name.
  • C . Label, URI, post arguments.
  • D . URI, search string, time range picker.

Correct Answer: C

Explanation:

POST workflow actions are custom actions that send a POST request to a web server when you click on a field value in your search results. POST workflow actions can be configured with various options, such as label name, base URL, URI parameters, post arguments, app context, etc. One of the options that are required to create a POST workflow action is post arguments. Post arguments are key-value pairs that are sent in the body of the POST request to provide additional information to the web server. Post arguments can include field values from your data by using dollar signs around the field names.

Question #55

Which of the following statements describe the search below? (select all that apply)

index=main | transaction clientip host maxspan=30s maxpause=5s

  • A . Events in the transaction occurred within 5 seconds.
  • B . It groups events that share the same clientip and host.
  • C . The first and last events are no more than 5 seconds apart.
  • D . The first and last events are no more than 30 seconds apart.

Correct Answer: ABD

Explanation:

The search below groups events by two or more fields (clientip and host), creates transactions with start and end constraints (maxspan=30s and maxpause=5s), and calculates the duration of each transaction.

index=main | transaction clientip host maxspan=30s maxpause=5s

The search does the following:

It filters the events by the index main, which is a default index in Splunk that contains all data that is not sent to other indexes.

It uses the transaction command to group events into transactions based on two fields: clientip and host. The transaction command creates new events from groups of events that share the same clientip and host values.

It specifies the start and end constraints for the transactions using the maxspan and maxpause arguments. The maxspan argument sets the maximum time span between the first and last events in a transaction. The maxpause argument sets the maximum time span between any two consecutive events in a transaction. In this case, the maxspan is 30 seconds and the maxpause is 5 seconds, meaning that any transaction that has a longer time span or pause will be split into multiple transactions.

It creates some additional fields for each transaction, such as duration, eventcount, startime, etc. The duration field shows the time span between the first and last events in a transaction.

Question #56

Given the macro definition below, what should be entered into the Name and Arguments fields to correctly configure the macro?

  • A . The macro name is sessiontracker and the arguments are action, JSESSIONID.
  • B . The macro name is sessiontracker(2) and the arguments are action, JSESSIONID.
  • C . The macro name is sessiontracker and the arguments are $action$, $JSESSIONID$.
  • D . The macro name is sessiontracker(2) and the arguments are $action$, $JSESSIONID$.

Correct Answer: B

Explanation:

Reference: https://docs.splunk.com/Documentation/Splunk/8.0.3/Knowledge/Definesearchmacros

The macro definition below shows a macro that tracks user sessions based on two arguments: action and JSESSIONID.

sessiontracker(2)

The macro definition does the following:

It specifies the name of the macro as sessiontracker. This is the name that will be used to execute the macro in a search string.

It specifies the number of arguments for the macro as 2. This indicates that the macro takes two arguments when it is executed.

It specifies the code for the macro as index=main sourcetype=access_combined_wcookie action=$action$ JSESSIONID=$JSESSIONID$ | stats count by JSESSIONID. This is the search string that will be run when the macro is executed. The search string can contain any part of a search, such as search terms, commands, arguments, etc. The search string can also include variables for the arguments using dollar signs around them. In this case, action and JSESSIONID are variables for the arguments that will be replaced by their values when the macro is executed.

Therefore, to correctly configure the macro, you should enter sessiontracker as the name and action, JSESSIONID as the arguments. Alternatively, you can use sessiontracker(2) as the name and leave the arguments blank.

Question #57

After manually editing a regular expression (regex), which of the following statements is true?

  • A . Changes made manually can be reverted in the Field Extractor (FX) UI.
  • B . It is no longer possible to edit the field extraction in the Field Extractor (FX) UI.
  • C . It is not possible to manually edit a regular expression (regex) that was created using the Field Extractor (FX) UI.
  • D . The Field Extractor (FX) UI keeps its own version of the field extraction in addition to the one that was manually edited.

Correct Answer: B

Explanation:

After manually editing a regular expression (regex) that was created using the Field Extractor (FX) UI, it is no longer possible to edit the field extraction in the FX UI. The FX UI is a tool that helps you extract fields from your data using delimiters or regular expressions. The FX UI can generate a regex for you based on your selection of sample values or you can enter your own regex in the FX UI. However, if you edit the regex manually in the props.conf file, the FX UI will not be able to recognize the changes and will not let you edit the field extraction in the FX UI anymore. You will have to use the props.conf file to make any further changes to the field extraction. Changes made manually cannot be reverted in the FX UI, as the FX UI does not keep track of the changes made in the props.conf file. It is possible to manually edit a regex that was created using the FX UI, as long as you do it in the props.conf file.

Therefore, only statement B is true about manually editing a regex.

Question #58

What does the fillnull command replace null values with, if the value argument is not specified?

  • A . 0
  • B . N/A
  • C . NaN
  • D . NULL

Correct Answer: A

Explanation:

Reference: https://answers.splunk.com/answers/653427/fillnull-doesnt-work-without-specfying-a-field.html

The fillnull command is a search command that replaces null values with a specified value or 0 if no value is specified. Null values are values that are missing, empty, or undefined in Splunk. The fillnull command can replace null values for all fields or for specific fields. The fillnull command can take an optional argument called value that specifies the value to replace null values with. If no value argument is specified, the fillnull command will replace null values with 0 by default.

Question #59

To identify all of the contributing events within a transaction that contains at least one REJECT event, which syntax is correct?

  • A . Index-main | REJECT trans sessionid
  • B . Index-main | transaction sessionid | search REJECT
  • C . Index=main | transaction sessionid | whose transaction=reject
  • D . Index=main | transaction sessionid | where transaction=reject’’

Correct Answer: B

Explanation:

The transaction command is used to group events that share a common value for one or more fields into transactions. The transaction command assigns a transaction ID to each group of events and creates new fields such as duration, eventcount and eventlist for each transaction. To identify all of the contributing events within a transaction that contains at least one REJECT event, you can use the following syntax: index=main | transaction sessionid | search REJECT. This search will first group the events by sessionid, then filter out the transactions that do not contain REJECT in any of their events. Therefore, option B is correct, while options A, C and D are incorrect because they do not follow the correct syntax for using the transaction command or the search command.

Question #60

Which of the following actions can the eval command perform?

  • A . Remove fields from results.
  • B . Create or replace an existing field.
  • C . Group transactions by one or more fields.
  • D . Save SPL commands to be reused in other searches.

Correct Answer: B

Explanation:

The eval command is used to create new fields or modify existing fields based on an expression. The eval command can perform various actions such as calculations, conversions, string manipulations and more. One of the actions that the eval command can perform is to create or replace an existing field with a new value based on an expression. For example, | eval status=if(status="200","OK","ERROR") will create or replace the status field with either OK or ERROR depending on the original value of status. Therefore, option B is correct, while options A, C and D are incorrect because they are not actions that the eval command can perform.

Question #61

Which of the following statements describe the Common Information Model (CIM)? (select all that apply)

  • A . CIM is a methodology for normalizing data.
  • B . CIM can correlate data from different sources.
  • C . The Knowledge Manager uses the CIM to create knowledge objects.
  • D . CIM is an app that can coexist with other apps on a single Splunk deployment.

Correct Answer: A, B, C

Explanation:

Reference: https://docs.splunk.com/Documentation/CIM/4.15.0/User/Overview

The Common Information Model (CIM) is a methodology for normalizing data from different sources and making it easier to analyze and report on it. The CIM defines a common set of fields and tags for various domains such as Alerts, Email, Database, Network Traffic, Web and more. One of the statements that describe the CIM is that it is a methodology for normalizing data, which means that it provides a standard way to name and structure data from different sources so that they can be compared and correlated. Therefore, option A is correct. Another statement that describes the CIM is that it can correlate data from different sources, which means that it enables you to run searches and reports across data from different sources that share common fields and tags. Therefore, option B is correct. Another statement that describes the CIM is that the Knowledge Manager uses the CIM to create knowledge objects, which means that the person who is responsible for creating and managing knowledge objects such as data models, field aliases, tags and event types can use the CIM as a guide to make their knowledge objects consistent and compatible with other apps and add-ons. Therefore, option C is correct. Option D is incorrect because it does not describe the CIM but rather one of its components.

Question #62

Data model fields can be added using the Auto-Extracted method.

Which of the following statements describe Auto-Extracted fields? (select all that apply)

  • A . Auto-Extracted fields can be hidden in Pivot.
  • B . Auto-Extracted fields can have their data type changed.
  • C . Auto-Extracted fields can be given a friendly name for use in Pivot.
  • D . Auto-Extracted fields can be added if they already exist in the dataset with constraints.

Correct Answer: A, B, C, D

Explanation:

Data model fields are fields that describe the attributes of a dataset in a data model. Data model fields can be added using various methods such as Auto-Extracted, Evaluated or Lookup. Auto-Extracted fields are fields that are automatically extracted from your raw data using various techniques such as regular expressions, delimiters or key-value pairs. Auto-Extracted fields can be hidden in Pivot, which means that you can choose whether to display them or not in the Pivot interface. Therefore, option A is correct. Auto-Extracted fields can have their data type changed, which means that you can specify whether they are strings, numbers, booleans or timestamps. Therefore, option B is correct. Auto-Extracted fields can be given a friendly name for use in Pivot, which means that you can assign an alternative name to them that is more descriptive or user-friendly than the original field name. Therefore, option C is correct. Auto-Extracted fields can be added if they already exist in the dataset with constraints, which means that you can include them in your data model even if they are already extracted from your raw data by applying filters or constraints to limit the scope of your dataset. Therefore, option D is correct.

Question #63

When creating a Search workflow action, which field is required?

  • A . Search string
  • B . Data model name
  • C . Permission setting
  • D . An eval statement

Correct Answer: A

Explanation:

Reference: https://docs.splunk.com/Documentation/Splunk/8.0.3/Knowledge/Setupasearchworkflowaction

A workflow action is a link that appears when you click an event field value in your search results. A workflow action can open a web page or run another search based on the field value. There are two types of workflow actions: GET and POST. A GET workflow action appends the field value to the end of a URI and opens it in a web browser. A POST workflow action sends the field value as part of an HTTP request to a web server. When creating a Search workflow action, which is a type of GET workflow action that runs another search based on the field value, the only required field is the search string. The search string defines the search that will be run when the workflow action is clicked. Therefore, option A is correct, while options B, C and D are incorrect because they are not required fields for creating a Search workflow action.

Question #64

Selected fields are displayed ______each event in the search results.

  • A . below
  • B . interesting fields
  • C . other fields
  • D . above

Correct Answer: A

Explanation:

Selected fields are fields that you choose to display in your search results by clicking on them in the Fields sidebar or by using the fields command. Selected fields are displayed below each event in the search results, along with their values. Therefore, option A is correct, while options B, C and D are incorrect because they are not places where selected fields are displayed.

Question #65

A space is an implied _____ in a search string.

  • A . OR
  • B . AND
  • C . ()
  • D . NOT

Correct Answer: B

Explanation:

A space is an implied AND in a search string, which means that it acts as a logical operator that returns events that match both terms on either side of the space. For example, status=200 method=GET will return events that have both status=200 and method=GET. Therefore, option B is correct, while options A, C and D are incorrect because they are not implied by a space in a search string.

Question #66

Which of the following search controls will not re-run the search? (Select all that apply.)

  • A . zoom out
  • B . selecting a bar on the timeline
  • C . deselect
  • D . selecting a range of bars on the timelines

Correct Answer: B, C, D

Explanation:

The timeline is a graphical representation of your search results that shows the distribution of events over time. You can use the timeline to zoom in or out of a specific time range or to select one or more bars on the timeline to filter your results by that time range. However, these actions will not re-run the search, but rather refine the existing results based on the selected time range. Therefore, options B, C and D are correct, while option A is incorrect because zooming out will re-run the search with a broader time range.

Question #67

Highlighted search terms indicate _________ search results in Splunk.

  • A . Display as selected fields.
  • B . Sorted
  • C . Charted based on time
  • D . Matching

Correct Answer: D

Explanation:

Highlighted search terms indicate matching search results in Splunk, which means that they show which parts of your events match your search string. For example, if you search for error OR fail, Splunk will highlight error or fail in your events to show which events match your search string.

Therefore, option D is correct, while options A, B and C are incorrect because they are not indicated by highlighted search terms.

Question #68

When you mouse over and click to add a search term, this (these) Boolean operator(s) is (are) not implied. (Select all that apply.)

  • A . OR
  • B . ( )
  • C . AND
  • D . NOT

Correct Answer: A, B, D

Explanation:

When you mouse over and click to add a search term from the Fields sidebar or from an event in your search results, Splunk automatically adds the term to your search string with an implied AND operator. However, this does not apply to some Boolean operators such as OR, NOT and parentheses (). These operators are not implied when you add a search term and you have to type them manually if you want to use them in your search string. Therefore, options A, B and D are correct, while option C is incorrect because AND is implied when you add a search term.

Question #69

The time range specified for a historical search defines the ____________.

  • A . Amount of data shown on the timeline as data streams in
  • B . Amount of data fetched from index matching that time range
  • C . Time range for the static results

Correct Answer: B

Explanation:

The time range specified for a historical search defines the amount of data fetched from the index matching that time range. A historical search is a search that runs over a fixed period of time in the past. When you run a historical search, Splunk searches the index for events that match your search string and fall within the specified time range. Therefore, option B is correct, while options A and C are incorrect because they are not what the time range defines for a historical search.

Question #70

Using the export function, you can export search results as __________. (Select all that apply.)

  • A . Xml
  • B . Json
  • C . Html
  • D . A php file

Correct Answer: A, B

Explanation:

Using the export function, you can export search results as XML or JSON. The export function allows you to save your search results in a structured format that can be used by other applications or tools. You can use the output_mode parameter to specify whether you want to export your results as XML or JSON. Therefore, options A and B are correct, while options C and D are incorrect because they are not formats that you can export your search results as.

Question #71

The fields sidebar does not show________. (Select all that apply.)

  • A . interesting fields
  • B . selected fields
  • C . all extracted fields

Correct Answer: C

Explanation:

The fields sidebar is a panel that shows the fields that are present in your search results. The fields sidebar does not show all extracted fields, which are fields that are extracted from your raw data using various methods such as regular expressions, delimiters or key-value pairs. The fields sidebar only shows selected fields and interesting fields. Selected fields are fields that you choose to display in your search results by clicking on them in the fields sidebar or by using the fields command. Interesting fields are fields that appear in at least 20 percent of events or have high variability among values. Therefore, option C is correct, while options A and B are incorrect because they are types of fields that the fields sidebar does show.

Question #72

Splunk alerts can be based on searches that run ______. (Select all that apply.)

  • A . in real-time
  • B . on a regular schedule
  • C . and have no matching events

Correct Answer: A, B

Explanation:

Splunk alerts can be based on searches that run in real-time or on a regular schedule. An alert is a way to monitor your data and get notified when certain conditions are met. You can create an alert by specifying a search and a triggering condition. You can also specify how often you want to run the search and how you want to receive the alert notifications. You can run the alert search in real-time, which means that it continuously monitors your data as it streams into Splunk. Alternatively, you can run the alert search on a regular schedule, which means that it runs at fixed intervals such as every hour or every day. Therefore, options A and B are correct, while option C is incorrect because it is not a way to run an alert search.

Question #73

Which of the following about reports is/are true?

  • A . Reports are knowledge objects.
  • B . Reports can be scheduled.
  • C . Reports can run a script.
  • D . All of the above.

Correct Answer: D

Explanation:

A report is a way to save a search and its results in a format that you can reuse and share with others. A report is also a type of knowledge object, which is an entity that you create to add knowledge to your data and make it easier to search and analyze. Therefore, option A is correct. A report can be scheduled, which means that you can configure it to run at regular intervals and send the results to yourself or others via email or other methods. Therefore, option B is correct. A report can run a script, which means that you can specify a script file to execute when the report runs and use it to perform custom actions or integrations. Therefore, option C is correct. Therefore, option D is correct because all of the above statements are true for reports.

Question #74

Select this in the fields sidebar to automatically pipe your search results to the rare command.

  • A . events with this field
  • B . rare values
  • C . top values by time
  • D . top values

Correct Answer: B

Explanation:

The fields sidebar is a panel that shows the fields that are present in your search results. The fields sidebar has two sections: selected fields and interesting fields. Selected fields are fields that you choose to display in your search results by clicking on them in the fields sidebar or by using the fields command. Interesting fields are fields that appear in at least 20 percent of events or have high variability among values. For each field in the fields sidebar, you can select one of the following options: events with this field, rare values, top values by time or top values. If you select rare values, Splunk will automatically pipe your search results to the rare command, which shows the least common values of a field. Therefore, option B is correct, while options A, C and D are incorrect because they do not pipe your search results to the rare command.

Question #75

A report scheduled to run every 15 mins. but takes 17 mins. to complete is in danger of being_____.

  • A . skipped or deferred
  • B . automatically accelerated
  • C . deleted
  • D . all of the above

Correct Answer: A

Explanation:

A report that is scheduled to run every 15 minutes but takes 17 minutes to complete is in danger of being skipped or deferred. This means that Splunk may skip some scheduled runs of the report if they overlap with previous runs that are still in progress or defer them until the previous runs are finished. This can affect the accuracy and timeliness of the report results and notifications. Therefore, option A is correct, while options B, C and D are incorrect because they are not consequences of a report taking longer than its schedule interval.

Question #76

Which of the following are valid options to speed up reports? (Select all that apply.)

  • A . Edit permissions
  • B . Edit description
  • C . Edit acceleration
  • D . Edit schedule

Correct Answer: C

Explanation:

One of the valid options to speed up reports is to edit acceleration, which means that you can enable summary indexing or data model acceleration for your reports to improve their performance. Summary indexing allows you to create reports that run over large amounts of data by storing the results of scheduled searches in a summary index and using that index for faster reporting. Data model acceleration allows you to create reports that use data models by creating and storing summaries of the data model datasets and using them for faster reporting. Therefore, option C is correct, while options A, B and D are incorrect because they are not options to speed up reports.

Question #77

Which of the following statements are true for this search? (Select all that apply.)

SEARCH: sourcetype=access* | fields action productId status

  • A . is looking for all events that include the search terms: fields AND action AND productId AND status
  • B . uses the table command to improve performance
  • C . limits the fields that are extracted
  • D . returns a table with 3 columns

Correct Answer: C

Question #78

Use the dedup command to _____.

  • A . Rename a field in the index
  • B . remove duplicate values
  • C . provide an additional alias for the field that can
  • D . be used in the search criteria

Correct Answer: B

Question #79

We can use the rename command to _____ (Select all that apply.)

  • A . Change indexed fields
  • B . Exclude fields from our search results
  • C . Extract new fields from our data using regular expressions
  • D . Give a field a new name at search time

Correct Answer: D

Question #80

The limit attribute will___________.

  • A . override default of 10
  • B . only work with top command
  • C . override default of 20
  • D . override default of 15

Correct Answer: A

Question #81

This function of the stats command allows you to identify the number of values a field has.

  • A . max
  • B . distinct_count
  • C . fields
  • D . count

Correct Answer: D

Question #82

This function of the stats command allows you to return the sample standard deviation of a field.

  • A . stdev
  • B . dev
  • C . count deviation
  • D . by standarddev

Correct Answer: A

Question #83

Which of the following commands will show the maximum bytes?

  • A . sourcetype=access_* | maximum totals by bytes
  • B . sourcetype=access_* | avg (bytes)
  • C . sourcetype=access_* | stats max(bytes)
  • D . sourcetype=access_* | max(bytes)

Correct Answer: C

Question #84

Which of the following searches will show the number of categoryId used by each host?

  • A . Sourcetype=access_* |sum bytes by host
  • B . Sourcetype=access_* |stats sum(categoryId) by host
  • C . Sourcetype=access_* |sum(bytes) by host
  • D . Sourcetype=access_* |stats sum by host

Correct Answer: B

Question #85

This clause is used to group the output of a stats command by a specific name.

  • A . Rex
  • B . As
  • C . List
  • D . By

Correct Answer: B

Question #86

This function of the stats command allows you to return the middle-most value of field X.

  • A . Median(X)
  • B . Eval by X
  • C . Fields(X)
  • D . Values(X)

Correct Answer: A

Question #87

When a search returns __________, you can view the results as a list.

  • A . a list of events
  • B . transactions
  • C . statistical values

Correct Answer: C

Question #88

Clicking a SEGMENT on a chart, ________.

  • A . drills down for that value
  • B . highlights the field value across the chart
  • C . adds the highlighted value to the search criteria

Correct Answer: C

Question #89

Use this command to use lookup fields in a search and see the lookup fields in the field sidebar.

  • A . inputlookup
  • B . lookup

Correct Answer: B

Question #90

It is mandatory for the lookup file to have this for an automatic lookup to work.

  • A . Source type
  • B . At least five columns
  • C . Timestamp
  • D . Input filed

Correct Answer: D

Question #91

These users can create global knowledge objects. (Select all that apply.)

  • A . users
  • B . power users
  • C . administrators

Correct Answer: B, C

Question #92

This is what Splunk uses to categorize the data that is being indexed.

  • A . sourcetype
  • B . index
  • C . source
  • D . host

Correct Answer: A

Question #93

This is what Splunk uses to categorize the data that is being indexed.

  • A . Host
  • B . Sourcetype
  • C . Index
  • D . Source

Correct Answer: B

Question #94

By default search results are not returned in ________ order.

  • A . Chronological
  • B . Reverse chronological
  • C . ASCII
  • D . Alphabetical

Correct Answer: A, D

Question #95

The stats command will create a _____________ by default.

  • A . Table
  • B . Report
  • C . Pie chart

Correct Answer: A

Question #96

Which is not a comparison operator in Splunk?

  • A . <=
  • B . =
  • C . !=
  • D . >
  • E . ?=

Correct Answer: E

Explanation:

A comparison operator is a symbol that compares two values and returns a Boolean result (true or false). Splunk supports various comparison operators such as <, >, =, !=, <=, >=, IN and LIKE. However, ?= is not a valid comparison operator in Splunk and will cause a syntax error if used in a search string. Therefore, option E is correct, while options A, B, C and D are incorrect because they are valid comparison operators in Splunk.

Question #97

Which of the following is NOT a stats function:

  • A . sum
  • B . addtotals
  • C . count
  • D . avg

Correct Answer: B

Explanation:

The stats command is used to calculate summary statistics for your search results such as count, sum, avg, min, max and more. The stats command supports various functions that you can use to perform calculations on your fields. However, addtotals is not a stats function but a separate command that adds a row or column with the total of the values in each group. Therefore, option B is correct, while options A, C and D are incorrect because they are valid stats functions.

Question #98

If a search returns ____________ it can be viewed as a chart.

  • A . timestamps
  • B . statistics
  • C . events
  • D . keywords

Correct Answer: B

Explanation:

If a search returns statistics, it can be viewed as a chart. Statistics are tabular data that show the relationship between two or more fields. You can create statistics by using commands such as stats, chart or timechart. You can view statistics as a chart by selecting the Visualization tab in the Search app and choosing a chart type such as column, line or pie. Therefore, option B is correct, while options A, C and D are incorrect because they are not types of data that can be viewed as a chart.

Question #99

In this search, __________ will appear on the y-axis. SEARCH: sourcetype=access_combined status!=200 | chart count over host

  • A . status
  • B . host
  • C . count

Correct Answer: C

Explanation:

In this search, count will appear on the y-axis. This search uses the chart command to create a chart of the count of events over host for events that have status not equal to 200. The chart command creates a table with one column for each value of the field after the over clause and one row for each value of the field after the by clause (if any). The values in the table are calculated by applying the function before the over clause to the events in each group. In this case, the chart command creates a table with one column for each host and one row for the count of events for each host. The y-axis of the chart shows the values of the count function applied to each host. Therefore, option C is correct, while options A and B are incorrect because they appear on the x-axis or as labels of the chart.

Question #100

The timechart command buckets data in time intervals depending on:

  • A . the number of events returned
  • B . the selected time range
  • C . the type of visualization selected

Correct Answer: B

Explanation:

The timechart command buckets data in time intervals depending on the selected time range. The timechart command is similar to the chart command but it automatically groups events into time buckets based on the _time field. The size of the time buckets depends on the time range that you select for your search. For example, if you select Last 24 hours as your time range, Splunk will use 30-minute buckets for your timechart. If you select Last 7 days as your time range, Splunk will use 4-hour buckets for your timechart. Therefore, option B is correct, while options A and C are incorrect because they are not factors that affect the size of the time buckets.
