Splunk Power User SPLK-1002 Exam

Test title:
Splunk Power User SPLK-1002 Exam

Description:
SPLK-1002 Exam

Creation date: 2026/01/17

Category: Computing

Number of questions: 278

Questions:

Which of the following Statements about macros is true? (select all that apply). A. Arguments are defined at execution time. B. Arguments are defined when the macro is created. C. Argument values are used to resolve the search string at execution time. D. Argument values are used to resolve the search string when the macro is created.

What is required for a macro to accept three arguments?. A. The macro's name ends with (3). B. The macro's name starts with (3). C. The macro's argument count setting is 3 or more. D. Nothing, all macros can accept any number of arguments.

Which of the following statements describes POST workflow actions?. A. POST workflow actions are always encrypted. B. POST workflow actions cannot use field values in their URI. C. POST workflow actions cannot be created on custom sourcetypes. D. POST workflow actions can open a web page in either the same window or a new window.

Which of the following searches show a valid use of macro? (Select all that apply). A. index=main source=mySource oldField=* | 'makeMyField(oldField)' | table _time newField. B. index=main source=mySource oldField=* | stats if('makeMyField(oldField)') | table _time newField. C. index=main source=mySource oldField=* | eval newField='makeMyField(oldField)' | table _time newField. D. index=main source=mySource oldField=* | "'newField('makeMyField(oldField)')'" | table _time newField.

Which of the following workflow actions can be executed from search results? (select all that apply). A. GET. B. POST. C. LOOKUP. D. Search.

Which of the following is the correct way to use the datamodel command to search fields in the data model within the web dataset?. A. | datamodel web search | field web*. B. | Search datamodel web web | field web*. C. | datamodel web web field | search web*. D. Datamodel=web | search web | field web*.

Which of the following searches will return events containing a tag named Privileged?. A. Tag= Priv. B. Tag= Pri*. C. Tag= Priv*. D. Tag= Privileged.

Which of the following statements describes this search? sourcetype=access_combined | transaction JSESSIONID | timechart avg(duration). A. This is a valid search and will display a timechart of the average duration of each transaction event. B. This is a valid search and will display a stats table showing the maximum pause among transactions. C. No results will be returned because the transaction command must include the startswith and endswith options. D. No results will be returned because the transaction command must be the last command used in the search pipeline.

Calculated fields can be based on which of the following?. A. Tags. B. Extracted fields. C. Output fields for a lookup. D. Fields generated from a search string.

Based on the macro definition shown below, what is the correct way to execute the macro in a search string?. A. Convert_sales (euro, €, 79). B. Convert_sales (euro, €, .79). C. Convert_sales ($euro,$€$,s79$. D. Convert_sales ($euro, $€$,S,79$).

When multiple event types with different color values are assigned to the same event, what determines the color displayed for the events?. A. Rank. B. Weight. C. Priority. D. Precedence.

Which of the following statements describes the command below (select all that apply) sourcetype=access_combined | transaction JSESSIONID. A. An additional field named maxspan is created. B. An additional field named duration is created. C. An additional field named eventcount is created. D. Events with the same JSESSIONID will be grouped together into a single event.

Which of the following can be used with the eval command tostring function (select all that apply). A. "hex". B. "commas". C. "Decimal". D. "duration".

Which of the following statements about tags is true?. A. Tags are case insensitive. B. Tags are created at index time. C. Tags can make your data more understandable. D. Tags are searched by using the syntax tag::<fieldname>.

Which of the following statements about data models and pivot are true? (select all that apply). A. They are both knowledge objects. B. Data models are created out of datasets called pivots. C. Pivot requires users to input SPL searches on data models. D. Pivot allows the creation of data visualizations that present different aspects of a data model.

When using the Field Extractor (FX), which of the following delimiters will work? (select all that apply). A. Tabs. B. Pipes. C. Colons. D. Spaces.

Which of the following describes the Splunk Common Information Model (CIM) add-on?. A. The CIM add-on uses machine learning to normalize data. B. The CIM add-on contains dashboards that show how to map data. C. The CIM add-on contains data models to help you normalize data. D. The CIM add-on is automatically installed in a Splunk environment.

What does the transaction command do?. A. Groups a set of transactions based on time. B. Creates a single event from a group of events. C. Separates two events based on one or more values. D. Returns the number of credit card transactions found in the event logs.

Which of the following statements describe data model acceleration? (select all that apply). A. Root events cannot be accelerated. B. Accelerated data models cannot be edited. C. Private data models cannot be accelerated. D. You must have administrative permissions or the accelerate_datamodel capability to accelerate a data model.

A user wants to convert numeric field values to strings and also to sort on those values. Which command should be used first, the eval or the sort?. A. It doesn't matter whether eval or sort is used first. B. Convert the numeric to a string with eval first, then sort. C. Use sort first, then convert the numeric to a string with eval. D. You cannot use the sort command and the eval command on the same field.

The Field Extractor (FX) is used to extract a custom field. A report can be created using this custom field. The created report can then be shared with other people in the organization. If another person in the organization runs the shared report and no results are returned, why might this be? (select all that apply). A. Fast mode is enabled. B. The dashboard is private. C. The extraction is private. D. The person in the organization running the report does not have access to the index.

Which of the following data models are included in the Splunk Common Information Model (CIM) add-on? (select all that apply). A. Alerts. B. Email. C. Database. D. User permissions.

A field alias has been created based on an original field. A search without any transforming commands is then executed in Smart Mode. Which field name appears in the results?. A. Both will appear in the All Fields list, but only if the alias is specified in the search. B. Both will appear in the Interesting Fields list, but only if they appear in at least 20 percent of events. C. The original field only appears in All Fields list and the alias only appears in the Interesting Fields list. D. The alias only appears in the All Fields list and the original field only appears in the Interesting Fields list.

When performing a regular expression (regex) field extraction using the Field Extractor (FX), what happens when the require option is used?. A. The regex can no longer be edited. B. The field being extracted will be required for all future events. C. The events without the required field will not display in searches. D. Only events with the required string will be included in the extraction.

Which group of users would most likely use pivots?. A. Users. B. Architects. C. Administrators. D. Knowledge Managers.

When using timechart, how many fields can be listed after a by clause?. A. because timechart doesn't support using a by clause. B. because _time is already implied as the x-axis. C. because one field would represent the x-axis and the other would represent the y-axis. D. There is no limit specific to timechart.

What is the correct syntax to search for a tag associated with a value on a specific field?. A. Tag-<field?. B. Tag<field(tagname.). C. Tag=<field>::<tagname>. D. Tag::<field>=<tagname>.

What functionality does the Splunk Common Information Model (CIM) rely on to normalize fields with different names?. A. Macros. B. Field aliases. C. The rename command. D. CIM does not work with different names for the same field.

When should you use the transaction command instead of the stats command?. A. When you need to group on multiple values. B. When duration is irrelevant in search results. C. When you have over 1000 events in a transaction. D. When you need to group based on start and end constraints.

Which of the following statements describes field aliases?. A. Field alias names replace the original field name. B. Field aliases can be used in lookup file definitions. C. Field aliases only normalize data across sources and sourcetypes. D. Field alias names are not case sensitive when used as part of a search.

What does the following search do?. A. Creates a table of the total count of users and split by corndogs. B. Creates a table of the total count of mysterymeat corndogs split by user. C. Creates a table with the count of all types of corndogs eaten split by user. D. Creates a table that groups the total number of users by vegetarian corndogs.

Which of the following statements describes Search workflow actions?. A. By default, Search workflow actions will run as a real-time search. B. Search workflow actions can be configured as scheduled searches. C. The user can define the time range of the search when creating the workflow action. D. Search workflow actions cannot be configured with a search string that includes the transaction command.

What do events in a transaction have in common?. A. All events in a transaction must have the same timestamp. B. All events in a transaction must have the same sourcetype. C. All events in a transaction must have the exact same set of fields. D. All events in a transaction must be related by one or more fields.

Which of the following statements describe GET workflow actions?. A. GET workflow actions must be configured with POST arguments. B. Configuration of GET workflow actions includes choosing a sourcetype. C. Label names for GET workflow actions must include a field name surrounded by dollar signs. D. GET workflow actions can be configured to open the URI link in the current window or in a new window.

Data models are composed of one or more of which of the following datasets? (select all that apply). A. Events datasets. B. Search datasets. C. Transaction datasets. D. Any child of event, transaction, and search datasets.

Which are valid ways to create an event type? (select all that apply). A. By using the searchtypes command in the search bar. B. By editing the event_type stanza in the props.conf file. C. By going to the Settings menu and clicking Event Types > New. D. By selecting an event in search results and clicking Event Actions > Build Event Type.

Which of the following statements describe the search string below? | datamodel Application_State All_Application_State search. A. Evenrches would return a report of sales by state. B. Events will be returned from the data model named Application_State. C. Events will be returned from the data model named All_Application_state. D. No events will be returned because the pipe should occur after the datamodel command.

What is the relationship between data models and pivots?. A. Data models provide the datasets for pivots. B. Pivots and data models have no relationship. C. Pivots and data models are the same thing. D. Pivots provide the datasets for data models.

What are the two parts of a root event dataset?. A. Fields and variables. B. Fields and attributes. C. Constraints and fields. D. Constraints and lookups.

In which of the following scenarios is an event type more effective than a saved search?. A. When a search should always include the same time range. B. When a search needs to be added to other users' dashboards. C. When the search string needs to be used in future searches. D. When formatting needs to be included with the search string.

How does a user display a chart in stack mode?. A. By using the stack command. B. By turning on the Use Trellis Layout option. C. By changing Stack Mode in the Format menu. D. You cannot display a chart in stack mode, only a timechart.

Which of the following statements about event types is true? (select all that apply). A. Event types can be tagged. B. Event types must include a time range. C. Event types categorize events based on a search. D. Event types can be a useful method for capturing and sharing knowledge.

In what order are the following knowledge objects/configurations applied?. A. Field Aliases, Field Extractions, Lookups. B. Field Extractions, Field Aliases, Lookups. C. Field Extractions, Lookups, Field Aliases. D. Lookups, Field Aliases, Field Extractions.

Which of the following knowledge objects represents the output of an eval expression?. A. Eval fields. B. Calculated fields. C. Field extractions. D. Calculated lookups.

A calculated field may be based on which of the following?. A. Lookup tables. B. Extracted fields. C. Regular expressions. D. Fields generated within a search string.

Which of the following eval command functions is valid?. A. Int (). B. Count ( ). C. Print (). D. Tostring ().

Which one of the following statements about the search command is true?. A. It does not allow the use of wildcards. B. It treats field values in a case-sensitive manner. C. It can only be used at the beginning of the search pipeline. D. It behaves exactly like search strings before the first pipe.

What does the Splunk Common Information Model (CIM) add-on include? (select all that apply). A. Custom visualizations. B. Pre-configured data models. C. Fields and event category tags. D. Automatic data model acceleration.

Which of the following file formats can be extracted using a delimiter field extraction?. A. CSV. B. PDF. C. XML. D. JSON.

Which of the following statements describes macros?. A. A macro is a reusable search string that must contain the full search. B. A macro is a reusable search string that must have a fixed time range. C. A macro is a reusable search string that may have a flexible time range. D. A macro is a reusable search string that must contain only a portion of the search.

Which of the following statements describe calculated fields? (select all that apply). A. Calculated fields can be used in the search bar. B. Calculated fields can be based on an extracted field. C. Calculated fields can only be applied to host and sourcetype. D. Calculated fields are shortcuts for performing calculations using the eval command.

Which delimiters can the Field Extractor (FX) detect? (select all that apply). A. Tabs. B. Pipes. C. Spaces. D. Commas.

Which of the following statements is true, especially in large environments?. A. Use the stats command when you need to group events by two or more fields. B. The stats command is faster and more efficient than the transaction command. C. The transaction command is faster and more efficient than the stats command. D. Use the transaction command when you want to see the results of a calculation.

Which of the following are required to create a POST workflow action?. A. Label, URI, search string. B. XML attributes, URI, name. C. Label, URI, post arguments. D. URI, search string, time range picker.

Which of the following statements describe the search below? (select all that apply) index=main | transaction clientip host maxspan=30s maxpause=5s. A. Events in the transaction occurred within 5 seconds. B. It groups events that share the same clientip and host. C. The first and last events are no more than 5 seconds apart. D. The first and last events are no more than 30 seconds apart.

Given the macro definition below, what should be entered into the Name and Arguments fields to correctly configure the macro?. A. The macro name is sessiontracker and the arguments are action, JESSIONID. B. The macro name is sessiontracker(2) and the arguments are action, JESSIONID. C. The macro name is sessiontracker and the arguments are $action$, $JESSIONID$. D. The macro name is sessiontracker(2) and the arguments are $action$, $JESSIONID$.

After manually editing a regular expression (regex), which of the following statements is true?. A. Changes made manually can be reverted in the Field Extractor (FX) UI. B. It is no longer possible to edit the field extraction in the Field Extractor (FX) UI. C. It is not possible to manually edit a regular expression (regex) that was created using the Field Extractor (FX) UI. D. The Field Extractor (FX) UI keeps its own version of the field extraction in addition to the one that was manually edited.

What does the fillnull command replace null values with, if the value argument is not specified?. A. 0. B. N/A. C. NaN. D. NULL.

To identify all of the contributing events within a transaction that contains at least one REJECT event, which syntax is correct?. A. index=main | REJECT trans sessionid. B. index=main | transaction sessionid | search REJECT. C. index=main | transaction sessionid | whose transaction=reject. D. index=main | transaction sessionid | where transaction=reject.

Which of the following actions can the eval command perform?. A. Remove fields from results. B. Create or replace an existing field. C. Group transactions by one or more fields. D. Save SPL commands to be reused in other searches.

Which of the following statements describe the Common Information Model (CIM)? (select all that apply). A. CIM is a methodology for normalizing data. B. CIM can correlate data from different sources. C. The Knowledge Manager uses the CIM to create knowledge objects. D. CIM is an app that can coexist with other apps on a single Splunk deployment.

Data model fields can be added using the Auto-Extracted method. Which of the following statements describe Auto-Extracted fields? (select all that apply). A. Auto-Extracted fields can be hidden in Pivot. B. Auto-Extracted fields can have their data type changed. C. Auto-Extracted fields can be given a friendly name for use in Pivot. D. Auto-Extracted fields can be added if they already exist in the dataset with constraints.

When creating a Search workflow action, which field is required?. A. Search string. B. Data model name. C. Permission setting. D. An eval statement.

Selected fields are displayed ______ each event in the search results. A. below. B. interesting fields. C. other fields. D. above.

A space is an implied _____ in a search string. A. OR. B. AND. C. (). D. NOT.

Which of the following search controls will not re-run the search? (Select all that apply.). A. zoom out. B. selecting a bar on the timeline. C. deselect. D. selecting a range of bars on the timeline.

Highlighted search terms indicate _________ search results in Splunk. A. Display as selected fields. B. Sorted. C. Charted based on time. D. Matching.

When you mouse over and click to add a search term, this (these) Boolean operator(s) is (are) not implied. (Select all that apply). A. OR. B. ( ). C. AND. D. NOT.

The time range specified for a historical search defines the ____________. (questionable on answer). A. Amount of data shown on the timeline as data streams in. B. Amount of data fetched from index matching that time range. C. Time range for the static results.

Using the export function, you can export search results as __________.( Select all that apply). A. Xml. B. Json. C. Html. D. A php file.

The fields sidebar does not show________. (Select all that apply.). A. interesting fields. B. selected fields. C. all extracted fields.

Splunk alerts can be based on searches that run ______. (Select all that apply.). A. in real-time. B. on a regular schedule. C. and have no matching events.

Which of the following about reports is/are true?. A. Reports are knowledge objects. B. Reports can be scheduled. C. Reports can run a script. D. All of the above.

Select this in the fields sidebar to automatically pipe your search results to the rare command. A. events with this field. B. rare values. C. top values by time. D. top values.

A report scheduled to run every 15 mins. but takes 17 mins. to complete is in danger of being_____. A. skipped or deferred. B. automatically accelerated. C. deleted. D. all of the above.

Which of the following are valid options to speed up reports? (Select all that apply.). A. Edit permissions. B. Edit description. C. Edit acceleration. D. Edit schedule.

Which of the following statements are true for this search? (Select all that apply.) SEARCH: sourcetype=access* | fields action productId status. A. is looking for all events that include the search terms: fields AND action AND productId AND status. B. uses the table command to improve performance. C. limits the fields that are extracted. D. returns a table with 3 columns.

Use the dedup command to _____. A. Rename a field in the index. B. remove duplicate values. C. provide an additional alias for the field that can be used in the search criteria.

We can use the rename command to _____ (Select all that apply.). A. Change indexed fields. B. Exclude fields from our search results. C. Extract new fields from our data using regular expressions. D. Give a field a new name at search time.

The limit attribute will___________. A. override default of 10. B. only work with top command. C. override default of 20. D. override default of 15.

This function of the stats command allows you to identify the number of values a field has. A. max. B. distinct_count. C. fields. D. count.

This function of the stats command allows you to return the sample standard deviation of a field. A. stdev. B. dev. C. count deviation. D. by standarddev.

Which of the following commands will show the maximum bytes?. A. sourcetype=access_* | maximum totals by bytes. B. sourcetype=access_* | avg (bytes). C. sourcetype=access_* | stats max(bytes). D. sourcetype=access_* | max(bytes).

Which of the following searches will show the number of categoryId used by each host?. A. Sourcetype=access_* | sum bytes by host. B. Sourcetype=access_* | stats sum(categoryId) by host. C. Sourcetype=access_* | sum(bytes) by host. D. Sourcetype=access_* | stats sum by host.

This clause is used to group the output of a stats command by a specific name. A. Rex. B. As. C. List. D. By.

This function of the stats command allows you to return the middle-most value of field X. A. Median(X). B. Eval by X. C. Fields(X). D. Values(X).

When a search returns __________, you can view the results as a list. A. a list of events. B. transactions. C. statistical values.

Clicking a SEGMENT on a chart, ________. A. drills down for that value. B. highlights the field value across the chart. C. adds the highlighted value to the search criteria.

Use this command to use lookup fields in a search and see the lookup fields in the field sidebar. A. inputlookup. B. lookup.

It is mandatory for the lookup file to have this for an automatic lookup to work. A. Source type. B. At least five columns. C. Timestamp. D. Input field.

These users can create global knowledge objects. (Select all that apply.). A. users. B. power users. C. administrators.

This is what Splunk uses to categorize the data that is being indexed. A. sourcetype. B. index. C. source. D. host.

By default, search results are not returned in ________ order. A. Chronological. B. Reverse chronological. C. ASCII. D. Alphabetical.

The stats command will create a _____________ by default. A. Table. B. Report. C. Pie chart.

Which is not a comparison operator in Splunk. A. <=. B. =. C. !=. D. >. E. ?=.

Which of the following is NOT a stats function: A. sum. B. addtotals. C. count. D. avg.

If a search returns ____________ it can be viewed as a chart. A. timestamps. B. statistics. C. events. D. keywords.

In this search, __________ will appear on the y-axis. SEARCH: sourcetype=access_combined status!=200 | chart count over host. A. status. B. host. C. count.

The timechart command buckets data in time intervals depending on: A. the number of events returned. B. the selected time range. C. the type of visualization selected.

Which of these search strings is NOT valid: A. index=web status=50* | chart count over host, status. B. index=web status=50* | chart count over host by status. C. index=web status=50* | chart count by host, status.

Which command is used to create choropleth maps?. A. geostats. B. cluster. C. geom.

Which of the following are valid options with the chart command?. A. useother. B. usenull. C. fillfield. D. usefield.

The gauge command: A. creates a single-value visualization. B. allows you to set colored ranges for a single-value visualization. C. creates a radial gauge visualization.

What will you learn from the results of the following search? sourcetype=cisco_esa | transaction mid, dcid, icid | timechart avg(duration). A. The average time elapsed during each transaction for all transactions. B. The average time for each event within each transaction. C. The average time between each transaction.

Which of these is NOT a field that is automatically created with the transaction command?. A. maxcount. B. duration. C. eventcount.

How many ways are there to access the Field Extractor Utility?. A. 3. B. 4. C. 1. D. 5.

When extracting fields, we may choose to use our own regular expressions. A. True. B. False.

Field aliases are used to __________ data. A. clean. B. transform. C. calculate. D. normalize.

What is the correct way to name a macro with two arguments?. A. us_sales2. B. us_sales(1,2). C. us_sale,2. D. us_sales(2).

When using a field value variable with a Workflow Action, which punctuation mark will escape the data. A. *. B. !. C. ^. D. #.

__________ datasets can be added to a root dataset to narrow down the search. A. parent. B. extracted. C. event. D. child.

Which function should you use with the transaction command to set the maximum total time between the earliest and latest events returned?. A. maxpause. B. endswith. C. maxduration. D. maxspan.

The eval command 'if' function requires the following three arguments (in order): A. Boolean expression, result if true, result if false. B. Result if true, result if false, boolean expression. C. Result if false, result if true, boolean expression. D. Boolean expression, result if false, result if true.

Which search would limit an "alert" tag to the "host" field?. A. tag=alert. B. host::tag::alert. C. tag==alert. D. tag::host=alert.

The transaction command allows you to __________ events across multiple sources. A. duplicate. B. correlate. C. persist. D. tag.

Which of the following commands are used when creating visualizations? (select all that apply.). A. Geom. B. Choropleth. C. Geostats. D. iplocation.

For choropleth maps, Splunk ships with the following KMZ files (select all that apply). A. States of the United States. B. States and provinces of the United States and Canada. C. Countries of the European Union. D. Countries of the World.

Complete the search, …. | _____ failure>successes. A. Search. B. Where. C. If. D. Any of the above.

These kinds of charts represent a series in a single bar with multiple sections. A. Multi-Series. B. Split-Series. C. Omit nulls. D. Stacked.

These allow you to categorize events based on search terms. Select your answer. A. Groups. B. Event Types. C. Macros. D. Tags.

In the Field Extractor Utility, this button will display events that do not contain extracted fields. Select your answer. A. Selected-Fields. B. Non-Matches. C. Non-Extractions. D. Matches.

During the validation step of the Field Extractor workflow: Select your answer. A. You can remove values that aren't a match for the field you want to define. B. You can validate where the data originated from. C. You cannot modify the field extraction.

Which of the following search modes automatically returns all extracted fields in the fields sidebar?. A. Fast. B. Smart. C. Verbose.

Where are the results of eval commands stored?. A. In a field. B. In an index. C. In a KV Store. D. In a database.

What other syntax will produce exactly the same results as | chart count over vendor_action by user?. A. | chart count by vendor_action, user. B. | chart count over vendor_action, user. C. | chart count by vendor_action over user. D. | chart count over user by vendor_action.

Which of the following statements would help a user choose between the transaction and stats commands?. A. stats can only group events using IP addresses. B. The transaction command is faster and more efficient. C. There is a 1000 event limitation with the transaction command. D. Use stats when the events need to be viewed as a single event.

When can a pipe follow a macro?. A. A pipe may always follow a macro. B. The current user must own the macro. C. The macro must be defined in the current app. D. Only when sharing is set to global for the macro.

Which of the following statements describes the use of the Field Extractor (FX)?. A. The Field Extractor automatically extracts all fields at search time. B. The Field Extractor uses PERL to extract fields from the raw events. C. Fields extracted using the Field Extractor persist as knowledge objects. D. Fields extracted using the Field Extractor do not persist and must be defined for each search.

Which of the following searches would return a report of sales by product-name?. A. chart sales by product_name. B. chart sum(price) as sales by product_name. C. stats sum(price) as sales over product_name. D. timechart list(sales), values(product_name).

A data model consists of which three types of datasets?. A. Constraint, field, value. B. Events, searches, transactions. C. Field extraction, regex, delimited. D. Transaction, session ID, metadata.

Which workflow uses field values to perform a secondary search?. A. POST. B. Action. C. Search. D. Sub-Search.

When using the transaction command, what does the argument maxspan do?. A. Sets the maximum total time between events in a transaction. B. Sets the maximum length of all events within a transaction. C. Sets the maximum total time between the earliest and latest events in a transaction. D. Sets the maximum length that any single event can reach to be included in the transaction.

In most large Splunk environments, what is the most efficient command that can be used to group events by fields?. A. join. B. stats. C. streamstats. D. transaction.

Which knowledge object does the Splunk Common Information Model (CIM) use to normalize data, in addition to field aliases, event types, and tags?. A. Macros. B. Lookups. C. Workflow actions. D. Field extractions.

Which of the following searches would create a graph similar to the one below?. A. index_internal seourcetype=Savesplunker | fields sourcetype, status | transaction status maxspan-id | start count states. B. index_internal seourcetype=Savesplunker | fields sourcetype, status | transaction status maxspan-id | chart count states by -time. C. index_internal seourcetype=Savesplunker | fields sourcetype, status | transaction status maxspan-id | timechart count by status. D. None of these searches would generate a similar graph.

Information needed to create a GET workflow action includes which of the following? (select all that apply.). A. A name of the workflow action. B. A URI where the user will be directed at search time. C. A label that will appear in the Event Action menu at search time. D. A name for the URI where the user will be directed at search time.

By default, how is acceleration configured in the Splunk Common Information Model (CIM) add-on?. A. Turned off. B. Turned on. C. Determined automatically based on the sourcetype. D. Determined automatically based on the data source.

Which of the following statements about tags is true? (select all that apply.). A. Tags are case-insensitive. B. Tags are based on field/value pairs. C. Tags categorize events based on a search. D. Tags are designed to make data more understandable.

There are several ways to access the field extractor. Which option automatically identifies data type, source type, and sample event?. A. Event Actions > Extract Fields. B. Fields sidebar > Extract New Field. C. Settings > Field Extractions > New Field Extraction. D. Settings > Field Extractions > Open Field Extraction.

Which statement is true?. A. Pivot is used for creating datasets. B. Data models are randomly structured datasets. C. Pivot is used for creating reports and dashboards. D. In most cases, each Splunk user will create their own data model.

When should transaction be used?. A. Only in a large distributed Splunk environment. B. When calculating results from one or more fields. C. When event grouping is based on start/end values. D. When grouping events results in over 1000 events in each group.

When using | timechart by host, which field is represented in the x-axis?. A. date. B. host. C. time. D. _time.

What is a limitation of searches generated by workflow actions?. A. Searches generated by workflow actions cannot use macros. B. Searches generated by workflow actions must be less than 256 characters long. C. Searches generated by workflow actions must run in the same app as the workflow action. D. Searches generated by workflow actions run with the same permissions as the user running them.

Which workflow action method can be used when the action type is set to link?. A. GET. B. PUT. C. Search. D. UPDATE.

When using | timechart by host, which field is represented in the x-axis?. A. date. B. host. C. time. D. _time.

Which of the following commands support the same set of functions?. A. stats, eval, table. B. search, where, eval. C. stats, chart, timechart. D. transaction, chart, timechart.

The eval command allows you to do which of the following? (Choose all that apply.). A. Format values. B. Convert values. C. Perform calculations. D. Use conditional statements.

When using the timechart command, how can a user group the events into buckets based on time?. A. Using the span argument. B. Using the duration argument. C. Using the interval argument. D. Adjusting the fieldformat options.

Which type of visualization shows relationships between discrete values in three dimensions?. A. Pie chart. B. Line chart. C. Bubble chart. D. Scatter chart.

Which of the following is a function of the Splunk Common Information Model (CIM)?. A. Normalizing data across a Splunk deployment. B. Providing templates for reports and dashboards. C. Algorithmically shifting events to other indexes. D. Reingesting previously indexed data with new field names.

What information must be included when using the datamodel command?. A. status field. B. Multiple indexes. C. Data model field name. D. Data model dataset name.

A data model can consist of what three types of datasets?. A. Pivot, searches, and events. B. Pivot, events, and transactions. C. Searches, transactions, and pivot. D. Events, searches, and transactions.

When is a GET workflow action needed?. A. To send field values to an external resource. B. To retrieve information from an external resource. C. To use field values to perform a secondary search. D. To define how events flow from forwarders to indexes.

Which command can include both an over and a by clause to divide results into sub-groupings?. A. chart. B. stats. C. xyseries. D. transaction.

A user wants to create a new field alias for a field that appears in two sourcetypes. How many field aliases need to be created?. A. One. B. Two. C. It depends on whether the original fields have the same name. D. It depends on whether the two sourcetypes are associated with the same index.

In the following eval statement, what is the value of description if the status is 503? index=main | eval description=case(status==200, "OK", status==404, "Not found", status==500, "Internal Server Error"). A. The description field would contain no value. B. The description field would contain the value 0. C. The description field would contain the value "Internal Server Error". D. This statement would produce an error in Splunk because it is incomplete.

In which Settings section are macros defined?. A. Fields. B. Tokens. C. Advanced Search. D. Searches, Reports, Alerts.

Which of the following statements describes calculated fields?. A. Calculated fields are only used on fields added by lookups. B. Calculated fields are a shortcut for repetitive and complex eval commands. C. Calculated fields are a shortcut for repetitive and complex calc commands. D. Calculated fields automatically calculate the simple moving average for indexed fields.

Which of the following is one of the pre-configured data models included in the Splunk Common Information Model (CIM) add-on?. A. Access. B. Accounting. C. Authorization. D. Authentication.

What happens when a user edits the regular expression (regex) field extraction generated in the Field Extractor (FX)?. A. There is a limit to the number of fields that can be extracted. B. The user is unable to preview the extractions. C. The extraction is added at index time. D. The user is unable to return to the automatic field extraction workflow.

Consider the following search: index=web sourcetype=access_combined The log shows several events that share the same JSESSIONID value (SD404K289O2F151). View the events as a group. From the following list, which search groups events by JSESSIONID?. A. index=web sourcetype=access_combined SD404K289O2F151 | table JSESSIONID. B. index=web sourcetype=access_combined JSESSIONID <SD404K289O2F151>. C. index=web sourcetype=access_combined | highlight JSESSIONID | search SD404K289O2F151. D. index=web sourcetype=access_combined | transaction JSESSIONID | search SD404K289O2F151.

Data models are composed of one or more of which of the following datasets? (select all that apply). A. Transaction datasets. B. Events datasets. C. Search datasets. D. Any child of event, transaction, and search datasets.

Which of the following searches will return events containing a tag named Privileged?. A. tag=Priv. B. tag=Priv*. C. tag=priv*. D. tag=privileged.

What does the fillnull command replace null values with, if the value argument is not specified?. A. 0. B. N/A. C. NaN. D. NULL.

How is a Search Workflow Action configured to run at the same time range as the original search?. A. Set the earliest time to match the original search. B. Select the same time range from the time-range picker. C. Select the "Use the same time range as the search that created the field listing" checkbox. D. Select the "Overwrite time range with the original search" checkbox.

What is the Splunk Common Information Model (CIM)?. A. The CIM is a prerequisite that any data source must meet to be successfully onboarded into Splunk. B. The CIM provides a methodology to normalize data from different sources and source types. C. The CIM defines an ecosystem of apps that can be fully supported by Splunk. D. The CIM is a data exchange initiative between software vendors.

What is the correct format for naming a macro with multiple arguments?. A. monthly_sales(argument 1, argument 2, argument 3). B. monthly_sales(3). C. monthly_sales[3]. D. monthly_sales[argument 1, argument 2, argument 3).

Which of the following searches show a valid use of a macro? (Choose all that apply.). A. index=main source=mySource oldField=* | `makeMyField(oldField)` | table _time newField. B. index=main source=mySource oldField=* | stats if(`makeMyField(oldField)`) | table _time newField. C. index=main source=mySource oldField=* | eval newField=`makeMyField(oldField)` | table _time newField. D. index=main source=mySource oldField=* | "`newField(`makeMyField(oldField)`)`" | table _time newField.

Which of the following statements describes the use of the Field Extractor (FX)?. A. The Field Extractor automatically extracts all fields at search time. B. The Field Extractor uses PERL to extract fields from the raw events. C. Fields extracted using the Field Extractor persist as knowledge objects. D. Fields extracted using the Field Extractor do not persist and must be defined for each search.

Which of the following eval command functions is valid?. A. int(). B. count(). C. print(). D. tostring().

Which method in the Field Extractor would extract the port number from the following event? | 102 - 125.24.20.1 ++++ port 54 - user: admin <web error>. A. Delimiter. B. rex command. C. The Field Extractor tool cannot extract regular expressions. D. Regular expression.

The macro weekly_sales(2) contains the search string: index=games | eval ProductSales = $Price$ * $AmountSold$ Which of the following will return results?. A. `weekly sales (3)`. B. `weekly_sales($3.995, $108)`. C. `weekly_sales (3.99, 10)`. D. `weekly sales (3.99, 10)`.

Which search string would only return results for an event type called successful_purchases?. A. tag=successful_purchases. B. Event Type:: successful purchases. C. successful_purchases. D. eventtype=successful_purchases.

The macro weekly_sales(2) contains the search string: index=games | eval ProductSales = $Price$ * $AmountSold$ Which of the following will return results?. A. `weekly_sales(3.99, 10)`. B. `weekly_sales($3.99$, $10$)`. C. `weekly_sales (3.99, 10)`. D. `weekly_sales(3)`.

When creating a data model, which root dataset requires at least one constraint?. A. Root transaction dataset. B. Root event dataset. C. Root child dataset. D. Root search dataset.

Which of the following statements describes an event type?. A. A log level measurement: info, warn, error. B. A knowledge object that is applied before fields are extracted. C. A field for categorizing events based on a search string. D. Either a log, a metric, or a trace.

What type of command is eval?. A. Streaming in some modes. B. Report generating. C. Distributable streaming. D. Centralized streaming.

Which of the following is a feature of the Pivot tool?. A. Creates lookups without using SPL. B. Data Models are not required. C. Creates reports without using SPL. D. Datasets are not required.

When used with the timechart command, which value of the limit argument returns all values?. A. limit=*. B. limit=all. C. limit=none. D. limit=0.

Which field extraction method should be selected for comma-separated data?. A. Regular expression. B. Delimiters. C. eval expression. D. table extraction.

What approach is recommended when using the Splunk Common Information Model (CIM) add-on to normalize data?. A. Consult the CIM data model reference tables. B. Run a search using the authentication command. C. Consult the CIM event type reference tables. D. Run a search using the correlation command.

Which of the following is included with the Common Information Model (CIM) add-on?. A. Search macros. B. Event category tags. C. Workflow actions. D. tsidx files.

For the following search, which field populates the x-axis? index=security sourcetype=linux_secure | timechart count by action. A. action. B. sourcetype. C. _time. D. time.

In the Field Extractor, when would the regular expression method be used?. A. When events contain JSON data. B. When events contain comma-separated data. C. When events contain unstructured data. D. When events contain table-based data.

Which of the following searches will return all clientip addresses that start with 108?. A. … | where like(clientip, "108.%"). B. … | where (clientip, "108. %"). C. … | where (clientip=108. %). D. … | search clientip=108.

What are search macros?. A. Lookup definitions in lookup tables. B. Reusable pieces of search processing language. C. A method to normalize fields. D. Categories of search results.

Which of the following options will define the first event in a transaction?. A. startswith. B. with. C. startingwith. D. firstevent.

The timechart command is an example of which of the following command types?. A. Orchestrating. B. Transforming. C. Statistical. D. Generating.

Which type of workflow action sends field values to an external resource (e.g. a ticketing system)?. A. POST. B. Search. C. GET. D. Format.

What fields does the transaction command add to the raw events? (select all that apply). A. count. B. duration. C. eventcount. D. transaction id.

How are event types different from saved reports?. A. Event types cannot be used to organize data into categories. B. Event types include formatting of the search results. C. Event types can be shared with Splunk users and added to dashboards. D. Event types do not include a time range.

When using the transaction command, how are evicted transactions identified?. A. closed_txn field is set to 0, or false. B. max_txn field is set to 0, or false. C. txn_field is set to 1, or true. D. open_txn field is set to 1, or true.

Which of the following describes the | transaction command?. A. It is an SPL command that groups at least two events together based on shared values in selected fields. B. It allows an exchange of data from one Splunk index to another Splunk index. C. It is an SPL command that groups events together with shared values in selected fields. D. It allows an exchange of data from one Splunk system to another Splunk system.

Which of the following eval commands will provide a new value for host from src if it exists?. A. | eval host = if(isnull(src), src, host). B. | eval host = if(NOT src = host, src, host). C. | eval host = if(src = host, src, host). D. | eval host = if(isnotnull(src), src, host).

A macro has another macro nested within it, and this inner macro requires an argument. How can the user pass this argument into the SPL?. A. An argument can be passed through the outer macro. B. An argument can be passed to the outer macro by nesting parentheses. C. There is no way to pass an argument to the inner macro. D. An argument can be passed to the inner macro by nesting parentheses.

Which of the following statements about calculated fields in Splunk is true?. A. Calculated fields cannot be chained together to create more complex fields. B. Calculated fields can be chained together to create more complex fields. C. Calculated fields can only be used in dashboards. D. Calculated fields can only be used in saved reports.

Why would the following search produce multiple transactions instead of one?. A. The maxspan option is not included. B. The transaction command has a limit of 1000 events per transaction. C. The transaction and commands cannot be used together. D. The stats list() function is used.

How is a macro referenced in a search?. A. By using the macroname command. B. By using the macro command. C. By enclosing the macro name in backtick characters (`). D. By enclosing the macro name in single-quote characters (').

Which workflow action type performs a secondary search?. A. POST. B. Drilldown. C. GET. D. Search.

Which of the following objects can a calculated field use as a source?. A. An alias of a field. B. A field added by an automatic lookup. C. The tag field. D. The eventtype field.

Which of the following transforming commands can be used with transactions?. A. chart, timechart, stats, eventstats. B. chart, timechart, stats, diff. C. chart, timechart, datamodel, pivot. D. chart, timechart, stats, pivot.

If there are fields in the data with values that are " " or empty but not null, which of the following would add a value?. A. | eval notNULL = if(isnull(notNULL), "0", notNULL). B. | eval notNULL = if(isnull(notNULL), "0"). C. | eval notNULL = "" | nullfill value=0 notNULL. D. | eval notNULL = "" | fillnull value=0 notNULL.

Which syntax is used to represent an argument in a macro definition?. A. "argument". B. %argument%. C. 'argument'. D. $argument$.

Which of the following statements best describes a macro?. A. A macro is a method of categorizing events based on a search. B. A macro is a way to associate an additional (new) name with an existing field name. C. A macro is a portion of a search that can be reused in multiple places. D. A macro is a knowledge object that enables you to schedule searches for specific events.

A field alias is created where field1=field2 and the Overwrite Field Values checkbox is selected. What happens if an event only contains values for field1?. A. field2 values are removed from the events. B. field1 and field2 values are merged. C. field2 values are unchanged. D. field2 values are replaced with the value of field1.

Which search retrieves events with the event type web_errors?. A. tag=web_errors. B. eventtype=web_errors. C. eventtype "web errors". D. eventtype (web_errors).

What is the correct syntax to find events associated with a tag?. A. tag:<field>=<value>. B. tags=<value>. C. tags:<field>=<value>. D. tag=<value>.

Which of the following examples would use a POST workflow action?. A. Perform an external IP lookup based on a domain value found in events. B. Use the field values in an HTTP error event to create a new ticket in an external system. C. Launch secondary Splunk searches that use one or more field values from selected events. D. Open a web browser to look up an HTTP status code.

Which field will be used to populate the field if the productName and productId fields have values for a given event?. A. | eval productINFO=coalesce(productName,productId). B. Both field values will be used and the productINFO field will become a multivalue field for the given event. C. The value for the productName field because it appears first. D. Neither field value will be used and the field will be assigned a NULL value for the given event.

What are the expected results for a search that contains the command | where A=B?. A. Events that contain the string value where A=B. B. Events that contain the string value A=B. C. Events where values of field A are equal to values of field B. D. Events where field A contains the string value B.

When would a user select delimited field extractions using the Field Extractor (FX)?. A. When a log file has values that are separated by the same character, for example, commas. B. When a log file contains empty lines or comments. C. With structured files such as JSON or XML. D. When the file has a header that might provide information about its structure or format.

A calculated field is a shortcut for performing repetitive, long, or complex transformations using which of the following commands?. A. transaction. B. lookup. C. stats. D. eval.

A user runs the following search: index=X sourcetype=Y | chart count(domain) as count, sum(price) as sum by product, action usenull=f useother=f Which of the following table headers match the order this command creates?. A. The chart command does not allow for multiple statistical functions. B. Product, sum: addtocart, sum: remove, sum: purchase, count: addtocart, count: remove, count: purchase. C. Product, count: addtocart, count: remove, count: purchase, sum: addtocart, sum: remove, sum: purchase. D. Count: product, sum: product, count: action, sum: action.

Which of the following is true about Pivot?. A. Users can save reports from Pivot. B. Users cannot share visualizations created with Pivot. C. Users must use SPL to find events in a Pivot. D. Users cannot create visualizations with Pivot.

Which tool uses data models to generate reports and dashboard panels without using SPL?. A. Visualization tab. B. Pivot. C. Datasets. D. Splunk CIM.

Which knowledge object is used to normalize field names to comply with the Splunk Common Information Model (CIM)?. A. Field alias. B. Event types. C. Search workflow action. D. Tags.

How is an event type created from the search window? (select all that apply). A. In the top right corner, click Save As > Event Type. B. In an event's detail dropdown, click Event Actions > Build Event Type. C. Edit eventtypes.conf and add a new stanza. D. Add | eventtype to the SPL and execute the search.

Consider the following search: index=web sourcetype=access_combined The log shows several events that share the same JSESSIONID value (SD462K101O2F267). View the events as a group. From the following list, which search groups events by JSESSIONID?. A. index=web sourcetype=access_combined | transaction JSESSIONID | search SD462K101O2F267. B. index=web sourcetype=access_combined SD462K101O2F267 | table JSESSIONID. C. index=web sourcetype=access_combined | highlight JSESSIONID | search SD462K101O2F267. D. index=web sourcetype=access_combined JSESSIONID <SD462K101O2F267>.

Which of the following is true about the Splunk Common Information Model (CIM)?. A. The data models included in the CIM are configured with data model acceleration turned off. B. The CIM contains 28 pre-configured datasets. C. The CIM is an app that needs to run on the indexer. D. The data models included in the CIM are configured with data model acceleration turned on.

When defining a macro, what are the required elements?. A. Name and arguments. B. Name and a validation error message. C. Name and definition. D. Definition and arguments.

Which of the following expressions could be used to create a calculated field called gigabytes?. A. eval sc_bytes(10244). B. | eval megabytes=sc_bytes(10244). C. megabytes=sc_bytes(10244). D. sc_bytes(10244).

Consider the following search run over a time range of last 7 days: index=web sourcetype=access_combined | timechart avg(bytes) by product_name Which option is used to change the default time span so that results are grouped into 12 hour intervals?. A. span=12h. B. timespan=12h. C. span=12. D. timespan=12.

What commands can be used to group events from one or more data sources?. A. eval, coalesce. B. transaction, stats. C. stats, format. D. top, rare.

Tags can reference which of the following knowledge objects?. A. Lookups and event types only. B. Extracted fields, field aliases, calculated fields, lookups, and event types. C. Tags cannot reference any of these knowledge objects because tags are the last knowledge objects generated in the search-time operation sequence. D. Extracted fields, calculated fields, and field aliases only.

If a calculated field has the same name as an extracted field, what happens to the extracted field?. A. The calculated field will override the extracted field. B. The calculated and extracted fields will be combined. C. The calculated field will duplicate the extracted field. D. An error will be returned and the search will fail.

Given the following eval statement: ...| eval field1 = if(isnotnull(field1),field1,0), field2 = if(isnull(field2), "NO-VALUE", field2) Which of the following is the equivalent using fillnull?. A. There is no equivalent expression using fillnull. B. ... | fillnull values=(0,"NO-VALUE") fields=(field1,field2). C. ... | fillnull value=0 field1 | fillnull fields. D. ... | fillnull field1 | fillnull value="NO-VALUE" field2.

Why are tags useful in Splunk?. A. Tags look for less specific data. B. Tags visualize data with graphs and charts. C. Tags group related data together. D. Tags add fields to the raw event data.

The Splunk Common Information Model (CIM) is a collection of what type of knowledge object?. A. KV Store. B. Lookups. C. Saved searches. D. Data models.

When should the regular expression mode of Field Extractor (FX) be used? (select all that apply). A. For data cleanly separated by a space, a comma, or a pipe character. B. For data in a CSV (comma-separated value) file. C. For data with multiple, different characters separating fields. D. For unstructured data.

Which of the following is true about data model attributes?. A. They cannot be created within the data model. B. They can only be added into a root search dataset. C. They cannot be edited if inherited from a parent dataset. D. They can be added to a dataset from search time field extractions.

Which of the following describes this search? `third_party_outages(EMEA,-24h)`. A. This search will find all events for the third_party_outages event type that have "EMEA" or "-24h" in the raw event data. B. This search will run the third_party_outages saved search and filter for events containing "EMEA" and "-24h" in the raw event data. C. This search will run the third_party_outages macro and pass the arguments EMEA and -24h to the macro definition. D. This search will find all events in the third_party_outages index with the tags EMEA and -24h.

To create a tag, which of the following conditions must be met by the user?. A. Identify at least one field:value pair. B. Have the Power role at a minimum. C. Be able to edit the sourcetype the tag applies to. D. Must have the tag capability associated with their user role.

Which of the following data models are included in the Splunk Common Information Model (CIM) add-on? (select all that apply). A. User permissions. B. Alerts. C. Databases. D. Email.

When would transaction be used instead of stats?. A. To group events based on a single field value. B. To see results of a calculation. C. To have a faster and more efficient search. D. To group events based on start/end values.

Where are the descriptions of the data models that come with the Splunk Common Information Model (CIM) Add-on documented?. A. Datamodel command reference guide. B. Pivot users manual. C. Search and reporting user manual. D. CIM Add-on manual.

How are arguments defined within the macro search string?. A. $arg$. B. 'arg'. C. %arg%. D. "arg".

A user wants to create a workflow action that will retrieve a specific field value from an event and run a search in a new browser window in the user's Splunk instance. What kind of workflow action should they create?. A. A Run workflow action, because the user is running a new search with a specific field value from an event returned in the user's search. B. A Search workflow action, because the user is running a new search with a specific field value from an event returned in the user's search. C. A POST workflow action, because the search is being sent to the user's current Splunk instance. D. A GET workflow action, because a field value needs to be retrieved from the events returned in the user's search.

Which of the following is true about a datamodel that has been accelerated?. A. They can be used with Pivot, the | tstats command, or the | datamodel command. B. They can still be used in the Pivot tool but only with the accelerate_pivot capability. C. They can no longer be used in the Pivot tool. D. They can be used with the |tstats command, but will only return that data which has been accelerated.

How can an existing accelerated data model be edited?. A. An accelerated data model can be edited once its .tsidx file has expired. B. An accelerated data model can be edited from the Pivot tool. C. The data model must be de-accelerated before edits can be made to its structure. D. It cannot be edited. A new data model would need to be created.

Consider the following search: index=web sourcetype=access_combined The log shows several events that share the same JSESSIONID value (SD470K92802F117). View the events as a group. From the following list, which search groups events by JSESSIONID?. A. index=web sourcetype=access_combined | highlight JSESSIONID | search SD470K92802F117. B. index=web sourcetype=access_combined | transaction JSESSIONID | search SD470K92802F117. C. index=web sourcetype=access_combined SD470K92802F117 | table JSESSIONID. D. index=web sourcetype=access_combined JSESSIONID <SD470K92802F117>.

Using the Field Extractor (FX) tool, a value is highlighted to extract and give a name to a new field. Splunk has not successfully extracted that value from all appropriate events. What steps can be taken so Splunk successfully extracts the value from all appropriate events? (select all that apply). A. Select an additional sample event with the Field Extractor (FX) and highlight the missing value in the event. B. Re-ingest the data and attempt to extract from a new dataset. C. Click on the event where the field was not extracted and choose "Change to Delimited". D. Edit the regular expression manually.

Which of the following can be saved as an event type?. A. index=server_472 sourcetype=BETA_494 code=488 | stats count by code. B. index=server_472 sourcetype=BETA_494 code=488 [| inputlookup append=t servercode.csv]. C. index=server_472 sourcetype=BETA_494 code=488 | stats where code > 200. D. index=server_472 sourcetype=BETA_494 code=488.

How could the following syntax for the chart command be rewritten to remove the OTHER category? (select all that apply). A. | chart count over CurrentStanding by Action useother=f. B. | chart count over CurrentStanding by Action usenull=f useother=t. C. | chart count over CurrentStanding by Action limit=10 useother=f. D. | chart count over CurrentStanding by Action limit=10.

Which of the following knowledge objects can reference field aliases?. A. Calculated fields, lookups, event types, and tags. B. Calculated fields and tags only. C. Calculated fields and event types only. D. Calculated fields, lookups, event types, and extracted fields.

What is the purpose of the fillnull command?. A. Replace empty values with a specified value. B. Create a new field based on the values in an existing field. C. Rename a specific field in the search results. D. Replace all values in a specific field with a default value.

When performing a regex field extraction with the Field Extractor (FX), a data type must be chosen before a sample event can be selected. Which of the following data types are supported?. A. index or source. B. sourcetype or host. C. index or sourcetype. D. sourcetype or source.

Which of these stats commands will show the total bytes for each unique combination of page and server?. A. index=web | stats sum(bytes) BY page BY server. B. index=web | stats sum(bytes) BY page server. C. index=web | stats sum(bytes) BY page AND server. D. index=web | stats sum(bytes) BY values(page) values(server).

Two separate results tables are being combined using the |join command. The outer table has the following values: Refer to following Tables The line of SPL used to join the tables is: | join employeeNumber type=outer How many rows are returned in the new table?. A. Zero. B. Five. C. Eight. D. Three.

When using transaction, what is the default maximum span between events?. A. Unlimited. B. 1h. C. 1m. D. 1d.

Which of the following commands connects an additional table of data directly to the right side of the existing table?. A. subsearch. B. update. C. appendcols. D. append.

What are the expected search results from executing the following SPL command? index=network NOT StatusCode=200. A. Every event in the network index that does not have a value in this field. B. Every event in the network index that does not contain a StatusCode of 200 and excluding events that do not have a value in this field. C. Every event in the network index that does not contain a StatusCode of 200, including events that do not have a value in this field. D. No results as the syntax is incorrect, the != field expression needs to be used instead of the NOT operator.

Which of the following is included with the Splunk Common Information Model (CIM) Add-on?. A. Sourcetype definitions from the most popular technology vendors. B. A set of pre-configured data models. C. Scripted inputs to pre-align data with the CIM. D. Dashboards to validate data quality.

To which of the following can a field alias be applied?. A. Data found in a lookup table. B. Either a calculated field or an extracted field. C. Only one single field in a dataset. D. A given host, source, or sourcetype.

Which of the following statements is true about the root dataset of a data model?. A. It can contain transforming commands as long as it is a root search dataset. B. It will automatically contain knowledge objects associated with the base search. C. It must contain the transaction command if it is a root transaction dataset. D. It can only contain a base search with no transforming commands.

A POST workflow action will pass which types of arguments to an external website?. A. Clear text only. B. A mix of clear text strings and variables. C. It can only send raw event data. D. Variables only.

When does the CIM add-on apply preconfigured data models to the data?. A. Search time. B. Index time. C. On a cron schedule. D. At midnight.

How is a variable for a macro defined?. A. Place the variable name inside of curly braces: {variable name}. B. Place the variable name inside of asterisks: *variable name*. C. Place the variable name inside of dollar signs: $variable name$. D. Place the variable name inside of percentage signs: %variable name%.

For the following search, which command would further filter for only IP addresses present more than five times?. A. index=games | stats count as IP_count by IP | where IP_count > 5. B. index=games | search IP_Count > 5. C. index=games | where IP > 5. D. index=games | search IP > 5.

Which of the following searches can be used to define an event type?. A. index=games sourcetype=score [search index=players | fields player_id]. B. index=games sourcetype=score | where score>9999. C. index=games sourcetype=score player=* score>9999. D. index=games sourcetype=score | stats count by player.

When using the Field Extractor (FX) to perform a field extraction, which delimiter can be used?. A. A period or comma. B. A comma. C. A tab or space. D. Any consistent character.

What is the purpose of a calculated field?. A. To automatically add fields to the index using an eval expression rather than manually including an eval command. B. To manually add and remove fields at search time related to statistical functions. C. To automatically add fields at search time using an eval expression rather than manually including an eval command. D. To manually add fields at search time and check for syntax errors.

When creating an event type, which is allowed in the search string?. A. Tags. B. Joins. C. Subsearches. D. Pipes.

When using multiple expressions in a single eval command, which delimiter is used?. A. , (comma). B. | (pipe). C. / (forward slash). D. : (colon).

A Splunk app is configured to extract domain names in web service logs and specify them as a field named domain. What workflow action would return an external IP lookup for the field named domain?. A. POST. B. PUT. C. GET. D. Search.

Which option of the transaction command would be used to specify the maximum time between events in a transaction?. A. maxpause. B. maxspan. C. duration. D. eventcount.

What field must be present in order to use the timechart command?. A. _raw. B. time. C. _time. D. index.

Which of the following definitions describes a macro named "samplemacro" that accepts two arguments?. A. Examplemacro [1,2]. B. samplemacro(1,2). C. samplemacro(2). D. samplemacro[2].

What is the correct Boolean order of evaluation for the where command from first to last?. A. NOT, Parentheses, OR, AND. B. AND, Parentheses, NOT, OR. C. Parentheses, NOT, AND, OR. D. Parentheses, NOT, OR, AND.

Why would the transaction command be used instead of the stats command?. A. The transaction command has better search-time performance. B. The transaction command can perform calculations on fields. C. The transaction command keeps the raw data for each event. D. The transaction command is less resource-intensive.

Which of the following is true about data sets used in the Pivot tool?. A. They can only be created from data models. B. They can only be created by users with the Admin role. C. They can only be created from summary indexes. D. They can only be created from saved reports.

Given the following eval statement: ... | eval field1 = if(isnotnull(field1),field1,0), field2 = if(isnull(field2), "NO-VALUE", field2) Which of the following is the equivalent using fillnull?. A. ... | fillnull values=(0,"NO-VALUE") fields=(field1,field2). B. There is no equivalent expression using fillnull. C. ... | fillnull field1 | fillnull value="NO-VALUE" field2. D. ... | fillnull value=0 field1 | fillnull field2.

What is needed to define a calculated field?. A. Eval expression. B. Data model. C. Event type. D. Regular expression.

A user wants a table that will show the total revenue made for each product in each sales region. Which would be the correct SPL query to use?. A. index=X sourcetype=Y | chart sum(product) by price AND region. B. index=X | chart sum(price) by product, region. C. index=X | chart total(product) over price by region. D. index=X | chart total(price) by product, region.

How do event types help a user search their data?. A. Event types can optimize data storage. B. Event types improve dashboard performance. C. Event types improve search performance. D. Event types categorize events based on a search string.

What happens to the original field name when a field alias is created?. A. The original field name is not affected by the creation of a field alias. B. The original field name is replaced by the field alias within the index. C. The original field name is italicized to indicate that it is not an alias. D. The original field name still exists in the index but is not visible to the user at search time.

A search contains example(100,200). What is the name of the macro?. A. example(2). B. example(var1,var2). C. example($,$). D. example[2].

Two separate results tables are being combined using the join command. The outer table has the following values: The inner table has the following values: The line of SPL used to join the tables is: join employeeNumber type=outer How many rows are returned in the new table?. A. Three. B. Eight. C. Five. D. Zero.

What is a benefit of installing the Splunk Common Information Model (CIM) add-on?. A. It permits users to create workflow actions to align with industry standards. B. It provides users with a standardized set of field names and tags to normalize data. C. It allows users to create 3-D models of their data and export these visualizations. D. It enables users to itemize their events based on the results of the Search Job Inspector.
