Splunk Power User SPLK-1002 - Quizs from Splunk eLearning

When using the following search arguments, what will be returned? | timechart count span=1h #. events in the last 24 hours. chart of events in 1 hour chunks. events with a duration of 1 hour.

The ________ and ________ time modifiers will override the time range picker in a historical report. #. latest. earliest. last. first.

What will the strftime function return when using the %H argument with the _time field? Select all that apply. #. time of raw event in UTC. hour of the event generated at index time. convert the hour into your local time based on your time zone setting of your Splunk web sessions.

Which of the following are default time fields? Select all that apply. #. date_hour. date_mday. date_day. date_year.

@timeUnit will always round up and go forward through time. #. TRUE. FALSE.

date_time always reflects your local time zone and not the time/date from raw events. #. FALSE. TRUE.

Choose the search that will sort events into one minute groups. Select all that apply. #. | bin _time span=1m. | bin span=1minutes. | bin span=1minute. | bin _time span=1mins.

Using earliest=-30d@d latest=@d is how to return results from the last 30 days up to the current moment. #. TRUE. FALSE.

Which of these functions lists ALL values of the field X? #. values(X). list(X).

True or False: Using an OVER and a BY clause with the chart command will create a multiseries data series. #. TRUE. FALSE.

True or False: The timechart command will always have _time as the X-axis. #. TRUE. FALSE.

If you use the stats command with two functions and a BY clause, which function is the BY clause applied to? #. both functions. the first function. both functions if they are both aggregate functions. the second function.

True or False: Use useother=false with the chart command if you want to hide the OTHER column. #. FALSE. TRUE.

To display the least common values of a field, use the ___ command. #. top. timechart with common=f option. rare. stats.

Which eval function would you use to round numerical values? #. tonumber. roundvalue. round. commas.

When you use the stats command with a BY clause, what is returned? #. numerical statistics on each field if and only if all of the values of that field are numerical. a statistical output for each value of the named field. one row. an error message because you did not include a statistical function.

True or False: You can use wildcards (*) with the rename command to rename multiple fields that match a pattern. #. FALSE. TRUE.

Which of these eval functions takes no arguments? #. min. random. pow. max.

True or False: The pow(X,Y) eval function returns Y to the power of X. #. FALSE. TRUE.

When renaming fields with spaces or special characters, use the rename command and include the new field name in ___. #. None of the above. double quotes. parenthesis. single quotes.

By default, the sort command lists results in ___ order. #. descending. ascending.

True or False: Only one field can be created when using the eval command. #. TRUE. FALSE.

When using the top command, add the BY clause to ___. #. specify which search mode to return results by. return a percentage of events. return results grouped by the field you specify in the BY clause. specify how many results to return.

Which of the following functions can be used to filter NULL values? #. isnotnull. usenull=f. usenull=t. isnull.

The _____ command replaces NULL values in fields. #. isnotnull. isnull. null. fillnull.

True or False: Temporary fields created by using eval can be referenced in the search pipeline following creation. #. TRUE. FALSE.

What is the order of Boolean Expression of Evaluation for the where and eval commands? #. AND, NOT, Expressions with parenthesis, OR. Expressions with parenthesis, NOT, AND, OR. AND, OR, NOT, Expressions with parenthesis. NOT, AND, OR, Expressions with parenthesis.

Which are the Boolean operators that can be used by the eval command? Select all that apply. #. OR. NAND. XOR. AND.

True or False: Specify a wildcard by using the * character with the where command. #. FALSE. TRUE.

Which eval function is the best option for masking data? #. validate. case. replace. isnotnull.

The _____ command calculates an expression and puts the resulting value into a new or existing field. #. eval. where. fillnull. replace.

True or False: When using the eval command, all field values are treated in a case-sensitive manner and must be double-quoted. #. TRUE. FALSE.

True or False: The where command filters results and only keeps events where the expression evaluates to TRUE. #. TRUE. FALSE.

True or False: eval cannot exist as an expression. #. FALSE. TRUE.

True or False: The case function will return NULL if no expressions evaluate to TRUE. #. FALSE. TRUE.

The where command interprets unquoted or single-quoted strings as _______ and double-quoted strings as _______. #. field values, fields. integers, field values. fields, field values. field values, integers.

Which of the following functions must be used with the in function? Select all that apply. #. if. validate. case. sum.

Which of these fillnull expressions will replace NULL data with the string "NOT FOUND"? #. | fillnull NOTFOUND=true. | fillnull value="NOT FOUND". | fillnull.

Which command uses a template subsearch to replace the values of specific fields? #. eval. foreach. replace. none; commands only use functions to replace field values, not templates or subsearches.

Which of these tostring expressions will format the PROFIT field in the USD currency format, $x,xxx? #. | eval PROFIT = tostring("$x,xxx",PROFIT). | eval PROFIT = tostring(PROFIT,"$x,xxx"). | eval PROFIT = tostring(PROFIT,"$"."commas"). | eval PROFIT = "$".tostring(PROFIT,"commas").

Which statement(s) about appendpipe is false? #. appendpipe transforms results and adds new lines to the bottom of the results set without overwriting original results. The subpipeline is executed only when Splunk reaches the appendpipe command. appendpipe transforms results and adds new lines to the bottom of the results set because appendpipe is always the last command to be executed. Only one appendpipe can exist in a search because the search head can only process two searches simultaneously.

True or False: The foreach command can be used without a subsearch. #. TRUE. FALSE.

_____ is the process of organizing data to appear similar across all records, making the information easier to search. #. Splunkification. Normalization. Collating. Segmentation.

You would use the _____ function to convert a string to uppercase and the _____ function to convert a string to lowercase. #. uppercase(), lowercase(). upper(), lower(). lower(), upper(). lowercase(), uppercase().

True or False: eventstats and streamstats support multiple stats functions, just like stats. #. FALSE. TRUE.

True or False: If there is an appendpipe in a search, its subpipeline will always be executed last. #. TRUE. FALSE.

Which two commands when used together are equivalent to chart <fieldA> over <fieldB> by <fieldC>? Select all that apply. #. stats <fieldA> by <fieldB>,<fieldC> followed by untable <fieldB> <fieldC> <fieldA>. stats <fieldA> by <fieldB>,<fieldC> followed by xyseries <fieldB> <fieldC> <fieldA>. stats <fieldA> by <fieldB>,<fieldC> followed by additional commands and then untable <fieldB> <fieldC> <fieldA>. stats <fieldA> by <fieldB>,<fieldC> followed by additional commands and then xyseries <fieldB> <fieldC> <fieldA>.

Which of these expressions will accurately normalize values from the OperatingSys and CompSys fields into a new field called OS? #. | eval replace(OperatingSys OR CompSys,OS". | eval OS = coalesce(OperatingSys,CompSys). | eval OS = case(OperatingSys=OperatingSys,"OS",CompSys=CompSys,"OS",true(),"OS").

Transactions contain the ______ field contents and the ______ of the earliest member. #. source, timestamp. host, timestamp. _raw, timestamp. _time, timestamp.

Which fields are added to raw events by the transaction command? Select all that apply. #. duration. index. eventcount. _time.

The ______ option controls the maximum total time between the earliest and latest events. #. minpause. maxspan. maxpause. span.

Which of the following are options for the transaction command? Select all that apply. #. startswith. maxevents. endswith. maxpause.

True or False: The transaction command is resource intensive. #. TRUE. FALSE.

When present in a search pipeline, a subsearch is executed ______ and it sends its ______ to the main search. #. last, results. first, results. last, search query. first, search query.

Which of the following statements about subsearches are true? #. Multiple searches can be used. They can be nested. They are great for filtering data. They can not be nested.

The append command attaches results of a subsearch to the ______ of current results. #. append command does not attach to the current results. start. end.

If a search and a subsearch produce the same number of results in the same order, it is safe to use this command. Otherwise, you will get misleading results. #. union. transaction. append. appendcols.

The _____ command combines results from two or more datasets and returns a single result set. #. join. union. append.

Field aliases are applied after __________ and before __________. Select all that apply. #. field extractions, lookups. lookups, field extractions. tags, field extractions. field extractions, tags.

To search for a tag associated with a value on a specific field, select the correct string. #. tag=user::privileged. tag=user=privileged. tag=user::privileged. tag::user=privileged.

Which of the following are ways you can create an event type. Select all that apply. #. Run a search, then save as Event Type. From event details, select Event Actions > Build Event Type. Settings > Event types > "New Event Type".

Select all knowledge objects. #. users. field aliases. lookups. workflow actions.

Which workflow actions require you to specify if the behavior should open in a new window or current window? Select all that apply. #. POST. PUT. GET. Search.

Which function is used to send field values externally in Workflow Actions? #. GET. PUT. POST. Search.

Which statement best describes the function of a Workflow Action #. Sends field values to an external source. Allows users to interact with web resources. Retrieves information from an external source. Uses field values to perform a secondary search.

True or False: Splunk knowledge objects can only be used privately. #. FALSE. TRUE.

When adding arguments to a macro, include the number of arguments in ______ #. Dollar signs with the search definition. Parentheses before the macro name. Parentheses after the macro name. Using the pipe function.

To perform a secondary search, use a __________ workflow action #. Search. PUT. GET. POST.

Which statements best describe an Event Type. Select all that apply. #. Can be used to normalize field names, tags and field extractions. tags, field extractions. Categorizes events based on search constraints. Allow users to interact with web resources.

If you have a tag label called "homeoffice" associated with the field/value pair system_ip=<your ip address>, when you run a search using the tag=homeoffice constraint, what events will be returned? #. events with the value of the system_ip field equal to your ip address. field lookup table. events from _internal.

Surround the macro name with the ______ when executing the macro in search. #. Double quote character. Dollar sign. Single quote character. Backtick character.

When using regex for field extraction, what's the first thing you have to do in the Field Extractor? #. Provide a Field Name. Set the Extractions Name and set permissions. Select a value to extract. Edit the regular expression.

Which of the following character delimiters are supported for a delimited field extraction? #. space. pipe. tab. comma.

There are three ways to get to the Field Extractor (FX). Select all that apply. #. Fields sidebar. Event Actions menu. Settings menu. Auto-Extract Fields Workflow.

True or False. Fields can be extracted only after indexing is complete. #. TRUE. FALSE.

Use this field extraction method when fields are separated by spaces, commas, or characters. #. regex field extractions. rename field extractions. delimited field extractions.

Which of the following statements are true about a Regex "capture"? #. Defined with a matching parentheses: ( ). Can be referenced with a given name using: ?<name>. Captures a matching pattern. Allows the Regex to be case insensitive.

True or False: If you manually edit the regular expression in the Field Extractor Utility then you will not be able to go back to validate the results. #. FALSE. TRUE.

Which of the following strings match this Regular Expression: c.t #. c.t. cat. c#t. c99t.

Which of the following Regex operator can most severely impact performance, and may be considered "greedy"? #. . (period). * (asterisk). + (plus sign). \ (backslash).

Which of the following statements describe data models? Select all that apply. #. Can only be designed by users with the admin role. Must contain at least one of each dataset: Events, Searches, and Transactions. Can be used by the Pivot interface to generate reports and dashboard panels. A knowledge object that applies information structure to raw data.

Data models can include which of the following elements? Select all that apply. #. constraints. event object hierarchy. inherited and extracted fields.

Which of the following is required to enable data model acceleration? #. All 3 root dataset types: events, search, and transaction. A private data model. A user role with the accelerate_datamodel capability. A user accessing a data model dataset in Pivot.

All event datasets can contain which of the following? Select all that apply. #. Children. Purchases. Constraints. Fields.

Which feature helps users collaborate when working with data models? #. Splunk user integration, such as LDAP. Creating data models in the Search & Reporting app. Downloading and uploading data models. The data model "clone" functionality.

What is true about Pivot? Select all that apply. #. Alternate method to access data without using search language. Requires the use of simplified search language. Requires use of datasets. Quick way to design visualizations of data using Splunk Web.

When creating a data model, which of the following is true? Select all that apply. #. The process fails if you are not logged in as an admin user. Only the Search & Reporting and Monitoring Console apps can be selected. Splunk highly recommends overriding the default ID to prevent confusion. As the title is entered an ID is automatically generated.

True or False: You can only split a pivot with a maximum of one row or column. #. TRUE. FALSE.

To add a Root Event Dataset, what field is required to be manually added? #. Dataset ID. Duration maxpause maxspan. Dataset Name.

A data model can consist of the following three types of datasets. Select all that apply. #. events. searches. transactions. Pivot reports.

By default, the sort command lists results in __________ order. #. ascending. descending.

When adding fields to a dataset, which of the following creates a new field based on an expression that you define? #. Lookup. Geo IP. Eval Expression. Auto-Extracted.

What do Pivots require to create visualizations in Splunk? Select all that apply. #. data models. lookups. web filters. spreadsheets.

What occurs when setting a field flag to Hidden? #. Constraints will ignore the use of this field. Only events that contain the field are returned. The field is not displayed to Pivot users when they select the dataset in Pivot. The field doesn't have to appear in every event.

True or False: A constraint inherited by the children dataset from the parent dataset can be removed. #. FALSE. TRUE.

By default, which of the following roles are required to share knowledge objects?. Manager. Admin. Power. User.

When a search is run, in what order are events returned?. Alphanumeric order. Chronological order. Reverse chronological order. Reverse alphanumeric order.

Which Splunk infrastructure component stores ingested data?. Data models. Datasets. Index. Dashboards.

Which of the following searches will return results containing the terms failed, password, or failed password?. failed password OR "failed password". fail*. failed OR password. failed OR password OR "failed password".

What determines the timestamp shown on returned events in a search?. The time zone where the event originated. Timestamps are displayed in epoch time. Timestamps are displayed in Greenwich Mean Time. The time zone defined in user settings.

By default, who is able to view a saved report?. Any user with a power or admin role. Any user with the viewreports capability. The user who created it or any user with an admin role. The user who created it.

Which of the following booleans can be used in a search?. OR. NOT. AND. ALSO.

Which command can be used to further filter results in a search?. search. subsearch. subset. filter.

What is the most efficient way to limit search results returned?. time. source. index. host.

By default, how long does a search job remain active?. 7 days. 30 minutes. 10 minutes.

Which of the following searches will return results containing the words fail, failure, or failed?. fail*. *fail. fail. fail+.

Which search mode behaves differently depending on the type of search being run?. Variable. Verbose. Fast. Smart.

Which character is used in a search before a command?. A pipe (|). A tilde (~). A quotation mark ("). A backtick (`).

What are the default roles in Splunk Enterprise?. Admin. User. Power. Manager.

To remove fields from a search, you would use the ____________ command. fields+. +fields. -fields. fields-.

True or False: Fields are knowledge objects. FALSE. TRUE.

Which of the following fields are default selected fields?. host. index. source. sourcetype.

At search time, __________ extracts fields from raw event data. field discovery. field extractor. fields command.

In the Fields sidebar, Interesting Fields occur in at least ____________ of resulting events. 20%. 50%. 10%. 3%.

True or False: Once you rename a field, the new field name must be used in the rest of the search string. TRUE. FALSE.

At search time, if an event has an equal (=) sign, the data to the left is treated as a __________ and the data to the right is treated as a __________. lookup, sourcetype. field name, sourcetype. field name, value. lookup, value.

The fields command allows you to do which of the following? Select all that apply. Include fields (fields). Include fields (fields +). Exclude fields (fields -).

Which type of default map visualization uses shading to represent relative metrics?. Choropleth Map. Cluster Map. Shading Map. Marker Map.

Which command can be used to exclude fields from search results?. exclude. dedup. fields. remove.

Which command changes the appearance of field values?. fieldformat. rename. fields. format.

Which command removes duplicate field values in search results?. dedup. exclude. remove. fields.

Which clause can be used with the top command to specify a number of values to return?. limit. values. return. resultcount.

How can the order of columns in a table be changed?. By dragging and dropping in the table interface. By selecting the "Move column" option in a column header's dropdown. By changing the order of fields specified in the fields command. By changing the order of fields specified in the table command.

Which clause can be used with the rare command to specify whether or not a percentage column is created?. displayperc. percentage. showperc. perccol.

Which clause can be used with the top command to change the name of the count column?. countname. countfield. colname. colheader.

Which of the following commands can return a count of all events matching search criteria over a specified time period?. stats. match. count. where.

Which argument can be used with the geostats command to control the column count?. latfield. longfield. globallimit. collimit.

In a single series data table, which column provides the x-axis values for a visualization?. The second column. The first column. The third column. The fourth column.

When using the timechart command, which axis represents time?. The axis is specified using the as clause. The axis is specified using the by clause. Y-axis. X-axis.

Which argument can be used with the timechart command to specify the time range to use when grouping events?. range. timerange. timespan. span.

How many columns are displayed in a visualization by default when using the chart command?. 10. 5. 3. 20.

Which optional argument of the addtotals command changes the label for row totals in a table?. label. fieldname. rowlabel. fieldformat.

Which scheduled report setting helps determine when concurrent reports will run?. Report Order. Schedule Order. Schedule Priority. Report Priority.

Select the two valid types of alerts. Scheduled. Email. Real-time. Text message (SMS).

Which of the following user roles are able to display a report in the app in which it was created?. The user who created the report. Power. Admin. User.

Which alert setting allows you to control how many alert actions are taken when trigger conditions are met?. Schedule Window. Limit. Throttle. Schedule Priority.

Which alert action allows you to send an event to your Splunk deployment for indexing?. Create event. Generate log. Generate event. Log event.

Which scheduled alert type will continuously run in the background?. Interval. Automatic. Constant. Real-time.

Which of the following prebuilt alert actions can be triggered when a report is run?. Send a text message (SMS). Output results to a lookup. Run a secondary report. Send an email.

What is a primary benefit of scheduling reports?. Scheduling a report reduces the demand that concurrently running reports can put on your system hardware. Scheduled reports take precedence over all other activity in your environment. When a scheduled report is run, all existing search jobs are terminated. Dashboard panels require scheduled reports in order to display up-to-date content.

Which Edit setting allows a report to be displayed to users outside of your organization?. Permissions. Enable. HTML. Embed.

If a dashboard panel is powered by a scheduled report, how frequently will its contents update?. Dashboard panels will update based on the dashboard's time range picker. Dashboard panels cannot be linked to scheduled reports. The dashboard panel updates based on the underlying report's scheduling settings. The dashboard panel updates any time the dashboard is opened or manually refreshed.

Which of the following user roles are able to display a report in all apps?. Power. User. The user who created the report. Admin.

When are actions triggered for a real-time alert?. Within a 60 second window of its cron schedule. As soon as the related report is run. Within a five minute window of its cron schedule. As soon as alert conditions are met.

Which scheduled report setting allows you to define a time range for a report to run if it is delayed?. Report Window. Schedule Window. Schedule Time Range. Report Time Range.

Which alert action allows you to send a message to an external chat room?. API call. Output to text. Output to chat. Webhook.

When a data source is added to a dashboard it is ____________________. removed when the visualization it is linked to is deleted. listed on the Searches, Reports, and Alerts page. not removed when the visualization it is linked to is deleted.

Which is the new dashboard framework?. Splunk Web Framework (SplunkJS). Classic Dashboards (Simple XML). Dashboard Studio (JSON).

What does refreshType: delay do?. Prevents refresh. Starts counting when the search is dispatched. Starts counting down when the search is done.

What source code is used for Dashboard Studio dashboards?. XML. JSON. Java.

What does a base search do?. The base search gathers statistics for downline processing by a chain search. The base search gathers all chain search results for presentation. The base search performs processing of chain search results.

What does accelerating data models do?. Creates time-series index (TSIDX) files. Accelerates all fields in the data model. Limits the search time range to 30 minutes or less.

Which property is required in the chart options stanza for an event annotation?. annotationX. annotation_time. annotationLabel.

The tstats command ____________________. is a generating command. supports wildcards in field values in aggregate functions of BY clauses. performs statistical queries on indexed fields in tsidx files.

When using the ds.test data source type, where are columns and fields stanzas placed?. In the encoding stanza of the visualization. In the visualization stanza. In the data stanza under options for the data source.

What is wireframing?. Adding interactivity to a dashboard. Preliminary drawings that define a dashboard's interface and interactive elements. Using code to link dashboard visualizations.

Which of the following can be a primary data source?. Annotation. Saved search (report). Chain search. Mock Data. Inline search.

Where is the unique ID for a data source referenced?. The visualization's dataSources stanza. The Dashboard Definition dataSources section. Both the Dashboard Definition dataSources section and the visualization dataSources stanza.

What source code is used for classic dashboards?. Simple XML. HTML. JSON.

What does accelerating reports do?. Creates summaries to speed search completion time. Periodically ages out data. Can use event sampling.

The dashboard studio has which types of layouts?. Absolute. Grid. Row and Column.

What are the two dashboard workflows?. Save search results to a dashboard. Click Prototype on the Dashboards page. Click Create Dashboard on the Dashboards page.

Which data source types are controlled by a time range input?. ds.search. ds.savedSearch. ds.chain. ds.test.

What is a global search?. A dashboard with a base search. A dashboard with multiple chain searches. A dashboard with a single base search and chain searches that drive all the visualizations.

What is the dashboard definition?. Five sections in the JSON source code of a Dashboard Studio dashboard. A .conf file that defines a dashboard. Text added to the top of a dashboard beneath the title.

Which data source type can only be added using the source editor?. ds.test. ds.search. ds.savedSearch. ds.chain.

Which property is required in the chart options stanza to add a color to an event annotation?. annotation_time. annotationColor. annotationX.

Which features are only available in absolute layouts?. Gridlines. Background images. Charts.

What does using the tstats command with summariesonly=t argument do?. Generates results from summarized data. Generates results from both summarized and non-summarized data. Enables using tstats with a base search.

Settings in dashboard defaults section ____________________. are overridden by component-level settings. override component-level settings. can be used only for query parameters.

The unique ID for an input requires which prefix?. input. input_. in_.

Where are dynamic coloring object properties set for a visualization?. The visualization's options stanza. The visualization's context stanza. The dashboard definition's layout section.

When setting tokens on a visualization the Token Value name does what?. Passes the value clicked. Captures the value of the location clicked. Captures the field name of the value or location clicked.

What are the two types of custom drilldowns?. Dynamic Drilldown. Contextual Drilldown. Data Drilldown.

When using dynamic coloring, thresholding refers to what?. Color for a range of data values. The lowest data value to have dynamic color. The highest data value to have dynamic color.

What does a contextual drilldown do?. Sets tokens to pass values from a user click to another dashboard. Specifies a relative or absolute path to a URL. Sets tokens to pass values from a user click to another visualization on the same dashboard.

What is a dynamic input?. An input populated by search results. An input that uses a time range. An input that use tokens.

What can a dynamic drilldown do?. Set tokens to pass values from a user click to visualizations on the same dashboard. Set tokens to pass values from a user click to another dashboard. Specify a relative or absolute path to a URL.

What is a cascading input?. An input with a populating search that includes a token from another input. Multiple inputs that use similar populating searches. An input with static values and a populating search.

When setting tokens on a visualization the Token Value row.<field_name>.value does what?. Captures the field name of the value or location clicked. Captures the value in the specified series of the location clicked. Captures the value of the location clicked.

To create a Single Value Icon visualization, start by adding which visualization to a dashboard?. Icon. Single Value Radial. Single Value. Shape.

How are tokens referenced?. <myToken>. myToken. $myToken$.

What is Dynamic Options Syntax?. An operating system. The code structure for a dashboard in Dashboard Studio. The written code for visualizations in Dashboard Studio.

In a contextual drilldown, a token is set with one visualization and added where in another visualization?. The token is referenced to the second visualization's JSON source in the options stanza. The token is referenced in the second visualizations drilldown settings. The token is added to the search that drives the second visualization.

What behavior does a dashboard with inputs have when a Submit button is set to false? (select all that apply). It requires the button to be clicked for input selection to take effect. It will not display the Submit button. An input is automatically refreshed when a selection is made.

Which elements of a single value visualization can have dynamic color?. Trend. Sparkline. Background. Major value.

What elements of a Single Value Icon can be dynamically colored? (select all that apply). Major Value. Icon. Major Value and Icon. Trend.

Where are the formatting options set for a visualization?. The dashboard definition's layout section. The visualization's context stanza. The visualization's options stanza.

When using a dynamic drilldown to pass a token to another dashboard, which value must match between the source and destination dashboards?. Token Name. myToken. Token Value.

What is the maximum number of items a dropdown or multiselect can display?. 100. 1000. 50. 500.

What types of inputs are available in Dashboard Studio?. time range, multiselect, dropdown, text, number, checkbox. time range, multiselect, dropdown, text, number, radio, checkbox. time range, multiselect, dropdown, text, number.

What is dynamic coloring?. A color palette pop-up window. Coloring a visualization based on search results. Custom color palettes.

When setting tokens on a visualization, the Token Value value does what?. Captures the field name of the value or location clicked. Captures the value of the location clicked. Passes the value clicked.

What are the default tokens set by a time range input?. $global_time.newest$, $global_time.oldest$. $time.newest$, $time.oldest$. $time.latest$, $time.earliest$. $global_time.latest$, $global_time.earliest$.

True or False: When using the outputlookup command, you can use the lookup's filename or definition. TRUE. FALSE.

True or False: Access lookup data by including a subsearch in the basic search with the inputlookup command. FALSE. TRUE.

If using | return <field>, the search will return: All values of <field>. All values of <field> as field-value pairs. The 1st <field> value. The 1st <field> and its value as a key-value pair.

Which of these inputlookup expressions is invalid?. | inputlookup file.csv. | inputlookup file.csv.gz. | inputlookup map.kml. | inputlookup map_lookup.

Which return expression would return the first 3 values of the IP field as key-value pairs?. | return 3 IP. | return IP limit=3. | return 3 $IP. | return $IP limit=3.

What character should wrap a subsearch?. ( ) Parentheses. " " Quotes. { } Curly braces. [ ] Brackets.

What command should you use if you want to write the results of a search to a lookup?. createinapp. outputlookup. inputlookup. lookup.

If using | return $<field>, the search will return: All values of <field>. All values of <field> as field-value pairs. The 1st <field> value. The 1st <field> and its value as a key-value pair.

True or False: Subsearches are always executed first. TRUE. FALSE.

Complete the lookup expression. The lookup should output IP, EMAIL, and DEPT values as ip, email, and dept. These lookup output fields should overwrite existing fields. | lookup newEmployees.csv USERNAME as Username <missing>. | lookup newEmployees.csv USERNAME as Username OUTPUTNEW IP as ip, EMAIL as email, DEPT as dept. | lookup newEmployees.csv USERNAME as Username OUTPUTNEW lower(IP,EMAIL,DEPT). | lookup newEmployees.csv USERNAME as Username OUTPUT lower(IP,EMAIL,DEPT). | lookup newEmployees.csv USERNAME as Username OUTPUT IP as ip, EMAIL as email, DEPT as dept.

True or False: Subsearch results are combined with an AND Boolean and attached to the outer search with an OR Boolean. TRUE. FALSE.

What fields will be added to the event data when this lookup expression is executed? | lookup knownusers.csv user. Any field that begins with "user" from knownusers.csv. All fields from knownusers.csv. No fields will be added because the user field already exists in the events. Only the user field from knownusers.csv.

Subsearches work best if they produce a large or small dataset? (Hint: Subsearches pass results to the outer search for filtering.). large. small.

True or False: The eval function mvsort sorts values lexicographically. Therefore, assuming UTF-8 encoding, numbers are sorted based on the first digit, numbers are sorted before letters, and uppercase letters are sorted before lowercase letters. TRUE. FALSE.

True or False: mvcount is a multivalue eval function that counts the number of values for a specified field. FALSE. TRUE.

Use the eval function ___ to concatenate the values of a multivalue field with a specified delimiter and output a single-value field. mvjoin.

True or False: If no output argument is defined for the spath command, the extracted data will be written to the value of the path argument. FALSE. TRUE.

Which stats function would you use if you wanted to list all field values for a field?. list. values.

For table-formatted events, the ___ command creates an event for each table row. multikv. eval. spath. list.

The path argument of the spath command can contain one or more ___ separated by periods. location steps. field values. IP Addresses. options.

Use the eval function ___ to concatenate the values of two multivalue fields with a delimiter. mvzip.

The eval function ___ filters a multivalue field based on an arbitrary Boolean expression. mvfilter.

Which eval function will create a multivalue field by separating a single-value field based on a delimiter?. values. list. makemv. split.

Which eval function performs an operation over the values of a specified multivalue field and outputs a multivalue field as the result?. mvmap. mvmath. mvstats. mveval.

The eval function ____ reads an array of a specified multivalue field and returns the value contained in the specified array position. mvindex.

The multivalue command ___ takes a multivalue field and creates a separate event for each value. mvexpand.

Which multivalue command converts an existing single-value field into a multivalue field based on a delimiter or regex?. split. multikv. makemv. spath.

Which eval function would you use to sort values of a multivalue field?. mvfilter. mvsort. mvindex. split.

Where can comments be placed in a search?. Comments must be placed at the beginning of a search. Comments can be placed anywhere inside a search. Comments can be placed anywhere, provided they follow a pipe. Comments must be placed at the end of a search.

When is a bucket's bloom filter created?. When a TSIDX file is created. When a bucket rolls from hot to warm. When a search is run. When a bucket rolls from warm to cold.

Which directive can be used in a search to bypass minor breakers inside the supplied argument?. RETURN. LISPY. INCLUDE. TERM.

Which of the following breakers would be used first in segmentation?. Hyphens. Periods. Colons. Commas.

Which of the following expressions builds a search-time bloom filter?. A macro expression. A regular expression. An eval expression. A lispy expression.

Which of the following syntaxes signify a comment in SPL?. (comment). ::comment::. `comment`. ```comment```.

Which component of a bucket stores raw event data?. Posting List. Journal. Lexicon. TSIDX files.

Where should the makeresults command be placed within a search?. The makeresults command can be used anywhere in a search. The makeresults command must be the first command in a search. The makeresults command must be the final command in a search. The makeresults command can be used anywhere after initial terms in a search.

Which architectural component of a Splunk deployment initiates a search?. Forwarder. Search Head. Index. Indexer.

After Splunk tokenizes terms at index time, where are the tokens stored?. In a frozen bucket. In the lexicon. In a bloom filter. In the posting list.

Where in the search pipeline are transforming commands executed?. Inside a hot bucket. Inside a warm bucket. On the indexer. On the search head.

If a search begins with a distributable streaming command, where is it first executed?. It depends on whether or not the command is a transforming command. On the indexer. On the search head. It depends on whether or not the command is a centralized command.

Which of the following conditions could cause a lispy expression to not create tokens?. A wildcard at the end of a search. A minor breaker in the middle of a search. A wildcard at the beginning of a search. A major breaker in the middle of a search.

Which of the following commands generates temporary search results?. genresults. resultgen. makeresults. tempresults.

Which component of the Search Job Inspector shows how long a search took to execute?. Execution Costs. Execution Time Range. Header. Search Job Properties.

Which component stores acceleration summaries for ad hoc data model acceleration?. the search head and the indexers. the indexers. none of the above. the search head.

True or False: By default, Power and Admin users have the privileges that allow them to accelerate reports. FALSE. TRUE.

If you run the datamodel command by itself, what will Splunk return?. all the data models you have created since Splunk was last restarted. all the data models on your deployment regardless of their permissions. all the data models you have access to.

Which option used with the data model command allows you to search events? (Choose all that apply.). showevents=true. search. flat. search=true.

Which command type is allowed before a transforming command in an accelerated report?. distributable streaming commands. centralized streaming commands. non-streaming commands.

An accelerated report must include a ___ command. transforming.

Report acceleration summaries are stored alongside ___ in the ___. saved reports; search head. buckets; indexes. saved reports; indexes. buckets; search head.

True or False: The tstats command needs to come first in the search pipeline because it is a generating command. TRUE. FALSE.

On the Searches, Reports, and Alerts page, you will see a ___ if your report is accelerated. green checkmark. yellow lightning bolt. pink cloud. nothing, you need to look at the report properties to see if the report is accelerated.

What is the proper syntax to include if you want to search a data model acceleration summary called "mydatamodel" with tstats?. search IN(datamodel=mydatamodel). from datamodel=mydatamodel. within "mydatamodel". by datamodel=mydatamodel.

Which of the following file types can be uploaded to create a lookup?. CSV. XLS. XML. PDF.

When a user has left your organization, what happens to their knowledge objects?. A power user can reassign them to another user. They are automatically reassigned to a power user. An admin can reassign them to another user. They are automatically reassigned to an admin.

Where can you find a list of all fields returned from events?. The fields posting list. The fields sidebar. The fields dropdown. The fields library.

Which of the following methods can be used to manually extract fields?. The Regular Expression Generator. The Event Type Builder. Delimiters. Regular Expressions, or RegEx.

Which two of the following knowledge object types can contain an eval expression?. Workflow actions. Calculated fields. Macros. Field aliases.

What are the primary functions of a workflow action?. Communicating with an external source using the HTTP POST method. Passing information to external deployments to query additional indexes. Passing information back to Splunk to run a secondary search. Communicating with an external source using the HTTP GET method.

Which knowledge object type can communicate with external sources using the HTTP GET and POST methods?. Search actions. Field extractions. Lookups. Workflow actions.

By default, when a knowledge object is created, who can access its contents?. The user who created it or a user with an admin role. Any user in the environment. Any power user in the environment. Any user of the app in which it was created.

Which knowledge object type can store entire search strings, including commands?. Calculated fields. Macros. Event types. Tags.

Which knowledge object type can be searched in Pivot?. Event types. Data types. Dashboards. Data models.

Which of the following user roles can create knowledge objects?. Power User. Admin. User. Super User.

By default, what user role is required to make a knowledge object available to all apps?. Admin. Power User. Super User. User.

Which knowledge object type can contain an eval expression?. Calculated fields. Field aliases. Tags. Event types.

What are the three predefined sharing options for a knowledge object?. Shared in app. Private. Shared in all apps. Blocked in app.

Which knowledge objects can be scheduled to execute at specific times?. Reports. Alerts. Workflow actions. Macros.

What file types are supported as Geospatial Lookup Files?. ZIP. TAR/TAR.GZ. KMZ. KML.

True or False: To create a new lookup table file, navigate in Splunk Web to New Lookup Table Files, and then copy and paste the CSV data directly into the web form. FALSE. TRUE.

Which of the following are valid use cases for Lookups?. Adding user names associated with a workstation ID. Adding sale prices for products. Adding descriptions for HTTP status codes. Adding event types and tags.

File-based lookups populate your events with fields pulled from _________ files. KMZ (Keyhole Markup language Zipped). CSV (comma-separated values). KV Store collection. Python script.

Splunk ships with the external_lookup.py script. What steps need to happen next, so the external lookup can be used in search?. The external lookup needs to be defined. The Python Upgrade Readiness App must be installed. The script needs to be moved to an appropriate directory. The script must be modified to match your lookup file.

Lookups comes before Tags in the search-time operation sequence. True or False: Lookups can reference Tags. TRUE. FALSE.

Which of the following is true of a CSV file used for a lookup. The first row represents field names. The first column represents the input field. The first column represents field names. The first column represents the output fields.

File-based lookups pull data from standalone files at ___________ and add it to search results. search time. index time. _time.

True or False. You must upload a lookup file for both file-based and KV store lookups. TRUE. FALSE.

Use KV Store lookups for large sets of data that require updates. TRUE. FALSE.

Which of the following is true of creating File-Based lookup definitions?. Lookups are always case insensitive. Lookups are always case sensitive. You can optionally configure time-based lookups. A lookup table file must be created prior to a lookup definition.

What command should you use if you want to write the results of a search to a KV Store lookup?. lookup outputnew. inputlookup. outputlookup. lookup output.

In Splunk, there are up to 3 steps involved to create a lookup. Select all that apply. Create an "Automatic Lookup" definition to have the lookup run automatically. Download from Lookup Library. Upload the lookup data file. Create a lookup definition.

What are some of the available lookup types in Splunk?. Geospatial. External. Calculated Fields. KV Store.

What is the definition of SVG?. Simple Vector Graphic: HTML-based file. Splunk Vector Graphic: JSON-based file. Scalable Vector Graphic: XML-based file. Scalable Vector Graphic: JSON-based file.

Which user roles by default can upload or delete images?. user. sc_admins. admin. power.

Using the globallimit argument with geostats does what?. Generates statistics in geographic bins. Controls column count (the number of series). Limits data to 1000 rows. Controls zoom level.

What is a choropleth map?. Metrics as shaded geographic regions. Regions shaded according to the pattern of a metric. Metrics shaded with color. A scatter plot.

What does the geostats command do?. Generates marker clusters. Adds IP location values. Generates statistics clustered into geographic bins. Adds latitude and longitude values.

Uploaded images are kept where?. User account. Embedded in the dashboard. KV Store. App.

In Dashboard Studio, what are the two data configurations required for the choropleth map type?. Area IDs and Area Values. Area Values and Color. Area IDs and Tooltip fields. Tooltip fields and Color.

When assigning a search to a Choropleth SVG, assign what to the first column of search results?. d. path id. count.

What types of cluster maps are available in Splunk?. Marker and Heat Maps. Bubble and Marker Maps. Cluster and Cadastral Maps. Choropleth and Topographic Maps.

With a choropleth map on the Search Page, the sequential color mode does what?. Adds color with light to dark shades of a single hue. Adds color by category value. Adds color with shades of one of two hues corresponding to high or low metrics. Adds color by default.

What color mode is only available for choropleth maps using the Dashboard Source Editor?. matchValue. gradient. rangeValue. divergent.

What options are available in the Interactivity editor?. Set tokens, link to a search, link to a dashboard, or link to a report. Link to a custom URL, set tokens, link to a dashboard, link to a report, link to a search. Link to a custom URL, set tokens, link to a dashboard, use an eval expression, and link to a search. Link to a search, link to a dashboard, link to a report.

What method can be used to create a cluster map?. geostats command. geostats and table commands. geostats command and data with latitude and longitude values. table command.

What is the color mode option available in Dashboard Studio choropleth maps?. Gradient. Categorical. Range value. Sequential.

With a choropleth map on the Search Page, the divergent color mode does what?. Adds color by category value. Adds color by default. Adds color by value. Adds color by high and low values.

The table command is used to create which map type?. SVG maps. Marker maps. Bubble maps. Choropleth maps.

What color modes are available for choropleth maps on the Search page?. Gradient, Divergent, Segment. Sequential, Divergent, Gradient. Sequential, Divergent, Gradient. Categorical,, Divergent, Gradient.

Which of these can be changed in the cluster map format menu?. Tooltip text. Map tile source. Default geobin. Marker color.

When assigning a search to a Choropleth SVG, which search results define determine the fill color?. Third column named color. First column of tabular data. Second column named count. First column named colors.

Which fields are added by the iplocation command?. latitude, longitude, City, Country, Region. lat, lon. lat, lon, City, Country, Region. latitude, longitude.

What options are available in the Dashboard Editor for custom data point colors on cluster maps?. Custom marker color. Custom color for specific values or regions. Pantone color libraries for marker color. Custom marker and tooltip color.

Saving a choropleth map from the Search page to Dashboard Studio does what?. Converts the Search page default colors to Dashboard Studio default colors. Prompts the user to choose default colors. Prompts the user to choose default colors and color mode. Retains the default color palette used by the Search page.

With a choropleth map on the Search Page, the categorical color mode does what?. Adds color by category value. Adds color by value. Adds color by high and low values. Adds color by default.

What are the names of applications that can create SVG files?. Microsoft PowerPoint. Inkscape. Adobe Illustrator.

Which argument is used with the geom command to name a field in the events with the featureId values?. geoFeature. featureCollection. featureId. featureIdField.

What are the requirements for a choropleth map in Dashboard Studio?. IP address fields, geojson file, and geom command. Data with geographic coordinates, transforming search, and geom command. Geojson file, geom command, iplocation command, and a geospatial lookup. Transforming search, geom command, and a geospatial lookup.

What options are available in the Dashboard Studio Editor for customizing maps?. Custom markers. Map tile set. Background Color. Zoom. Interactivity. Scale.

What is the predefined token row.geo_bounds.<orientation> used for?. Exact latitude and longitude of a user click. Outer boundaries of all clustered locations a marker represents. Inner boundaries of all the clustered locations a marker represents. Marker latitude and longitude wildcards.

What predefined tokens are available for maps in Dashboard Studio?. row.geo_bounds.<orientation>. click.lat.value, click.lon.value, click.boundaries. click.lat.name, click.lon.name, click.bounds.<orientation>. click.lat.value, click.lat.name, click.lon.name, click.lon.value.

Use the binspanlat, binspanlong and maxzoom level arguments to do what?. Control the zoom level. Control column count. Generate location data from IP addresses. Produce one result for each binned location.

What are the two data configurations required to assign color ranges to a choropleth SVG?. Area values. Area colors. Color ranges. Area IDs.

Which command generates statistics clustered into geographic bins?. stats command. geostats command. table command. iplocation command.

What is Dynamic Options Syntax?. Code used in Dashboard Studio for visualization options. Source code for a search query. Source code for tokens. Code used in Classic Dashboards for visualization options.

What color modes are available for both choropleth and marker maps using the Dashboard Source Editor?. rangeValue. matchValue. gradient. divergent.

In Dashboard Studio what are the three map layer types available?. Cluster, Marker, Choropleth. Choropleth, SVG, Cluster. Bubble, Marker, Choropleth. Bubble, Choropleth, Cluster.

What elements and attributes are required for a Choropleth SVG in Splunk?. d: the shape of the SVG outline. polygon: defines a closed shape. fill: a field for color reference. path id: the area defined data in. marker: defines a graphic.