SPLK-1002
Test title: SPLK-1002. Description: multiple-choice questions for preparing for the SPLK-1002 exam. Creation date: 2025/02/25. Category: Computing. Number of questions: 83.
1. Which one of the following statements about the search command is true?
- A. It does not allow the use of wildcards.
- B. It treats field values in a case-sensitive manner.
- C. It can only be used at the beginning of the search pipeline.
- D. It behaves exactly like search strings before the first pipe.

2. What will you learn from the results of the following search? sourcetype=cisco_esa | transaction mid, dcid, icid | timechart avg(duration)
- The average time elapsed during each transaction for all transactions.
- The average time for each event within each transaction.
- The average time between each transaction.

3. A data model consists of which three types of datasets?
- Constraint, field, value.
- Events, searches, transactions.
- Field extraction, regex, delimited.
- Transaction, session ID, metadata.

4. Which of the following knowledge objects can reference field aliases?
- Calculated fields, lookups, event types, and tags.
- Calculated fields and tags only.
- Calculated fields and event types only.
- Calculated fields, lookups, event types, and extracted fields.

5. How could the following syntax for the chart command be rewritten to remove the OTHER category? (select all that apply)
- | chart count over CurrentStanding by Action useother=f
- | chart count over CurrentStanding by Action usenull-f useother-t
- | chart count over CurrentStanding by Action limit=10 useother=f
- | chart count over CurrentStanding by Action limit-10

6. Which of the following commands connects an additional table of data directly to the right side of the existing table?
- subsearch
- update
- appendcols
- append

7. Use the dedup command to _____.
- Rename a field in the index.
- Remove duplicate values.
- Provide an additional alias for the field that can be used in the search criteria.

8. Using the export function, you can export search results as __________. (Select all that apply)
- XML
- JSON
- HTML
- A PHP file

9. Which search would limit an "alert" tag to the "host" field?
- tag=alert
- host::tag::alert
- tag==alert
- tag::host=alert

10. This is what Splunk uses to categorize the data that is being indexed.
- Host
- Sourcetype
- Index
- Source

11. Which of the following statements are true for this search? (Select all that apply.) SEARCH: sourcetype=access* | fields action productId status
- Is looking for all events that include the search terms: fields AND action AND productId AND status.
- Uses the table command to improve performance.
- Limits the fields that are extracted.
- Returns a table with 3 columns.

12. What is the Splunk Common Information Model (CIM)?
- The CIM is a prerequisite that any data source must meet to be successfully onboarded into Splunk.
- The CIM provides a methodology to normalize data from different sources and source types.
- The CIM defines an ecosystem of apps that can be fully supported by Splunk.
- The CIM is a data exchange initiative between software vendors.

13. Which of the following is true about data model attributes?
- They cannot be created within the data model.
- They can only be added into a root search dataset.
- They cannot be edited if inherited from a parent dataset.
- They can be added to a dataset from search time field extractions.

14. What other syntax will produce exactly the same results as | chart count over vendor_action by user?
- | chart count by vendor_action, user
- | chart count over vendor_action, user
- | chart count by vendor_action over user
- | chart count over user by vendor_action

15. Which of the following commands will show the maximum bytes?
- sourcetype=access_* | maximum totals by bytes
- sourcetype=access_* | avg (bytes)
- sourcetype=access_* | stats max(bytes)
- sourcetype=access_* | max(bytes)

16. Which of the following are valid options with the chart command?
- useother
- usenull
- fillfield
- usefiled

17. In the Field Extractor Utility, this button will display events that do not contain extracted fields. Select your answer.
- Selected-Fields
- Non-Matches
- Non-Extractions
- Matches

18. The timechart command buckets data in time intervals depending on:
- The number of events returned.
- The selected time range.
- The type of visualization selected.

19. This is what Splunk uses to categorize the data that is being indexed.
- sourcetype
- index
- source
- host

20. When creating a data model, which root dataset requires at least one constraint?
- Root transaction dataset.
- Root event dataset.
- Root child dataset.
- Root search dataset.

21. Which type of workflow action sends field values to an external resource (e.g. a ticketing system)?
- POST
- Search
- GET
- Format

22. A macro has another macro nested within it, and this inner macro requires an argument. How can the user pass this argument into the SPL?
- An argument can be passed through the outer macro.
- An argument can be passed to the outer macro by nesting parentheses.
- There is no way to pass an argument to the inner macro.
- An argument can be passed to the inner macro by nesting parentheses.

23. Which of the following searches will return events containing a tag named Privileged?
- tag=Priv
- tag=Priv*
- tag=priv*
- tag=privileged

24. What is a benefit of installing the Splunk Common Information Model (CIM) add-on?
- It permits users to create workflow actions to align with industry standards.
- It provides users with a standardized set of field names and tags to normalize data.
- It allows users to create 3-D models of their data and export these visualizations.
- It enables users to itemize their events based on the results of the Search Job Inspector.

25. How is a Search Workflow Action configured to run at the same time range as the original search?
- Select the "Overwrite time range with the original search" checkbox.
- Select the "Use the same time range as the search that created the field listing" checkbox.
- Set the earliest time to match the original search.
- Select the same time range from the time-range picker.

26. To which of the following can a field alias be applied?
- Data found in a lookup table.
- Either a calculated field or an extracted field.
- Only one single field in a dataset.
- A given host, source, or sourcetype.

27. When using | timechart by host, which field is represented in the x-axis?
- date
- host
- time
- _time

28. How is a Search Workflow Action configured to run at the same time range as the original search?
- Set the earliest time to match the original search.
- Select the same time range from the time-range picker.
- Select the "Use the same time range as the search that created the field listing" checkbox.
- Select the "Overwrite time range with the original search" checkbox.

29. A Splunk app is configured to extract domain names in web service logs and specify them as a field named domain. What workflow action would return an external IP lookup for the field named domain?
- POST
- PUT
- GET
- Search

30. A user wants a table that will show the total revenue made for each product in each sales region. Which would be the correct SPL query to use?
- index=X sourcetype=Y | chart sum(product) by price AND region
- index=X | chart sum(price) by product, region
- index=X | chart total(product) over price by region
- index=X | chart total(price) by product, region

31. Which of the following is included with the Splunk Common Information Model (CIM) Add-on?
- Sourcetype definitions from the most popular technology vendors.
- A set of pre-configured data models.
- Scripted inputs to pre-align data with the CIM.
- Dashboards to validate data quality.

32. Which field extraction method should be selected for comma-separated data?
- Regular expression
- Delimiters
- Eval expression
- Table extraction

33. When a search returns __________, you can view the results as a list.
- A list of events
- Transactions
- Statistical values

34. __________ datasets can be added to a root dataset to narrow down the search.
- parent
- extracted
- event
- child

35. Which of the following is true about data sets used in the Pivot tool?
- They can only be created from data models.
- They can only be created by users with the Admin role.
- They can only be created from summary indexes.
- They can only be created from saved reports.

36. Which of the following eval commands will provide a new value for host from src if it exists?
- | eval host = if (isnull (src), src, host)
- | eval host = if (NOT src = host, src, host)
- | eval host = if (src = host, src, host)
- | eval host = if (isnotnull (src), src, host)

37. How is an event type created from the search window? (select all that apply)
- In the top right corner, click Save As > Event Type.
- In an event's detail dropdown, click Event Actions > Build Event Type.
- Edit eventtypes.conf and add a new stanza.
- Add | eventtype to the SPL and execute the search.

38. index=main sourcetype=http_log | fillnull value="Unknown" src
- Set the values of the src field to null when it is "Unknown".
- Set all fields with the value of "Unknown" to null.
- Set the values of the src field to "Unknown" if it is null.
- Set all fields that are null to "Unknown".

39. A calculated field may be based on which of the following?
- Fields generated within a search string.
- Lookup tables.
- Regular expressions.
- Extracted fields.

40. Field aliases are used to __________ data.
- Clean
- Transform
- Calculate
- Normalize

41. Which of the following searches show a valid use of a macro? (Select all that apply)
- index=main source=mySource oldField=* | 'makeMyField(oldField)' | table _time newField
- index=main source=mySource oldField=* | stats if('makeMyField(oldField)') | table _time newField
- index=main source=mySource oldField=* | eval newField='makeMyField(oldField)' | table _time newField
- index=main source=mySource oldField=* | "'newField('makeMyField(oldField)')'" | table _time newField

42. Which of the following statements describes POST workflow actions?
- POST workflow actions are always encrypted.
- POST workflow actions cannot use field values in their URI.
- POST workflow actions cannot be created on custom sourcetypes.
- POST workflow actions can open a web page in either the same window or a new.

43. What do events in a transaction have in common?
- All events in a transaction must have the same timestamp.
- All events in a transaction must have the same sourcetype.
- All events in a transaction must have the exact same set of fields.
- All events in a transaction must be related by one or more fields.

44. Which of the following statements about data models and pivot are true? (select all that apply)
- They are both knowledge objects.
- Data models are created out of datasets called pivots.
- Pivot requires users to input SPL searches on data models.
- Pivot allows the creation of data visualizations that present different aspects of a data model.

45. Which of the following statements about macros is true? (select all that apply)
- Arguments are defined at execution time.
- Arguments are defined when the macro is created.
- Argument values are used to resolve the search string at execution time.
- Argument values are used to resolve the search string when the macro is created.

46. Which of the following knowledge objects represents the output of an eval expression?
- Eval fields
- Calculated fields
- Field extractions
- Calculated lookups

47. Which of the following statements describes Search workflow actions?
- By default, Search workflow actions will run as a real-time search.
- Search workflow actions can be configured as scheduled searches.
- The user can define the time range of the search when creating the workflow action.
- Search workflow actions cannot be configured with a search string that includes the transaction command.

48. When creating a Search workflow action, which field is required?
- Search string
- Data model name
- Permission setting
- An eval statement

49. What is required for a macro to accept three arguments?
- The macro's name ends with (3).
- The macro's name starts with (3).
- The macro's argument count setting is 3 or more.
- Nothing, all macros can accept any number of arguments.

50. How does a user display a chart in stack mode?
- By using the stack command.
- By turning on the Use Trellis Layout option.
- By changing Stack Mode in the Format menu.
- You cannot display a chart in stack mode, only a timechart.

51. Which of the following file formats can be extracted using a delimiter field extraction?
- CSV
- PDF
- XML
- JSON

52. What are the two parts of a root event dataset?
- Fields and variables.
- Fields and attributes.
- Constraints and fields.
- Constraints and lookups.

53. Data models are composed of one or more of which of the following datasets? (select all that apply)
- Events datasets.
- Search datasets.
- Transaction datasets.
- Any child of event, transaction, and search datasets.

54. Which of the following statements describes macros?
- A macro is a reusable search string that must contain the full search.
- A macro is a reusable search string that must have a fixed time range.
- A macro is a reusable search string that may have a flexible time range.
- A macro is a reusable search string that must contain only a portion of the search.

55. Which of the following statements is true, especially in large environments?
- Use the stats command when you need to group events by two or more fields.
- The stats command is faster and more efficient than the transaction command.
- The transaction command is faster and more efficient than the stats command.
- Use the transaction command when you want to see the results of a calculation.

56. Which of the following statements describe the Common Information Model (CIM)? (select all that apply)
- CIM is a methodology for normalizing data.
- CIM can correlate data from different sources.
- The Knowledge Manager uses the CIM to create knowledge objects.
- CIM is an app that can coexist with other apps on a single Splunk deployment.

57. Calculated fields can be based on which of the following?
- Tags.
- Extracted fields.
- Output fields for a lookup.
- Fields generated from a search string.

58. What does the fillnull command replace null values with, if the value argument is not specified?
- 0
- N/A
- NaN
- NULL

59. Which of the following statements describes this search? sourcetype=access_combined | transaction JSESSIONID | timechart avg(duration)
- This is a valid search and will display a timechart of the average duration of each transaction event.
- This is a valid search and will display a stats table showing the maximum pause among transactions.
- No results will be returned because the transaction command must include the startswith and endswith options.
- No results will be returned because the transaction command must be the last command used in the search pipeline.

60. When using the Field Extractor (FX), which of the following delimiters will work? (select all that apply)
- Tabs
- Pipes
- Colons
- Spaces

61. Selected fields are displayed ______ each event in the search results.
- below
- interesting fields
- other fields
- above

62. Which of the following are required to create a POST workflow action?
- Label, URI, search string.
- XML attributes, URI, name.
- Label, URI, POST arguments.
- URI, search string, time range picker.

63. A field alias has been created based on an original field. A search without any transforming commands is then executed in Smart Mode. Which field name appears in the results?
- Both will appear in the All Fields list, but only if the alias is specified in the search.
- Both will appear in the Interesting Fields list, but only if they appear in at least 20 percent of events.
- The original field only appears in the All Fields list and the alias only appears in the Interesting Fields list.
- The alias only appears in the All Fields list and the original field only appears in the Interesting Fields list.

64. What functionality does the Splunk Common Information Model (CIM) rely on to normalize fields with different names?
- Macros.
- Field aliases.
- The rename command.
- CIM does not work with different names for the same field.

65. After manually editing a regular expression (regex), which of the following statements is true?
- Changes made manually can be reverted in the Field Extractor (FX) UI.
- It is no longer possible to edit the field extraction in the Field Extractor (FX) UI.
- It is not possible to manually edit a regular expression (regex) that was created using the Field Extractor (FX) UI.
- The Field Extractor (FX) UI keeps its own version of the field extraction in addition to the one that was manually edited.

66. Which of the following describes the Splunk Common Information Model (CIM) add-on?
- The CIM add-on uses machine learning to normalize data.
- The CIM add-on contains dashboards that show how to map data.
- The CIM add-on contains data models to help you normalize data.
- The CIM add-on is automatically installed in a Splunk environment.

67. Which of the following statements describes field aliases?
- Field alias names replace the original field name.
- Field aliases can be used in lookup file definitions.
- Field aliases only normalize data across sources and sourcetypes.
- Field alias names are not case sensitive when used as part of a search.

68. When multiple event types with different color values are assigned to the same event, what determines the color displayed for the events?
- Rank
- Weight
- Priority
- Precedence

69. Which of the following statements describe the search below? (select all that apply) index=main | transaction clientip host maxspan=30s maxpause=5s
- Events in the transaction occurred within 5 seconds.
- It groups events that share the same clientip and host.
- The first and last events are no more than 5 seconds apart.
- The first and last events are no more than 30 seconds apart.

70. Which of the following statements describe calculated fields? (select all that apply)
- Calculated fields can be used in the search bar.
- Calculated fields can be based on an extracted field.
- Calculated fields can only be applied to host and sourcetype.
- Calculated fields are shortcuts for performing calculations using the eval command.

71. Which of the following eval command functions is valid?
- Int ()
- Count ( )
- Print ()
- Tostring ()

72. A calculated field may be based on which of the following?
- Lookup tables.
- Extracted fields.
- Regular expressions.
- Fields generated within a search string.

73. Which of the following actions can the eval command perform?
- Remove fields from results.
- Create or replace an existing field.
- Group transactions by one or more fields.
- Save SPL commands to be reused in other searches.

74. Data model fields can be added using the Auto-Extracted method. Which of the following statements describe Auto-Extracted fields? (select all that apply)
- Auto-Extracted fields can be hidden in Pivot.
- Auto-Extracted fields can have their data type changed.
- Auto-Extracted fields can be given a friendly name for use in Pivot.
- Auto-Extracted fields can be added if they already exist in the dataset with constraints.

75. To identify all of the contributing events within a transaction that contains at least one REJECT event, which syntax is correct?
- Index-main | REJECT trans sessionid
- Index-main | transaction sessionid | search REJECT
- Index=main | transaction sessionid | whose transaction=reject
- Index=main | transaction sessionid | where transaction=reject

76. Which are valid ways to create an event type? (select all that apply)
- By using the searchtypes command in the search bar.
- By editing the event_type stanza in the props.conf file.
- By going to the Settings menu and clicking Event Types > New.
- By selecting an event in search results and clicking Event Actions > Build Event Type.

77. A space is an implied _____ in a search string.
- OR
- AND
- ()
- NOT

78. When using timechart, how many fields can be listed after a by clause?
- because timechart doesn't support using a by clause.
- because _time is already implied as the x-axis.
- because one field would represent the x-axis and the other would represent the y-axis.
- There is no limit specific to timechart.

79. Based on the macro definition shown below, what is the correct way to execute the macro in a search string?
- Convert_sales (euro, €, 79)”
- Convert_sales (euro, €, .79)
- Convert_sales ($euro,$€$,s79$
- Convert_sales ($euro, $€$,S,79$)

80. Which of the following workflow actions can be executed from search results? (select all that apply)
- GET
- POST
- LOOKUP
- Search

81. Which of the following statements describe the search string below? | datamodel Application_State All_Application_State search
- Evenrches would return a report of sales by state.
- Events will be returned from the data model named Application_State.
- Events will be returned from the data model named All_Application_state.
- No events will be returned because the pipe should occur after the datamodel command.

82. What is the relationship between data models and pivots?
- Data models provide the datasets for pivots.
- Pivots and data models have no relationship.
- Pivots and data models are the same thing.
- Pivots provide the datasets for data models.

83. Which of the following statements describes the command below? (select all that apply) sourcetype=access_combined | transaction JSESSIONID
- An additional field named maxspan is created.
- An additional field named duration is created.
- An additional field named eventcount is created.
- Events with the same JSESSIONID will be grouped together into a single event.