Brainscape's Knowledge GenomeTM

Browse over 1 million classes created by top students, professors, publishers, and experts.


See full index

splunk > examtopics > Flashcards

examtopics Flashcards

1
Q

Which delimiters can the Field Extractor (FX) detect? (Choose all that apply.)
* A. Tabs
* B. Pipes
* C. Spaces
* D. Commas

A

A. Tabs
B. Pipes
C. Spaces
D. Commas

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q

What does the Splunk Common Information Model (CIM) add-on include? (Choose all that apply.)
* A. Custom visualizations
* B. Pre-configured data models
* C. Fields and event category tags
* D. Automatic data model acceleration

A

B. Pre-configured data models
C. Fields and event category tags

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
3
Q

Which of the following is true about the Splunk Common Information Model (CIM)?
* A. The CIM contains 28 pre-configured datasets.
* B. The data models included in the CIM are configured with data model acceleration turned on.
* C. The data models included in the CIM are configured with data model acceleration turned off.
* D. The CIM is an app that needs to run on the indexer.

A

C. The data models included in the CIM are configured with data model acceleration turned off.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
4
Q

Which of the following statements describes calculated fields?
* A. Calculated fields are only used on fields added by lookups.
* B. Calculated fields are a shortcut for repetitive and complex eval commands.
* C. Calculated fields are a shortcut for repetitive and complex calc commands.
* D. Calculated fields automatically calculate the simple moving average for indexed fields.

A

B. Calculated fields are a shortcut for repetitive and complex eval commands.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
5
Q

In the following eval statement, what is the value of description if the status is 503? index=main | eval description=case(status==200, “OK”, status==404, “Not found”, status==500, “Internal Server Error”)
* A. The description field would contain no value.
* B. The description field would contain the value 0.
* C. The description field would contain the value “Internal Server Error”.
* D. This statement would produce an error in Splunk because it is incomplete.

A

A. The description field would contain no value

(F2 s.112)

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
6
Q

A user wants to create a new field alias for a field that appears in two sourcetypes.
How many field aliases need to be created?
* A. One.
* B. Two.
* C. It depends on whether the original fields have the same name.
* D. It depends on whether the two sourcetypes are associated with the same index.

A

B. Two.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
7
Q

Which of the following statements about tags is true?
* A. Tags are case insensitive.
* B. Tags are created at index time.
* C. Tags can make your data more understandable.
* D. Tags are searched by using the syntax tag::<fieldname>

A

C. Tags can make your data more understandable

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
8
Q

Consider the following search:
index=web sourcetype=access_combined
The log shows several events that share the same JSESSIONID value (SD421K26502F783). View the events as a group.
From the following list, which search groups events by JSESSIONID?
* A. index=web sourcetype=access_combined | transaction JSESSIONID | search SD42IK26502F783
* B. index=web sourcetype=access_combined | highlight JSESSIONID | search SD421K26502F783
* C. index=web sourcetype=access_combined SD42IK26502F783 | table JSESSIONID
* D. index=web sourcetype=access_combined JSESSIONID <SD421K26502F783>

A
  • A. index-web sourcetype=access_combined | transaction JSESSIONID | search SD42IK26502F783
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
9
Q

Data models are composed of one or more of which of the following datasets? (Choose all that apply.)
* A. Events datasets
* B. Search datasets
* C. Transaction datasets
* D. Any child of event, transaction, and search datasets

A

A. Events datasets
B. Search datasets
C. Transaction datasets

NOT D. MAX CONFIRMED NOT D, I REPEAT, NOT D
(Max verkar vara väldigt säker på det här)

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
10
Q

What is the correct syntax to find events associated with a tag?
* A. tag::<field>=<value>
* B. tags=<value>
* C. tags::<field>=<value>
* D. tag=<value>

A

D. tag=<value>

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
11
Q

When defining a macro, what are the required elements?
* A. Name and a validation error message.
* B. Definition and arguments.
* C. Name and arguments.
* D. Name and definition.

A

D. Name and definition

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
12
Q

Which of the following statements describe the search below? (Choose all that apply.) index=main | transaction clientip host maxspan=30s maxpause=5s
* A. Events in the transaction occurred within 5 seconds.
* B. It groups events that share the same clientip and host.
* C. The first and last events are no more than 5 seconds apart.
* D. The first and last events are no more than 30 seconds apart

A

B. It groups events that share the same clientip and host.
D. The first and last events are no more than 30 seconds apart

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
13
Q

What information must be included when using the datamodel command?
* A. status field
* B. Multiple indexes
* C. Data model field name.
* D. Data model dataset name.

A

D. Data model dataset name

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
14
Q

Data model fields can be added using the Auto-Extracted method.
Which of the following statements describe Auto-Extracted fields? (Choose all that apply.)
* A. Auto-Extracted fields can be hidden in Pivot.
* B. Auto-Extracted fields can have their data type changed.
* C. Auto-Extracted fields can be given a friendly name for use in Pivot.
* D. Auto-Extracted fields can be added if they already exist in the dataset with constraints.

A

All

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
15
Q

Which type of visualization shows relationships between discrete values in three dimensions?
* A. Pie chart
* B. Line chart
* C. Bubble chart
* D. Scatter chart

A

C. Bubble chart

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
16
Q

Where are the descriptions of the data models that come with the Splunk Common Information Model (CIM) Add-on documented?
* A. Pivot users manual.
* B. Search and reporting user manual.
* C. CIM Add-on manual.
* D. Data model command reference guide.

A

C. CIM Add-on manual.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
17
Q

Which of the following searches show a valid use of a macro? (Choose all that apply.)
* A. index=main source=mySource oldField=* | `makeMyField(oldField)`| table _time newField
* B. index=main source=mySource oldField=* | stats if(`makeMyField(oldField)`) | table _time newField
* C. index=main source=mySource oldField=* | eval newField=`makeMyField(oldField)`| table _time newField
* D. index=main source=mySource oldField=* | “`newField(`makeMyField(oldField)`)`” | table _time newField

A

A, B, C tycker Zeff är korrekt

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
18
Q

Which of the following statements about macros is true? (Choose all that apply.)
* A. Arguments are defined at execution time.
* B. Arguments are defined when the macro is created.
* C. Argument values are used to resolve the search string at execution time.
* D. Argument values are used to resolve the search string when the macro is created.

A

B. Arguments are defined when the macro is created.
C. Argument values are used to resolve the search string at execution time.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
19
Q

Which group of users would most likely use pivots?
* A. Users
* B. Architects
* C. Administrators
* D. Knowledge Managers

A

A. Users.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
20
Q

Which of the following actions can the eval command perform?
* A. Remove fields from results.
* B. Create or replace an existing field.
* C. Group transactions by one or more fields.
* D. Save SPL commands to be reused in other searches.

A

B. Create or replace an existing field.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
21
Q

When multiple event types with different color values are assigned to the same event, what determines the color displayed for the event?
* A. Rank
* B. Weight
* C. Priority
* D. Precedence

A

C.Priority

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
22
Q

In which of the following scenarios is an event type more effective than a saved search?
* A. When a search should always include the same time range.
* B. When a search needs to be added to other users’ dashboards.
* C. When the search string needs to be used in future searches.
* D. When formatting needs to be included with the search string.

A

C. When the search string needs to be used in future searches.

(F2 s.207)

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
23
Q

When using timechart, how many fields can be listed after a by clause?
* A. 0, because timechart doesn’t support using a by clause.
* B. 1, because _time is already implied as the x-axis.
* C. 2, because one field would represent the x-axis and the other would represent the y-axis.
* D. There is no limit specific to timechart.

A

B. 1, because _time is already implied as the x-axis.

(F2 s.67)

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
24
Q

When using | timechart by host, which field is represented in the x-axis?
* A. date
* B. host
* C. time
* D. _time

A

D. _time
(P.57, part2)

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
25
Q

Which of the following searches would return a report of sales by product_name?
* A. chart sales by product_name
* B. chart sum(price) as sales by product_name
* C. stats sum(price) as sales over product_name
* D. timechart list(sales), values(product_name)

A

B. chart sum(price) as sales by product_name

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
26
Q

Which of the following eval command functions is valid?
* A. int()
* B. count()
* C. print()
* D. tostring()

A

D. tostring()

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
27
Q

When should transaction be used?
* A. Only in a large distributed Splunk environment.
* B. When calculating results from one or more fields.
* C. When event grouping is based on start/end values.
* D. When grouping events results in over 1000 events in each group.

A

C. When event grouping is based on start/end values.
(p.135 part 2)

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
28
Q

When is a GET workflow action needed?
* A. To send field values to an external resource.
* B. To retrieve information from an external resource.
* C. To use field values to perform a secondary search.
* D. To define how events flow from forwarders to indexes.

A

B. To retrieve information from an external resource

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
29
Q

The Field Extractor (FX) is used to extract a custom field. A report can be created using this custom field. The created report can then be shared with other people in the organization.
If another person in the organization runs the shared report and no results are returned, why might this be? (Choose all that apply.)
* A. Fast mode is enabled.
* B. The dashboard is private.
* C. The extraction is private.
* D. The person in the organization running the report does not have access to the index.

A

C. The extraction is private.
D. The person in the organization running the report does not have access to the index.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
30
Q

Which of the following statements about event types is true? (Choose all that apply.)
* A. Event types can be tagged.
* B. Event types must include a time range.
* C. Event types categorize events based on a search.
* D. Event types can be a useful method for capturing and sharing knowledge.

A

A. Event types can be tagged.
C. Event types categorize events based on a search.
D. Event types can be a useful method for capturing and sharing knowledge.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
31
Q

A user wants to convert numeric field values to strings and also to sort on those values.
Which command should be used first, the eval or the sort?
* A. It doesn’t matter whether eval or sort is used first.
* B. Convert the numeric to a string with eval first, then sort.
* C. Use sort first, then convert the numeric to a string with eval.
* D. You cannot use the sort command and the eval command on the same field.

A

C. Use sort first, then convert the numeric to a string with eval.
(p.107, part2)

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
32
Q

Which of the following statements about tags is true? (Choose all that apply.)
* A. Tags are case-insensitive.
* B. Tags are based on field/value pairs.
* C. Tags categorize events based on a search.
* D. Tags are designed to make data more understandable.

A

B. Tags are based on field/value pairs.
D. Tags are designed to make data more understandable

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
33
Q

Which workflow action method can be used when the action type is set to link?
A. GET
B. PUT
C. Search
D. UPDATE

A

A. GET

(Kan vara POST också, s.223 F2)

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
34
Q

Which of the following knowledge objects represents the output of an eval expression?
* A. Eval fields
* B. Calculated fields
* C. Field extractions
* D. Calculated lookups

A

B. Calculated fields

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
35
Q

Which Knowledge Object does the Splunk Common Information Model (CIM) use to normalize data, in addition to field aliases, event types, and tags?
* A. Macros
* B. Lookups
* C. Workflow actions
* D. Field extractions

A

B. Lookups
might be D. Field extractions aswell if this is a multi-answer question

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
36
Q

Which of the following statements describe the command below? (Choose all that apply.) sourcetype=access_combined | transaction JSESSIONID
* A. An additional field named maxspan is created.
* B. An additional field named duration is created.
* C. An additional field named eventcount is created.
* D. Events with the same JSESSIONID will be grouped together into a single event.

A

B. An additional field named duration is created.
C. An additional field named eventcount is created.
D. Events with the same JSESSIONID will be grouped together into a single event.

(F2 s.126+129)

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
37
Q

Which of the following statements describe calculated fields? (Choose all that apply.)
* A. Calculated fields can be used in the search bar.
* B. Calculated fields can be based on an extracted field.
* C. Calculated fields can only be applied to host and sourcetype.
* D. Calculated fields are shortcuts for performing calculations using the eval command.

A

A. Calculated fields can be used in the search bar.
D. Calculated fields are shortcuts for performing calculations using the eval command.

(p.188 part 2)

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
38
Q

Information needed to create a GET workflow action includes which of the following? (Choose all that apply.)
* A. A name for the workflow action.
* B. A URI where the user will be directed at search time.
* C. A label that will appear in the Event Action menu at search time.
* D. A name for the URI where the user will be directed at search time.

A

A. A name for the workflow action.
C. A label that will appear in the Event Action menu at search time.

(F2 s.219-220)

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
39
Q

Which of the following statements describe the search string below?
| datamodel Application_State All_Application_State search
* A. Events will be returned from dataset named Application_State.
* B. Events will be returned from the data model named Application_State.
* C. Events will be returned from the data model named All_Application_State.
* D. No events will be returned because the pipe should occur after the datamodel command.

A

B. Events will be returned from the data model named Application_State.

kolla tavlan!!!!!!!!

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
40
Q

What does the following search do?
index=corndog type= mysterymeat action=eaten | stats count as corndog_count by user
* A. Creates a table of the total count of users and split by corndogs.
* B. Creates a table of the total count of mysterymeat corndogs split by user.
* C. Creates a table with the count of all types of corndogs eaten split by user.
* D. Creates a table that groups the total number of users by vegetarian corndogs.

A

B. Creates a table of the total count of mysterymeat corndogs split by user.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
41
Q

When performing a regular expression (regex) field extraction using the Field Extractor (FX), what happens when the require option is used?
* A. The regex can no longer be edited.
* B. The field being extracted will be required for all future events.
* C. The events without the required field will not display in searches.
* D. Only events with the required string will be included in the extraction.

A

D. Only events with the required string will be included in the extraction.

(F2 s.158)

42
Q

Which of the following searches will return events containing a tag named Privileged?
* A. tag=Priv
* B. tag=Priv*
* C. tag=priv*
* D. tag=privileged

A

B. tag=Priv*

(case sensitive, F2 s.197)

43
Q

Which of the following statements describes macros?
A. A macro is a reusable search string that must contain the full search.
B. A macro is a reusable search string that must have a fixed time range.
C. A macro is a reusable search string that may have a flexible time range.
D. A macro is a reusable search string that must contain only a portion of the search.

A

C. A macro is a reusable search string that may have a flexible time range.

44
Q

Which of the following statements describe data model acceleration? (Choose all that apply.)
* A. Root events cannot be accelerated.
* B. Accelerated data models cannot be edited.
* C. Private data models cannot be accelerated.
* D. You must have administrative permissions or the accelerate_datamodel capability to accelerate a data model.

A

B. Accelerated data models cannot be edited.
C. Private data models cannot be accelerated.
D. You must have administrative permissions or the accelerate_datamodel capability to accelerate a data model.

(F2 s.265)

45
Q

What is required for a macro to accept three arguments?
* A. The macro’s name ends with (3).
* B. The macro’s name starts with (3).
* C. The macro’s argument count setting is 3 or more.
* D. Nothing, all macros can accept any number of arguments.

A

A. The macro’s name ends with (3).

46
Q

Where are the results of eval commands stored?
* A. In a field.
* B. In an index.
* C. In a KV Store.
* D. In a database.

A

A. In a field.

(F2 s.97)

47
Q

A data model consists of which three types of datasets?
* A. Constraint, field, value.
* B. Events, searches, transactions.
* C. Field extraction, regex, delimited.
* D. Transaction, session ID, metadata.

A

B. Events, searches, transactions.

48
Q

Which of the following statements would help a user choose between the transaction and stats commands?
* A. stats can only group events using IP addresses.
* B. The transaction command is faster and more efficient.
* C. There is a 1000 event limitation with the transaction command.
* D. Use stats when the events need to be viewed as a single correlated event.

A

C. There is a 1000 event limitation with the transaction command.

49
Q

When using the Field Extractor (FX), which of the following delimiters will work? (Choose all that apply.)
* A. Tabs
* B. Pipes
* C. Colons
* D. Spaces

A

A. Tabs
B. Pipes
C. Colons
D. Spaces

50
Q

What do events in a transaction have in common?
* A. All events in a transaction must have the same timestamp.
* B. All events in a transaction must have the same sourcetype.
* C. All events in a transaction must have the exact same set of fields.
* D. All events in a transaction must be related by one or more fields.

A

D. All events in a transaction must be related by one or more fields.

51
Q

In what order are the following knowledge objects/configurations applied?
* A. Field Aliases, Field Extractions, Lookups
* B. Field Extractions, Field Aliases, Lookups
* C. Field Extractions, Lookups, Field Aliases
* D. Lookups, Field Aliases, Field Extractions

A

B. Field Extractions, Field Aliases, Lookups

52
Q

What other syntax will produce exactly the same results as | chart count over vendor_action by user?
* A. | chart count by vendor_action, user
* B. | chart count over vendor_action, user
* C. | chart count by vendor_action over user
* D. | chart count over user by vendor_action

A

A. | chart count by vendor_action, user

53
Q

Which of the following statements describes Search workflow actions?
* A. By default, Search workflow actions will run as a real-time search.
* B. Search workflow actions can be configured as scheduled searches.
* C. The user can define the time range of the search when created the workflow action.
* D. Search workflow actions cannot be configured with a search string that includes the transaction command.

A

C. The user can define the time range of the search when created the workflow action.

54
Q

Which of the following statements describes the use of the Field Extractor (FX)?
* A. The Field Extractor automatically extracts all fields at search time.
* B. The Field Extractor uses PERL to extract fields from the raw events.
* C. Fields extracted using the Field Extractor persist as knowledge objects.
* D. Fields extracted using the Field Extractor do not persist and must be defined for each search.

A

C. Fields extracted using the Field Extractor persist as knowledge objects

(F2 s.151)

55
Q

Which of the following statements describes field aliases?
* A. Field alias names replace the original field name.
* B. Field aliases can be used in lookup file definitions.
* C. Field aliases only normalize data across sources and sourcetypes.
* D. Field alias names are not case sensitive when used as part of a search.

A

B. Field aliases can be used in lookup file definitions.

56
Q

Which workflow uses field values to perform a secondary search?
* A. POST
* B. Action
* C. Search
* D. Sub-search

A

C. Search

57
Q

What is the correct syntax to search for a tag associated with a value on a specific field?
* A. tag=<field>
* B. tag=<field>(<tagname>)
* C. tag=<field>::<tagname>
* D. tag::<field>=<tagname>

A

D. tag::<field>=<tagname>

(F2 s.197)

58
Q

Which of the following statements describes POST workflow actions?
* A. Configuration of a POST workflow action includes choosing a sourcetype.
* B. POST workflow actions can be configured to send email to the URI location.
* C. By default, POST workflow actions are shown in both the event and field menus.
* D. POST workflow actions can be configured to send POST arguments to the URI location.

A

D. POST workflow actions can be configured to send POST arguments to the URI location.

59
Q

Which of the following commands support the same set of functions?
* A. stats, eval, table
* B. search, where, eval
* C. stats, chart, timechart
* D. transaction, chart, timechart

A

C. stats, chart, timechart

60
Q

What is a limitation of searches generated by workflow actions?
* A. Searches generated by workflow actions cannot use macros.
* B. Searches generated by workflow actions must be less than 256 characters long.
* C. Searches generated by workflow actions must run in the same app as the workflow action.
* D. Searches generated by workflow actions run with the same permissions as the user running them.

A

D. Searches generated by workflow actions run with the same permissions as the user running them.

61
Q

Which of the following statements describe the Common Information Model (CIM)? (Choose all that apply.)
* A. CIM is a methodology for normalizing data.
* B. CIM can correlate data from different sources.
* C. The Knowledge Manager uses the CIM to create knowledge objects.
* D. CIM is an app that can coexist with other apps on a single Splunk deployment.

A

A. CIM is a methodology for normalizing data.
B. CIM can correlate data from different sources.

62
Q

Which of the following statements about data models and pivot are true? (Choose all that apply.)
* A. They are both knowledge objects.
* B. Data models are created out of datasets called pivots.
* C. Pivot requires users to input SPL searches on data models.
* D. Pivot allows the creation of data visualizations that present different aspects of a data model.

A

D. Pivot allows the creation of data visualizations that present different aspects of a data model.

63
Q

When using the transaction command, what does the argument maxspan do?
* A. Sets the maximum total time between events in a transaction.
* B. Sets the maximum length of all the events within a transaction.
* C. Sets the maximum total time between the earliest and latest events in a transaction.
* D. Sets the maximum length that any single event can reach to be included in the transaction.

A

C. Sets the maximum total time between the earliest and latest events in a transaction.

64
Q

Which are valid ways to create an event type? (Choose all that apply.)
* A. By using the searchtypes command in the search bar.
* B. By editing the event_type stanza in the props.conf file.
* C. By going to the Settings menu and clicking Event Types > New.
* D. By selecting an event in search results and clicking Event Actions > Build Event Type.

A

C. By going to the Settings menu and clicking Event Types > New.
D. By selecting an event in search results and clicking Event Actions > Build Event Type.

65
Q

Which statement is true?
* A. Pivot is used for creating datasets.
* B. Data models are randomly structured datasets.
* C. Pivot is used for creating reports and dashboards.
* D. In most cases, each Splunk user will create their own data model.

A

C. Pivot is used for creating reports and dashboards.

(F2 s.229-230)

66
Q

In most large Splunk environments, what is the most efficient command that can be used to group events by fields?
* A. join
* B. stats
* C. streamstats
* D. transaction

A

B. stats

67
Q

To identify all of the contributing events within a transaction that contain at least one REJECT event, which syntax is correct?
* A. index=main REJECT | transaction sessionid
* B. index=main | transaction sessionid | search REJECT
* C. index=main | transaction sessionid | where transaction=reject
* D. index=main | transaction sessionid | where transaction=”REJECT*”

A

B. index=main | transaction sessionid | search REJECT
(p.133 part 2)

68
Q

Which of the following data models are included in the Splunk Common Information Model (CIM) add-on? (Choose all that apply.)
* A. Alerts
* B. Email
* C. Databases
* D. User permissions

A

A. Alerts
B. Email
C. Databases

(F2 s.273)

69
Q

Which of the following are required to create a POST workflow action?
* A. Label, URI, search string.
* B. XML attributes, URI, name.
* C. Label, URI, post arguments.
* D. URI, search string, time range picker.

A

C. Label, URI, post arguments.

70
Q

Which of the following statements describes POST workflow actions?
* A. POST workflow actions are always encrypted.
* B. POST workflow actions cannot use field values in their URI.
* C. POST workflow actions cannot be created on custom sourcetypes.
* D. POST workflow actions can open a web page in either the same window or a new window.

A

D. POST workflow actions can open a web page in either the same window or a new window.

71
Q

When should you use the transaction command instead of the stats command?
* A. When you need to group on multiple values.
* B. When duration is irrelevant in search results.
* C. When you have over 1000 events in a transaction.
* D. When you need to group based on start and end constraints.

A

D. When you need to group based on start and end constraints.

72
Q

A data model can consist of what three types of datasets?
* A. Pivot, searches, and events.
* B. Pivot, events, and transactions.
* C. Searches, transactions, and pivot.
* D. Events, searches, and transactions.

A

D. Events, searches, and transactions.

(F2 s.231)

73
Q

A calculated field may be based on which of the following?
* A. Lookup tables
* B. Extracted fields
* C. Regular expressions
* D. Fields generated within a search string

A

B. Extracted fields

(F2 s.188)

74
Q

When using the timechart command, how can a user group the events into buckets based on time?
* A. Using the span argument.
* B. Using the duration argument.
* C. Using the interval argument.
* D. Adjusting the fieldformat options.

A

A. Using the span argument.

75
Q

The eval command allows you to do which of the following? (Choose all that apply.)
* A. Format values
* B. Convert values
* C. Perform calculations
* D. Use conditional statements

A

A. Format values
B. Convert values
C. Perform calculations
D. Use conditional statements
With other words: ALL

76
Q

After manually editing a regular expression (regex), which of the following statements is true?
* A. Changes made manually can be reverted in the Field Extractor (FX) UI.
* B. It is no longer possible to edit the field extraction in the Field Extractor (FX) UI.
* C. It is not possible to manually edit a regular expression (regex) that was created using the Field Extractor (FX) UI.
* D. The Field Extractor (FX) UI keeps its own version of the field extraction in addition to the one that was manually edited.

A

B. It is no longer possible to edit the field extraction in the Field Extractor (FX) UI.

77
Q

Which of the following can be used with the eval command tostring function? (Choose all that apply.)
* A. “hex”
* B. “commas”
* C. “decimal”
* D. “duration”

A

A. “hex”
B. “commas”
D. “duration”

(F2 s.105)

78
Q

Which one of the following statements about the search command is true?
* A. It does not allow the use of wildcards.
* B. It treats field values in a case-sensitive manner.
* C. It can only be used at the beginning of the search pipeline.
* D. It behaves exactly like search strings before the first pipe.

A

D. It behaves exactly like search strings before the first pipe.

(F2 s.115)

79
Q

Which of the following statements is true, especially in large environments?
* A. Use the stats command when you need to group events by two or more fields.
* B. The stats command is faster and more efficient than the transaction command.
* C. The transaction command is faster and more efficient than the stats command.
* D. Use the transaction command when you want to see the results of a calculation.

A

B. The stats command is faster and more efficient than the transaction command.

80
Q

Which of the following file formats can be extracted using a delimiter field extraction?
* A. CSV
* B. PDF
* C. XML
* D. JSON

A

A. CSV

81
Q

Which of the following statements describe GET workflow actions?
* A. GET workflow actions must be configured with POST arguments.
* B. Configuration of GET workflow actions includes choosing a sourcetype.
* C. Label names for GET workflow actions must include a field name surrounded by dollar signs.
* D. GET workflow actions can be configured to open the URI link in the current window or in a new window.

A

D. GET workflow actions can be configured to open the URI link in the current window or in a new window.

82
Q

A field alias has been created based on an original field. A search without any transforming commands is then executed in Smart Mode.
Which field name appears in the results?
* A. Both will appear in the All Fields list, but only if the alias is specified in the search.
* B. Both will appear in the Interesting Fields list, but only if they appear in at least 20 percent of events.
* C. The original field only appears in All Fields list and the alias only appears in the Interesting Fields list.
* D. The alias only appears in the All Fields list and the original field only appears in the Interesting Fields list.

A

B. Both will appear in the Interesting Fields list, but only if they appear in at least 20 percent of events.

(p. 186 part2)

83
Q

What is the relationship between data models and pivots?
* A. Data models provide the datasets for pivots.
* B. Pivots and data models have no relationship.
* C. Pivots and data models are the same thing.
* D. Pivots provide the datasets for data models.

A

A. Data models provide the datasets for pivots

(F2 s.229)

84
Q

There are several ways to access the field extractor.
Which option automatically identifies the data type, source type, and sample event?
* A. Event Actions > Extract Fields
* B. Fields sidebar > Extract New Fields
* C. Settings > Field Extractions > New Field Extraction
* D. Settings > Field Extractions > Open Field Extractor

A

A. Event Actions > Extract Fields

85
Q

When can a pipe follow a macro?
* A. A pipe may always follow a macro.
* B. The current user must own the macro.
* C. The macro must be defined in the current app.
* D. Only when sharing is set to global for the macro.

A

A. A pipe may always follow a macro.

86
Q

What are the two parts of a root event dataset?
* A. Fields and variables.
* B. Fields and attributes.
* C. Constraints and fields.
* D. Constraints and lookups.

A

C. Constraints and fields.

87
Q

In which Settings section are macros defined?
* A. Fields
* B. Tokens
* C. Advanced Search
* D. Searches, Reports, Alerts

A

C. Advanced Search

(F2 s.211)

88
Q

Which command can include both an over and a by clause to divide results into sub-groupings?
* A. chart
* B. stats
* C. xyseries
* D. transaction

A

A. chart

89
Q

Which of the following workflow actions can be executed from search results? (Choose all that apply.)
* A. GET
* B. POST
* C. LOOKUP
* D. Search

A

A. GET
B. POST
D. Search

90
Q

Which of the following is a function of the Splunk Common Information Model (CIM)?
* A. Normalizing data across a Splunk deployment.
* B. Providing templates for reports and dashboards.
* C. Algorithmically shifting events to other indexes.
* D. Reingesting previously indexed data with new field names.

A

A. Normalizing data across a Splunk deployment.

91
Q

What does the transaction command do?
* A. Groups a set of transactions based on time.
* B. Creates a single event from a group of events.
* C. Separates two events based on one or more values.
* D. Returns the number of credit card transactions found in the event logs.

A

B. Creates a single event from a group of events.

92
Q

If no value is specified with the fillnull command, what default value will be used?
* A. 0
* B. N/A
* C. ג€”
* D. NULL

A

A. 0

(F2 s.119)

93
Q

How does a user display a chart in stack mode?
* A. By using the stack command.
* B. By turning on the Use Trellis Layout option.
* C. By changing Stack Mode in the Format menu.
* D. You cannot display a chart in stack mode, only a timechart.

A

C. By changing Stack Mode in the Format menu

(F2 s.44)

94
Q

Calculated fields can be based on which of the following?
* A. Tags
* B. Extracted fields
* C. Output fields for a lookup
* D. Fields generated from a search string

A

B. Extracted fields

95
Q

Which of the following is one of the pre-configured data models included in the Splunk Common Information Model (CIM) add-on?
* A. Access
* B. Accounting
* C. Authorization
* D. Authentication

A

D. Authentication

(F2 s.273)

96
Q

When creating a Search workflow action, which field is required?
* A. Search string
* B. Data model name
* C. Permission setting
* D. An eval statement

A

A. Search string

(F2 s.225, se bild)

97
Q

Which of the following is the correct way to use the datamodel command to search fields in the Web data model within the Web dataset?
* A. | datamodel Web Web search | fields Web*
* B. | search datamodel Web Web | fields Web*
* C. | datamodel Web Web fields | search Web*
* D. datamodel=Web | search Web | fields Web*

A

A. | datamodel Web Web search | fields Web*

(F2 s.279)

98
Q

What does the fillnull command replace null values with, if the value argument is not specified?
* A. 0
* B. N/A
* C. NaN
* D. NULL

A

A. 0

99
Q

Which of the following statements would help a user choose between the transaction and stats commands?
* A. stats can only group events using IP addresses.
* B. The transaction command is faster and more efficient.
* C. There is a 1000 event limitation with the transaction command.
* D. Use stats when the events need to be viewed as a single correlated event.

A

C. There is a 1000 event limitation with the transaction command.

100
Q

By default, how is acceleration configured in the Splunk Common Information Model (CIM) add-on?
* A. Turned off.
* B. Turned on.
* C. Determined automatically based on the sourcetype.
* D. Determined automatically based on the data source.

A

A. Turned off

(F2 s.273)

splunk (3 decks)

Brainscape helps you reach your goals faster, through stronger study habits.
© 2024 Bold Learning Solutions. Terms and Conditions