Power User Flashcards by Kelly Martin

Which one of the following statements about the search command is true?

A. It does not allow the use of wildcards.
B. It treats field values in a case-sensitive manner.
C. It can only be used at the beginning of the search pipeline.
D. It behaves exactly like search strings before the first pipe.

D. It behaves exactly like search strings before the first pipe.

How well did you know this?

Not at all

Perfectly

Which of the following actions can the eval command perform?

A. Remove fields from results.
B. Create or replace an existing field.
C. Group transactions by one or more fields.
D. Save SPL commands to be reused in other searches.

B. Create or replace an existing field.

How well did you know this?

Not at all

Perfectly

When can a pipe follow a macro?

A. A pipe may always follow a macro.
B. The current user must own the macro.
C. The macro must be defined in the current app.
D. Only when sharing is set to global for the macro.

A. A pipe may always follow a macro.

How well did you know this?

Not at all

Perfectly

Data models are composed of one or more of which of the following datasets? (Choose all that apply.)

A. Events datasets
B. Search datasets
C. Transaction datasets
D. Any child of event, transaction, and search datasets

A. Events datasets
B. Search datasets
C. Transaction datasets

How well did you know this?

Not at all

Perfectly

When using the Field Extractor (FX), which of the following delimiters will work? (Choose all that apply.)

A. Tabs
B. Pipes
C. Colons
D. Spaces

How well did you know this?

Not at all

Perfectly

Which group of users would most likely use pivots?

A. Users
B. Architects
C. Administrators
D. Knowledge Managers

A. Users

How well did you know this?

Not at all

Perfectly

When multiple event types with different color values are assigned to the same event, what determines the color displayed for the event?

A. Rank
B. Weight
C. Priority
D. Precedence

C. Priority

How well did you know this?

Not at all

Perfectly

Based on the macro definition shown below, what is the correct way to execute the macro in a search string?
Name
Enter the name of the macro. If the search macro takes an argument indicate this by appending the number of arguments to the name. For example: mymacro(2)
[convert_sales(3)]
Definition
Enter the string the search macro expands to when it is referenced in another search. If arguments are included, enclose them in dollar signs. For example: $arg1$
[stats sum(price) as USD by product_name
| eval $currency$=”$symbol$”.tostring(round(USD*$rate$,2), “commas”) | eval USD=”$” + tostring(USD,”commas”)]
[]Use eval-based def?
Arguments
Enter a comma-delimited string of argument names. Argument names may only contain alphanumeric,’_’ and ‘-‘ characters.
[currency,symbol,rate]

A. “convert_sales(euro,ג‚¬,.79)”
B. ‘convert_sales(euro,ג‚¬,.79)’
C. “convert_sales($euro$,$ג‚¬$,$.79$)”
D. ‘convert_sales($euro$,$ג‚¬$,$.79$)’

B. ‘convert_sales(euro,ג‚¬,.79)’

How well did you know this?

Not at all

Perfectly

There are several ways to access the field extractor.Which option automatically identifies the data type, source type, and sample event?

A. Event Actions > Extract Fields
B. Fields sidebar > Extract New Fields
C. Settings > Field Extractions > New Field Extraction
D. Settings > Field Extractions > Open Field Extractor

A. Event Actions > Extract Fields

How well did you know this?

Not at all

Perfectly

Which of the following statements would help a user choose between the transaction and stats commands?

A. stats can only group events using IP addresses.
B. The transaction command is faster and more efficient.
C. There is a 1000 event limitation with the transaction command.
D. Use stats when the events need to be viewed as a single correlated event.

C. There is a 1000 event limitation with the transaction command.

How well did you know this?

Not at all

Perfectly

By default, how is acceleration configured in the Splunk Common Information Model (CIM) add-on?

A. Turned off.
B. Turned on.
C. Determined automatically based on the sourcetype.
D. Determined automatically based on the data source.

A. Turned off.

How well did you know this?

Not at all

Perfectly

Which of the following statements describe the Common Information Model (CIM)? (Choose all that apply.)

A. CIM is a methodology for normalizing data.
B. CIM can correlate data from different sources.
C. The Knowledge Manager uses the CIM to create knowledge objects.
D. CIM is an app that can coexist with other apps on a single Splunk deployment.

A. CIM is a methodology for normalizing data.
B. CIM can correlate data from different sources.
C. The Knowledge Manager uses the CIM to create knowledge objects.

How well did you know this?

Not at all

Perfectly

Which of the following knowledge objects represents the output of an eval expression?

A. Eval fields
B. Calculated fields
C. Field extractions
D. Calculated lookups

B. Calculated fields

How well did you know this?

Not at all

Perfectly

What do events in a transaction have in common?

A. All events in a transaction must have the same timestamp.
B. All events in a transaction must have the same sourcetype.
C. All events in a transaction must have the exact same set of fields.
D. All events in a transaction must be related by one or more fields.

D. All events in a transaction must be related by one or more fields.

How well did you know this?

Not at all

Perfectly

Which delimiters can the Field Extractor (FX) detect? (Choose all that apply.)

A. Tabs
B. Pipes
C. Spaces
D. Commas

How well did you know this?

Not at all

Perfectly

A data model consists of which three types of datasets?

A. Constraint, field, value.
B. Events, searches, transactions.
C. Field extraction, regex, delimited.
D. Transaction, session ID, metadata.

B. Events, searches, transactions.

How well did you know this?

Not at all

Perfectly

Where are the results of eval commands stored?

A. In a field.
B. In an index.
C. In a KV Store.
D. In a database.

A. In a field.

How well did you know this?

Not at all

Perfectly

Which of the following statements describe calculated fields? (Choose all that apply.)

A. Calculated fields can be used in the search bar.
B. Calculated fields can be based on an extracted field.
C. Calculated fields can only be applied to host and sourcetype.
D. Calculated fields are shortcuts for performing calculations using the eval command.

A. Calculated fields can be used in the search bar.
B. Calculated fields can be based on an extracted field.
D. Calculated fields are shortcuts for performing calculations using the eval command.

How well did you know this?

Not at all

Perfectly

Calculated fields can be based on which of the following?

A. Tags
B. Extracted fields
C. Output fields for a lookup
D. Fields generated from a search string

B. Extracted fields

How well did you know this?

Not at all

Perfectly

When should transaction be used?

A. Only in a large distributed Splunk environment.
B. When calculating results from one or more fields.
C. When event grouping is based on start/end values.
D. When grouping events results in over 1000 events in each group.

C. When event grouping is based on start/end values.

How well did you know this?

Not at all

Perfectly

When performing a regular expression (regex) field extraction using the Field Extractor (FX), what happens when the require option is used?

A. The regex can no longer be edited.
B. The field being extracted will be required for all future events.
C. The events without the required field will not display in searches.
D. Only events with the required string will be included in the extraction.

D. Only events with the required string will be included in the extraction.

When using | timechart by host, which field is represented in the x-axis?

A. date
B. host
C. time
D. _time

D. _time

Which of the following is the correct way to use the datamodel command to search fields in the Web data model within the Web dataset?

A. | datamodel Web Web search | fields Web*

Which of the following statements describe the command below? (Choose all that apply.)
sourcetype=access_combined | transaction JSESSIONID

A. An additional field named maxspan is created.
B. An additional field named duration is created.
C. An additional field named eventcount is created.
D. Events with the same JSESSIONID will be grouped together into a single event.

B. An additional field named duration is created.
C. An additional field named eventcount is created.
D. Events with the same JSESSIONID will be grouped together into a single event.

The transaction command adds two fields to the raw events, duration and eventcount.

Which of the following searches will return events containing a tag named Privileged? A. tag=Priv B. tag=Priv* C. tag=priv* D. tag=privileged

B. tag=Priv*

Given the macro def. below, what should be entered into the Name and Arguments fields to correctly config the macro? Dest. app [oidemo] Name* Name of macro. If the search macro takes an argument, indicate this by appending the number of arguments to [ ]<- Def* Enter the string the search macro expands to when it is referenced in another search. If the arguments are included, enclose them [sourcetype=access_combined action=$action$ JSESSIONID=$JSESSIONID$ | stats values(action) as action by JSESSONID Arguments Enter a comma-delimited string of argument names. Arg. names may only have alphanumeric, '_' and '-' characters. [ ] <- A. The name is sessiontracker the arguments are action, JESSIONID. B. The name is sessiontracker(2) the arguments are action, JESSIONID. C. The name is sessiontracker the arguments are $action$, $JESSIONID$. D. The name is sessiontracker(2) the Arguments are $action$, $JESSIONID$

B. The macro name is sessiontracker(2) and the arguments are action, JESSIONID *If your macro have arguments you must specify them in parenthesis after the macro name (like ()) When you specify the arguments you have to tell splunk what are the arguments name (without the $).*

What is required for a macro to accept three arguments? A. The macro's name ends with (3). B. The macro's name starts with (3). C. The macro's argument count setting is 3 or more. D. Nothing, all macros can accept any number of arguments.

A. The macro's name ends with (3). *Enter a unique Name for the search macro. If your search macro includes an argument, append the number of arguments to the name. For example, if your search macro mymacro includes two arguments, name it mymacro(2).*

Which workflow action method can be used when the action type is set to link? A. GET B. PUT C. Search D. UPDATE

A. GET *There are two workflow action types: Link and Search. For link, there are 2 methods: GET and POST. Hence, the answer is GET.*

Which of the following statements about tags is true? (Choose all that apply.) A. Tags are case-insensitive. B. Tags are based on field/value pairs. C. Tags categorize events based on a search. D. Tags are designed to make data more understandable.

B. Tags are based on field/value pairs. D. Tags are designed to make data more understandable. *Answer A says - Tags are case-insensitive. Tags are case sensitive not case-insensitive.*

Which of the following statements about macros is true? (Choose all that apply.) A. Arguments are defined at execution time. B. Arguments are defined when the macro is created. C. Argument values are used to resolve the search string at execution time. D. Argument values are used to resolve the search string when the macro is created.

B. Arguments are defined when the macro is created. C. Argument values are used to resolve the search string at execution time.

Information needed to create a GET workflow action includes which of the following? (Choose all that apply.) A. A name for the workflow action. B. A URI where the user will be directed at search time. C. A label that will appear in the Event Action menu at search time. D. A name for the URI where the user will be directed at search time.

A. A name for the workflow action. B. A URI where the user will be directed at search time. C. A label that will appear in the Event Action menu at search time.

Which of the following can be used with the eval command tostring function? (Choose all that apply.) A. "hex" B. "commas" C. "decimal" D. "duration"

A. "hex" B. "commas" D. "duration"

Which of the following searches show a valid use of a macro? (Choose all that apply.) A. index=main source=mySource oldField=* |'makeMyField(oldField)'| table _time newField B. index=main source=mySource oldField=* | stats if('makeMyField(oldField)') | table _time newField C. index=main source=mySource oldField=* | eval newField='makeMyField(oldField)'| table _time newField D. index=main source=mySource oldField=* | "'newField('makeMyField(oldField)')'" | table _time newField

A. index=main source=mySource oldField=* |'makeMyField(oldField)'| table _time newField C. index=main source=mySource oldField=* | eval newField='makeMyField(oldField)'| table _time newField

A user wants to convert numeric field values to strings and also to sort on those values.Which command should be used first, the eval or the sort? A. It doesn't matter whether eval or sort is used first. B. Convert the numeric to a string with eval first, then sort. C. Use sort first, then convert the numeric to a string with eval. D. You cannot use the sort command and the eval command on the same field.

C. Use sort first, then convert the numeric to a string with eval.

Which Knowledge Object does the Splunk Common Information Model (CIM) use to normalize data, in addition to field aliases, event types, and tags? A. Macros B. Lookups C. Workflow actions D. Field extractions

B. Lookups

Which of the following statements describe data model acceleration? (Choose all that apply.) A. Root events cannot be accelerated. B. Accelerated data models cannot be edited. C. Private data models cannot be accelerated. D. You must have administrative permissions or the accelerate_datamodel capability to accelerate a data model.

B. Accelerated data models cannot be edited. C. Private data models cannot be accelerated. D. You must have administrative permissions or the accelerate_datamodel capability to accelerate a data model. *(page 265) Accelerating a Data Model * You must have administrative permissions or the accelerate_datamodel capability to accelerate a data model * Private data models cannot be accelerated * Accelerated data models cannot be edited. Note * With persistent data model acceleration, all fields Only root events can be accelerated. If there are multiple in the model become "indexed" fields root events, only the first root event is accelerated.*

How does a user display a chart in stack mode? A. By using the stack command. B. By turning on the Use Trellis Layout option. C. By changing Stack Mode in the Format menu. D. You cannot display a chart in stack mode, only a timechart.

C. By changing Stack Mode in the Format menu.

If no value is specified with the fillnull command, what default value will be used? A. 0 B. N/A C. ג€" D. NULL

A. 0

What other syntax will produce exactly the same results as | chart count over vendor_action by user? A. | chart count by vendor_action, user B. | chart count over vendor_action, user C. | chart count by vendor_action over user D. | chart count over user by vendor_action

A. | chart count by vendor_action, user *A is correct, "over" is used for time-based aggregation, while "by" is used for field-based aggregation.*

What are the two parts of a root event dataset? A. Fields and variables. B. Fields and attributes. C. Constraints and fields. D. Constraints and lookups.

C. Constraints and fields. *(Page 232) Data Model Events * Event datasets contain constraints and fields * Constraints are essentially the search broken down into a hierarchy * Fields are properties associated with the events*

When using timechart, how many fields can be listed after a by clause? A. 0, because timechart doesn't support using a by clause. B. 1, because _time is already implied as the x-axis. C. 2, because one field would represent the x-axis and the other would represent the y-axis. D. There is no limit specific to timechart.

B. 1, because _time is already implied as the x-axis

A field alias has been created based on an original field. A search without any transforming commands is then executed in Smart Mode.Which field name appears in the results? A. Both will appear in the All Fields list, but only if the alias is specified in the search. B. Both will appear in the Interesting Fields list, but only if they appear in at least 20 percent of events. C. The original field only appears in All Fields list and the alias only appears in the Interesting Fields list. D. The alias only appears in the All Fields list and the original field only appears in the Interesting Fields list.

B. Both will appear in the Interesting Fields list, but only if they appear in at least 20 percent of events.

Which of the following statements describes macros? A. A macro is a reusable search string that must contain the full search. B. A macro is a reusable search string that must have a fixed time range. C. A macro is a reusable search string that may have a flexible time range. D. A macro is a reusable search string that must contain only a portion of the search.

C. A macro is a reusable search string that may have a flexible time range.

In what order are the following knowledge objects/configurations applied? A. Field Aliases, Field Extractions, Lookups B. Field Extractions, Field Aliases, Lookups C. Field Extractions, Lookups, Field Aliases D. Lookups, Field Aliases, Field Extractions

B. Field Extractions, Field Aliases, Lookups *1. Fields Extractions 2. '' Aliases 3. Calculated '' 4. Lookups 5. Event Types 6. Tags*

In which of the following scenarios is an event type more effective than a saved search? A. When a search should always include the same time range. B. When a search needs to be added to other users' dashboards. C. When the search string needs to be used in future searches. D. When formatting needs to be included with the search string.

C. When the search string needs to be used in future searches.

When using the transaction command, what does the argument maxspan do? A. Sets the maximum total time between events in a transaction. B. Sets the maximum length of all the events within a transaction. C. Sets the maximum total time between the earliest and latest events in a transaction. D. Sets the maximum length that any single event can reach to be included in the transaction.

C. Sets the maximum total time between the earliest and latest events in a transaction.

When creating a Search workflow action, which field is required? A. Search string B. Data model name C. Permission setting D. An eval statement

A. Search string

To identify all of the contributing events within a transaction that contain at least one REJECT event, which syntax is correct? A. index=main REJECT | transaction sessionid B. index=main | transaction sessionid | search REJECT C. index=main | transaction sessionid | where transaction=reject D. index=main | transaction sessionid | where transaction="REJECT*"

B. index=main | transaction sessionid | search REJECT

After manually editing a regular expression (regex), which of the following statements is true? A. Changes made manually can be reverted in the Field Extractor (FX) UI. B. It is no longer possible to edit the field extraction in the Field Extractor (FX) UI. C. It is not possible to manually edit a regular expression (regex) that was created using the Field Extractor (FX) UI. D. The Field Extractor (FX) UI keeps its own version of the field extraction in addition to the one that was manually edited.

B. It is no longer possible to edit the field extraction in the Field Extractor (FX) UI.

Which of the following statements describes POST workflow actions? A. Configuration of a POST workflow action includes choosing a sourcetype. B. POST workflow actions can be configured to send email to the URI location. C. By default, POST workflow actions are shown in both the event and field menus. D. POST workflow actions can be configured to send POST arguments to the URI location.

D. POST workflow actions can be configured to send POST arguments to the URI location.

Power User Flashcards

For Splunk Power User Certification Exam