Result Modification

Question 1

Which statement(s) about appendpipe is false?

• The subpipeline is executed only when Splunk reaches the appendpipe command
• appendpipe transforms results and adds new lines to the bottom of the results set because appendpipe is always the last command to be executed x
• appendpipe transforms results and adds new lines to the bottom of the results set without overwriting original results
• Only one appendpipe can exist in a search because the search head can only process two searches simultaneously

Answer 1

Only one appendpipe can exist in a search because the search head can only process two searches simultaneously

Question 2

___ is the process of organizing data to appear similar across all records, making the information easier to search.

• Segmentation
• Collating
• Splunkification
• Normalization

Answer 2

Normalization

Question 3

True or False: If there is an appendpipe in a search, its subpipeline will always be executed last.

• TRUE
• FALSE

Answer 3

False

Question 4

Which of these tostring expressions will format the PROFIT field in the USD currency format, $x,xxx?

• | eval PROFIT = tostring(“$x,xxx”,PROFIT)
• | eval PROFIT = tostring(PROFIT,”$”.”commas”)
• | eval PROFIT = tostring(PROFIT,”$x,xxx”)
• | eval PROFIT = “$”.tostring(PROFIT,”commas”)

Answer 4

eval PROFIT = “$”.tostring(PROFIT,”commas”)

Question 5

True or False: eventstats and streamstats support multiple stats functions, just like stats.

FALSE

TRUE

Answer 5

True

Question 6

Which command uses a template subsearch to replace the values of specific fields?

• replace
• foreach
• eval
• none; commands only use functions to replace field values, not templates or subsearches

Answer 6

foreach

Question 7

Which two commands when used together are equivalent to chart <fieldA> over <filedB> by <fieldC>? Select all that apply.</fieldC></filedB></fieldA>

* stats <fieldA> by <fieldB>,<fieldC> followed by additional commands and then untable <fieldB> <fieldC> <fieldA>
* stats <fieldA> by <fieldB>,<fieldC> followed by additional commands and then xyseries <fieldB> <fieldC> <fieldA>
* stats <fieldA> by <fieldB>,<fieldC> followed by untable <fieldB> <fieldC> <fieldA> 
* stats <fieldA> by <fieldB>,<fieldC> followed by xyseries <fieldB> <fieldC> <fieldA>

Answer 7

stats <fieldA> by <fieldB>,<fieldC> followed by additional commands and then xyseries <fieldB> <fieldC> <fieldA>
stats <fieldA> by <fieldB>,<fieldC> followed by xyseries <fieldB> <fieldC> <fieldA>

Question 8

True or False: The foreach command can be used without a subsearch.

FALSE

TRUE

Answer 8

False

Question 9

Which of these expressions will accurately normalize values from the OperatingSys and CompSys fields into a new field called OS?

• | eval OS = coalesce(OperatingSys,CompSys)
• | eval OS = case(OperatingSys=OperatingSys,”OS”,CompSys=CompSys,”OS”,true(),”OS”)
• | eval replace(OperatingSys OR CompSys,OS”

Answer 9

eval OS = coalesce(OperatingSys,CompSys)

Question 10

You would use the ___ function to convert a string to uppercase and the ___ function to convert a string to lowercase.

• uppercase(), lowercase()
• lowercase(), uppercase()
• lower(), upper()
• upper(), lower()

Answer 10

upper(), lower()