Summer Special Sale - Limited Time 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: mxmas70

Home > Splunk > Splunk Core Certified Power User > SPLK-1002

SPLK-1002 Splunk Core Certified Power User Exam Question and Answers

Question # 4

Which of the following searches will show the number of categoryld used by each host?

A.

Sourcetype=access_* |sum bytes by host

B.

Sourcetype=access_* |stats sum(categorylD. by host

C.

Sourcetype=access_* |sum(bytes) by host

D.

Sourcetype=access_* |stats sum by host

Full Access
Question # 5

To create a tag, which of the following conditions must be met by the user?

A.

Identify at least one field:value pair.

B.

Have the Power role at a minimum.

C.

Be able to edit the sourcetype the tag applies to.

D.

Must have the tag capability associated with their user role.

Full Access
Question # 6

A user runs the following search:

index—X sourcetype=Y I chart count (domain) as count, sum (price) as sum by product, action usenull=f useother—f

Which of the following table headers match the order this command creates?

A.

The chart command does not allow for multiple statistical functions.

B.

Product, sum: addtocart, sum: remove, sum: purchase, count: addtocart, count: remove, count: purchase

C.

Product, count: addtocart, count: remove, count: purchase, sum: addtocart, sum: remove, sum: purchase

D.

Count: product, sum: product, count: action, sum: action

Full Access
Question # 7

What happens when a user edits the regular expression (regex) field extraction generated in the Field Extractor (FX)?

A.

There is a limit to the number of fields that can be extracted.

B.

The user is unable to preview the extractions.

C.

The extraction is added at index time.

D.

The user is unable to return to the automatic field extraction workflow.

Full Access
Question # 8

Which of the following eval commands will provide a new value for host from src if it exists?

A.

| eval host = if (isnu11 (src), src, host)

B.

| eval host = if (NOT src = host, src, host)

C.

| eval host = if (src = host, src, host)

D.

| eval host = if (isnotnull (src), src, host)

Full Access
Question # 9

Complete the search, …. | _____ failure>successes

A.

Search

B.

Where

C.

If

D.

Any of the above

Full Access
Question # 10

When should transaction be used?

A.

Only in a large distributed Splunk environment.

B.

When calculating results from one or more fields.

C.

When event grouping is based on start/end values.

D.

When grouping events results in over 1000 events in each group.

Full Access
Question # 11

Select this in the fields sidebar to automatically pipe you search results to the rare command

A.

events with this field

B.

rare values

C.

top values by time

D.

top values

Full Access
Question # 12

Which of these stats commands will show the total bytes for each unique combination of page and server?

A.

index=web | stats sum (bytes) BY page BY server

B.

index=web | stats sum (bytes) BY page server

C.

index=web | stats sum(bytes) BY page AND server

D.

index=web | stats sum(bytes) BY values (page) values (server)

Full Access
Question # 13

A user wants to create a new field alias for a field that appears in two sourcetypes.

How many field aliases need to be created?

A.

One.

B.

Two.

C.

It depends on whether the original fields have the same name.

D.

It depends on whether the two sourcetypes are associated with the same index.

Full Access
Question # 14

For the following search, which field populates the x-axis?

index=security sourcetype=linux secure | timechart count by action

A.

action

B.

source type

C.

_time

D.

time

Full Access
Question # 15

In the Field Extractor, when would the regular expression method be used?

A.

When events contain JSON data.

B.

When events contain comma-separated data.

C.

When events contain unstructured data.

D.

When events contain table-based data.

Full Access
Question # 16

Consider the following search:

Index=web sourcetype=access_combined

The log shows several events that share the same JSESSIONID value (SD404K289O2F151). View the events as a group. From the following list, which search groups events by JSESSIONID?

A.

index=web sourcetype=access_combined SD404K289O2F151 I table JSESSIONID

B.

index=web sourcetype=access_combined JSESSIONID

C.

index=web sourcetype=access_combined I highlight JSESSIONID I search SD404K289O2F151

D.

index-web sourcetype=access_combined I transaction JSESSIONID I search SD404K289O2F151

Full Access
Question # 17

Which of the following statements best describes a macro?

A.

A macro is a method of categorizing events based on a search.

B.

A macro is a way to associate an additional (new) name with an existing field name.

C.

A macro is a portion of a search that can be reused in multiple place

D.

A macro is a knowledge object that enables you to schedule searches for specific events.

Full Access
Question # 18

These kinds of charts represent a series in a single bar with multiple sections

A.

Multi-Series

B.

Split-Series

C.

Omit nulls

D.

Stacked

Full Access
Question # 19

This function of the stats command allows you to return the sample standard deviation of a field.

A.

stdev

B.

dev

C.

count deviation

D.

by standarddev

Full Access
Question # 20

How are arguments defined within the macro search string?

A.

Åžarg$

B.

'arg'

C.

%arg%

D.

"arg"

Full Access
Question # 21

Which method in the Field Extractor would extract the port number from the following event? |

10/20/2022 - 125.24.20.1 ++++ port 54 - user: admin

A.

Delimiter

B.

rex command

C.

The Field Extractor tool cannot extract regular expressions.

D.

Regular expression

Full Access
Question # 22

The macro weekly_sales (2) contains the search string:

index—games I eval Product Sales = $price$ $AmountS01d$

Which of the following will return results?

A.

‘weekly_sales(3.99, 10) '

B.

‘weekly_sales($3.99$, $10$)

C.

'weekly_sales (3.99, 10)

D.

‘weekly_sales(3)

Full Access
Question # 23

Which of the following searches show a valid use of a macro? (Choose all that apply.)

A.

index=main source=mySource oldField=* |’makeMyField(oldField)’| table _time newField

B.

index=main source=mySource oldField=* | stats if(‘makeMyField(oldField)’) | table _time newField

C.

index=main source=mySource oldField=* | eval newField=’makeMyField(oldField)’| table _time newField

D.

index=main source=mySource oldField=* | "’newField(‘makeMyField(oldField)’)’" | table _time newField

Full Access
Question # 24

Which of the following statements describe data model acceleration? (select all that apply)

A.

Root events cannot be accelerated.

B.

Accelerated data models cannot be edited.

C.

Private data models cannot be accelerated.

D.

You must have administrative permissions or the accelerate_dacamodel capability to accelerate a data model.

Full Access
Question # 25

Which of the following searches show a valid use of macro? (Select all that apply)

A.

index=main source=mySource oldField=* |'makeMyField(oldField)'| table _time newField

B.

index=main source=mySource oldField=* | stats if('makeMyField(oldField)') | table _time newField

C.

index=main source=mySource oldField=* | eval newField='makeMyField(oldField)'| table _time newField

D.

index=main source=mySource oldField=* | "'newField('makeMyField(oldField)')'" | table _time newField

Full Access
Question # 26

Which one of the following statements about the search command is true?

A.

It does not allow the use of wildcards.

B.

It treats field values in a case-sensitive manner.

C.

It can only be used at the beginning of the search pipeline.

D.

It behaves exactly like search strings before the first pipe.

Full Access
Question # 27

Which of the following statements describes POST workflow actions?

A.

POST workflow actions are always encrypted.

B.

POST workflow actions cannot use field values in their URI.

C.

POST workflow actions cannot be created on custom sourcetypes.

D.

POST workflow actions can open a web page in either the same window or a new .

Full Access
Question # 28

Which of the following statements describe GET workflow actions?

A.

GET workflow actions must be configured with POST arguments.

B.

Configuration of GET workflow actions includes choosing a sourcetype.

C.

Label names for GET workflow actions must include a field name surrounded by dollar signs.

D.

GET workflow actions can be configured to open the URT link in the current window or in a new window

Full Access
Question # 29

Selected fields are displayed ______each event in the search results.

A.

below

B.

interesting fields

C.

other fields

D.

above

Full Access
Question # 30

Which are valid ways to create an event type? (select all that apply)

A.

By using the searchtypes command in the search bar.

B.

By editing the event_type stanza in the props.conf file.

C.

By going to the Settings menu and clicking Event Types > New.

D.

By selecting an event in search results and clicking Event Actions > Build Event Type.

Full Access
Question # 31

In which of the following scenarios is an event type more effective than a saved search?

A.

When a search should always include the same time range.

B.

When a search needs to be added to other users' dashboards.

C.

When the search string needs to be used in future searches.

D.

When formatting needs to be included with the search string.

Full Access
Question # 32

When using timechart, how many fields can be listed after a by clause?

A.

because timechart doesn't support using a by clause.

B.

because _time is already implied as the x-axis.

C.

because one field would represent the x-axis and the other would represent the y-axis.

D.

There is no limit specific to timechart.

Full Access
Question # 33

Which of the following can be used with the eval command tostring function (select all that apply)

A.

‘’hex’’

B.

‘’commas’’

C.

‘’Decimal’’

D.

‘’duration’’

Full Access
Question # 34

Which of the following statements describes field aliases?

A.

Field alias names replace the original field name.

B.

Field aliases can be used in lookup file definitions.

C.

Field aliases only normalize data across sources and sourcetypes.

D.

Field alias names are not case sensitive when used as part of a search.

Full Access
Question # 35

Which of the following eval command function is valid?

A.

Int ()

B.

Count ( )

C.

Print ()

D.

Tostring ()

Full Access
Question # 36

A user wants to convert numeric field values to strings and also to sort on those values.

Which command should be used first, the eval or the sort?

A.

It doesn't matter whether eval or sort is used first.

B.

Convert the numeric to a string with eval first, then sort.

C.

Use sort first, then convert the numeric to a string with eval.

D.

You cannot use the sort command and the eval command on the same field.

Full Access
Question # 37

After manually editing; a regular expression (regex), which of the following statements is true?

A.

Changes made manually can be reverted in the Field Extractor (FX) UI.

B.

It is no longer possible to edit the field extraction in the Field Extractor (FX) UI.

C.

It is not possible to manually edit a regular expression (regex) that was created using the Field Extractor (FX) UI.

D.

The Field Extractor (FX) UI keeps its own version of the field extraction in addition to the one that was manually edited.

Full Access
Question # 38

Which of the following statements describes this search?

sourcetype=access_combined I transaction JSESSIONID | timechart avg (duration)

A.

This is a valid search and will display a timechart of the average duration, of each transaction event.

B.

This is a valid search and will display a stats table showing the maximum pause among transactions.

C.

No results will be returned because the transaction command must include the startswith and endswith options.

D.

No results will be returned because the transaction command must be the last command used in the search pipeline.

Full Access
Question # 39

Given the macro definition below, what should be entered into the Name and Arguments fileds to correctly configured the macro?

A.

The macro name is sessiontracker and the arguments are action, JESSIONID.

B.

The macro name is sessiontracker(2) and the arguments are action, JESSIONID.

C.

The macro name is sessiontracker and the arguments are $action$, $JESSIONID$.

D.

The macro name is sessiontracker(2) and the Arguments are $action$, $JESSIONID$.

Full Access
Question # 40

When should you use the transaction command instead of the scats command?

A.

When you need to group on multiple values.

B.

When duration is irrelevant in search results. .

C.

When you have over 1000 events in a transaction.

D.

When you need to group based on start and end constraints.

Full Access
Question # 41

Which of the following are required to create a POST workflow action?

A.

Label, URI, search string.

B.

XMI attributes, URI, name.

C.

Label, URI, post arguments.

D.

URI, search string, time range picker.

Full Access
Question # 42

Which of the following statements about event types is true? (select all that apply)

A.

Event types can be tagged.

B.

Event types must include a time range,

C.

Event types categorize events based on a search.

D.

Event types can be a useful method for capturing and sharing knowledge.

Full Access
Question # 43

Which group of users would most likely use pivots?

A.

Users

B.

Architects

C.

Administrators

D.

Knowledge Managers

Full Access
Question # 44

When multiple event types with different color values are assigned to the same event, what determines the color displayed for the events?

A.

Rank

B.

Weight

C.

Priority

D.

Precedence

Full Access
Question # 45

When performing a regular expression (regex) field extraction using the Field Extractor (FX), what happens when the require option is used?

A.

The regex can no longer be edited.

B.

The field being extracted will be required for all future events.

C.

The events without the required field will not display in searches.

D.

Only events with the required string will be included in the extraction.

Full Access
Question # 46

The Field Extractor (FX) is used to extract a custom field. A report can be created using this custom field. The created report can then be shared with other people in the organization. If another person in the organization runs the shared report and no results are returned, why might this be? (select all that apply)

A.

Fast mode is enabled.

B.

The dashboard is private.

C.

The extraction is private-

D.

The person in the organization running the report does not have access to the index.

Full Access
Question # 47

What are the two parts of a root event dataset?

A.

Fields and variables.

B.

Fields and attributes.

C.

Constraints and fields.

D.

Constraints and lookups.

Full Access
Question # 48

Data model are composed of one or more of which of the following datasets? (select all that apply.)

A.

Events datasets

B.

Search datasets

C.

Transaction datasets

D.

Any child of event, transaction, and search datasets

Full Access
Question # 49

Which of the following statements describe the search below? (select all that apply)

Index=main I transaction clientip host maxspan=30s maxpause=5s

A.

Events in the transaction occurred within 5 seconds.

B.

It groups events that share the same clientip and host.

C.

The first and last events are no more than 5 seconds apart.

D.

The first and last events are no more than 30 seconds apart.

Full Access
Question # 50

What functionality does the Splunk Common Information Model (CIM) rely on to normalize fields with different names?

A.

Macros.

B.

Field aliases.

C.

The rename command.

D.

CIM does not work with different names for the same field.

Full Access
Question # 51

Which of the following statements about data models and pivot are true? (select all that apply)

A.

They are both knowledge objects.

B.

Data models are created out of datasets called pivots.

C.

Pivot requires users to input SPL searches on data models.

D.

Pivot allows the creation of data visualizations that present different aspects of a data model.

Full Access
Question # 52

Which of the following statements describes macros?

A.

A macro is a reusable search string that must contain the full search.

B.

A macro is a reusable search string that must have a fixed time range.

C.

A macro Is a reusable search string that may have a flexible time range.

D.

A macro Is a reusable search string that must contain only a portion of the search.

Full Access
Question # 53

When creating a Search workflow action, which field is required?

A.

Search string

B.

Data model name

C.

Permission setting

D.

An eval statement

Full Access
Question # 54

Calculated fields can be based on which of the following?

A.

Tags

B.

Extracted fields

C.

Output fields for a lookup

D.

Fields generated from a search string

Full Access
Question # 55

A calculated field maybe based on which of the following?

A.

Lookup tables

B.

Extracted fields

C.

Regular expressions

D.

Fields generated within a search string

Full Access
Question # 56

What is the relationship between data models and pivots?

A.

Data models provide the datasets for pivots.

B.

Pivots and data models have no relationship.

C.

Pivots and data models are the same thing.

D.

Pivots provide the datasets for data models.

Full Access
Question # 57

What is required for a macro to accept three arguments?

A.

The macro's name ends with (3).

B.

The macro's name starts with (3).

C.

The macro's argument count setting is 3 or more.

D.

Nothing, all macros can accept any number of arguments.

Full Access
Question # 58

Which of the following statements describes the command below (select all that apply)

Sourcetype=access_combined | transaction JSESSIONID

A.

An additional filed named maxspan is created.

B.

An additional field named duration is created.

C.

An additional field named eventcount is created.

D.

Events with the same JSESSIONID will be grouped together into a single event.

Full Access
Question # 59

Which of the following describes the Splunk Common Information Model (CIM) add-on?

A.

The CIM add-on uses machine learning to normalize data.

B.

The CIM add-on contains dashboards that show how to map data.

C.

The CIM add-on contains data models to help you normalize data.

D.

The CIM add-on is automatically installed in a Splunk environment.

Full Access
Question # 60

Data model fields can be added using the Auto-Extracted method. Which of the following statements describe Auto-Extracted fields? (select all that apply)

A.

Auto-Extracted fields can be hidden in Pivot.

B.

Auto-Extracted fields can have their data type changed.

C.

Auto-Extracted fields can be given a friendly name for use in Pivot.

D.

Auto-Extracted fields can be added if they already exist in the dataset with constraints.

Full Access
Question # 61

Which delimiters can the Field Extractor (FX) detect? (select all that apply)

A.

Tabs

B.

Pipes

C.

Spaces

D.

Commas

Full Access
Question # 62

Which of the following statements describes Search workflow actions?

A.

By default. Search workflow actions will run as a real-time search.

B.

Search workflow actions can be configured as scheduled searches,

C.

The user can define the time range of the search when created the workflow action.

D.

Search workflow actions cannot be configured with a search string that includes the transaction command

Full Access
Question # 63

Which of the following statements is true, especially in large environments?

A.

Use the scats command when you next to group events by two or more fields.

B.

The stats command is faster and more efficient than the transaction command

C.

The transaction command is faster and more efficient than the stats command.

D.

Use the transaction command when you want to see the results of a calculation.

Full Access
Question # 64

What is a limitation of searches generated by workflow actions?

A.

Searches generated by workflow action cannot use macros.

B.

Searches generated by workflow actions must be less than 256 characters long.

C.

Searches generated by workflow action must run in the same app as the workflow action.

D.

Searches generated by workflow action run with the same permissions as the user running them.

Full Access
Question # 65

Which of the following is NOT a stats function:

A.

sum

B.

addtotals

C.

count

D.

avg

Full Access
Question # 66

The limit attribute will___________.

A.

override default of 10

B.

only work with top command

C.

override default of 20

D.

override default of 15

Full Access
Question # 67

It is mandatory for the lookup file to have this for an automatic lookup to work.

A.

Source type

B.

At least five columns

C.

Timestamp

D.

Input filed

Full Access
Question # 68

In which Settings section are macros defined?

A.

Fields

B.

Tokens

C.

Advanced Search

D.

Searches, Reports, Alerts

Full Access
Question # 69

Consider the following search:

index=web sourcetype=access_combined

The log shows several events that share the same JSESSIONID value (SD470K92802F117). View the events as a group.

From the following list, which search groups events by JSESSIONID?

A.

index=web sourcetype=access_combined | highlight JSESSIONID | search SD470K92802F117

B.

index=web sourcetype=access_combined | transaction JSESSIONID | search SD470K92802F117

C.

index=web sourcetype=access_combined SD470K92802F117 | table JSESSIONID

D.

index=web sourcetype=access_combined JSESSIONID

Full Access
Question # 70

Which of the following options will define the first event in a transaction?

A.

startswith

B.

with

C.

startingwith

D.

firstevent

Full Access
Question # 71

Which workflow uses field values to perform a secondary search?

A.

POST

B.

Action

C.

Search

D.

Sub-Search

Full Access
Question # 72

Which of the following statements describes POST workflow actions?

A.

Configuration of a POST workflow action includes choosing a sourcetype.

B.

POST workflow actions can be configured to send email to the URI location.

C.

By default, POST workflow action are shown in both the event and field menus.

D.

POST workflow actions can be configured to send POST arguments to the URI location.

Full Access
Question # 73

Clicking a SEGMENT on a chart, ________.

A.

drills down for that value

B.

highlights the field value across the chart

C.

adds the highlighted value to the search criteria

Full Access
Question # 74

How is an event type created from the search window? (select all that apply)

A.

In the top right corner, click Save As > Event Type.

B.

In an event's detail dropdown, click Event Actions > Build Event Type.

C.

Edit eventtypes.conf and add a new stanza.

D.

Add | eventtype to the SPL and execute the search.

Full Access
Question # 75

The transaction command allows you to __________ events across multiple sources

A.

duplicate

B.

correlate

C.

persist

D.

tag

Full Access
Question # 76

What type of command is eval?

A.

Streaming in some modes

B.

Report generating

C.

Distributable streaming

D.

Centralized streaming

Full Access
Question # 77

Calculated fields can be based on which of the following?

A.

Tags

B.

Extracted fields

C.

Output fields for a lookup

D.

Fields generated from a search string

Full Access
Question # 78

Which of the following is true about data model attributes?

A.

They cannot be created within the data model.

B.

They can only be added into a root search dataset.

C.

They cannot be edited if inherited from a parent dataset.

D.

They can be added to a dataset from search time field extractions.

Full Access
Question # 79

A POST workflow action will pass which types of arguments to an external website?

A.

Clear text only.

B.

A mix of clear text strings and variables.

C.

It can only send raw event data.

D.

Variables only.

Full Access