Splunk Splunk Certifications SPLK-1001 Questions & Answers

• Question 111:

  Creating Data Models:

  Fields associated with a data set are known as ______.

  A. Attributes

  B. Constraints

  Correct Answer: A

• Question 112:

  This search will return 20 results. SEARCH: error | top host limit = 20

  A. True

  B. False

  Correct Answer: A

• Question 113:

  Splunk Enterprise is used as a Scalable service in Splunk Cloud.

  A. True

  B. False

  Correct Answer: A

• Question 114:

  Which of the following is a best practice when writing a search string?

  A. Include all formatting commands before any search terms

  B. Include at least one function as this is a search requirement

  C. Include the search terms at the beginning of the search string

  D. Avoid using formatting clauses as they add too much overhead

  Correct Answer: C

  A best practice when writing a search string is to include the search terms at the beginning of the search string. This helps Splunk narrow down the events that match your search criteria and improve the search performance. Formatting commands and functions can be added later in the search pipeline to manipulate and display the results. References: Splunk Core User Certification Exam Study Guide, page 13.

• Question 115:

  According to Splunk best practices, which placement of the wildcard results in the most efficient search?

  A. f*il

  B. *fail

  C. fail*

  D. *fail*

  Correct Answer: C

• Question 116:

  What are Splunk alerts based on?

  A. Dashboards

  B. Searches

  C. Webhooks

  D. Reports

  Correct Answer: B

  Splunk alerts are based on searches that run on a schedule or in real time. You can use alerts to monitor for and respond to specific events or conditions in your data. Alerts use a saved search to look for events in real time or on a schedule. Alerts trigger when search results meet specific conditions. You can use alert actions to respond when alerts trigger, such as sending an email, running a script, or creating a ticket1. You can create alerts from the Search app, the Alerts page, or the Dashboards app. You can also use the Splunk Web framework to create custom alert actions using Python or JavaScript1. Dashboards, webhooks, and reports are not the basis for Splunk alerts, although they can be related to them. Dashboards are collections of views that display data visually in a variety of ways. You can add alert panels to dashboards to show the status of your alerts2. Webhooks are a type of alert action that send HTTP POST requests to a specified URL when an alert triggers. You can use webhooks to integrate Splunk alerts with external systems or applications3. Reports are saved searches that include additional attributes such as a visualization type, permissions, and an optional description. You can create reports from search results and add them to dashboards as panels. You can also use reports as the basis for scheduled or real-time alerts.

• Question 117:

  When viewing the results of a search, what is an Interesting Field?

  A. A field that appears in any event

  B. A field that appears in every event

  C. A field that appears in the top 10 events

  D. A field that appears in at least 20% of the events

  Correct Answer: D

• Question 118:

  Which of the following are not true about lookups? (Select all that apply.)

  A. Lookups can be time based

  B. Search results can be used to populate a lookup table

  C. Splunk DB Connect can be used to populate a lookup table from relational databases

  D. Output from a script can be used to populate a lookup table

  E. Lookup have a 10mg maximum size limit

  Correct Answer: E

• Question 119:

  How are events displayed after a search is executed?

  A. In chronological order.

  B. Randomly by default.

  C. In reverse chronological order.

  D. Alphabetically according to field name.

  Correct Answer: C

• Question 120:

  What will always appear in the Selected Fields list?

  A. index

  B. action

  C. clientip

  D. sourcetype

  Correct Answer: D