Splunk Splunk Certifications SPLK-1002 Questions & Answers

• Question 101:

  When should transaction be used?

  A. Only in a large distributed Splunk environment.

  B. When calculating results from one or more fields.

  C. When event grouping is based on start/end values.

  D. When grouping events results in over 1000 events in each group.

  Correct Answer: C

• Question 102:

  What information must be included when using the datamodel command?

  A. status field

  B. Multiple indexes

  C. Data model field name.

  D. Data model dataset name.

  Correct Answer: D

• Question 103:

  Which of the following search control will not re-rerun the search? (Select all that apply.)

  A. zoom out

  B. selecting a bar on the timeline

  C. deselect

  D. selecting a range of bars on the timelines

  Correct Answer: BCD

  The timeline is a graphical representation of your search results that shows the distribution of events over time2. You can use the timeline to zoom in or out of a specific time range or to select one or more bars on the timeline to filter your results by that time range2. However, these actions will not re-run the search, but rather refine the existing results based on the selected time range2. Therefore, options B, C and D are correct, while option A is incorrect because zooming out will re-run the search with a broader time range.

• Question 104:

  When you mouse over and click to add a search term this (thesE. Boolean operator(s) is(arE. not implied. (Select all that apply).

  A. OR

  B. ( )

  C. AND

  D. NOT

  Correct Answer: ABD

  When you mouse over and click to add a search term from the Fields sidebar or from an event in your search results, Splunk automatically adds the term to your search string with an implied AND operator2. However, this does not apply to some Boolean operators such as OR, NOT and parentheses (). These operators are not implied when you add a search term and you have to type them manually if you want to use them in your search string2. Therefore, options A, B and D are correct, while option C is incorrect because AND is implied when you add a search term.

• Question 105:

  What is the correct way to name a macro with two arguments?

  A. us_sales2

  B. us_sales(1,2)

  C. us_sale,2

  D. us_sales(2)

  Correct Answer: D

• Question 106:

  Which of the following is one of the pre-configured data models included in the Splunk Common Information Model (CIM) add-on?

  A. Access

  B. Accounting

  C. Authorization

  D. Authentication

  Correct Answer: D

• Question 107:

  For the following search, which field populates the x-axis?

  index=security sourcetype=linux secure | timechart count by action

  A. action

  B. source type

  C. _time

  D. time

  Correct Answer: C

  The correct answer is C. _time.

  The timechart command creates a time series chart with corresponding table of statistics, with time used as the X-axis1. You can specify a split-by field, where each distinct value of the split-by field becomes a series in the chart1. In this case,

  the split-by field is action, which means that the chart will have different lines for different actions, such as accept, reject, or fail2. The count function will calculate the number of events for each action in each time bin1.

  For example, the following image shows a timechart of the count by action for a similar search3:

  As you can see, the x-axis is populated by the _time field, which represents the time range of the search. The y-axis is populated by the count function, which represents the number of events for each action. The legend shows the different

  values of the action field, which are used to split the chart into different series.

  Reference:

  2: Timechart Command In Splunk With Example - Mindmajix 1: timechart - Splunk Documentation 3: timechart command examples - Splunk Documentation

• Question 108:

  Where are the descriptions of the data models that come with the Splunk Common Information Model (CIM) Add-on documented?

  A. Search and reporting user manual.

  B. CIM Add-on manual.

  C. Pivot users manual.

  D. Datamodel command reference guide.

  Correct Answer: B

  The descriptions of the data models that come with the Splunk Common Information Model (CIM) Add-on are documented in the CIM Add-on manual (Option B). This manual provides detailed information about the data models, including their structure, the types of data they are designed to normalize, and how they can be used to facilitate cross-sourcing reporting and analysis.

• Question 109:

  Which of the following examples would use a POST workflow action?

  A. Perform an external IP lookup based on a domain value found in events.

  B. Use the field values in an HTTP error event to create a new ticket in an external system.

  C. Launch secondary Splunk searches that use one or more field values from selected events.

  D. Open a web browser to look up an HTTP status code.

  Correct Answer: B

  The correct answer is B. Use the field values in an HTTP error event to create a new ticket in an external system.

  A workflow action is a knowledge object that enables a variety of interactions between fields in events and other web resources. Workflow actions can create HTML links, generate HTTP POST requests, or launch secondary searches based on field values1. There are three types of workflow actions that can be set up using Splunk Web: GET, POST, and Search2. GET workflow actions create typical HTML links to do things like perform Google searches on specific values or run domain name queries against external WHOIS databases2. POST workflow actions generate an HTTP POST request to a specified URI. This action type enables you to do things like creating entries in external issue management systems using a set of relevant field values2. Search workflow actions launch secondary searches that use specific field values from an event, such as a search that looks for the occurrence of specific combinations of ipaddress and http_status field values in your index over a specific time range2. Therefore, the example that would use a POST workflow action is B. Use the field values in an HTTP error event to create a new ticket in an external system. This example requires sending an HTTP POST request to the URI of the external system with the field values from the event as arguments. The other examples would use different types of workflow actions. These examples are:

  A. Perform an external IP lookup based on a domain value found in events: This example would use a GET workflow action to create a link to an external IP lookup service with the domain value as a parameter. C. Launch secondary Splunk searches that use one or more field values from selected events: This example would use a Search workflow action to run another Splunk search with the field values from the event as search terms. D. Open a web browser to look up an HTTP status code: This example would also use a GET workflow action to create a link to a web page that explains the meaning of the HTTP status code. References: Splexicon:Workflowaction About workflow actions in Splunk Web

• Question 110:

  What does the fillnull command replace null values with, if the value argument is not specified?

  A. 0

  B. N/A

  C. NaN

  D. NULL

  Correct Answer: A

  The fillnull command replaces null values with 0 by default, if the value argument is not specified. You can use the value argument to specify a different value to replace null values with, such as N/A or NULL.