Splunk Splunk Certifications SPLK-1002 Questions & Answers

• Question 111:

  If a calculated field has the same name as an extracted field, what happens to the extracted field?

  A. The calculated field will override the extracted field.

  B. The calculated and extracted fields will be combined.

  C. The calculated field will duplicate the extracted field.

  D. An error will be returned and the search will fail.

  Correct Answer: A

  When you define a calculated field, you can specify the name of the field that the eval expression will create or modify. If the name of the calculated field matches the name of an existing extracted field, the calculated field will override the extracted field and replace its value with the result of the eval expression. This means that the original value of the extracted field will not be available for searching or analysis. To avoid this, you should use a unique name for your calculated field or use a different name for your extracted field2

  1: Splunk Core Certified Power User Track, page 9. 2: Splunk Documentation, Configure calculated fields with props.conf.

• Question 112:

  In this search, __________ will appear on the y-axis. SEARCH: sourcetype=access_combined status!=200 | chart count over host

  A. status

  B. host

  C. count

  Correct Answer: C

  In this search, count will appear on the y-axis2. This search uses the chart command to create a chart of the count of events over host for events that have status not equal to 2002. The chart command creates a table with one column for each value of the field after the over clause and one row for each value of the field after the by clause (if any)2. The values in the table are calculated by applying the function before the over clause to the events in each group2. In this case, the chart command creates a table with one column for each host and one row for the count of events for each host. The y-axis of the chart shows the values of the count function applied to each host. Therefore, option C is correct, while options A and B are incorrect because they appear on the x-axis or as labels of the chart.

• Question 113:

  Select this in the fields sidebar to automatically pipe you search results to the rare command

  A. events with this field

  B. rare values

  C. top values by time

  D. top values

  Correct Answer: B

  The fields sidebar is a panel that shows the fields that are present in your search results2. The fields sidebar has two sections: selected fields and interesting fields2. Selected fields are fields that you choose to display in your search results by clicking on them in the fields sidebar or by using the fields command2. Interesting fields are fields that appear in at least 20 percent of events or have high variability among values2. For each field in the fields sidebar, you can select one of the following options: events with this field, rare values, top values by time or top values2. If you select rare values, Splunk will automatically pipe your search results to the rare command, which shows the least common values of a field2. Therefore, option B is correct, while options A, C and D are incorrect because they do not pipe your search results to the rare command.

• Question 114:

  Use this command to use lookup fields in a search and see the lookup fields in the field sidebar.

  A. inputlookup

  B. lookup

  Correct Answer: B

• Question 115:

  What is the purpose of the fillnull command?

  A. Replace empty values with a specified value.

  B. Create a new field based on the values in an existing field.

  C. Rename a specific field in the search results.

  D. Replace all values in a specific field with a default value.

  Correct Answer: A

  The fillnull command in Splunk is used to handle missing data within search results. It plays a crucial role in data normalization and preparation, especially before performing statistical analyses or visualizations. A. Replace empty values with a specified value: This is the correct answer. The fillnull command is specifically designed to replace null values (empty values) with a specified default value. This is particularly useful in ensuring consistency within your data, especially when performing operations that require numerical values or when you want to distinguish between genuinely missing data and zeroes, for instance. Example Usage: ... | fillnull value=0 This command would replace all null values in the search results with 0.

• Question 116:

  Which of the following objects can a calculated field use as a source?

  A. An alias of a field.

  B. A field added by an automatic lookup.

  C. The tag field.

  D. The eventtype field.

  Correct Answer: B

  The correct answer is B. A field added by an automatic lookup. A calculated field is a field that is added to events at search time by using an eval expression. A calculated field can use the values of two or more fields that are already present in the events to perform calculations. A calculated field can use any field as a source, as long as the field is extracted before the calculated field is defined1. An automatic lookup is a way to enrich events with additional fields from an external source, such as a CSV file or a database. An automatic lookup can add fields to events based on the values of existing fields, such as host, source, sourcetype, or any other extracted field2. An automatic lookup is performed before the calculated fields are defined, so the fields added by the lookup can be used as sources for the calculated fields3. Therefore, a calculated field can use a field added by an automatic lookup as a source. References: About calculated fields About lookups Search time processing

• Question 117:

  Which of the following is true about a datamodel that has been accelerated?

  A. They can be used with Pivot, the | tstats command, or the | datamodel command.

  B. They can still be used in the Pivot tool but only with the accelerate_pivot capability.

  C. They can no longer be used in the Pivot tool.

  D. They can be used with the |tstats command, but will only return that data which has been accelerated.

  Correct Answer: A

  A data model that has been accelerated can be used with Pivot, the | tstats command, or the | datamodel command (Option A). Acceleration pre-computes and stores results for quicker access, enhancing the performance of searches and analyses that utilize the data model, especially for large datasets. This makes accelerated data models highly efficient for use in various analytical tools and commands within Splunk.

• Question 118:

  By default search results are not returned in ________ order.

  A. Chronological

  B. Reverser chronological

  C. ASCIE

  D. Alphabetical

  Correct Answer: AD

• Question 119:

  Which command can include both an over and a by clause to divide results into sub- groupings?

  A. chart

  B. stats

  C. xyseries

  D. transaction

  Correct Answer: A

• Question 120:

  During the validation step of the Field Extractor workflow:

  Select your answer.

  A. You can remove values that aren't a match for the field you want to define

  B. You can validate where the data originated from

  C. You cannot modify the field extraction

  Correct Answer: A

  During the validation step of the Field Extractor workflow, you can remove values that aren't a match for the field you want to define2. The validation step allows you to review and edit the values that have been extracted by the FX and make sure they are correct and consistent2. You can remove values that aren't a match by clicking on them and selecting Remove Value from the menu2. This will exclude them from your field extraction and update the regular expression accordingly2. Therefore, option A is correct, while options B and C are incorrect because they are not actions that you can perform during the validation step of the Field Extractor workflow.