Splunk Splunk Certifications SPLK-1002 Questions & Answers

• Question 121:

  A report scheduled to run every 15 mins. but takes 17 mins. to complete is in danger of being_____.

  A. skipped or deferred

  B. automatically accelerated

  C. deleted

  D. all of the above

  Correct Answer: A

  A report that is scheduled to run every 15 minutes but takes 17 minutes to complete is in danger of being skipped or deferred2. This means that Splunk may skip some scheduled runs of the report if they overlap with previous runs that are still in progress or defer them until the previous runs are finished2. This can affect the accuracy and timeliness of the report results and notifications2. Therefore, option A is correct, while options B, C and D are incorrect because they are not consequences of a report taking longer than its schedule interval.

• Question 122:

  If there are fields in the data with values that are " " or empty but not null, which of the following would add a value?

  A. | eval notNULL = if(isnull (notNULL), "0" notNULL)

  B. | eval notNULL = if(isnull (notNULL), "0"

  C. | eval notNULL = "" | nullfill value=0 notNULL

  D. | eval notNULL = "" fillnull value=0 notNULL

  Correct Answer: D

  The correct answer is D. | eval notNULL = "" fillnull value=0 notNULL

  Option A is incorrect because it is missing a comma between the "0" and the notNULL in the if function. The correct syntax for the if function is if (condition, true_value, false_value). Option B is incorrect because it is missing the false_value argument in the if function. The correct syntax for the if function is if (condition, true_value, false_value). Option C is incorrect because it uses the nullfill command, which only replaces null values, not empty strings. The nullfill command is equivalent to fillnull value=null. Option D is correct because it uses the eval command to assign an empty string to the notNULL field, and then uses the fillnull command to replace the empty string with a zero. The fillnull command can replace any value with a specified replacement, not just null values.

• Question 123:

  Which function should you use with the transaction command to set the maximum total time between the earliest and latest events returned?

  A. maxpause

  B. endswith

  C. maxduration

  D. maxspan

  Correct Answer: D

  The maxspan function of the transaction command allows you to set the maximum total time between the earliest and latest events returned. The maxspan function is an argument that can be used with the transaction command to specify the start and end constraints for the transactions. The maxspan function takes a time modifier as its value, such as 30s, 5m, 1h, etc. The maxspan function sets the maximum time span between the first and last events in a transaction. If the time span between the first and last events exceeds the maxspan value, the transaction will be split into multiple transactions.

• Question 124:

  Which of the following is true about Pivot?

  A. Users can save reports from Pivot.

  B. Users cannot share visualizations created with Pivot.

  C. Users must use SPL to find events in a Pivot.

  D. Users cannot create visualizations with Pivot.

  Correct Answer: A

  In Splunk, Pivot is a tool that allows you to report on a specific data set without using the Splunk Search Processing Language (SPLTM)1. You can use a drag-and-drop interface to design and generate pivots that present different aspects of

  your data in the form of tables, charts, and other visualizations12.

  One of the features of Pivot is that it allows you to save your reports1. This can be useful when you want to reuse a report or share it with others1. Therefore, it's not true that users cannot share visualizations created with Pivot or that they

  must use SPL to find events in a Pivot12. It's also not true that users cannot create visualizations with Pivot, as creating visualizations is one of the main functions of Pivot12.

• Question 125:

  The fields sidebar does not show________. (Select all that apply.)

  A. interesting fields

  B. selected fields

  C. all extracted fields

  Correct Answer: C

  The fields sidebar is a panel that shows the fields that are present in your search results2. The fields sidebar does not show all extracted fields, which are fields that are extracted from your raw data using various methods such as regular expressions, delimiters or key-value pairs2. The fields sidebar only shows selected fields and interesting fields2. Selected fields are fields that you choose to display in your search results by clicking on them in the fields sidebar or by using the fields command2. Interesting fields are fields that appear in at least 20 percent of events or have high variability among values2. Therefore, option C is correct, while options A and B are incorrect because they are types of fields that the fields sidebar does show.

• Question 126:

  Which statement is true?

  A. Pivot is used for creating datasets.

  B. Data model are randomly structured datasets.

  C. Pivot is used for creating reports and dashboards.

  D. In most cases, each Splunk user will create their own data model.

  Correct Answer: C

  Reference: https://docs.splunk.com/Documentation/Splunk/8.0.3/Pivot/IntroductiontoPivot

  Pivot is used for creating reports and dashboards. Pivot is a tool that allows you to create reports and dashboards from your data models without writing any SPL commands. Pivot can help you visualize and analyze your data using various options, such as filters, rows, columns, cells, charts, tables, maps, etc. Pivot can also help you accelerate your reports and dashboards by using summary data from your accelerated data models. Pivot is not used for creating datasets or data models. Datasets are collections of events that represent your data in a structured and hierarchical way. Data models are predefined datasets for various domains, such as network traffic, web activity, authentication, etc. Datasets and data models can be created by using commands such as datamodel or pivot.

• Question 127:

  Which of the following is included with the Common Information Model (CIM) add-on?

  A. Search macros

  B. Event category tags

  C. Workflow actions

  D. tsidx files

  Correct Answer: B

  The correct answer is B. Event category tags. This is because the CIM add- on contains a collection of preconfigured data models that you can apply to your data at search time. Each data model in the CIM consists of a set of field names and tags that define the least common denominator of a domain of interest. Event category tags are used to classify events into high-level categories, such as authentication, network traffic, or web activity. You can use these tags to filter and analyze events based on their category. You can learn more about event category tags from the Splunk documentation12. The other options are incorrect because they are not included with the CIM add-on. Search macros are reusable pieces of search syntax that you can invoke from other searches. They are not specific to the CIM add-on, although some Splunk apps may provide their own search macros. Workflow actions are custom links or scripts that you can run on specific fields or events. They are also not specific to the CIM add-on, although some Splunk apps may provide their own workflow actions. tsidx files are index files that store the terms and pointers to the raw data in Splunk buckets. They are part of the Splunk indexing process and have nothing to do with the CIM add-on.

• Question 128:

  The eval command allows you to do which of the following? (Choose all that apply.)

  A. Format values

  B. Convert values

  C. Perform calculations

  D. Use conditional statements

  Correct Answer: ABCD

• Question 129:

  Which workflow action method can be used the action type is set to link?

  A. GET

  B. PUT

  C. Search

  D. UPDATE

  Correct Answer: A

  https://docs.splunk.com/Documentation/Splunk/8.0.2/Knowledge/SetupaGETworkflowactio n

  Define a GET workflow action

  Steps

  Navigate to Settings > Fields > Workflow Actions.

  Click New to open up a new workflow action form.

  Define a Label for the action.

  The Label field enables you to define the text that is displayed in either the field or event workflow menu. Labels can be static or include the value of relevant fields. Determine whether the workflow action applies to specific fields or event

  types in your data.

  Use Apply only to the following fields to identify one or more fields. When you identify fields, the workflow action only appears for events that have those fields, either in their event menu or field menus. If you leave it blank or enter an asterisk

  the action appears in menus for all fields.

  Use Apply only to the following event types to identify one or more event types. If you identify an event type, the workflow action only appears in the event menus for events that belong to the event type.

  For Show action in determine whether you want the action to appear in the Event menu, the Fields menus, or Both.

  Set Action type to link.

  In URI provide a URI for the location of the external resource that you want to send your field values to.

  Similar to the Label setting, when you declare the value of a field, you use the name of the field enclosed by dollar signs.

  Variables passed in GET actions via URIs are automatically URL encoded during transmission. This means you can include values that have spaces between words or punctuation characters. Under Open link in, determine whether the

  workflow action displays in the current window or if it opens the link in a new window.

  Set the Link method to get.

  Click Save to save your workflow action definition.

• Question 130:

  Use the dedup command to _____.

  A. Rename a field in the index

  B. remove duplicate values

  C. provide an additional alias for the field that can D.be used in the search criteria

  Correct Answer: B