Splunk Splunk Certifications SPLK-1002 Questions & Answers

• Question 131:

  Which of the following expressions could be used to create a calculated field called gigabytes?

  A. eval sc_bytes(1024/1024)

  B. | eval negabytes=sc_bytes(1024/1024)

  C. megabytes=sc_bytes(1024/1024)

  D. sc_bytas(1024/1024)

  Correct Answer: B

• Question 132:

  A user runs the following search:

  index--X sourcetype=Y I chart count (domain) as count, sum (price) as sum by product, action usenull=f useother--f

  Which of the following table headers match the order this command creates?

  A. The chart command does not allow for multiple statistical functions.

  B. Product, sum: addtocart, sum: remove, sum: purchase, count: addtocart, count: remove, count: purchase

  C. Product, count: addtocart, count: remove, count: purchase, sum: addtocart, sum: remove, sum: purchase

  D. Count: product, sum: product, count: action, sum: action

  Correct Answer: C

  The correct answer is C. Product, count: addtocart, count: remove, count: purchase, sum:

  addtocart, sum: remove, sum: purchase1.

  In Splunk, the chart command is used to create a table or a chart visualization from your data2. The chart command takes at least one function and one field, and optionally another field to group by2. In the given search, the chart command is

  used with two functions (count and sum), two fields (domain and price), and two fields to group by (product and action). The usenull=f and useother=f options are used to exclude null values and other values from the chart2. The chart

  command creates a table with headers that match the order of the fields and functions in the command1. The headers for the count function are prefixed with count:, and the headers for the sum function are prefixed with sum:1. The values of

  the product and action fields are used as the suffixes for the headers1. Therefore, the table headers created by this command are Product, count: addtocart, count: remove, count: purchase, sum: addtocart, sum: remove, and sum: purchase1.

• Question 133:

  When using the transaction command, what does the argument maxspan do?

  A. Sets the maximum total time between events in a transaction.

  B. Sets the maximum length of all events within a transaction.

  C. Sets the maximum total time between the earliest and latest events in a transaction.

  D. Sets the maximum length that any single event can reach to be included in the transaction.

  Correct Answer: C

  Reference: https://docs.splunk.com/Documentation/Splunk/8.0.3/SearchReference/Transaction

• Question 134:

  The macro weekly_sales (2) contains the search string:

  index--games I eval Product Sales = $price$ $AmountS01d$

  Which of the following will return results?

  A. `weekly_sales(3.99, 10) '

  B. `weekly_sales($3.99$, $10$)

  C. 'weekly_sales (3.99, 10)

  D. `weekly_sales(3)

  Correct Answer: C

  The correct answer is C. `weekly_sales (3.99, 10)'. This is because search macros accept arguments without quotation marks or dollar signs, and the number of arguments must match the number of parameters defined in the macro. The other options are incorrect because they either use quotation marks or dollar signs around the arguments, or they provide a different number of arguments than the macro expects. You can learn more about how to use search macros in searches from the Splunk documentation1.

• Question 135:

  The transaction command allows you to __________ events across multiple sources

  A. duplicate

  B. correlate

  C. persist

  D. tag

  Correct Answer: B

  The transaction command allows you to correlate events across multiple sources. The transaction command is a search command that allows you to group events into transactions based on some common characteristics, such as fields, time, or both. A transaction is a group of events that share one or more fields that relate them to each other. A transaction can span across multiple sources or sourcetypes that have different formats or structures of data. The transaction command can help you correlate events across multiple sources by using the common fields as the basis for grouping. The transaction command can also create some additional fields for each transaction, such as duration, eventcount, startime, etc.

• Question 136:

  In the Field Extractor, when would the regular expression method be used?

  A. When events contain JSON data.

  B. When events contain comma-separated data.

  C. When events contain unstructured data.

  D. When events contain table-based data.

  Correct Answer: C

  The correct answer is C. When events contain unstructured data. The regular expression method works best with unstructured event data, such as log files or text messages, where the fields are not separated by a common delimiter, such as

  a comma or space1. You select a sample event and highlight one or more fields to extract from that event, and the field extractor generates a regular expression that matches similar events in your dataset and extracts the fields from them1.

  The regular expression method provides several tools for testing and refining the accuracy of the regular expression. It also allows you to manually edit the regular expression1. The delimiters method is designed for structured event data:

  data from files with headers, where all of the fields in the events are separated by a common delimiter, such as a comma or space1. You select a sample event, identify the delimiter, and then rename the fields that the field extractor finds1.

  This method is simpler and faster than the regular expression method, but it may not work well with complex or irregular data formats1.

  Reference:

  1: Build field extractions with the field extractor - Splunk Documentation

• Question 137:

  Which of the following is true about the Splunk Common Information Model (CIM)?

  A. The data models included in the CIM are configured with data model acceleration turned off.

  B. The CIM contains 28 pre-configured datasets.

  C. The CIM is an app that needs to run on the indexer.

  D. The data models included in the CIM are configured with data model acceleration turned on.

  Correct Answer: D

  The Splunk Common Information Model (CIM) is an app that contains a set of predefined data models that apply a common structure and naming convention to data from any source. The CIM enables you to use data from different sources in a consistent and coherent way. The CIM contains 28 pre-configured datasets that cover various domains such as authentication, network traffic, web, email, etc. The data models included in the CIM are configured with data model acceleration turned on by default, which means that they are optimized for faster searches and analysis. Data model acceleration creates and maintains summary data for the data models, which reduces the amount of raw data that needs to be scanned when you run a search using a data model. Splunk Core Certified Power User Track, page 10. : Splunk Documentation, About the Splunk Common Information Model.

• Question 138:

  Which field extraction method should be selected for comma-separated data?

  A. Regular expression

  B. Delimiters

  C. eval expression

  D. table extraction

  Correct Answer: B

  The correct answer is B. Delimiters. This is because the delimiters method is designed for structured event data, such as data from files with headers, where all of the fields in the events are separated by a common delimiter, such as a comma or space. You can select a sample event, identify the delimiter, and then rename the fields that the field extractor finds. You can learn more about the delimiters method from the Splunk documentation1. The other options are incorrect because they are not suitable for comma- separated data. The regular expression method works best with unstructured event data, where you select and highlight one or more fields to extract from a sample event, and the field extractor generates a regular expression that matches similar events and extracts the fields from them. The eval expression is a command that lets you calculate new fields or modify existing fields using arithmetic, string, and logical operations. The table extraction is a feature that lets you extract tabular data from PDF files or web pages. You can learn more about these methods from the Splunk documentation23 .

• Question 139:

  There are several ways to access the field extractor. Which option automatically identifies data type, source type, and sample event?

  A. Event Actions > Extract Fields

  B. Fields sidebar > Extract New Field

  C. Settings > Field Extractions > New Field Extraction D. Settings > Field Extractions > Open Field Extraction

  Correct Answer: B

  There are several ways to access the field extractor. The option that automatically identifies data type, source type, and sample event is Fields sidebar > Extract New Field. The field extractor is a tool that helps you extract fields from your

  data using delimiters or regular expressions. The field extractor can generate a regex for you based on your selection of sample values or you can enter your own regex in the field extractor. The field extractor can be accessed by using

  various methods, such as:

  Fields sidebar > Extract New Field: This is the easiest way to access the field extractor. The fields sidebar is a panel that shows all available fields for your data and their values. When you click on Extract New Field in the fields sidebar,

  Splunk will automatically identify the data type, source type, and sample event for your data based on your current search criteria. You can then use the field extractor to select sample values and generate a regex for your new field. Event

  Actions > Extract Fields: This is another way to access the field extractor. Event actions are actions that you can perform on individual events in your search results, such as viewing event details, adding to report, adding to dashboard, etc.

  When you click on Extract Fields in the event actions menu, Splunk will use the current event as the sample event for your data and ask you to select the source type and data type for your data. You can then use the field extractor to select

  sample values and generate a regex for your new field. Settings > Field Extractions > New Field Extraction: This is a more advanced way to access the field extractor. Settings is a menu that allows you to configure various aspects of Splunk,

  such as indexes, inputs, outputs, users, roles, apps, etc. When you click on New Field Extraction in the Settings menu, Splunk will ask you to enter all the details for your new field extraction manually, such as app context, name, source type,

  data type, sample event, regex, etc. You can then use the field extractor to verify or modify your regex for your new field.

• Question 140:

  Which of the following statements about tags is true?

  A. Tags are case insensitive.

  B. Tags can make your data more understandable.

  C. Tags are created at index time.

  D. Tags are searched by using the syntax tag :: .

  Correct Answer: B

  Tags are a knowledge object that allow you to assign an alias to one or more field values . Tags are applied to events at search time and can be used as search terms or filters . Tags can help you make your data more understandable by replacing cryptic or complex field values with meaningful names . For example, you can tag the value 200 in the status field as success, or tag the value 404 as not_found .