Splunk Splunk Certifications SPLK-1002 Questions & Answers

• Question 141:

  Which of the following search modes automatically returns all extracted fields in the fields sidebar?

  A. Fast

  B. Smart

  C. C. Verbose

  Correct Answer: C

  The search modes determine how Splunk processes your search and displays your results2. There are three search modes: Fast, Smart and Verbose2. The search mode that automatically returns all extracted fields in the fields sidebar is Verbose2. The Verbose mode shows all the fields that are extracted from your events, including default fields, indexed fields and search-time extracted fields2. The fields sidebar is a panel that shows the fields that are present in your search results2. Therefore, option C is correct, while options A and B are incorrect because they are not search modes that automatically return all extracted fields in the fields sidebar.

• Question 142:

  The Splunk Common Information Model (CIM) is a collection of what type of knowledge object?

  A. KV Store

  B. Lookups

  C. Saved searches

  D. Data models

  Correct Answer: D

  The Splunk Common Information Model (CIM) is a collection of data models that apply a common structure and naming convention to data from any source. A data model is a type of knowledge object that defines the structure and relationships of fields in a dataset. A data model can have one or more datasets, which are subsets of the data model that represent different aspects of the data. For example, the Network Traffic data model has datasets such as All Traffic, DNS, HTTP, etc. The CIM contains 28 pre-configured data models that cover various domains such as authentication, network traffic, web, email, etc. The CIM is implemented as an add-on that contains the JSON files for the data models, documentation, and tools that support the consistent, normalized treatment of data for maximum efficiency at search time23

  1: Splunk Core Certified Power User Track, page 10. 2: Splunk Documentation, Overview of the Splunk Common Information Model 1. 3: Splunkbase, Splunk Common Information Model (CIM) 2.

• Question 143:

  Field aliases are used to __________ data

  A. clean

  B. transform

  C. calculate

  D. normalize

  Correct Answer: D

• Question 144:

  When extracting fields, we may choose to use our own regular expressions

  A. True

  B. False

  Correct Answer: A

• Question 145:

  These users can create global knowledge objects. (Select all that apply.)

  A. users

  B. power users

  C. administrators

  Correct Answer: BC

• Question 146:

  What approach is recommended when using the Splunk Common Information Model (CIM) add-on to normalize data?

  A. Consult the CIM data model reference tables.

  B. Run a search using the authentication command.

  C. Consult the CIM event type reference tables.

  D. Run a search using the correlation command.

  Correct Answer: A

  The recommended approach when using the Splunk Common Information Model (CIM) add-on to normalize data is A. Consult the CIM data model reference tables. This is because the CIM data model reference tables provide detailed information about the fields and tags that are expected for each dataset in a data model. By consulting the reference tables, you can determine which data models are relevant for your data source and how to map your data fields to the CIM fields. You can also use the reference tables to validate your data and troubleshoot any issues with normalization. You can find the CIM data model reference tables in the Splunk documentation1 or in the Data Model Editor page in Splunk Web2. The other options are incorrect because they are not related to the CIM add-on or data normalization. The authentication command is a custom command that validates events against the Authentication data model, but it does not help you to normalize other types of data. The correlation command is a search command that performs statistical analysis on event fields, but it does not help you to map your data fields to the CIM fields. The CIM event type reference tables do not exist, as event types are not part of the CIM add-on.

• Question 147:

  Which method in the Field Extractor would extract the port number from the following event? |

  10/20/2022 - 125.24.20.1 ++++ port 54 - user: admin

  A. Delimiter

  B. rex command

  C. The Field Extractor tool cannot extract regular expressions.

  D. Regular expression

  Correct Answer: B

  The rex command allows you to extract fields from events using regular expressions. You can use the rex command to specify a named group that matches the port number in the event. For example:

  rex "\+\+\+\+port (?\d+)"

  This will create a field called port with the value 54 for the event. The delimiter method is not suitable for this event because there is no consistent delimiter between the fields. The regular expression method is not a valid option for the Field

  Extractor tool. The Field Extractor tool can extract regular expressions, but it is not a method by itself.

  Reference: 1 Splunk Core Certified Power User | Splunk

• Question 148:

  The stats command will create a _____________ by default.

  A. Table

  B. Report

  C. Pie chart

  Correct Answer: A

• Question 149:

  A calculated field is a shortcut for performing repetitive, long, or complex transformations using which of the following commands?

  A. transaction

  B. lookup

  C. stats

  D. eval

  Correct Answer: D

  The correct answer is D. eval.

  A calculated field is a field that is added to events at search time by using an eval expression. A calculated field can use the values of two or more fields that are already present in the events to perform calculations. A calculated field can be defined with Splunk Web or in the props.conf file. They can be used in searches, reports, dashboards, and data models like any other extracted field1. A calculated field is a shortcut for performing repetitive, long, or complex transformations using the eval command. The eval command is used to create or modify fields by using expressions. The eval command can perform mathematical, string, date and time, comparison, logical, and other operations on fields or values2. For example, if you want to create a new field named total that is the sum of two fields named price and tax, you can use the eval command as follows: | eval total=price+tax However, if you want to use this new field in multiple searches, reports, or dashboards, you can create a calculated field instead of writing the eval command every time. To create a calculated field with Splunk Web, you need to go to Settings > Fields > Calculated Fields and enter the name of the new field (total), the name of the sourcetype (sales), and the eval expression (price+tax). This will create a calculated field named total that will be added to all events with the sourcetype sales at search time. You can then use the total field like any other extracted field without writing the eval expression1. The other options are not correct because they are not related to calculated fields. These options are:

  A. transaction: This command is used to group events that share some common values into a single record, called a transaction. A transaction can span multiple events and multiple sources, and can be useful for correlating events that are

  related but not contiguous3.

  B. lookup: This command is used to enrich events with additional fields from an external source, such as a CSV file or a database. A lookup can add fields to events based on the values of existing fields, such as host, source, sourcetype, or

  any other extracted field.

  C. stats: This command is used to calculate summary statistics on the fields in the search results, such as count, sum, average, etc. It can be used to group and aggregate data by one or more fields.

  References:

  About calculated fields

  eval command overview

  transaction command overview

  [lookup command overview]

  [stats command overview]

• Question 150:

  When creating a data model, which root dataset requires at least one constraint?

  A. Root transaction dataset

  B. Root event dataset

  C. Root child dataset

  D. Root search dataset

  Correct Answer: B

  The correct answer is B. Root event dataset. This is because root event datasets are defined by a constraint that filters out events that are not relevant to the dataset. A constraint for a root event dataset is a simple search that returns a fairly wide range of data, such as sourcetype=access_combined. Without a constraint, a root event dataset would include all the events in the index, which is not useful for data modeling. You can learn more about how to design data models and add root event datasets from the Splunk documentation1. The other options are incorrect because root transaction datasets and root search datasets have different ways of defining their datasets, such as transaction definitions or complex searches, and root child datasets are not a valid type of root dataset.