Splunk Splunk Certifications SPLK-1002 Questions & Answers

• Question 201:

  Which of the following statements describe GET workflow actions?

  A. GET workflow actions must be configured with POST arguments.

  B. Configuration of GET workflow actions includes choosing a sourcetype.

  C. Label names for GET workflow actions must include a field name surrounded by dollar signs.

  D. GET workflow actions can be configured to open the URT link in the current window or in a new window

  Correct Answer: D

  GET workflow actions are custom actions that open a URL link when you click on a field value in your search results. GET workflow actions can be configured with various options, such as label name, base URL, URI parameters, app context, etc. One of the options is to choose whether to open the URL link in the current window or in a new window. GET workflow actions do not have to be configured with POST arguments, as they use GET method to send requests to web servers. Configuration of GET workflow actions does not include choosing a sourcetype, as they do not generate any data in Splunk. Label names for GET workflow actions must include a field name surrounded by dollar signs, as this indicates the field value that will be used to replace the variable in the URL link.

• Question 202:

  Based on the macro definition shown below, what is the correct way to execute the macro in a search string?

  

  A. Convert_sales (euro, , 79)"

  B. Convert_sales (euro, , .79)

  C. Convert_sales ($euro,$$,s79$

  D. Convert_sales ($euro, $$,S,79$)

  Correct Answer: B

  Reference: https://docs.splunk.com/Documentation/Splunk/8.0.3/Knowledge/Usesearchmacros

  The correct way to execute the macro in a search string is to use the format macro_name($arg1$, $arg2$, ...) where $arg1$, $arg2$, etc. are the arguments for the macro. In this case, the macro name is convert_sales and it takes three arguments: currency, symbol, and rate. The arguments are enclosed in dollar signs and separated by commas. Therefore, the correct way to execute the macro is convert_sales($euro$, $$, .79).

• Question 203:

  What does the following search do?

  

  A. Creates a table of the total count of users and split by corndogs.

  B. Creates a table of the total count of mysterymeat corndogs split by user.

  C. Creates a table with the count of all types of corndogs eaten split by user.

  D. Creates a table that groups the total number of users by vegetarian corndogs.

  Correct Answer: B

  The search string below creates a table of the total count of mysterymeat corndogs split by user.

  | stats count by user | where corndog=mysterymeat The search string does the following:

  It uses the stats command to calculate the count of events for each value of the user field. The stats command creates a table with two columns: user and count. It uses the where command to filter the results by the value of the corndog field.

  The where command only keeps the rows where corndog equals mysterymeat. Therefore, the search string creates a table of the total count of mysterymeat corndogs split by user.

• Question 204:

  When using timechart, how many fields can be listed after a by clause?

  A. because timechart doesn't support using a by clause.

  B. because _time is already implied as the x-axis.

  C. because one field would represent the x-axis and the other would represent the y-axis.

  D. There is no limit specific to timechart.

  Correct Answer: B

  The timechart command is used to create a time-series chart of statistical values based on your search results2. You can use the timechart command with a by clause to split the results by one or more fields and create multiple series in the chart2. However, you can only list one field after the by clause when using the timechart command because _time is already implied as the x-axis of the chart2. Therefore, option B is correct, while options A, C and D are incorrect.

• Question 205:

  Which of the following searches will return events contains a tag name Privileged?

  A. Tag= Priv

  B. Tag= Pri*

  C. Tag= Priv*

  D. Tag= Privileged

  Correct Answer: B

  Reference: https://docs.splunk.com/Documentation/PCI/4.1.0/Install/PrivilegedUserActivity A tag is a descriptive label that you can apply to one or more fields or field values in your events1. You can use tags to simplify your searches by replacing long or complex field names or values with short and simple tags1. To search for events that contain a tag name, you can use the tag keyword followed by an equal sign and the tag name1. You can also use wildcards (*) to match partial tag names1. Therefore, option B is correct because it will return events that contain a tag name that starts with Pri. Options A and D are incorrect because they will only return events that contain an exact tag name match. Option C is incorrect because it will return events that contain a tag name that starts with Priv, not Privileged.

• Question 206:

  What do events in a transaction have In common?

  A. All events In a transaction must have the same timestamp.

  B. All events in a transaction must have the same sourcetype.

  C. All events in a transaction must have the exact same set of fields.

  D. All events in a transaction must be related by one or more fields.

  Correct Answer: D

  Reference: https://docs.splunk.com/Documentation/Splunk/8.0.3/Knowledge/Abouttransactions

  A transaction is a group of events that share some common characteristics, such as fields, time, or both. A transaction can be created by using the transaction command or by defining an event type with transactiontype=true in props.conf. Events in a transaction have one or more fields in common that relate them to each other. For example, you can create a transaction based on JSESSIONID, which is a unique identifier for each user session in web logs. Events in a transaction do not have to have the same timestamp, sourcetype, or exact same set of fields. They only have to share one or more fields that define the transaction.

• Question 207:

  A calculated field maybe based on which of the following?

  A. Lookup tables

  B. Extracted fields

  C. Regular expressions

  D. Fields generated within a search string

  Correct Answer: B

  As mentioned before, a calculated field is a field that you create based on the value of another field or fields2. A calculated field can be based on extracted fields, which are fields that are extracted from your raw data using various methods such as regular expressions, delimiters or key-value pairs2. Therefore, option B is correct, while options A, C and D are incorrect because they are not types of fields that a calculated field can be based on.

• Question 208:

  To identify all of the contributing events within a transaction that contains at least one REJECT event, which syntax is correct?

  A. Index-main | REJECT trans sessionid

  B. Index-main | transaction sessionid | search REJECT

  C. Index=main | transaction sessionid | whose transaction=reject

  D. Index=main | transaction sessionid | where transaction=reject''

  Correct Answer: B

• Question 209:

  A space is an implied _____ in a search string.

  A. OR

  B. AND

  C. ()

  D. NOT

  Correct Answer: B

  A space is an implied AND in a search string, which means that it acts as a logical operator that returns events that match both terms on either side of the space2. For example, status=200 method=GET will return events that have both status=200 and method=GET2. Therefore, option B is correct, while options A, C and D are incorrect because they are not implied by a space in a search string.

• Question 210:

  Selected fields are displayed ______each event in the search results.

  A. below

  B. interesting fields

  C. other fields

  D. above

  Correct Answer: A

  Selected fields are fields that you choose to display in your search results by clicking on them in the Fields sidebar or by using the fields command2. Selected fields are displayed below each event in the search results, along with their values2. Therefore, option A is correct, while options B, C and D are incorrect because they are not places where selected fields are displayed.