Splunk Splunk Certifications SPLK-1002 Questions & Answers

• Question 41:

  This function of the stats command allows you to return the middle-most value of field X.

  A. Median(X)

  B. Eval by X

  C. Fields(X)

  D. Values(X)

  Correct Answer: A

• Question 42:

  Which of the following searches show a valid use of a macro? (Choose all that apply.)

  A. index=main source=mySource oldField=* |'makeMyField(oldField)'| table _time newField

  B. index=main source=mySource oldField=* | stats if(`makeMyField(oldField)') | table _time newField

  C. index=main source=mySource oldField=* | eval newField='makeMyField(oldField)'| table _time newField

  D. index=main source=mySource oldField=* | "'newField(`makeMyField(oldField)')'" | table _time newField

  Correct Answer: AC

  The searches A and C show a valid use of a macro. A macro is a reusable piece of SPL code that can be called by using single quotes (`'). A macro can take arguments, which are passed inside parentheses after the macro name. For example, `makeMyField(oldField)' calls a macro named makeMyField with an argument oldField. The searches B and D are not valid because they use double quotes ("") instead of single quotes (`').

• Question 43:

  In the following eval statement, what is the value of description if the status is 503? index=main | eval description=case(status==200, "OK", status==404, "Not found", status==500, "Internal Server Error")

  A. The description field would contain no value.

  B. The description field would contain the value 0.

  C. The description field would contain the value "Internal Server Error".

  D. This statement would produce an error in Splunk because it is incomplete.

  Correct Answer: A

  https://docs.splunk.com/Documentation/Splunk/8.1.1/SearchReference/ConditionalFunctio ns

• Question 44:

  Which search retrieves events with the event type web_errors?

  A. tag=web_errors

  B. eventtype=web_errors

  C. eventtype "web errors"

  D. eventtype (web_errors)

  Correct Answer: B

  The correct answer is B. eventtype=web_errors.

  An event type is a way to categorize events based on a search. An event type assigns a label to events that match a specific search criteria. Event types can be used to filter and group events, create alerts, or generate reports1. To search for

  events that have a specific event type, you need to use the eventtype field with the name of the event type as the value. The syntax for this is:

  eventtype=

  For example, if you want to search for events that have the event type web_errors, you can use the following syntax:

  eventtype=web_errors

  This will return only the events that match the search criteria defined by the web_errors event type.

  The other options are not correct because they use different syntax or fields that are not related to event types. These options are:

  A. tag=web_errors: This option uses the tag field, which is a way to add descriptive keywords to events based on field values. Tags are different from event types, although they can be used together. Tags can be used to filter and group events by common characteristics2.

  C. eventtype "web errors": This option uses quotation marks around the event type name, which is not valid syntax for the eventtype field. Quotation marks are used to enclose phrases or exact matches in a search3. D. eventtype (web_errors): This option uses parentheses around the event type name, which is also not valid syntax for the eventtype field. Parentheses are used to group expressions or terms in a search3. References: About event types About tags Search command cheatsheet

• Question 45:

  Which of the following searches would create a graph similar to the one below?

  

  A. index_internal seourcetype=Savesplunker | fields sourcetype, status | transaction status maxspan-id | start count states

  B. index_internal seourcetype=Savesplunker | fields sourcetype, status | transaction status maxspan-id | chart count states by -time

  C. index_internal seourcetype=Savesplunker | fields sourcetype, status | transaction status maxspan-id | timechart count by status

  D. None of these searches would generate a similart graph.

  Correct Answer: C

  The following search would create a graph similar to the one below:

  index_internal sourcetype=Savesplunker | fields sourcetype, status | transaction status maxspan=1d | timechart count by status

  The search does the following:

  It uses index_internal to specify the internal index that contains Splunk logs and metrics.

  It uses sourcetype=Savesplunker to filter events by the sourcetype that indicates the Splunk Enterprise Security app.

  It uses fields sourcetype, status to keep only the sourcetype and status fields in the events.

  It uses transaction status maxspan=1d to group events into transactions based on the status field with a maximum time span of one day between the first and last events in a transaction. It uses timechart count by status to create a time-

  based chart that shows the count of transactions for each status value over time.

  The graph shows the following:

  It is a line graph with two lines, one yellow and one blue. The x-axis is labeled with dates from Wed, Apr 4, 2018 to Tue, Apr 10, 2018.

  The y-axis is labeled with numbers from 0 to 15.

  The yellow line represents "shipped" and the blue line represents "success". The yellow line has a steady increase from 0 to 15, while the blue line has a sharp increase from 0 to 5, then a decrease to 0, and then a sharp increase to 10.

  The graph is titled "Type".

  Therefore, option C is the correct answer.

• Question 46:

  Where are the descriptions of the data models that come with the Splunk Common Information Model (CIM) Add-on documented?

  A. Datamodel command reference guide.

  B. Pivot users manual.

  C. Search and reporting user manual.

  D. CIM Add-on manual.

  Correct Answer: D

  The CIM Add-on manual contains the descriptions of the data models that come with the Splunk Common Information Model (CIM) Add-on, as well as how to set up, use, and customize the add-on. References CIM Add-on manual Splunk Common Information Model (CIM) | Splunkbase Understand and use the Common Information Model Add-on - Splunk

• Question 47:

  Which of the following options will define the first event in a transaction?

  A. startswith

  B. with

  C. startingwith

  D. firstevent

  Correct Answer: A

  The explanation is as follows:

  The transaction command is used to find transactions based on events that meet various constraints12.

  Transactions are made up of the raw text (the _raw field) of each member, the time and date fields of the earliest member, as well as the union of all other fields of each member1. The startswith option is used to define the first event in a

  transaction by specifying a search term or an expression that matches the event13. For example, | transaction clientip JSESSIONID startswith="view" will create transactions based on the clientip and JSESSIONID fields, and the first event in

  each transaction will contain the term "view" in the _raw field2.

• Question 48:

  Which of the following eval command functions is valid?

  A. int()

  B. count()

  C. print()

  D. tostring()

  Correct Answer: D

  https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/CommonEvalFunct ions

  The eval command function tostring() is valid. The tostring() function converts a numeric value to a string value. For example, tostring(3.14) returns "3.14". The other functions are not valid eval command functions.

• Question 49:

  When using the timechart command, how can a user group the events into buckets based on time?

  A. Using the span argument.

  B. Using the duration argument.

  C. Using the interval argument.

  D. Adjusting the fieldformat options.

  Correct Answer: A

• Question 50:

  This is what Splunk uses to categorize the data that is being indexed.

  A. Host

  B. Sourcetype

  C. Index

  D. Source

  Correct Answer: B