Splunk Splunk Certifications SPLK-1002 Questions & Answers

• Question 51:

  What type of command is eval?

  A. Streaming in some modes

  B. Report generating

  C. Distributable streaming

  D. Centralized streaming

  Correct Answer: C

  The correct answer is C. Distributable streaming. This is because the eval command is a type of command that can run on the indexers before the results are sent to the search head. This reduces the amount of data that needs to be transferred and improves the search performance. Distributable streaming commands can operate on each event or result individually, without depending on other events or results. You can learn more about the types of commands and how they affect search performance from the Splunk documentation1.

• Question 52:

  Tags can reference which of the following knowledge objects?

  A. Lookups and event types only.

  B. Extracted fields, field aliases, calculated fields, lookups, and event types.

  C. Tags cannot reference any of these knowledge objects because tags are the last knowledge objects generated in the search-time operation sequence.

  D. Extracted fields, calculated fields, and field aliases only.

  Correct Answer: B

  Tags are a type of knowledge object that enable you to assign descriptive keywords to events. Tags can reference any of the following knowledge objects: extracted fields, field aliases, calculated fields, lookups, and event types. Tags cannot reference other tags or search macros. Tags are applied to events at search time based on the values of the fields that they reference2

  1: Splunk Core Certified Power User Track, page 10. 2: Splunk Documentation, About tags and aliases.

• Question 53:

  A user wants to create a new field alias for a field that appears in two sourcetypes.

  How many field aliases need to be created?

  A. One.

  B. Two.

  C. It depends on whether the original fields have the same name.

  D. It depends on whether the two sourcetypes are associated with the same index.

  Correct Answer: B

• Question 54:

  What are search macros?

  A. Lookup definitions in lookup tables.

  B. Reusable pieces of search processing language.

  C. A method to normalize fields.

  D. Categories of search results.

  Correct Answer: B

  The correct answer is B. Reusable pieces of search processing language.

  The explanation is as follows:

  Search macros are knowledge objects that allow you to insert chunks of SPL into other searches12.

  Search macros can be any part of a search, such as an eval statement or a search term, and do not need to be a complete command12. You can also specify whether the macro field takes any arguments and define validation expressions for

  them12.

  Search macros can help you make your SPL searches shorter and easier to understand3.

  To use a search macro in a search string, you need to put a backtick character () before and after the macro name[^1^][1]. For example, mymacro`.

• Question 55:

  Which of the following describes this search?

  New Search 'third_party_outages(EMEA,-24h)'

  A. This search will find all events for the third_party_outages event type that have "EMEA" or "-24h" in the raw event data.

  B. This search will run the third_party_outages saved search and filter for events containing "EMEA" and "-24h" in the raw event data.

  C. This search will run the third_party_outages macro and pass the arguments EMEA and - 24h to the macro definition.

  D. This search will find all events in the third_party_outages index with the tags EMEA and -24h.

  Correct Answer: C

  This search will run the third_party_outages macro and pass the arguments EMEA and - 24h to the macro definition. A search macro is a reusable chunk of SPL that can be inserted into other searches. A search macro can take arguments that are used to resolve the search string at execution time. The syntax for using a search macro is macro_name (argument1, argument2, ...).ReferencesSee Use search macros in searches and Search macro examples in the Splunk Documentation.

• Question 56:

  When using | timchart by host, which filed is representted in the x-axis?

  A. date

  B. host

  C. time

  D. -time

  Correct Answer: A

• Question 57:

  What happens when a user edits the regular expression (regex) field extraction generated in the Field Extractor (FX)?

  A. There is a limit to the number of fields that can be extracted.

  B. The user is unable to preview the extractions.

  C. The extraction is added at index time.

  D. The user is unable to return to the automatic field extraction workflow.

  Correct Answer: A

• Question 58:

  In most large Splunk environments, what is the most efficient command that can be used to group events by fields/

  A. join

  B. stats

  C. streamstats

  D. transaction

  Correct Answer: B

  https://docs.splunk.com/Documentation/Splunk/8.0.2/Search/Abouttransactions In other cases, it's usually better to use the stats command, which performs more efficiently, especially in a distributed environment. Often there is a unique ID in the events and stats can be used.

• Question 59:

  Which type of visualization shows relationships between discrete values in three dimensions?

  A. Pie chart

  B. Line chart

  C. Bubble chart

  D. Scatter chart

  Correct Answer: C

  https://docs.splunk.com/Documentation/DashApp/0.9.0/DashApp/chartsBub

• Question 60:

  Which of the following searches would return a report of sales by product-name?

  A. chart sales by product_name

  B. chart sum(price) as sales by product_name

  C. stats sum(price) as sales over product_name

  D. timechart list(sales), values(product_name)

  Correct Answer: B

  https://docs.splunk.com/Documentation/Splunk/8.1.0/SearchReference/Chart https://docs.splunk.com/Documentation/Splunk/8.1.0/SearchReference/Stats