Splunk Splunk Certifications SPLK-1002 Questions & Answers

• Question 71:

  This is what Splunk uses to categorize the data that is being indexed.

  A. sourcetype

  B. index

  C. source

  D. host

  Correct Answer: A

• Question 72:

  which of the following are valid options with the chart command

  A. useother

  B. usenull

  C. fillfield

  D. usefiled

  Correct Answer: AB

• Question 73:

  Why are tags useful in Splunk?

  A. Tags look for less specific data.

  B. Tags visualize data with graphs and charts.

  C. Tags group related data together.

  D. Tags add fields to the raw event data.

  Correct Answer: C

  Tags are a type of knowledge object that enable you to assign descriptive keywords to events based on the values of their fields. Tags can help you to search more efficiently for groups of event data that share common characteristics, such as functionality, location, priority, etc. For example, you can tag all the IP addresses of your routers as router, and then search for tag=router to find all the events related to your routers. Tags can also help you to normalize data from different sources by using the same tag name for equivalent field values. For example, you can tag the field values error, fail, and critical as severity=high, and then search for severity=high to find all the events with high severity level2

  1: Splunk Core Certified Power User Track, page 10. 2: Splunk Documentation, About tags and aliases.

• Question 74:

  In which Settings section are macros defined?

  A. Fields

  B. Tokens

  C. Advanced Search

  D. Searches, Reports, Alerts

  Correct Answer: C

• Question 75:

  These kinds of charts represent a series in a single bar with multiple sections

  A. Multi-Series

  B. Split-Series

  C. Omit nulls

  D. Stacked

  Correct Answer: D

  Stacked charts represent a series in a single bar with multiple sections. A chart is a graphical representation of data that shows trends, patterns, or comparisons. A chart can have different types, such as column, bar, line, area, pie, etc. A chart can also have different modes, such as split-series, multi-series, stacked, etc. A stacked chart is a type of chart that shows multiple series in a single bar or area with different sections for each series

• Question 76:

  Which of the following about reports is/are true?

  A. Reports are knowledge objects.

  B. Reports can be scheduled.

  C. Reports can run a script.

  D. All of the above.

  Correct Answer: D

  A report is a way to save a search and its results in a format that you can reuse and share with others2. A report is also a type of knowledge object, which is an entity that you create to add knowledge to your data and make it easier to search and analyze2. Therefore, option A is correct. A report can be scheduled, which means that you can configure it to run at regular intervals and send the results to yourself or others via email or other methods2. Therefore, option B is correct. A report can run a script, which means that you can specify a script file to execute when the report runs and use it to perform custom actions or integrations2. Therefore, option C is correct. Therefore, option D is correct because all of the above statements are true for reports.

• Question 77:

  Which of the following statements best describes a macro?

  A. A macro is a method of categorizing events based on a search.

  B. A macro is a way to associate an additional (new) name with an existing field name.

  C. A macro is a portion of a search that can be reused in multiple place

  D. A macro is a knowledge object that enables you to schedule searches for specific events.

  Correct Answer: C

  The correct answer is C. A macro is a portion of a search that can be reused in multiple places.

  A macro is a way to reuse a piece of SPL code in different searches. A macro can be any part of a search, such as an eval statement or a search term, and does not need to be a complete command. A macro can also take arguments, which

  are variables that can be replaced by different values when the macro is called. A macro can also contain another macro within it, which is called a nested macro1. To create a macro, you need to define its name, definition, arguments, and

  description in the Settings > Advanced Search > Search Macros page in Splunk Web or in the macros.conf file. To use a macro in a search, you need to enclose the macro name in backtick characters (`) and provide values for the arguments

  if any1. For example, if you have a macro named my_macro that takes one argument named object and has the following definition:

  search sourcetype= object

  You can use it in a search by writing:

  my_macro(web)

  This will expand the macro and run the following SPL code:

  search sourcetype=web

  The benefits of using macros are that they can simplify complex searches, reduce errors, improve readability, and promote consistency1. The other options are not correct because they describe other types of knowledge objects in Splunk,

  not macros. These objects are:

  A. An event type is a method of categorizing events based on a search. An event type assigns a label to events that match a specific search criteria. Event types can be used to filter and group events, create alerts, or generate reports2. B. A field alias is a way to associate an additional (new) name with an existing field name. A field alias can be used to normalize fields from different sources that have different names but represent the same data. Field aliases can also be used to rename fields for clarity or convenience3.

  D. An alert is a knowledge object that enables you to schedule searches for specific events and trigger actions when certain conditions are met. An alert can be used to monitor your data for anomalies, errors, or other patterns of interest and notify you or others when they occur4. References: About event types About field aliases About alerts Define search macros in Settings Use search macros in searches

• Question 78:

  The limit attribute will___________.

  A. override default of 10

  B. only work with top command

  C. override default of 20

  D. override default of 15

  Correct Answer: A

• Question 79:

  A user wants to create a workflow action that will retrieve a specific field value from an event and run a search in a new browser window

  in the user's Splunk instance. What kind of workflow action should they create?

  A. A Run workflow action, because the user is running a new search with a specific field value from an event returned in the user's search.

  B. A Search workflow action, because the user is running a new search with a specific field value from an event returned in the user's search.

  C. A POST workflow action, because the search is being sent to the user's current Splunk instance.

  D. A GET workflow action, because a field value needs to be retrieved from the events returned in the user's search.

  Correct Answer: B

  A Search workflow action is the appropriate choice when a user wants to retrieve a specific field value from an event and run a search in a new browser window within their Splunk instance (Option B). This type of workflow action allows users to define a search that utilizes field values from selected events as parameters, enabling more detailed investigation or context-specific analysis based on the original search results.

• Question 80:

  Which of the following searches will return events containing a tag named Privileged?

  A. tag=Priv

  B. tag=Priv*

  C. tag=priv*

  D. tag=privileged

  Correct Answer: B

  The tag=Priv* search will return events containing a tag named Privileged, as well as any other tag that starts with Priv. The asterisk (*) is a wildcard character that matches zero or more characters. The other searches will not match the exact tag name.