Splunk Core Certified Power User.SPLK-1002.ActualTests.2021-01-25.96q

Fausto Damian Cadena

問題数 228 • 4/21/2024

記憶度

完璧

34問

覚えた

81問

うろ覚え

0問

苦手

0問

未解答

0問

アカウント登録して、解答結果を保存しよう

問題一覧

Which one of the following statements about the search command is true?

It behaves exactly like search strings before the first pipe.

Which of the following actions can the eval command perform?

Create or replace an existing field.

When can a pipe follow a macro?

A pipe may always follow a macro.

Data models are composed of one or more of which of the following datasets? (Choose all that apply.)

Events datasets, Search datasets, Transaction datasets

When using the Field Extractor (FX), which of the following delimiters will work? (Choose all that apply.)

Pipes, Spaces

Which group of users would most likely use pivots?

Knowledge Managers

When multiple event types with different color values are assigned to the same event, what determines the color displayed for the event?

Priority

Based on the macro definition shown below, what is the correct way to execute the macro in a search string?

'convert_sales(euro,€,.79)'

There are several ways to access the field extractor. Which option automatically identifies the data type, source type, and sample event?

Event Actions > Extract Fields

Which of the following statements would help a user choose between the transaction and stats commands?

There is a 1000 event limitation with the transaction command.

By default, how is acceleration configured in the Splunk Common Information Model (CIM) add-on?

Turned off.

Which of the following statements describe the Common Information Model (CIM)? (Choose all that apply.)

CIM is a methodology for normalizing data., CIM can correlate data from different sources., CIM is an app that can coexist with other apps on a single Splunk deployment.

Which of the following knowledge objects represents the output of an eval expression?

Calculated fields

What do events in a transaction have in common?

All events in a transaction must be related by one or more fields.

Which delimiters can the Field Extractor (FX) detect? (Choose all that apply.)

Commas, Spaces, Pipes

A data model consists of which three types of datasets?

Events, searches, transactions.

Where are the results of eval commands stored?

In a field.

Which of the following statements describe calculated fields? (Choose all that apply.)

Calculated fields can be used in the search bar., Calculated fields can be based on an extracted field., Calculated fields are shortcuts for performing calculations using the eval command.

Calculated fields can be based on which of the following?

Extracted fields

When should transaction be used?

When event grouping is based on start/end values.

When performing a regular expression (regex) field extraction using the Field Extractor (FX), what happens when the require option is used?

Only events with the required string will be included in the extraction.

When using | timechart by host, which field is represented in the x-axis?

_time

Which of the following is the correct way to use the datamodel command to search fields in the Web data model within the Web dataset?

| datamodel Web Web search | fields Web*

Which of the following statements describe the command below? (Choose all that apply.) sourcetype=access_combined | transaction JSESSIONID

An additional field named duration is created., An additional field named eventcount is created., Events with the same JSESSIONID will be grouped together into a single event.

Which of the following searches will return events containing a tag named Privileged?

tag=Priv*

Given the macro definition below, what should be entered into the Name and Arguments fields to correctly configure the macro?

The macro name is sessiontracker(2) and the arguments are action, JESSIONID.

What is required for a macro to accept three arguments?

The macro's name ends with (3).

Which workflow action method can be used when the action type is set to link?

GET

Which of the following statements about tags is true? (Choose all that apply.)

Tags are based on field/value pairs., Tags are designed to make data more understandable.

Which of the following statements about macros is true? (Choose all that apply.)

Arguments are defined at execution time., Argument values are used to resolve the search string at execution time.

Information needed to create a GET workflow action includes which of the following? (Choose all that apply.)

A name for the workflow action., A URI where the user will be directed at search time., A label that will appear in the Event Action menu at search time.

Which of the following can be used with the eval command tostring function? (Choose all that apply.)

"hex" , "commas", "duration"

Which of the following searches show a valid use of a macro? (Choose all that apply.)

index=main source=mySource oldField=* |'makeMyField(oldField)'| table _time newField, index=main source=mySource oldField=* | stats if('makeMyField(oldField)') | table _time newField

A user wants to convert numeric field values to strings and also to sort on those values. Which command should be used first, the eval or the sort?

Convert the numeric to a string with eval first, then sort.

Which Knowledge Object does the Splunk Common Information Model (CIM) use to normalize data, in addition to field aliases, event types, and tags?

Lookups, Field extractions

Which of the following statements describe data model acceleration? (Choose all that apply.)

Accelerated data models cannot be edited., Private data models cannot be accelerated., You must have administrative permissions or the accelerate_datamodel capability to accelerate a data model.

How does a user display a chart in stack mode?

By changing Stack Mode in the Format menu.

If no value is specified with the fillnull command, what default value will be used?

What other syntax will produce exactly the same results as | chart count over vendor_action by user?

| chart count by vendor_action, user

What are the two parts of a root event dataset?

Constraints and fields.

When using timechart, how many fields can be listed after a by clause?

because _time is already implied as the x-axis.

A field alias has been created based on an original field. A search without any transforming commands is then executed in Smart Mode. Which field name appears in the results?

Both will appear in the Interesting Fields list, but only if they appear in at least 20 percent of events.

Which of the following statements describes macros?

A macro is a reusable search string that may have a flexible time range.

In what order are the following knowledge objects/configurations applied?

Field Extractions, Field Aliases, Lookups

In which of the following scenarios is an event type more effective than a saved search?

When the search string needs to be used in future searches.

When using the transaction command, what does the argument maxspan do?

Sets the maximum total time between the earliest and latest events in a transaction.

When creating a Search workflow action, which field is required?

Search string

To identify all of the contributing events within a transaction that contain at least one REJECT event, which syntax is correct?

index=main | transaction sessionid | search REJECT

After manually editing a regular expression (regex), which of the following statements is true?

It is no longer possible to edit the field extraction in the Field Extractor (FX) UI.

Which of the following statements describes POST workflow actions?

POST workflow actions can be configured to send POST arguments to the URI location.

Which of the following statements is true, especially in large environments?

The stats command is faster and more efficient than the transaction command.

What does the following search do? index=corndog type= mysterymeat action=eaten | stats count as corndog_count by user

Creates a table of the total count of mysterymeat corndogs split by user.

Which of the following statements about event types is true? (Choose all that apply.)

Event types can be tagged., Event types categorize events based on a search.

The Field Extractor (FX) is used to extract a custom field. A report can be created using this custom field. The created report can then be shared with other people in the organization. If another person in the organization runs the shared report and no results are returned, why might this be? (Choose all that apply.)

The extraction is private., The person in the organization running the report does not have access to the index.

Which of the following statements describe the search string below? | datamodel Application_State All_Application_State search

Events will be returned from the data model named Application_State.

What is the correct syntax to search for a tag associated with a value on a specific field?

tag::<field>=<tagname>

In most large Splunk environments, what is the most efficient command that can be used to group events by fields?

stats

Which workflow uses field values to perform a secondary search?

Which of the following statements describes field aliases?

Field aliases can be used in lookup file definitions.

Which statement is true?

Pivot is used for creating reports and dashboards.

Which of the following statements describes the use of the Field Extractor (FX)?

Fields extracted using the Field Extractor persist as knowledge objects.

Which of the following searches would return a report of sales by product_name?

chart sum(price) as sales by product_name

Which of the following data model are included In the Splunk Common Information Model (CIM) add-on? (select all that apply)

Alerts, Email, Databases

What is a limitation of searches generated by workflow actions?

Searches generated by workflow actions run with the same permissions as the user running them.

Which of the following searches would create a graph similar to the one below?

index=_internal sourcetype=SavedSplunker | fields sourcetype, status | transaction status maxspan=1d | timechart count by status

What does the transaction command do?

Creates a single event from a group of events.

What is the relationship between data models and pivots?

Data models provide the datasets for pivots.

Which of the following statements describes Search workflow actions?

The user can define the time range of the search when created the workflow action.

Which of the following commands support the same set of functions?

stats, chart, timechart

The eval command allows you to do which of the following? (Choose all that apply.)

Format values, Convert values, Perform calculations, Use conditional statements

When using the timechart command, how can a user group the events into buckets based on time?

Using the span argument.

Which of the following statements about data models and pivot are true? (Choose all that apply.)

Data models are created out of datasets called pivots., Pivot allows the creation of data visualizations that present different aspects of a data model.

Data model fields can be added using the Auto-Extracted method. Which of the following statements describe Auto-Extracted fields? (Choose all that apply.)

Auto-Extracted fields can be hidden in Pivot., Auto-Extracted fields can be given a friendly name for use in Pivot., Auto-Extracted fields can be added if they already exist in the dataset with constraints.

Which type of visualization shows relationships between discrete values in three dimensions?

Bubble chart

Which of the following is a function of the Splunk Common Information Model (CIM)?

Normalizing data across a Splunk deployment.

What information must be included when using the datamodel command?

Data model dataset name.

Which of the following workflow actions can be executed from search results? (Choose all that apply.)

GET, POST, Search

Which of the following eval command functions is valid?

tostring()

A calculated field may be based on which of the following?

Extracted fields

A data model can consist of what three types of datasets?

Events, searches, and transactions.

When is a GET workflow action needed?

To send field values to an external resource.

Which of the following statements describe GET workflow actions?

GET workflow actions can be configured to open the URI link in the current window or in a new window.

Which are valid ways to create an event type? (Choose all that apply.)

By selecting an event in search results and clicking Event Actions > Build Event Type., By going to the Settings menu and clicking Event Types > New.

Which command can include both an over and a by clause to divide results into sub-groupings?

chart

Which of the following statements describes POST workflow actions?

POST workflow actions can open a web page in either the same window or a new .

What does the Splunk Common Information Model (CIM) add-on include? (Choose all that apply.)

Pre-configured data models, Fields and event category tags

Which of the following file formats can be extracted using a delimiter field extraction?

CSV

A user wants to create a new field alias for a field that appears in two sourcetypes. How many field aliases need to be created?

Two.

In the following eval statement, what is the value of description if the status is 503? index=main | eval description=case(status==200, "OK", status==404, "Not found", status==500, "Internal Server Error")

The description field would contain no value.

In which Settings section are macros defined?

Advanced Search

Which of the following statements describes calculated fields?

Calculated fields are a shortcut for repetitive and complex eval commands.

Which of the following are required to create a POST workflow action?

Label, URI, post arguments.

Which of the following is one of the pre-configured data models included in the Splunk Common Information Model (CIM) add-on?

Authentication

Which of the following statements describe the search below? (Choose all that apply.) index=main | transaction clientip host maxspan=30s maxpause=5s

The first and last events are no more than 30 seconds apart, It groups events that share the same clientip and host.