
Splunk Questions 1

The document contains 25 multiple choice questions about various Splunk commands, functions, and concepts. It tests knowledge of topics like transactions, field extraction, macros, workflows, pivots, data models, and the Common Information Model add-on. Correct answers are identified for each question to help assess a user's understanding of Splunk functionality and capabilities.

Uploaded by splkmode
Copyright © All Rights Reserved

Splunk Question

Part 1
1. Which of the following statements would help a user choose between the transaction and stats commands?

A. stats can only group events using IP addresses.

B. The transaction command is faster and more efficient.

C. There is a 1000 event limitation with the transaction command.

D. Use stats when the events need to be viewed as a single correlated event.

2. When using the transaction command, what does the argument maxspan do?

A. Sets the maximum total time between events in a transaction.

B. Sets the maximum length of all the events within a transaction.

C. Sets the maximum total time between the earliest and latest events in a transaction.

D. Sets the maximum length that any single event can reach to be included in the transaction.

3. When using the Field Extractor (FX), which of the following delimiters will work? (Choose all that apply.)

A. Tabs

B. Pipes

C. Colons

D. Spaces

4. If no value is specified with the fillnull command, what default value will be used?

A. 0

B. N/A

C. –

D. NULL

5. Which of the following statements about tags is true?

A. Tags are case insensitive.

B. Tags are created at index time.

C. Tags can make your data more understandable.

D. Tags are searched by using the syntax tag::
6. Which of the following are required to create a POST workflow action?

A. Label, URI, search string.

B. XML attributes, URI, name.

C. Label, URI, post arguments.

D. URI, search string, time range picker.

7. What information must be included when using the datamodel command?

A. status field

B. Multiple indexes

C. Data model field name.

D. Data model dataset name.

8. Which of the following statements describes POST workflow actions?

A. POST workflow actions are always encrypted.

B. POST workflow actions cannot use field values in their URI.

C. POST workflow actions cannot be created on custom sourcetypes.

D. POST workflow actions can open a web page in either the same window or a new window.

9. After manually editing a regular expression (regex), which of the following statements is true?

A. Changes made manually can be reverted in the Field Extractor (FX) UI.

B. It is no longer possible to edit the field extraction in the Field Extractor (FX) UI.

C. It is not possible to manually edit a regular expression (regex) that was created using the Field Extractor (FX) UI.

D. The Field Extractor (FX) UI keeps its own version of the field extraction in addition to the one that was manually edited.

10. Which of the following statements describes field aliases?

A. Field alias names replace the original field name.

B. Field aliases can be used in lookup file definitions.

C. Field aliases only normalize data across sources and sourcetypes.

D. Field alias names are not case sensitive when used as part of a search.

11. When performing a regular expression (regex) field extraction using the Field Extractor (FX), what happens when the require option is used?

A. The regex can no longer be edited.

B. The field being extracted will be required for all future events.

C. The events without the required field will not display in searches.

D. Only events with the required string will be included in the extraction.

12. Which workflow uses field values to perform a secondary search?

A. POST

B. Action

C. Search

D. Sub-search

13. Which of the following is the correct way to use the datamodel command to search fields in the Web data model within the Web dataset?

A. | datamodel Web Web search | fields Web*

B. | search datamodel Web Web | fields Web*

C. | datamodel Web Web fields | search Web*

D. datamodel=Web | search Web | fields Web*

14. What does the following search do?

index=corndog type=mysterymeat action=eaten | stats count as corndog_count by user

A. Creates a table of the total count of users and split by corndogs.

B. Creates a table of the total count of mysterymeat corndogs split by user.

C. Creates a table with the count of all types of corndogs eaten split by user.

D. Creates a table that groups the total number of users by vegetarian corndogs.

15. In what order are the following knowledge objects/configurations applied?

A. Field Aliases, Field Extractions, Lookups
B. Field Extractions, Field Aliases, Lookups

C. Field Extractions, Lookups, Field Aliases

D. Lookups, Field Aliases, Field Extractions

16. Which of the following statements about data models and pivot are true? (Choose all that apply.)

A. They are both knowledge objects.

B. Data models are created out of datasets called pivots.

C. Pivot requires users to input SPL searches on data models.

D. Pivot allows the creation of data visualizations that present different aspects of a data model.

17. Which type of visualization shows relationships between discrete values in three dimensions?

A. Pie chart

B. Line chart

C. Bubble chart

D. Scatter chart

18. Which of the following statements describe the command below? (Choose all that apply.)

sourcetype=access_combined | transaction JSESSIONID

A. An additional field named maxspan is created.

B. An additional field named duration is created.

C. An additional field named eventcount is created.

D. Events with the same JSESSIONID will be grouped together into a single event.

19. When is a GET workflow action needed?

A. To send field values to an external resource.

B. To retrieve information from an external resource.

C. To use field values to perform a secondary search.

D. To define how events flow from forwarders to indexes.

20. A field alias has been created based on an original field. A search without any transforming commands is then executed in Smart Mode.

Which field name appears in the results?

A. Both will appear in the All Fields list, but only if the alias is specified in the search.

B. Both will appear in the Interesting Fields list, but only if they appear in at least 20 percent of events.

C. The original field only appears in All Fields list and the alias only appears in the Interesting Fields list.

D. The alias only appears in the All Fields list and the original field only appears in the Interesting Fields list.

21. What does the Splunk Common Information Model (CIM) add-on include? (Choose all that apply.)

A. Custom visualizations

B. Pre-configured data models

C. Fields and event category tags

D. Automatic data model acceleration

22. Which workflow action method can be used when the action type is set to link?

A. GET

B. PUT

C. Search

D. UPDATE

23. Which command can include both an over and a by clause to divide results into sub-groupings?

A. chart

B. stats

C. xyseries

D. transaction

24. Which of the following statements about macros is true? (Choose all that apply.)

A. Arguments are defined at execution time.

B. Arguments are defined when the macro is created.

C. Argument values are used to resolve the search string at execution time.

D. Argument values are used to resolve the search string when the macro is created.

25. Which of the following knowledge objects represents the output of an eval expression?

A. Eval fields

B. Calculated fields

C. Field extractions

D. Calculated lookups
