SPLK-1002 Practice Question and Answers

A.  

tag=Priv

B.  

tag=Priv*

C.  

tag=priv*

D.  

tag=privileged

A.  

Sets the maximum total time between events in a transaction.

B.  

Sets the maximum length of all events within a transaction.

C.  

Sets the maximum total time between the earliest and latest events in a transaction.

D.  

Sets the maximum length that any single event can reach to be included in the transaction.

A.  

Turned off

B.  

Turned on

C.  

Determined automatically based on the sourcetype.

D.  

Determined automatically based on the data source.

A.  

skipped or deferred

B.  

automatically accelerated

C.  

deleted

D.  

all of the above

A.  

You can remove values that aren't a match for the field you want to define

B.  

You can validate where the data originated from

C.  

You cannot modify the field extraction

A.  

In a field.

B.  

In an index.

C.  

In a KV Store.

D.  

In a database.

A.  

Transaction datasets

B.  

Events datasets

C.  

Search datasets

D.  

Any child of event, transaction, and search datasets

A.  

Tag= Priv

B.  

Tag= Pri*

C.  

Tag= Priv*

D.  

Tag= Privileged

A.  

Display as selected fields.

B.  

Sorted

C.  

Charted based on time

D.  

Matching

A.  

chart sales by product_name

B.  

chart sum(price) as sales by product_name

C.  

stats sum(price) as sales over product_name

D.  

timechart list(sales), values(product_name)

A.  

It doesn't matter whether eval or sort is used first.

B.  

Convert the numeric to a string with eval first, then sort.

C.  

Use sort first, then convert the numeric to a string with eval.

D.  

You cannot use the sort command and the eval command on the same field.

A.  

Events in the transaction occurred within 5 seconds.

B.  

It groups events that share the same clientip and host.

C.  

The first and last events are no more than 5 seconds apart.

D.  

The first and last events are no more than 30 seconds apart.

A.  

This is a valid search and will display a timechart of the average duration, of each transaction event.

B.  

This is a valid search and will display a stats table showing the maximum pause among transactions.

C.  

No results will be returned because the transaction command must include the startswith and endswith options.

D.  

No results will be returned because the transaction command must be the last command used in the search pipeline.

A.  

Int ()

B.  

Count ( )

C.  

Print ()

D.  

Tostring ()

A.  

CIM is a methodology for normalizing data.

B.  

CIM can correlate data from different sources.

C.  

The Knowledge Manager uses the CIM to create knowledge objects.

D.  

CIM is an app that can coexist with other apps on a single Splunk deployment.

A.  

The regex can no longer be edited.

B.  

The field being extracted will be required for all future events.

C.  

The events without the required field will not display in searches.

D.  

Only events with the required string will be included in the extraction.

A.  

index=main source=mySource oldField=* |'makeMyField(oldField)'| table _time newField

B.  

index=main source=mySource oldField=* | stats if('makeMyField(oldField)') | table _time newField

C.  

index=main source=mySource oldField=* | eval newField='makeMyField(oldField)'| table _time newField

D.  

index=main source=mySource oldField=* | "'newField('makeMyField(oldField)')'" | table _time newField

A.  

Tags are case insensitive.

B.  

Tags are created at index time.

C.  

Tags can make your data more understandable.

D.  

Tags are searched by using the syntax tag: :

A.  

Rank

B.  

Weight

C.  

Priority

D.  

Precedence

A.  

Tag-

B.  

Tag

C.  

Tag=::

D.  

Tag::=

A.  

An additional filed named maxspan is created.

B.  

An additional field named duration is created.

C.  

An additional field named eventcount is created.

D.  

Events with the same JSESSIONID will be grouped together into a single event.

A.  

Groups a set of transactions based on time.

B.  

Creates a single event from a group of events.

C.  

Separates two events based on one or more values.

D.  

Returns the number of credit card transactions found in the event logs.

A.  

By default. Search workflow actions will run as a real-time search.

B.  

Search workflow actions can be configured as scheduled searches,

C.  

The user can define the time range of the search when created the workflow action.

D.  

Search workflow actions cannot be configured with a search string that includes the transaction command

A.  

Only in a large distributed Splunk environment.

B.  

When calculating results from one or more fields.

C.  

When event grouping is based on start/end values.

D.  

When grouping events results in over 1000 events in each group.

A.  

maxcount

B.  

duration

C.  

eventcount

A.  

Rename a field in the index

B.  

remove duplicate values

C.  

provide an additional alias for the field that can

D.  

A.  

a list of events

B.  

transactions

C.  

statistical values