Want to know Ucertify SPLK-1002 Exam practice test features? Want to learn more about the Splunk Core Certified Power User Exam certification experience? Study accurate Splunk SPLK-1002 answers to up-to-date SPLK-1002 questions at Ucertify. Get a success with an absolute guarantee to pass the Splunk SPLK-1002 (Splunk Core Certified Power User Exam) test on your first attempt.

Check SPLK-1002 free dumps before getting the full version:

NEW QUESTION 1

What is a limitation of searches generated by workflow actions?

  • A. Searches generated by workflow action cannot use macros.
  • B. Searches generated by workflow actions must be less than 256 characters long.
  • C. Searches generated by workflow action must run in the same app as the workflow action.
  • D. Searches generated by workflow action run with the same permissions as the user running them.

Answer: D

NEW QUESTION 2

To identify all of the contributing events within a transaction that contains at least one REJECT event, which syntax is correct?

  • A. Index-main | REJECT trans sessionid
  • B. Index-main | transaction sessionid | search REJECT
  • C. Index=main | transaction sessionid | whose transaction=reject
  • D. Index=main | transaction sessionid | where transaction=reject

Answer: D

NEW QUESTION 3

Which of the following statements describes macros?

  • A. A macro is a reusable search string that must contain the full search.
  • B. A macro is a reusable search string that must have a fixed time range.
  • C. A macro is a reusable search string that may have a flexible time range.
  • D. A macro is a reusable search string that must contain only a portion of the search.

Answer: C

NEW QUESTION 4

We can use the rename command to ______ (Select all that apply.)

  • A. Change indexed fields
  • B. Exclude fields from our search results
  • C. Extract new fields from our data using regular expressions
  • D. Give a field a new name at search time

Answer: D

NEW QUESTION 5

Which of the following statements about event types is true? (select all that apply)

  • A. Event types can be tagged.
  • B. Event types must include a time range.
  • C. Event types categorize events based on a search.
  • D. Event types can be a useful method for capturing and sharing knowledge.

Answer: AC

NEW QUESTION 6

Which of the following are valid options with the chart command?

  • A. useother
  • B. usenull
  • C. fillfield
  • D. usefiled

Answer: AB

NEW QUESTION 7

Which of the following statements is true, especially in large environments?

  • A. Use the stats command when you need to group events by two or more fields.
  • B. The stats command is faster and more efficient than the transaction command
  • C. The transaction command is faster and more efficient than the stats command.
  • D. Use the transaction command when you want to see the results of a calculation.

Answer: B

NEW QUESTION 8

When using the Field Extractor (FX), which of the following delimiters will work? (select all that apply)

  • A. Tabs
  • B. Pipes
  • C. Colons
  • D. Spaces

Answer: ABD

NEW QUESTION 9

Which of the following describes the Splunk Common Information Model (CIM) add-on?

  • A. The CIM add-on uses machine learning to normalize data.
  • B. The CIM add-on contains dashboards that show how to map data.
  • C. The CIM add-on contains data models to help you normalize data.
  • D. The CIM add-on is automatically installed in a Splunk environment.

Answer: C

NEW QUESTION 10

What does the following search do?
(Exhibit: search string shown as an image; not reproduced here.)

  • A. Creates a table of the total count of users and split by corndogs.
  • B. Creates a table of the total count of mysterymeat corndogs split by user.
  • C. Creates a table with the count of all types of corndogs eaten split by user.
  • D. Creates a table that groups the total number of users by vegetarian corndogs.

Answer: A

NEW QUESTION 11

Clicking a SEGMENT on a chart, _______.

  • A. drills down for that value
  • B. highlights the field value across the chart
  • C. adds the highlighted value to the search criteria

Answer: C

NEW QUESTION 12

A space is an implied _____ in a search string.

  • A. OR
  • B. AND
  • C. ()
  • D. NOT

Answer: B

NEW QUESTION 13

In which of the following scenarios is an event type more effective than a saved search?

  • A. When a search should always include the same time range.
  • B. When a search needs to be added to other users' dashboards.
  • C. When the search string needs to be used in future searches.
  • D. When formatting needs to be included with the search string.

Answer: D

NEW QUESTION 14

What does the fillnull command replace null values with, if the value argument is not specified?

  • A. N/A
  • B. NaN
  • C. NULL

Answer: A

NEW QUESTION 15

When performing a regular expression (regex) field extraction using the Field Extractor (FX), what happens when the require option is used?

  • A. The regex can no longer be edited.
  • B. The field being extracted will be required for all future events.
  • C. The events without the required field will not display in searches.
  • D. Only events with the required string will be included in the extraction.

Answer: D

NEW QUESTION 16

What will you learn from the results of the following search? sourcetype=cisco_esa | transaction mid, dcid, icid | timechart avg(duration)

  • A. The average time elapsed during each transaction for all transactions
  • B. The average time for each event within each transaction
  • C. The average time between each transaction

Answer: A

NEW QUESTION 17

Which of the following commands will show the maximum bytes?

  • A. sourcetype=access_* | maximum totals by bytes
  • B. sourcetype=access_* | avg (bytes)
  • C. sourcetype=access_* | stats max(bytes)
  • D. sourcetype=access_* | max(bytes)

Answer: C

NEW QUESTION 18

Using the export function, you can export search results as _______. (Select all that apply)

  • A. Xml
  • B. Json
  • C. Html
  • D. A php file

Answer: AB

NEW QUESTION 19

Given the macro definition below, what should be entered into the Name and Arguments fields to correctly configure the macro?
(Exhibit: macro definition shown as an image; not reproduced here.)

  • A. The macro name is sessiontracker and the argument are action, JESSION.
  • B. The macro name is sessiontracker (2) and the action JESSIONID
  • C. The macro name is sessiontracker and the argument are sectional ,$ JESSIONIDS.
  • D. The macro name is sessiontracker (2) and the argument are $action ,$JESSIONIDS.

Answer: B

NEW QUESTION 20

Which of the following statements describes this search? sourcetype=access_combined | transaction JSESSIONID | timechart avg(duration)

  • A. This is a valid search and will display a timechart of the average duration, of each transaction event.
  • B. This is a valid search and will display a stats table showing the maximum pause among transactions.
  • C. No results will be returned because the transaction command must include the startswith and endswith options.
  • D. No results will be returned because the transaction command must be the last command used in the search pipeline.

Answer: A

NEW QUESTION 21

When using timechart, how many fields can be listed after a by clause? (Choose Two)

  • A. because timechart doesn't support using a by clause.
  • B. because _time is already implied as the x-axis.
  • C. because one field would represent the x-axis and the other would represent the y-axis.
  • D. There is no limit specific to timechart.

Answer: BD

NEW QUESTION 22

Selected fields are displayed ______ each event in the search results.

  • A. below
  • B. interesting fields
  • C. other fields
  • D. above

Answer: A

NEW QUESTION 23

When should you use the transaction command instead of the stats command?

  • A. When you need to group on multiple values.
  • B. When duration is irrelevant in search results.
  • C. .
  • D. When you have over 1000 events in a transaction.
  • E. When you need to group based on start and end constraints.

Answer: C

NEW QUESTION 24
......

P.S. Certifytools is now offering SPLK-1002 dumps with a 100% pass guarantee! All SPLK-1002 exam questions have been updated with correct answers: https://www.certifytools.com/SPLK-1002-exam.html (153 New Questions)