Splunk SPLK-1002 Online Practice Questions and Exam Preparation

Splunk SPLK-1002 Online Questions & Answers

• Question 91:

  For the following search, which command would further filter for only IP addresses present more than five times?

  A. index=games I stats count as IP_count by IP B. | where IP_count > 5
  B. index=games | search IP_Count > 5
  C. index=games | where IP > 5
  D. index=games I search IP > 5
  A. index=games I stats count as IP_count by IP B. | where IP_count > 5

  ---

  Explanation/Reference:

  To filter for only IP addresses that appear more than five times in the search results for index=games, you can use a combination of the stats and where commands. The stats command counts the occurrences of each IP address and assigns

  the count to IP_count. The where command then filters the results to include only those IP addresses with a count greater than five.

  Here is how the complete search would look:

  index=games | stats count as IP_count by IP | where IP_count > 5

  References:

  Splunk Docs: stats command

  Splunk Docs: where command

  Splunk Answers: Filtering results using stats and where commands

• Question 92:

  What field must be present in order to use the timechart command?

  A. _raw
  B. rime
  C. _time
  D. index
  C. _time

  ---

  Explanation/Reference:

  The timechart command in Splunk requires the _time field to be present in the dataset because it uses time as the primary axis for charting data. The _time field represents the time of events and is essential for commands that generate

  visualizations based on time, such as timechart. This command groups the events into time intervals and performs statistical functions on those time intervals. Without the _time field, the timechart command will not function properly.

  References:

  Splunk Docs - timechart command

• Question 93:

  Which of the following searches will return events contains a tag name Privileged?

  A. Tag= Priv
  B. Tag= Pri*
  C. Tag= Priv*
  D. Tag= Privileged
  B. Tag= Pri*

  ---

  Explanation/Reference:

  Reference:https://docs.splunk.com/Documentation/PCI/4.1.0/Install/PrivilegedUserActivity

  A tag is a descriptive label that you can apply to one or more fields or field values in your events. You can use tags to simplify your searches by replacing long or complex field names or values with short and simple tags. To search for events that contain a tag name, you can use the tag keyword followed by an equal sign and the tag name. You can also use wildcards (*) to match partial tag names. Therefore, option B is correct because it will return events that contain a tag name that starts with Pri. Options A and D are incorrect because they will only return events that contain an exact tag name match. Option C is incorrect because it will return events that contain a tag name that starts with Priv, not Privileged.

• Question 94:

  For the following search, which field populates the x-axis?

  index=security sourcetype=linux secure | timechart count by action

  A. action
  B. source type
  C. _time
  D. time
  C. _time

  ---

  Explanation/Reference:

  The correct answer is C. _time.

  The timechart command creates a time series chart with corresponding table of statistics, with time used as the X-axis.You can specify a split-by field, where each distinct value of the split-by field becomes a series in the chart.In this case, the

  split-by field is action, which means that the chart will have different lines for different actions, such as accept, reject, or fail.The count function will calculate the number of events for each action in each time bin.

  For example, the following image shows a timechart of the count by action for a similar search:

  As you can see, the x-axis is populated by the _time field, which represents the time range of the search. The y-axis is populated by the count function, which represents the number of events for each action. The legend shows the different

  values of the action field, which are used to split the chart into different series.

  Reference:

  1:timechart - Splunk Documentation

  2:Timechart Command In Splunk With Example - Mindmajix

  3:timechart command examples - Splunk Documentation

• Question 95:

  Where are the results of eval commands stored?

  A. In a field.
  B. In an index.
  C. In a KV Store.
  D. In a database.
  A. In a field.

  ---

  Explanation/Reference:

  https://docs.splunk.com/Documentation/Splunk/8.0.2/SearchReference/Eval The eval command calculates an expression and puts the resulting value into a search results field.

  If the field name that you specify does not match a field in the output, a new field is added to the search results.

  If the field name that you specify matches a field name that already exists in the search results, the results of the eval expression overwrite the values in that field.

• Question 96:

  When extracting fields, we may choose to use our own regular expressions

  A. True
  B. False
  A. True

• Question 97:

  Which of the following is one of the pre-configured data models included in the Splunk Common Information Model (CIM) add-on?

  A. Access
  B. Accounting
  C. Authorization
  D. Authentication
  D. Authentication

• Question 98:

  How can an existing accelerated data model be edited?

  A. An accelerated data model can be edited once its .tsidx file has expired.
  B. An accelerated data model can be edited from the Pivot tool.
  C. The data model must be de-accelerated before edits can be made to its structure.
  D. It cannot be edited. A new data model would need to be created.
  C. The data model must be de-accelerated before edits can be made to its structure.

  ---

  Explanation/Reference:

  An existing accelerated data model can be edited, but the data model must be de- accelerated before any structural edits can be made (Option C). This is because the acceleration process involves pre-computing and storing data, and changes to the data model's structure could invalidate or conflict with the pre-computed data. Once the data model is de-accelerated and edits are completed, it can be re-accelerated to optimize performance.

• Question 99:

  A data model consists of which three types of datasets?

  A. Constraint, field, value.
  B. Events, searches, transactions.
  C. Field extraction, regex, delimited.
  D. Transaction, session ID, metadata.
  B. Events, searches, transactions.

  ---

  Explanation/Reference:

  The building block of a data model. Each data model is composed of one or more data model datasets. Each dataset within a data model defines a subset of the dataset represented by the data model as a whole. Data model datasets have a hierarchical relationship with each other, meaning they have parent-child relationships. Data models can contain multiple dataset hierarchies. There are three types of dataset hierarchies: event, search, and transaction.

  https://docs.splunk.com/Splexicon:Datamodeldataset

• Question 100:

  How is a Search Workflow Action configured to run at the same time range as the original search?

  A. Set the earliest time to match the original search.
  B. Select the same time range from the time-range picker.
  C. Select the "Use the same time range as the search that created the field listing" checkbox.
  D. Select the "Overwrite time range with the original search" checkbox.
  C. Select the "Use the same time range as the search that created the field listing" checkbox.

  ---

  Explanation/Reference:

  To configure a Search Workflow Action to run at the same time range as the original search, you need to select the "Use the same time range as the search that created the field listing" checkbox. This will ensure that the workflow action search uses the same earliest and latest time parameters as the original search.