Splunk SPLK-1002 Online Practice Questions and Exam Preparation

Splunk SPLK-1002 Online Questions & Answers

• Question 101:

  The macro weekly_sales (2) contains the search string:

  index=games | eval ProductSales = $Price$ * $AmountSold$

  Which of the following will return results?

  A. `weekly sales (3)'
  B. `weekly_sales($3.995, $108)'
  C. 'weekly_sales (3.99, 10)'
  D. `weekly sales (3.99, 10)'
  C. 'weekly_sales (3.99, 10)'

  ---

  Explanation/Reference:

  To use a search macro in a search string, you need to place a back tick character (`) before and after the macro name. You also need to use the same number of arguments as defined in the macro. The macro weekly sales (2) has two

  arguments:Price and AmountSold. Therefore, you need to provide two values for these arguments when you call the macro.

  The option A is incorrect because it uses parentheses instead of back ticks around the macro name. The option B is incorrect because it uses underscores instead of spaces in the macro name. The option D is incorrect because it uses

  spaces instead of commas to separate the argument values.

  Reference:

  1.

  Use search macros in searches - Splunk Documentation

  2.

  Define search macros in Settings - Splunk Documentation

• Question 102:

  In the following eval statement, what is the value of description if the status is 503? index=main | eval description=case(status==200, "OK", status==404, "Not found", status==500, "Internal Server Error")

  A. The description field would contain no value.
  B. The description field would contain the value 0.
  C. The description field would contain the value "Internal Server Error".
  D. This statement would produce an error in Splunk because it is incomplete.
  A. The description field would contain no value.

  ---

  Explanation/Reference:

  https://docs.splunk.com/Documentation/Splunk/8.1.1/SearchReference/ConditionalFunctio ns

• Question 103:

  The transaction command allows you to __________ events across multiple sources

  A. duplicate
  B. correlate
  C. persist
  D. tag
  B. correlate

  ---

  Explanation/Reference:

  The transaction command allows you to correlate events across multiple sources. The transaction command is a search command that allows you to group events into transactions based on some common characteristics, such as fields, time, or both. A transaction is a group of events that share one or more fields that relate them to each other. A transaction can span across multiple sources or sourcetypes that have different formats or structures of data. The transaction command can help you correlate events across multiple sources by using the common fields as the basis for grouping. The transaction command can also create some additional fields for each transaction, such as duration, eventcount, startime, etc.

• Question 104:

  What type of command is eval?

  A. Streaming in some modes
  B. Report generating
  C. Distributable streaming
  D. Centralized streaming
  C. Distributable streaming

  ---

  Explanation/Reference:

  The correct answer is C. Distributable streaming. This is because the eval command is a type of command that can run on the indexers before the results are sent to the search head. This reduces the amount of data that needs to be transferred and improves the search performance. Distributable streaming commands can operate on each event or result individually, without depending on other events or results.You can learn more about the types of commands and how they affect search performance from the Splunk documentation.

• Question 105:

  A user wants to create a new field alias for a field that appears in two sourcetypes. How many field aliases need to be created?

  A. One.
  B. Two.
  C. It depends on whether the original fields have the same name.
  D. It depends on whether the two sourcetypes are associated with the same index.
  B. Two.

• Question 106:

  What are the expected results for a search that contains the command | where A=B?

  A. Events that contain the string value where A=B.
  B. Events that contain the string value A=B.
  C. Events where values of field are equal to values of field B.
  D. Events where field A contains the string value B.
  C. Events where values of field are equal to values of field B.

  ---

  Explanation/Reference:

  The correct answer is C. Events where values of field A are equal to values of field B.

  The where command is used to filter the search results based on an expression that evaluates to true or false. The where command can compare two fields, two values, or a field and a value.The where command can also use functions,

  operators, and wildcards to create complex expressions.

  The syntax for the where command is:

  | where

  The expression can be a comparison, a calculation, a logical operation, or a combination of these. The expression must evaluate to true or false for each event. To compare two fields with the where command, you need to use the field names

  without any quotation marks. For example, if you want to find events where the values for the field A match the values for the field B, you can use the following syntax:

  | where A=B

  This will return only the events where the two fields have the same value. The other options are not correct because they use different syntax or fields that are not related to the where command. These options are:

  A. Events that contain the string value where A=B: This option uses the string value where A=B as a search term, which is not valid syntax for the where command. This option will return events that have the literal text "where A=B" in them. B. Events that contain the string value A=B: This option uses the string value A=B as a search term, which is not valid syntax for the where command. This option will return events that have the literal text "A=B" in them. D. Events where field A contains the string value B: This option uses quotation marks around the value B, which is not valid syntax for comparing fields with the where command.Quotation marks are used to enclose phrases or exact matches in a search. This option will return events where the field A contains the string value "B". References: where command usage Search command cheatsheet

• Question 107:

  Which of the following are valid options to speed up reports? (Select all the apply.)

  A. Edit permissions
  B. Edit description
  C. Edit acceleration
  D. Edit schedule
  C. Edit acceleration

  ---

  Explanation/Reference:

  One of the valid options to speed up reports is to edit acceleration, which means that you can enable summary indexing or data model acceleration for your reports to improve their performance. Summary indexing allows you to create reports that run over large amounts of data by storing the results of scheduled searches in a summary index and using that index for faster reporting. Data model acceleration allows you to create reports that use data models by creating and storing summaries of the data model datasets and using them for faster reporting. Therefore, option C is correct, while options A, B and D are incorrect because they are not options to speed up reports.

• Question 108:

  Which of the following statements describes an event type?

  A. A log level measurement: info, warn, error.
  B. A knowledge object that is applied before fields are extracted.
  C. A field for categorizing events based on a search string.
  D. Either a log, a metric, or a trace.
  C. A field for categorizing events based on a search string.

  ---

  Explanation/Reference:

  This is because an event type is a knowledge object that assigns a user- defined name to a set of events that match a specific search criteria. For example, you can create an event type named successful_purchase for events that have sourcetype=access_combined, status=200, and action=purchase. Then, you can use eventtype=successful_purchase as a search term to find those events. You can also use event types to create alerts, reports, and dashboards. You can learn more about event types from the Splunk documentation. The other options are incorrect because they do not describe what an event type is. A log level measurement is a field that indicates the severity of an event, such as info, warn, or error. A knowledge object that is applied before fields are extracted is a source type, which identifies the format and structure of the data. Either a log, a metric, or a trace is a type of data that Splunk can ingest and analyze, but not an event type.

• Question 109:

  This is what Splunk uses to categorize the data that is being indexed.

  A. sourcetype
  B. index
  C. source
  D. host
  A. sourcetype

• Question 110:

  When should transaction be used?

  A. Only in a large distributed Splunk environment.
  B. When calculating results from one or more fields.
  C. When event grouping is based on start/end values.
  D. When grouping events results in over 1000 events in each group.
  C. When event grouping is based on start/end values.