Splunk SPLK-1002 Online Practice Questions and Exam Preparation

Splunk SPLK-1002 Online Questions & Answers

• Question 111:

  Data model are composed of one or more of which of the following datasets? (select all that apply.)

  A. Events datasets
  B. Search datasets
  C. Transaction datasets
  D. Any child of event, transaction, and search datasets
  A. Events datasets
  B. Search datasets
  C. Transaction datasets
  D. Any child of event, transaction, and search datasets

  ---

  Data models are collections of datasets that represent your data in a structured and hierarchical way. Data models define how your data is organized into objects and fields. Data models can be composed of one or more of the following

  datasets:

  Events datasets: These are the base datasets that represent raw events in Splunk. Events datasets can be filtered by constraints, such as search terms, sourcetypes, indexes, etc.

  Search datasets: These are derived datasets that represent the results of a search on events or other datasets. Search datasets can use any search command, such as stats, eval, rex, etc., to transform the data.

  Transaction datasets: These are derived datasets that represent groups of events that are related by fields, time, or both. Transaction datasets can use the transaction command or event types with transactiontype=true to create transactions.

• Question 112:

  Which command can include both an over and a by clause to divide results into sub- groupings?

  A. chart
  B. stats
  C. xyseries
  D. transaction
  A. chart

• Question 113:

  What is required for a macro to accept three arguments?

  A. The macro's name ends with (3).
  B. The macro's name starts with (3).
  C. The macro's argument count setting is 3 or more.
  D. Nothing, all macros can accept any number of arguments.
  A. The macro's name ends with (3).

  ---

  Explanation/Reference:

  To create a macro that accepts arguments, you must include the number of arguments in parentheses at the end of the macro name. For example, my_macro(3) is a macro that accepts three arguments. The number of arguments in the macro name must match the number of arguments in the definition. Therefore, option A is correct, while options B, C and D are incorrect.

• Question 114:

  When using the Field Extractor (FX) to perform a field extraction, which delimiter can be used?

  A. A period or comma.
  B. A comma.
  C. A tab or space.
  D. Any consistent character.
  D. Any consistent character.

  ---

  Explanation/Reference:

  When using the Field Extractor (FX) in Splunk to perform field extraction, any consistent character can be used as a delimiter. The Field Extractor allows users to define how fields are separated in the raw event data, and as long as the delimiter is consistent, the FX tool can parse and extract the fields correctly. References: Splunk Docs: Field Extractor Splunk Answers: Field extraction delimiters

• Question 115:

  Which of the following file formats can be extracted using a delimiter field extraction?

  A. CSV
  B. PDF
  C. XML
  D. JSON
  A. CSV

  ---

  Explanation/Reference:

  A delimiter field extraction is a method of extracting fields from data that uses a character or a string to separate fields in each event. A delimiter field extraction can be performed by using the Field Extractor (FX) tool or by editing the props.conf file. A delimiter field extraction can be applied to any file format that uses a delimiter to separate fields, such as CSV, TSV, PSV, etc. A CSV file is a comma-separated values file that uses commas as delimiters. Therefore, a CSV file can be extracted using a delimiter field extraction.

• Question 116:

  The time range specified for a historical search defines the ____________ .------ questionable on ans

  A. Amount of data shown on the timeline as data streams in
  B. Amount of data fetched from index matching that time range
  C. Time range for the static results
  B. Amount of data fetched from index matching that time range

  ---

  Explanation/Reference:

  The time range specified for a historical search defines the amount of data fetched from the index matching that time range. A historical search is a search that runs over a fixed period of time in the past. When you run a historical search, Splunk searches the index for events that match your searchstring and fall within the specified time range. Therefore, option B is correct, while options A and C are incorrect because they are not what the time range defines for a historical search.

• Question 117:

  Which statement is true?

  A. Pivot is used for creating datasets.
  B. Data models are randomly structured datasets.
  C. Pivot is used for creating reports and dashboards.
  D. In most cases, each Splunk user will create their own data model.
  C. Pivot is used for creating reports and dashboards.

  ---

  Explanation/Reference:

  The statement that pivot is used for creating reports and dashboards is true. Pivot is a graphical interface that allows you to create tables, charts, and visualizations from data models. Data models are structured datasets that define how data is organized and categorized. Pivot does not create datasets, but uses existing ones.

• Question 118:

  Which of the following is true about data model attributes?

  A. They cannot be created within the data model.
  B. They can only be added into a root search dataset.
  C. They cannot be edited if inherited from a parent dataset.
  D. They can be added to a dataset from search time field extractions.
  D. They can be added to a dataset from search time field extractions.

  ---

  Explanation/Reference:

  Data model attributes are fields that are added to a dataset from search time field extractions, calculated fields, lookups, or aliases. They can be created within the data model editor or inherited from a parent dataset. They can be edited or

  removed unless they are required by the data model. They can be added to any type of dataset, not just root search datasets.

  References:

  See About data models, [Define data model attributes], and [Edit data model datasets] in the Splunk Documentation.

• Question 119:

  If there are fields in the data with values that are " " or empty but not null, which of the following would add a value?

  A. | eval notNULL = if(isnull (notNULL), "0" notNULL)
  B. | eval notNULL = if(isnull (notNULL), "0"
  C. | eval notNULL = "" | nullfill value=0 notNULL
  D. | eval notNULL = "" fillnull value=0 notNULL
  D. | eval notNULL = "" fillnull value=0 notNULL

  ---

  Explanation/Reference:

  The correct answer is D. | eval notNULL = "" fillnull value=0 notNULL

  Option A is incorrect because it is missing a comma between the "0" and the notNULL in the if function. The correct syntax for the if function is if (condition, true_value, false_value). Option B is incorrect because it is missing the false_value argument in the if function. The correct syntax for the if function is if (condition, true_value, false_value). Option C is incorrect because it uses the nullfill command, which only replaces null values, not empty strings. The nullfill command is equivalent to fillnull value=null. Option D is correct because it uses the eval command to assign an empty string to the notNULL field, and then uses the fillnull command to replace the empty string with a zero. The fillnull command can replace any value with a specified replacement, not just null values.

• Question 120:

  Which of the following statements describes POST workflow actions?

  A. Configuration of a POST workflow action includes choosing a sourcetype.
  B. POST workflow actions can be configured to send email to the URI location.
  C. By default, POST workflow action are shown in both the event and field menus.
  D. POST workflow actions can be configured to send POST arguments to the URI location.
  D. POST workflow actions can be configured to send POST arguments to the URI location.

  ---

  Explanation/Reference:

  Reference:https://docs.splunk.com/Documentation/Splunk/8.0.3/Knowledge/SetupaPOSTw orkflowaction