Splunk Splunk Certifications SPLK-1002 Questions & Answers

• Question 211:

  A report scheduled to run every 15 mins. but takes 17 mins. to complete is in danger of being_____.

  A. skipped or deferred

  B. automatically accelerated

  C. deleted

  D. all of the above

  Correct Answer: A

  Explanation: A report that is scheduled to run every 15 minutes but takes 17 minutes to complete is in danger of being skipped or deferred2. This means that Splunk may skip some scheduled runs of the report if they overlap with previous runs that are still in progress or defer them until the previous runs are finished2. This can affect the accuracy and timeliness of the report results and notifications2. Therefore, option A is correct, while options B, C and D are incorrect because they are not consequences of a report taking longer than its schedule interval.

• Question 212:

  This function of the stats command allows you to identify the number of values a field has.

  A. max

  B. distinct_count

  C. fields

  D. count

  Correct Answer: D

• Question 213:

  When a search returns __________, you can view the results as a list.

  A. a list of events

  B. transactions

  C. statistical values

  Correct Answer: C

• Question 214:

  Which of the following is a function of the Splunk Common Information Model (CIM)?

  A. Normalizing data across a Splunk deployment.

  B. Providing templates for reports and dashboards.

  C. Algorithmically shifting events to other indexes.

  D. Reingesting previously indexed data with new field names.

  Correct Answer: A

• Question 215:

  Which of the following examples would use a POST workflow action?

  A. Perform an external IP lookup based on a domain value found in events.

  B. Use the field values in an HTTP error event to create a new ticket in an external system.

  C. Launch secondary Splunk searches that use one or more field values from selected events.

  D. Open a web browser to look up an HTTP status code.

  Correct Answer: B

  The correct answer is B. Use the field values in an HTTP error event to create a new ticket in an external system.

  A workflow action is a knowledge object that enables a variety of interactions between fields in events and other web resources. Workflow actions can create HTML links, generate HTTP POST requests, or launch secondary searches based

  on field values1. There are three types of workflow actions that can be set up using Splunk Web: GET, POST, and Search2.

  GET workflow actions create typical HTML links to do things like perform Google searches on specific values or run domain name queries against external WHOIS databases2.

  POST workflow actions generate an HTTP POST request to a specified URI. This action type enables you to do things like creating entries in external issue management systems using a set of relevant field values2. Search workflow actions

  launch secondary searches that use specific field values from an event, such as a search that looks for the occurrence of specific combinations of ipaddress and http_status field values in your index over a specific time range2.

  Therefore, the example that would use a POST workflow action is B. Use the field values in an HTTP error event to create a new ticket in an external system. This example requires sending an HTTP POST request to the URI of the external

  system with the field values from the event as arguments.

  The other examples would use different types of workflow actions. These examples are:

  A. Perform an external IP lookup based on a domain value found in events: This example would use a GET workflow action to create a link to an external IP lookup service with the domain value as a parameter.

  C. Launch secondary Splunk searches that use one or more field values from selected events: This example would use a Search workflow action to run another Splunk search with the field values from the event as search terms. D. Open a web browser to look up an HTTP status code: This example would also use a GET workflow action to create a link to a web page that explains the meaning of the HTTP status code. References: Splexicon:Workflowaction About workflow actions in Splunk Web

• Question 216:

  Why would the following search produce multiple transactions instead of one?

  

  A. The maxspan option is not included.

  B. The transaction command has a limit of 1000 events per transaction.

  C. The transaction and commands cannot be used together.

  D. The stats list () function is used.

  Correct Answer: A

  Explanation: The correct answer is A. The maxspan option is not included1. In Splunk, the transaction command is used to group events that share common characteristics into a single transaction1. By default, the transaction command

  groups all matching events into a single transaction1.

  However, you can use the maxspan option to limit the time span of the transactions1. If the time span between the first and last event in a transaction exceeds the maxspan value, the transaction command will start a new transaction1.

  Therefore, if the maxspan option is not included in the search, the transaction command might produce multiple transactions instead of one if the time span between the first and last event in a transaction exceeds the default maxspan value1.

  Here is an example of how you can use the maxspan option in a search:

  index=main sourcetype=access_combined | transaction someuniqefield maxspan=1h In this search, the transaction command groups events that share the same someuniqefield value into a single transaction, but only if the time span

  between the first and last event in the transaction does not exceed 1 hour1. If the time span exceeds 1 hour, the transaction command will start a new transaction1.

• Question 217:

  which of the following are valid options with the chart command

  A. useother

  B. usenull

  C. fillfield

  D. usefiled

  Correct Answer: AB

• Question 218:

  Which of the following commands support the same set of functions?

  A. stats, eval, table

  B. search, where, eval

  C. stats, chart, timechart

  D. transaction, chart, timechart

  Correct Answer: C

• Question 219:

  Which of the following objects can a calculated field use as a source?

  A. An alias of a field.

  B. A field added by an automatic lookup.

  C. The tag field.

  D. The eventtype field.

  Correct Answer: B

  Explanation: The correct answer is B. A field added by an automatic lookup.

  A calculated field is a field that is added to events at search time by using an eval expression. A calculated field can use the values of two or more fields that are already present in the events to perform calculations. A calculated field can use any field as a source, as long as the field is extracted before the calculated field is defined1. An automatic lookup is a way to enrich events with additional fields from an external source, such as a CSV file or a database. An automatic lookup can add fields to events based on the values of existing fields, such as host, source, sourcetype, or any other extracted field2. An automatic lookup is performed before the calculated fields are defined, so the fields added by the lookup can be used as sources for the calculated fields3. Therefore, a calculated field can use a field added by an automatic lookup as a source. References: About calculated fields About lookups Search time processing

• Question 220:

  Which of the following eval commands will provide a new value for host from src if it exists?

  A. | eval host = if (isnu11 (src), src, host)

  B. | eval host = if (NOT src = host, src, host)

  C. | eval host = if (src = host, src, host)

  D. | eval host = if (isnotnull (src), src, host)

  Correct Answer: D

  The eval command is a Splunk command that allows you to create or modify fields using expressions .

  The if function is an expression that evaluates a condition and returns a value based on whether the condition is true or false. The syntax of the if function is if(X,Y,Z), where X is the condition, Y is the value to return if X is true, and Z is the

  value to return if X is false.

  The isnotnull function is an expression that returns true if the argument is not null, and false otherwise. The syntax of the isnotnull function is isnotnull(X), where X is the argument to check.

  Therefore, the expression if (isnotnull (src), src, host) returns the value of src if it is not null, and the value of host otherwise. This means that it will provide a new value for host from src if it exists, and keep the original value of host otherwise.