Splunk Splunk Certifications SPLK-1002 Questions & Answers

• Question 21:

  After manually editing; a regular expression (regex), which of the following statements is true?

  A. Changes made manually can be reverted in the Field Extractor (FX) UI.

  B. It is no longer possible to edit the field extraction in the Field Extractor (FX) UI.

  C. It is not possible to manually edit a regular expression (regex) that was created using the Field Extractor (FX) UI.

  D. The Field Extractor (FX) UI keeps its own version of the field extraction in addition to the one that was manually edited.

  Correct Answer: B

  Explanation: After manually editing a regular expression (regex) that was created using the Field Extractor (FX) UI, it is no longer possible to edit the field extraction in the FX UI. The FX UI is a tool that helps you extract fields from your data using delimiters or regular expressions. The FX UI can generate a regex for you based on your selection of sample values or you can enter your own regex in the FX UI. However, if you edit the regex manually in the props.conf file, the FX UI will not be able to recognize the changes and will not let you edit the field extraction in the FX UI anymore. You will have to use the props.conf file to make any further changes to the field extraction. Changes made manually cannot be reverted in the FX UI, as the FX UI does not keep track of the changes made in the props.conf file. It is possible to manually edit a regex that was created using the FX UI, as long as you do it in the props.conf file. Therefore, only statement B is true about manually editing a regex.

• Question 22:

  Which of the following actions can the eval command perform?

  A. Remove fields from results.

  B. Create or replace an existing field.

  C. Group transactions by one or more fields.

  D. Save SPL commands to be reused in other searches.

  Correct Answer: B

  Explanation: The eval command is used to create new fields or modify existing fields based on an expression2. The eval command can perform various actions such as calculations, conversions, string manipulations and more2. One of the actions that the eval command can perform is to create or replace an existing field with a new value based on an expression2. For example, | eval status=if(status="200","OK","ERROR") will create or replace the status field with either OK or ERROR depending on the original value of status2. Therefore, option B is correct, while options A, C and D are incorrect because they are not actions that the eval command can perform.

• Question 23:

  The Field Extractor (FX) is used to extract a custom field. A report can be created using this custom field. The created report can then be shared with other people in the organization. If another person in the organization runs the shared report and no results are returned, why might this be? (select all that apply)

  A. Fast mode is enabled.

  B. The dashboard is private.

  C. The extraction is private-

  D. The person in the organization running the report does not have access to the index.

  Correct Answer: CD

  Explanation: The Field Extractor (FX) is a tool that helps you extract fields from your events using a graphical interface2. You can create a report using a custom field extracted by the FX and share it with other users in your organization2. However, if another user runs the shared report and no results are returned, there could be two possible reasons. One reason is that the extraction is private, which means that only you can see and use the extracted field2. To make the extraction available to other users, you need to make it global or app-level2. Therefore, option C is correct. Another reason is that the other user does not have access to the index where the events are stored2. To fix this issue, you need to grant the appropriate permissions to the other user for the index2. Therefore, option D is correct. Options A and B are incorrect because they are not related to the field extraction or the report.

• Question 24:

  What is required for a macro to accept three arguments?

  A. The macro's name ends with (3).

  B. The macro's name starts with (3).

  C. The macro's argument count setting is 3 or more.

  D. Nothing, all macros can accept any number of arguments.

  Correct Answer: A

  Explanation: To create a macro that accepts arguments, you must include the number of arguments in parentheses at the end of the macro name1. For example, my_macro(3) is a macro that accepts three arguments. The number of arguments in the macro name must match the number of arguments in the definition1. Therefore, option A is correct, while options B, C and D are incorrect.

• Question 25:

  How does a user display a chart in stack mode?

  A. By using the stack command.

  B. By turning on the Use Trellis Layout option.

  C. By changing Stack Mode in the Format menu.

  D. You cannot display a chart in stack mode, only a timechart.

  Correct Answer: C

  Explanation: A chart is a graphical representation of your search results that shows the relationship between two or more fields2. You can display a chart in stack mode by changing the Stack Mode option in the Format menu2. Stack mode allows you to stack multiple series on top of each other in a chart to show the cumulative values of each series2. Therefore, option C is correct, while options A, B and D are incorrect because they are not ways to display a chart in stack mode.

• Question 26:

  Which group of users would most likely use pivots?

  A. Users

  B. Architects

  C. Administrators

  D. Knowledge Managers

  Correct Answer: A

  Reference: https://docs.splunk.com/Documentation/Splunk/8.0.3/Pivot/IntroductiontoPivot

  A pivot is a tool that allows you to create reports and dashboards using data models without writing any SPL commands2. You can use pivots to explore, filter, split and visualize your data using a graphical interface2. Pivots are designed for users who want to analyze and report on their data without having to learn the SPL syntax or the underlying structure of the data2. Therefore, option A is correct, while options B, C and D are incorrect because they are not the typical group of users who would use pivots.

• Question 27:

  Which delimiters can the Field Extractor (FX) detect? (select all that apply)

  A. Tabs

  B. Pipes

  C. Spaces

  D. Commas

  Correct Answer: BCD

  Reference: https://docs.splunk.com/Documentation/Splunk/8.0.3/Knowledge/FXSelectMethodstep

  The Field Extractor (FX) is a tool that helps you extract fields from your data using delimiters or regular expressions. Delimiters are characters or strings that separate fields in your data. The FX can detect some common delimiters automatically, such as pipes (|), spaces ( ), commas (,), semicolons (;), etc. The FX cannot detect tabs (\t) as delimiters automatically, but you can specify them manually in the FX interface.

• Question 28:

  Which of the following statements describes this search?

  sourcetype=access_combined I transaction JSESSIONID | timechart avg (duration)

  A. This is a valid search and will display a timechart of the average duration, of each transaction event.

  B. This is a valid search and will display a stats table showing the maximum pause among transactions.

  C. No results will be returned because the transaction command must include the startswith and endswith options.

  D. No results will be returned because the transaction command must be the last command used in the search pipeline.

  Correct Answer: A

  Explanation: This search uses the transaction command to group events that share a common value for JSESSIONID into transactions1. The transaction command assigns a duration field to each transaction, which is the difference between the latest and earliest timestamps of the events in the transaction1. The search then uses the timechart command to create a time-series chart of the average duration of each transaction1. Therefore, option A is correct because it describes the search accurately. Option B is incorrect because the search does not use the stats command or the pause field. Option C is incorrect because the transaction command does not require the startswith and endswith options, although they can be used to specify how to identify the beginning and end of a transaction1. Option D is incorrect because the transaction command does not have to be the last command in the search pipeline, although it is often used near the end of a search1.

• Question 29:

  Data model are composed of one or more of which of the following datasets? (select all that apply.)

  A. Events datasets

  B. Search datasets

  C. Transaction datasets

  D. Any child of event, transaction, and search datasets

  Correct Answer: ABC

  Reference: https://docs.splunk.com/Documentation/Splunk/8.0.3/Knowledge/Aboutdatamodels

  Data models are collections of datasets that represent your data in a structured and hierarchical way. Data models define how your data is organized into objects and fields. Data models can be composed of one or more of the following datasets:

  Events datasets: These are the base datasets that represent raw events in Splunk. Events datasets can be filtered by constraints, such as search terms, sourcetypes, indexes, etc.

  Search datasets: These are derived datasets that represent the results of a search on events or other datasets. Search datasets can use any search command, such as stats, eval, rex, etc., to transform the data.

  Transaction datasets: These are derived datasets that represent groups of events that are related by fields, time, or both. Transaction datasets can use the transaction command or event types with transactiontype=true to create transactions.

• Question 30:

  Based on the macro definition shown below, what is the correct way to execute the macro in a search string?

  

  A. Convert_sales (euro, , 79)"

  B. Convert_sales (euro, , .79)

  C. Convert_sales ($euro,$$,s79$

  D. Convert_sales ($euro, $$,S,79$)

  Correct Answer: B

  Reference: https://docs.splunk.com/Documentation/Splunk/8.0.3/Knowledge/Usesearchmacros

  The correct way to execute the macro in a search string is to use the format macro_name($arg1$, $arg2$, ...) where $arg1$, $arg2$, etc. are the arguments for the macro. In this case, the macro name is convert_sales and it takes three

  arguments: currency, symbol, and rate. The arguments are enclosed in dollar signs and separated by commas. Therefore, the correct way to execute the macro is convert_sales($euro$, $$, .79).