Practice Free SPLK-1002 Exam Online Questions
How is a Search Workflow Action configured to run at the same time range as the original search?
- A . Select the "Overwrite time range with the original search" checkbox.
- B . Select the "Use the same time range as the search that created the field listing" checkbox.
- C . Set the earliest time to match the original search.
- D . Select the same time range from the time-range picker.
B
Explanation:
To configure a Search Workflow Action to use the same time range as the original search, you need to
check the option "Use the same time range as the search that created the field listing." This will ensure the time range is inherited from the original search.
Reference: Splunk Docs – Search Workflow Actions
If there are fields in the data with values that are " " or empty but not null, which of the following would add a value?
- A . | eval notNULL = if(isnull (notNULL), “0” notNULL)
- B . | eval notNULL = if(isnull (notNULL), “0”
- C . | eval notNULL = “” | nullfill value=0 notNULL
- D . | eval notNULL = “” fillnull value=0 notNULL
D
Explanation:
The correct answer is D. | eval notNULL = “” fillnull value=0 notNULL
Option A is incorrect because it is missing a comma between the “0” and the notNULL in the if function. The correct syntax for the if function is if (condition, true_value, false_value).
Option B is incorrect because it is missing the false_value argument in the if function. The correct syntax for the if function is if (condition, true_value, false_value).
Option C is incorrect because it uses the nullfill command, which only replaces null values, not empty strings. The nullfill command is equivalent to fillnull value=null.
Option D is correct because it uses the eval command to assign an empty string to the notNULL field, and then uses the fillnull command to replace the empty string with a zero. The fillnull command can replace any value with a specified replacement, not just null values.
During the validation step of the Field Extractor workflow:
- A . You can remove values that aren’t a match for the field you want to define
- B . You can validate where the data originated from
- C . You cannot modify the field extraction
A
Explanation:
During the validation step of the Field Extractor workflow, you can remove values that aren’t a match for the field you want to define. The validation step allows you to review and edit the values that have been extracted by the FX and make sure they are correct and consistent. You can remove values that aren’t a match by clicking on them and selecting Remove Value from the menu. This will exclude them from your field extraction and update the regular expression accordingly. Therefore, option A is correct, while options B and C are incorrect because they are not actions that you can perform during the validation step of the Field Extractor workflow.
Use this command to use lookup fields in a search and see the lookup fields in the field sidebar.
- A . inputlookup
- B . lookup
Which workflow uses field values to perform a secondary search?
- A . POST
- B . Action
- C . Search
- D . Sub-Search
C
Explanation:
https://docs.splunk.com/Documentation/Splunk/8.0.2/Knowledge/CreateworkflowactionsinSplunkWeb
A space is an implied _____ in a search string.
- A . OR
- B . AND
- C . ()
- D . NOT
B
Explanation:
A space is an implied AND in a search string, which means that it acts as a logical operator that returns events that match both terms on either side of the space. For example, status=200 method=GET will return events that have both status=200 and method=GET. Therefore, option B is correct, while options A, C and D are incorrect because they are not implied by a space in a search string.
When you mouse over and click to add a search term, this (these) Boolean operator(s) is (are) not implied. (Select all that apply.)
- A . OR
- B . ( )
- C . AND
- D . NOT
ABD
Explanation:
When you mouse over and click to add a search term from the Fields sidebar or from an event in your search results, Splunk automatically adds the term to your search string with an implied AND operator. However, this does not apply to some Boolean operators such as OR, NOT and parentheses (). These operators are not implied when you add a search term, and you have to type them manually if you want to use them in your search string. Therefore, options A, B and D are correct, while option C is incorrect because AND is implied when you add a search term.
Which of the following statements about tags is true?
- A . Tags are case insensitive.
- B . Tags are created at index time.
- C . Tags can make your data more understandable.
- D . Tags are searched by using the syntax tag:: <fieldname>
C
Explanation:
Tags are aliases or alternative names for field values in Splunk. They can make your data more understandable by using common or descriptive terms instead of cryptic or technical terms. For example, you can tag a field value such as “200” with “OK” or “success” to indicate that it is an HTTP status code for a successful request. Tags are case sensitive, meaning that “OK” and “ok” are different tags. Tags are created at search time, meaning that they are applied when you run a search on your data. Tags are searched by using the syntax tag::<tagname>, where <tagname> is the name of the tag you want to search for.
Which of the following are valid options with the chart command?
- A . useother
- B . usenull
- C . fillfield
- D . usefiled
Which of the following examples would use a POST workflow action?
- A . Perform an external IP lookup based on a domain value found in events.
- B . Use the field values in an HTTP error event to create a new ticket in an external system.
- C . Launch secondary Splunk searches that use one or more field values from selected events.
- D . Open a web browser to look up an HTTP status code.
B
Explanation:
The correct answer is B. Use the field values in an HTTP error event to create a new ticket in an external system.
A workflow action is a knowledge object that enables a variety of interactions between fields in events and other web resources. Workflow actions can create HTML links, generate HTTP POST requests, or launch secondary searches based on field values.
There are three types of workflow actions that can be set up using Splunk Web: GET, POST, and Search.
GET workflow actions create typical HTML links to do things like perform Google searches on specific values or run domain name queries against external WHOIS databases.
POST workflow actions generate an HTTP POST request to a specified URI. This action type enables you to do things like creating entries in external issue management systems using a set of relevant field values.
Search workflow actions launch secondary searches that use specific field values from an event, such as a search that looks for the occurrence of specific combinations of ipaddress and http_status field values in your index over a specific time range.
Therefore, the example that would use a POST workflow action is B. Use the field values in an HTTP error event to create a new ticket in an external system. This example requires sending an HTTP POST request to the URI of the external system with the field values from the event as arguments. The other examples would use different types of workflow actions.
These examples are:
A) Perform an external IP lookup based on a domain value found in events: This example would use a GET workflow action to create a link to an external IP lookup service with the domain value as a parameter.
C) Launch secondary Splunk searches that use one or more field values from selected events: This example would use a Search workflow action to run another Splunk search with the field values from the event as search terms.
D) Open a web browser to look up an HTTP status code: This example would also use a GET workflow action to create a link to a web page that explains the meaning of the HTTP status code.
Reference: Splexicon:Workflowaction
About workflow actions in Splunk Web