Practice Free SPLK-1002 Exam Online Questions
Question #21
When creating a Search workflow action, which field is required?
- A . Search string
- B . Data model name
- C . Permission setting
- D . An eval statement
Correct Answer: A
Explanation:
Reference: https://docs.splunk.com/Documentation/Splunk/8.0.3/Knowledge/Setupasearchworkflowaction
A workflow action is a link that appears when you click an event field value in your search results. A workflow action can open a web page or run another search based on the field value. There are two types of workflow actions: GET and POST. A GET workflow action appends the field value to the end of a URI and opens it in a web browser. A POST workflow action sends the field value as part of an HTTP request to a web server. When creating a Search workflow action, which is a type of GET workflow action that runs another search based on the field value, the only required field is the search string. The search string defines the search that will be run when the workflow action is clicked. Therefore, option A is correct, while options B, C and D are incorrect because they are not required fields for creating a Search workflow action.
Question #22
For the following search, which command would further filter for only IP addresses present more than five times?
- A . index=games | stats count as IP_count by IP
- B . | where IP_count > 5
- C . index=games | search IP_Count > 5
- D . index=games | where IP > 5
- E . index=games | search IP > 5
Correct Answer: A
Explanation:
To filter for only IP addresses that appear more than five times in the search results for index=games, you can use a combination of the stats and where commands. The stats command counts the occurrences of each IP address and assigns the count to IP_count. The where command then filters the results to include only those IP addresses with a count greater than five.
Here is how the complete search would look:
index=games | stats count as IP_count by IP | where IP_count > 5
Reference: Splunk Docs: stats command
Splunk Docs: where command
Splunk Answers: Filtering results using stats and where commands
Question #23
Which workflow action type performs a secondary search?
- A . POST
- B . Drilldown
- C . GET
- D . Search
Correct Answer: D
Explanation:
The correct answer is D. Search.
A workflow action is a knowledge object that enables a variety of interactions between fields in events and other web resources. Workflow actions can create HTML links, generate HTTP POST requests, or launch secondary searches based on field values.
There are three types of workflow actions that can be set up using Splunk Web: GET, POST, and Search.
GET workflow actions create typical HTML links to do things like perform Google searches on specific values or run domain name queries against external WHOIS databases.
POST workflow actions generate an HTTP POST request to a specified URI. This action type enables you to do things like creating entries in external issue management systems using a set of relevant field values.
Search workflow actions launch secondary searches that use specific field values from an event, such as a search that looks for the occurrence of specific combinations of ipaddress and http_status field values in your index over a specific time range.
Therefore, the workflow action type that performs a secondary search is Search.
Reference: Splexicon: Workflowaction
About workflow actions in Splunk Web
Question #24
Complete the search, …. | _____ failure>successes
- A . Search
- B . Where
- C . If
- D . Any of the above
Correct Answer: B
Explanation:
The where command can be used to complete the search below.
… | where failure>successes
The where command is a search command that allows you to filter events based on complex or custom criteria. The where command can use any boolean expression or function to evaluate each event and determine whether to keep it or discard it. The where command can also compare fields or perform calculations on fields using operators such as >, <, =, +, -, etc. The where command can be used after any transforming command that creates a table or a chart. The search string below does the following:
It uses … to represent any search criteria or commands before the where command.
It uses the where command to filter events based on a comparison between two fields: failure and successes.
It uses the greater than operator (>) to compare the values of failure and successes fields for each event.
It only keeps events where failure is greater than successes.
Question #25
What does the fillnull command do in this search?
index=main sourcetype=http_log | fillnull value="Unknown" src
- A . Set the values of the src field to null when it is "Unknown".
- B . Set all fields with the value of "Unknown" to null.
- C . Set the values of the src field to "Unknown" if it is null.
- D . Set all fields that are null to "Unknown".
Correct Answer: C
Explanation:
The fillnull command in Splunk is used to replace null (missing) field values with a specified value.
Explanation of options:
A: Incorrect, as fillnull does not set fields to null; it fills null values with a specific value.
B: Incorrect, as the command only affects the specified field (src in this case).
C: Correct, as the fillnull command explicitly sets null values in the src field to "Unknown".
D: Incorrect, as only the src field is affected, not all fields.
Example:
If the src field is null for some events, fillnull will populate "Unknown" in those cases.
Reference: Splunk Docs – Fillnull Command
Question #26
In which of the following scenarios is an event type more effective than a saved search?
- A . When a search should always include the same time range.
- B . When a search needs to be added to other users’ dashboards.
- C . When the search string needs to be used in future searches.
- D . When formatting needs to be included with the search string.
Correct Answer: C
Explanation:
Reference: https://answers.splunk.com/answers/4993/eventtype-vs-saved-search.html
An event type is a way to categorize events based on a search string that matches the events. You can use event types to simplify your searches by replacing long or complex search strings with short and simple event type names. An event type is more effective than a saved search when the search string needs to be used in future searches because it allows you to reuse the search string without having to remember or type it again. Therefore, option C is correct, while options A, B and D are incorrect because they are not scenarios where an event type is more effective than a saved search.
Question #27
What type of command is eval?
- A . Streaming in some modes
- B . Report generating
- C . Distributable streaming
- D . Centralized streaming
Correct Answer: C
Explanation:
The correct answer is C. Distributable streaming. This is because the eval command is a type of command that can run on the indexers before the results are sent to the search head. This reduces the amount of data that needs to be transferred and improves the search performance. Distributable streaming commands can operate on each event or result individually, without depending on other events or results. You can learn more about the types of commands and how they affect search performance from the Splunk documentation.
Question #28
The stats command will create a _____________ by default.
- A . Table
- B . Report
- C . Pie chart
Correct Answer: A
Question #29
Which of the following definitions describes a macro named "samplemacro" that accepts two arguments?
- A . Examplemacro [1,2]
- B . samplemacro(1,2)
- C . u amp -CJEUCXG (2)
- D . samplemacro[2]
Correct Answer: B
Explanation:
In Splunk, a macro can accept arguments, and the correct syntax for a macro that takes two arguments is macro_name(argument1, argument2). In this case, the macro is called samplemacro, and it accepts two arguments, so the correct format would be samplemacro(1,2). This syntax allows for passing dynamic values into the macro, which can then be used to modify the search dynamically based on the arguments provided.
Reference: Splunk Docs – Macros
Question #30
What is the purpose of the fillnull command?
- A . Replace empty values with a specified value.
- B . Create a new field based on the values in an existing field.
- C . Rename a specific field in the search results.
- D . Replace all values in a specific field with a default value.
Correct Answer: A
Explanation:
The fillnull command in Splunk is used to handle missing data within search results. It plays a crucial role in data normalization and preparation, especially before performing statistical analyses or visualizations.