Practice Free SPLK-1002 Exam Online Questions
Which of the following eval command functions is valid?
- A . int()
- B . count()
- C . print()
- D . tostring()
D
Explanation:
https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/CommonEvalFunctions The eval command function tostring() is valid. The tostring() function converts a numeric value to a string value. For example, tostring(3.14) returns “3.14”. The other functions are not valid eval command functions.
Which workflow action method can be used when the action type is set to link?
- A . GET
- B . PUT
- C . Search
- D . UPDATE
A
Explanation:
https://docs.splunk.com/Documentation/Splunk/8.0.2/Knowledge/SetupaGETworkflowaction
Define a GET workflow action
Steps
Navigate to Settings > Fields > Workflow Actions.
Click New to open up a new workflow action form.
Define a Label for the action.
The Label field enables you to define the text that is displayed in either the field or event workflow menu. Labels can be static or include the value of relevant fields.
Determine whether the workflow action applies to specific fields or event types in your data. Use Apply only to the following fields to identify one or more fields. When you identify fields, the workflow action only appears for events that have those fields, either in their event menu or field menus. If you leave it blank or enter an asterisk the action appears in menus for all fields.
Use Apply only to the following event types to identify one or more event types. If you identify an event type, the workflow action only appears in the event menus for events that belong to the event type.
For Show action in determine whether you want the action to appear in the Event menu, the Fields menus, or Both.
Set Action type to link.
In URI provide a URI for the location of the external resource that you want to send your field values to.
Similar to the Label setting, when you declare the value of a field, you use the name of the field enclosed by dollar signs.
Variables passed in GET actions via URIs are automatically URL encoded during transmission. This means you can include values that have spaces between words or punctuation characters.
Under Open link in, determine whether the workflow action displays in the current window or if it opens the link in a new window.
Set the Link method to get.
Click Save to save your workflow action definition.
Consider the following search:
index=web sourcetype=access_combined
The log shows several events that share the same JSESSIONID value (SD404K289O2F151). View the events as a group.
From the following list, which search groups events by JSESSIONID?
- A . index=web sourcetype=access_combined SD404K289O2F151 | table JSESSIONID
- B . index=web sourcetype=access_combined JSESSIONID <SD404K289O2F151>
- C . index=web sourcetype=access_combined | highlight JSESSIONID | search SD404K289O2F151
- D . index=web sourcetype=access_combined | transaction JSESSIONID | search SD404K289O2F151
Which knowledge object does the Splunk Common Information Model (CIM) use to normalize data, in addition to field aliases, event types, and tags?
- A . Macros
- B . Lookups
- C . Workflow actions
- D . Field extractions
B
Explanation:
Normalize your data for each of these fields using a combination of field aliases, field extractions, and lookups.
https://docs.splunk.com/Documentation/CIM/4.15.0/User/UsetheCIMtonormalizedataatsearchtime
Which of the following statements describe the command below? (select all that apply)
sourcetype=access_combined | transaction JSESSIONID
- A . An additional field named maxspan is created.
- B . An additional field named duration is created.
- C . An additional field named eventcount is created.
- D . Events with the same JSESSIONID will be grouped together into a single event.
B, C, D
Explanation:
The command sourcetype=access_combined | transaction JSESSIONID does three things:
It filters the events by the sourcetype access_combined, which is a predefined sourcetype for Apache web server logs.
It groups the events by the field JSESSIONID, which is a unique identifier for each user session.
It creates a single event from each group of events that share the same JSESSIONID value. This single event will have some additional fields created by the transaction command, such as duration, eventcount, and starttime.
Therefore, the statements B, C, and D are true.
Data models are composed of one or more of which of the following datasets? (select all that apply.)
- A . Events datasets
- B . Search datasets
- C . Transaction datasets
- D . Any child of event, transaction, and search datasets
A, B, C
Explanation:
Reference: https://docs.splunk.com/Documentation/Splunk/8.0.3/Knowledge/Aboutdatamodels
Data models are collections of datasets that represent your data in a structured and hierarchical way. Data models define how your data is organized into objects and fields. Data models can be composed of one or more of the following datasets:
Events datasets: These are the base datasets that represent raw events in Splunk. Events datasets can be filtered by constraints, such as search terms, sourcetypes, indexes, etc.
Search datasets: These are derived datasets that represent the results of a search on events or other datasets. Search datasets can use any search command, such as stats, eval, rex, etc., to transform the data.
Transaction datasets: These are derived datasets that represent groups of events that are related by fields, time, or both. Transaction datasets can use the transaction command or event types with transactiontype=true to create transactions.
What are the two parts of a root event dataset?
- A . Fields and variables.
- B . Fields and attributes.
- C . Constraints and fields.
- D . Constraints and lookups.
C
Explanation:
Reference: https://docs.splunk.com/Documentation/SplunkLight/7.3.5/GettingStarted/Designdatamodelobjects
A root event dataset is the base dataset for a data model that defines the source or sources of the data and the constraints and fields that apply to the data. A root event dataset has two parts: constraints and fields. Constraints are filters that limit the data to a specific index, source, sourcetype, host or search string. Fields are the attributes that describe the data and can be extracted, calculated or looked up. Therefore, option C is correct, while options A, B and D are incorrect.
What does the fillnull command replace null values with, if the value argument is not specified?
- A . 0
- B . N/A
- C . NaN
- D . NULL
A
Explanation:
Reference: https://answers.splunk.com/answers/653427/fillnull-doesnt-work-without-specfying-a-field.html
The fillnull command is a search command that replaces null values with a specified value or 0 if no value is specified. Null values are values that are missing, empty, or undefined in Splunk. The fillnull command can replace null values for all fields or for specific fields. The fillnull command can take an optional argument called value that specifies the value to replace null values with. If no value argument is specified, the fillnull command will replace null values with 0 by default.
Which of the following statements describes the use of the Field Extractor (FX)?
- A . The Field Extractor automatically extracts all fields at search time.
- B . The Field Extractor uses PERL to extract fields from the raw events.
- C . Fields extracted using the Field Extractor persist as knowledge objects.
- D . Fields extracted using the Field Extractor do not persist and must be defined for each search.
C
Explanation:
The Field Extractor (FX) is a tool that helps you extract fields from your events using a graphical interface or by manually editing the regular expression. The FX allows you to create field extractions that persist as knowledge objects, which are entities that you create to add knowledge to your data and make it easier to search and analyze. Field extractions are methods that extract fields from your raw data using various techniques such as regular expressions, delimiters or key-value pairs. When you create a field extraction using the FX, you can save it as a knowledge object that applies to your data at search time. You can also manage and share your field extractions with other users in your organization. Therefore, option C is correct, while options A, B and D are incorrect because they do not describe the use of the FX.