Practice Free SPLK-1002 Exam Online Questions
Question #61
Given the following eval statement:
…| eval field1 = if(isnotnull(field1), field1, 0), field2 = if(isnull(field2), "NO-VALUE", field2)
Which of the following is the equivalent using fillnull?
- A . There is no equivalent expression using fillnull
- B . … | fillnull values=(0,"NO-VALUE") fields=(field1,field2)
- C . … | fillnull value=0 field1 | fillnull fields
- D . … | fillnull field1 | fillnull value="NO-VALUE" field2
Correct Answer: D
Explanation:
The fillnull command replaces null values in one or more fields with a specified value. Its syntax is fillnull [value=<string>] [<field-list>]: one replacement value per invocation (default 0), applied to the fields in the list, or to every field in the results if no list is given. There is no values= or fields= option, so option B is not valid SPL, and the second stage of option C would treat the word "fields" as the name of a field to fill. In Splunk a field is null when it is absent from an event, which is exactly what the eval statement's isnull and isnotnull functions test, so the eval can be reproduced with two chained fillnull commands: fillnull field1 fills null values of field1 with the default 0, and fillnull value="NO-VALUE" field2 fills null values of field2 with "NO-VALUE". Two invocations are needed because each fillnull carries a single replacement value.
1: Splunk Core Certified Power User Track, page 9. 2: Splunk Documentation, fillnull command.
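The equivalence in the explanation above, modelled in Python as an added example (it is not from the page and not Splunk's code; SPL itself cannot be run offline). A field is null in Splunk when it is absent from the event, so the sample events below are constructed with missing keys. The helpers `eval_version`, `fillnull` and `option_d` are hypothetical names that implement the documented semantics of the two SPL pipelines.

```python
"""Model of Splunk null semantics: a field is null when the event lacks it."""

# Constructed sample events (not from the page). Missing keys model Splunk nulls.
EVENTS = [
    {"_raw": "a", "field1": 5, "field2": "x"},   # both present
    {"_raw": "b", "field2": "y"},                # field1 null
    {"_raw": "c", "field1": 7},                  # field2 null
    {"_raw": "d"},                               # both null
]


def eval_version(events):
    """| eval field1=if(isnotnull(field1),field1,0),
              field2=if(isnull(field2),"NO-VALUE",field2)"""
    out = []
    for e in events:
        e = dict(e)
        e["field1"] = e["field1"] if "field1" in e else 0
        e["field2"] = "NO-VALUE" if "field2" not in e else e["field2"]
        out.append(e)
    return out


def fillnull(events, value=0, fields=None):
    """Model of `fillnull [value=<string>] [<field-list>]`.

    One replacement value per invocation (default 0). With no field list,
    every field that occurs anywhere in the result set is filled.
    """
    if fields is None:
        fields = sorted({k for e in events for k in e})
    out = []
    for e in events:
        e = dict(e)
        for f in fields:
            e.setdefault(f, value)   # only absent (null) fields are touched
        out.append(e)
    return out


def option_d(events):
    """... | fillnull field1 | fillnull value="NO-VALUE" field2"""
    step1 = fillnull(events, fields=["field1"])
    return fillnull(step1, value="NO-VALUE", fields=["field2"])


def single_pass(events):
    """... | fillnull  (no value, no field list): one value for every field,
    which is why a single fillnull cannot reproduce the eval."""
    return fillnull(events)


if __name__ == "__main__":
    for row in option_d(EVENTS):
        print(row)
    print("equivalent:", eval_version(EVENTS) == option_d(EVENTS))
```

Running the block shows the two pipelines agree on every event, while the single-pass variant fills field2 with 0 instead of "NO-VALUE" on the events where it is missing.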
Question #62
The limit attribute will___________.
- A . override default of 10
- B . only work with top command
- C . override default of 20
- D . override default of 15
Correct Answer: A
Question #63
What are search macros?
- A . Lookup definitions in lookup tables.
- B . Reusable pieces of search processing language.
- C . A method to normalize fields.
- D . Categories of search results.
Correct Answer: B
Explanation:
The correct answer is B. Reusable pieces of search processing language.
Search macros are knowledge objects that allow you to insert chunks of SPL into other searches. Search macros can be any part of a search, such as an eval statement or a search term, and do not need to be a complete command.
You can also specify whether the macro takes any arguments and define validation expressions for them.
Search macros can help you make your SPL searches shorter and easier to understand.
To use a search macro in a search string, you put a backtick character (`) before and after the macro name. For example, `mymacro`.
Question #64
What will you learn from the results of the following search?
sourcetype=cisco_esa | transaction mid, dcid, icid | timechart avg(duration)
- A . The average time elapsed during each transaction for all transactions
- B . The average time for each event within each transaction
- C . The average time between each transaction
Correct Answer: A
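What the search above computes, modelled in Python as an added example (not from the page and not Splunk's code). The events are constructed Cisco ESA style records carrying epoch `_time` and the mid, dcid and icid identifiers; `transaction` here is a simplified model that groups events sharing all listed field values, stamps each transaction with its earliest event time and sets duration to last minus first, and `timechart_avg` buckets those transactions by an explicit span and averages a field per bucket. The real transaction command also stitches events that carry only some of the fields and honours maxspan, maxpause, startswith and endswith; those are not modelled.

```python
"""Model of `transaction mid, dcid, icid | timechart avg(duration)`."""
from collections import defaultdict
from statistics import mean

# Constructed sample events (not from the page). mid = message id,
# dcid = delivery connection id, icid = incoming connection id.
ESA_EVENTS = [
    {"_time": 1000, "mid": "1", "dcid": "10", "icid": "100"},
    {"_time": 1030, "mid": "1", "dcid": "10", "icid": "100"},
    {"_time": 1090, "mid": "1", "dcid": "10", "icid": "100"},  # transaction 1: 90 s
    {"_time": 1100, "mid": "2", "dcid": "11", "icid": "101"},
    {"_time": 1130, "mid": "2", "dcid": "11", "icid": "101"},  # transaction 2: 30 s
    {"_time": 4000, "mid": "3", "dcid": "12", "icid": "102"},  # single event: 0 s
]


def transaction(events, *fields):
    """Simplified `transaction <field-list>`.

    Events with identical values for all listed fields form one transaction.
    duration = time of last event - time of first event (seconds), and the
    transaction's own _time is that of its earliest event.
    """
    groups = defaultdict(list)
    for e in events:
        groups[tuple(e.get(f) for f in fields)].append(e)
    out = []
    for key, evs in groups.items():
        times = [e["_time"] for e in evs]
        t = dict(zip(fields, key))
        t["_time"] = min(times)
        t["duration"] = max(times) - min(times)
        t["eventcount"] = len(evs)
        out.append(t)
    return sorted(out, key=lambda t: t["_time"])


def timechart_avg(results, field, span):
    """`timechart span=<seconds> avg(<field>)`: bucket on _time, average per bucket.

    Splunk picks the span from the search time range when none is given; the
    model takes it explicitly.
    """
    buckets = defaultdict(list)
    for r in results:
        buckets[(r["_time"] // span) * span].append(r[field])
    return {b: mean(v) for b, v in sorted(buckets.items())}


def answer(span=3600):
    """The page's search over the constructed events: average transaction
    duration per time bucket, i.e. option A."""
    return timechart_avg(transaction(ESA_EVENTS, "mid", "dcid", "icid"),
                         "duration", span)


if __name__ == "__main__":
    for t in transaction(ESA_EVENTS, "mid", "dcid", "icid"):
        print(t)
    print(answer())
```

With a one-hour span the first two transactions (durations 90 and 30) land in the same bucket and average to 60, while the lone event forms a zero-duration transaction in a later bucket; the chart reports the average elapsed time per transaction in each bucket, not per event and not the gap between transactions.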
Question #65
Where are the results of eval commands stored?
- A . In a field.
- B . In an index.
- C . In a KV Store.
- D . In a database.
Correct Answer: A
Explanation:
https://docs.splunk.com/Documentation/Splunk/8.0.2/SearchReference/Eval
The eval command calculates an expression and puts the resulting value into a search results field. If the field name that you specify does not match a field in the output, a new field is added to the search results.
If the field name that you specify matches a field name that already exists in the search results, the results of the eval expression overwrite the values in that field.
Question #66
Which of the following commands will show the maximum bytes?
- A . sourcetype=access_* | maximum totals by bytes
- B . sourcetype=access_* | avg (bytes)
- C . sourcetype=access_* | stats max(bytes)
- D . sourcetype=access_* | max(bytes)
Correct Answer: C
Question #67
The gauge command:
- A . creates a single-value visualization
- B . allows you to set colored ranges for a single-value visualization
- C . creates a radial gauge visualization
Correct Answer: B
Question #68
When should transaction be used?
- A . Only in a large distributed Splunk environment.
- B . When calculating results from one or more fields.
- C . When event grouping is based on start/end values.
- D . When grouping events results in over 1000 events in each group.
Correct Answer: C
Question #69
Which of the following commands support the same set of functions?
- A . stats, eval, table
- B . search, where, eval
- C . stats, chart, timechart
- D . transaction, chart, timechart
Correct Answer: C
Question #70
__________ datasets can be added to a root dataset to narrow down the search.
- A . parent
- B . extracted
- C . event
- D . child
Correct Answer: D
Explanation:
Child datasets can be added to root datasets to narrow down the search. Datasets are collections of events that represent your data in a structured and hierarchical way. Datasets can be created by using commands such as datamodel or pivot. Datasets can have different types, such as events, search, transaction, etc. Datasets can also have different levels, such as root or child. Root datasets are base datasets that contain all events from a data model or an index. Child datasets are derived datasets that contain a subset of events from a parent dataset based on some constraints, such as search terms, fields, time range, etc. Child datasets can be added to root datasets to narrow down the search and filter out irrelevant events.