Practice Free SPLK-1002 Exam Online Questions
Information needed to create a GET workflow action includes which of the following? (select all that apply.)
- A . A name of the workflow action
- B . A URI where the user will be directed at search time.
- C . A label that will appear in the Event Action menu at search time.
- D . A name for the URI where the user will be directed at search time.
ABC
Explanation:
Reference: https://docs.splunk.com/Documentation/Splunk/8.0.3/Knowledge/SetupaGETworkflowaction
A GET workflow action is a link workflow action: when you click a field value in your search results, Splunk opens a URI and passes field values to it as GET parameters. Creating one requires:
A name of the workflow action: a unique identifier used internally by Splunk (it becomes the stanza name in workflow_actions.conf). Make it descriptive of what the action does.
A URI where the user will be directed at search time: the URL of the external web service or application that receives the GET request. The URI can contain field tokens of the form $fieldname$, which Splunk replaces with the event's field values at search time. For example, http://example.com/lookup?ip=$ip$ passes the value of the ip field as a query parameter. Because the value travels in the URL, it ends up in the destination's access logs and the browser history, so only pass fields the action needs.
A label that will appear in the Event Action menu at search time: the display name shown in the Event Actions menu when you open the actions for an event. Keep it clear and concise; it may also contain $fieldname$ tokens.
Option D is a distractor: the URI itself is needed, not a name for it. Therefore options A, B, and C are correct.
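The same three pieces of information as Splunk stores them on disk, shown here as an added example rather than text from the original page. The stanza name lookup_src_ip, the field src_ip and the host lookup.example.com are assumptions; the keys are the documented workflow_actions.conf settings.

```ini
# Added example (not from the original page): a GET link workflow action as
# Splunk stores it in workflow_actions.conf. The stanza name, the field name
# (src_ip) and the destination host (lookup.example.com) are assumptions.
[lookup_src_ip]
type = link
link.method = get
# Show the action only in the Event Actions menu, and only for events that
# actually contain a src_ip field.
display_location = event_menu
fields = src_ip
# $src_ip$ is replaced with the event's field value at search time; the
# label may carry a token too.
label = Look up $src_ip$ in the IP reputation service
link.uri = https://lookup.example.com/ip?q=$src_ip$
# Open the destination in a new tab so the user keeps the search results.
link.target = blank
```

Whatever is placed in link.uri travels in the query string of a GET request, so it appears in the destination's access logs and in the user's browser history. Keep fields restricted to what the action needs and do not pass values you would not put in a URL; use a POST workflow action when the value must stay out of the URL.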
The fields sidebar does not show________. (Select all that apply.)
- A . interesting fields
- B . selected fields
- C . all extracted fields
C
Explanation:
The fields sidebar is the panel to the left of the search results that lists the fields Splunk found in those results, in two groups: Selected Fields and Interesting Fields. Selected fields are the ones you have chosen to display with each event (host, source and sourcetype by default; you add a field by clicking its name in the sidebar and marking it as selected). Interesting fields are fields that occur in at least 20 percent of the events in the results. Fields extracted from fewer events are not listed in the sidebar at all; they are reachable through the All Fields link above the list. Therefore option C is correct, while options A and B are incorrect because the sidebar does show those two groups.
Which method in the Field Extractor would extract the port number from the following event? | 10/20/2022 – 125.24.20.1 ++++ port 54 – user: admin <web error>
- A . Delimiter
- B . rex command
- C . The Field Extractor tool cannot extract regular expressions.
- D . Regular expression
D
Explanation:
The Field Extractor (FX) offers two extraction methods: regular expression and delimiters. The delimiters method is for data whose fields are separated by a consistent character such as a comma, tab or pipe, which this event does not have, so the regular expression method is the right choice: highlight the value 54 in the preview and FX generates a regex with a named capture group. Written as an ad hoc search command, the equivalent regex is:
rex field=_raw "\+{4} port (?<port>\d+)"
Note that + is a regex metacharacter, so the four plus signs must be escaped, and the digits are matched with \d+, not d+. This creates a field called port with the value 54 for the event.
Option B is wrong because rex is an SPL search command, not a method offered by the Field Extractor. Option C is wrong because FX does generate and apply regular expressions; that is what its regular expression method does.
Reference: Splunk Core Certified Power User | Splunk
How can an existing accelerated data model be edited?
- A . An accelerated data model can be edited once its .tsidx file has expired.
- B . An accelerated data model can be edited from the Pivot tool.
- C . The data model must be de-accelerated before edits can be made to its structure.
- D . It cannot be edited. A new data model would need to be created.
C
Explanation:
An existing accelerated data model can be edited, but the data model must be de-accelerated before any structural edits can be made (Option C). This is because the acceleration process involves pre-computing and storing data, and changes to the data model’s structure could invalidate or conflict with the pre-computed data. Once the data model is de-accelerated and edits are completed, it can be re-accelerated to optimize performance.
When is a GET workflow action needed?
- A . To send field values to an external resource.
- B . To retrieve information from an external resource.
- C . To use field values to perform a secondary search.
- D . To define how events flow from forwarders to indexes.
Which of these search strings is NOT valid:
- A . index=web status=50* | chart count over host, status
- B . index=web status=50* | chart count over host by status
- C . index=web status=50* | chart count by host, status
A
Explanation:
The chart command takes a single field after over (the row split) and, optionally, a single field after by (the column split). The search index=web status=50* | chart count over host, status puts two comma-separated fields after over, which is a syntax error and prevents the search from running. Option B (chart count over host by status) and option C (chart count by host, status, where the first by-field becomes the rows and the second the columns) are both valid and produce the same table of counts per host and status. Therefore option A is correct.
If a calculated field has the same name as an extracted field, what happens to the extracted field?
- A . The calculated field will override the extracted field.
- B . The calculated and extracted fields will be combined.
- C . The calculated field will duplicate the extracted field.
- D . An error will be returned and the search will fail.
A
Explanation:
A calculated field is defined by an eval expression (EVAL-<fieldname> = <expression> in props.conf, or Settings > Fields > Calculated Fields) and is computed at search time, after field extraction. If the calculated field has the same name as an extracted field, the result of the eval expression replaces the extracted value, and the original extracted value is no longer available for searching or analysis under that name. The expression can still read the extracted value, which is how an existing field is normalised in place (for example converting a string to a number); if you need both the raw and the derived value, give the calculated field a unique name.
References: 1. Splunk Core Certified Power User Track, page 9. 2. Splunk Documentation, Configure calculated fields with props.conf.
What happens when a user edits the regular expression (regex) field extraction generated in the Field Extractor (FX)?
- A . There is a limit to the number of fields that can be extracted.
- B . The user is unable to preview the extractions.
- C . The extraction is added at index time.
- D . The user is unable to return to the automatic field extraction workflow.
A field alias is created where field1 -> field2 and the Overwrite Field Values checkbox is selected.
What happens if an event only contains values for field1?
- A . field2 values are removed from the events.
- B . field1 and field2 values are merged.
- C . field2 values are unchanged.
- D . field2 values are replaced with the value of the field1.
D
Explanation:
A field alias associates an additional (new) name with an existing field. Aliases are used to normalize fields from different sources that carry the same data under different names, or simply to rename a field for clarity or convenience. In props.conf an alias is written as FIELDALIAS-<class> = field1 AS field2; when Overwrite Field Values is selected in Splunk Web, Splunk writes ASNEW instead of AS.
The Overwrite Field Values option governs two situations: the original field has no value or does not exist in an event, and the alias field already exists in the event alongside the original field.
With Overwrite Field Values selected:
If the original field does not exist or has no value in an event, the alias field is removed from that event.
If the original field and the alias field both exist in an event, the value of the alias field is replaced with the value of the original field.
Without Overwrite Field Values:
If the original field does not exist or has no value in an event, the alias field is left unchanged in that event.
If the original field and the alias field both exist in an event, both fields keep their own values.
Therefore, with a field alias field1 -> field2 and Overwrite Field Values selected, an event that has a value for field1 gets that value in field2, replacing whatever field2 held before. The question says the event only contains values for field1, so there may be no pre-existing field2 to replace; either way field2 ends up equal to field1, which is option D.
Reference: Splunk Documentation, About calculated fields; About field aliases; Create field aliases in Splunk Web.
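The field alias rules above, the calculated field override from the earlier question, and the regular expression the Field Extractor question calls for, as they look together in props.conf. This is an added example, not configuration from the original page: the sourcetype acme:web, the field names, and the existence of an ip_address field are assumptions; the regex matches the sample event from the Field Extractor question. Splunk applies these settings in this order at search time: EXTRACT, then FIELDALIAS, then EVAL, which is why the calculated field can read the extracted value it replaces.

```ini
# Added example, not from the original page: search-time field settings for
# one sourcetype in props.conf. The sourcetype name (acme:web), the field
# names and the ip_address field are assumptions; the regex matches the
# sample event "10/20/2022 - 125.24.20.1 ++++ port 54 - user: admin <web error>"
# from the Field Extractor question. Search-time order: EXTRACT, FIELDALIAS, EVAL.
[acme:web]

# 1. What the Field Extractor writes when you choose the regular expression
#    method and highlight the port and user values. "+" is a regex
#    metacharacter, so the four plus signs must be escaped.
EXTRACT-port_and_user = \+{4} port (?<port>\d+) .* user: (?<user>\w+)

# 2. Field alias with Overwrite Field Values selected (ASNEW). An event whose
#    ip_address field has a value gets src_ip set to that value, replacing any
#    src_ip the event already had; an event with no ip_address has src_ip
#    removed. Plain AS would leave an existing src_ip untouched.
FIELDALIAS-normalise_src = ip_address ASNEW src_ip

# 3. Calculated field with the SAME name as the extracted field: the eval sees
#    the extracted string "54" and its result replaces it, so the original
#    string is no longer available under the name port.
EVAL-port = tonumber(port)

# 4. Calculated field with a NEW name: the extracted field is left intact and
#    both values are available to the search.
EVAL-is_privileged_port = if(tonumber(port) < 1024, "true", "false")
```

Restart is not needed for props.conf search-time settings, but the stanza must be in an app whose permissions make it visible to the role running the search; a silently invisible alias looks exactly like a broken one in the fields sidebar.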
What does the following search do?
- A . Creates a table of the total count of users and split by corndogs.
- B . Creates a table of the total count of mysterymeat corndogs split by user.
- C . Creates a table with the count of all types of corndogs eaten split by user.
- D . Creates a table that groups the total number of users by vegetarian corndogs.
B
Explanation:
The search string this question refers to is not reproduced above. The explanation as originally given pairs the answer with | stats count by user | where corndog=mysterymeat, but in that order the search returns nothing: stats count by user outputs only the fields user and count, so corndog no longer exists when where runs and every row is discarded. For option B to hold, the filter has to come before stats, for example <base search> corndog=mysterymeat | stats count by user. That search does the following:
It keeps only the events whose corndog field equals mysterymeat.
It uses the stats command to count the remaining events for each value of the user field, producing a table with two columns: user and count.
Therefore the search creates a table of the total count of mysterymeat corndogs split by user, which is option B.