Practice Free SPLK-1002 Exam Online Questions
Question #81
Which of the following searches will return events contains a tag name Privileged?
- A . Tag= Priv
- B . Tag= Pri*
- C . Tag= Priv*
- D . Tag= Privileged
Correct Answer: B
Explanation:
Reference: https://docs.splunk.com/Documentation/PCI/4.1.0/Install/PrivilegedUserActivity
A tag is a descriptive label that you apply to a field/value pair in your events, so that related values from different sources can be found with a single search term. You search on a tag with the tag field: tag=<tagname>, or tag::<field>=<tagname> to restrict the match to tags applied to one field. Tag names are matched exactly and are case sensitive unless you use a wildcard (*). Option B, tag=Pri*, matches any tag name beginning with Pri, which includes Privileged, and is the answer this page gives. Option A, tag=Priv, returns nothing because Priv is not the tag name. Note that option C (tag=Priv*) and option D (tag=Privileged) also match events carrying the Privileged tag, so in practice only option A fails to return them.
Question #82
Which type of visualization shows relationships between discrete values in three dimensions?
- A . Pie chart
- B . Line chart
- C . Bubble chart
- D . Scatter chart
Correct Answer: C
Explanation:
Reference: https://docs.splunk.com/Documentation/DashApp/0.9.0/DashApp/chartsBub
A bubble chart places one bubble per discrete series, with two values on the x and y axes and a third value encoded in the size of the bubble, so it is the chart that relates discrete values in three dimensions. Pie and line charts plot a single measure, and a scatter chart relates only two.
Question #83
Which of the following is true about the Splunk Common Information Model (CIM)?
- A . The data models included in the CIM are configured with data model acceleration turned off.
- B . The CIM contains 28 pre-configured datasets.
- C . The CIM is an app that needs to run on the indexer.
- D . The data models included in the CIM are configured with data model acceleration turned on.
Correct Answer: D
Explanation:
The Splunk Common Information Model (CIM) is an add-on (Splunk_SA_CIM) that ships a set of predefined data models applying a common structure and naming convention to data from any source, so that searches, dashboards and correlation content written against a model work on data from different vendors. The CIM contains 28 pre-configured datasets covering domains such as authentication, network traffic, web and email. It is installed on search heads, not on indexers, so option C is wrong. This page's answer key takes D: the data models included in the CIM are configured with data model acceleration turned on, meaning Splunk builds and maintains summaries of the datasets so that searches over a model read the summaries instead of scanning the raw events. In a real deployment do not rely on the default: acceleration is set per data model on the CIM setup page (or in datamodels.conf), each accelerated model costs disk and indexer CPU for its summaries, and the state should be checked after installation.
References: Splunk Core Certified Power User Track, page 10; Splunk Documentation, About the Splunk Common Information Model.
Question #84
When used with the timechart command, which value of the limit argument returns all values?
- A . limit=*
- B . limit=all
- C . limit=none
- D . limit=0
Correct Answer: D
Explanation:
The limit argument of timechart caps the number of series shown in the chart: by default the top 10 series are kept and the rest are grouped into an OTHER series. Setting limit=0 disables that filtering, so every series is returned, which is option D. The other options are not valid values: limit expects an integer, not a wildcard or the strings all or none. See the Splunk documentation for the timechart command and for how limit interacts with the agg argument.
Question #85
Which of the following statements about tags is true?
- A . Tags are case insensitive.
- B . Tags can make your data more understandable.
- C . Tags are created at index time.
- D . Tags are searched by using the syntax tag :: <fieldname>.
Correct Answer: B
Explanation:
Tags are knowledge objects that assign an alias to one or more field/value pairs. They are applied at search time, after field extraction, and can be used as search terms or filters; they are not created at index time, so option C is false. Tag names are case sensitive, so option A is false. Tags are searched with tag=<tagname>, or tag::<field>=<tagname> to limit the match to one field, so option D has the syntax wrong.
Tags make your data more understandable by replacing cryptic or complex field values with meaningful names. For example, you can tag the value 200 in the status field as success, or tag the value 404 as not_found, and then search tag=success across sources that report status under different field names.
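The two tag questions above (#81 and #85) describe tags in the abstract. As an added example, not taken from the page or from Splunk's own documentation, here is a tags.conf fragment that defines the tag Privileged on two constructed field/value pairs, with the searches from Question #81 and their outcomes in comments. The field names user_role and priv_level and their values are assumptions made for illustration.

```ini
# tags.conf (constructed example): tag the field/value pair user_role=admin
# with the tag "Privileged". Tags are applied at search time, after field
# extraction, so user_role must already be an extracted field.
[user_role=admin]
Privileged = enabled

# A different field/value pair can carry the same tag name; that is what makes
# tags useful for normalising values coming from different sources.
[priv_level=0]
Privileged = enabled

# How the searches from Question #81 behave against events tagged above:
#   tag=Priv                  -> no results: tag names match exactly, Priv != Privileged
#   tag=Pri*                  -> matches (wildcard prefix); would also match a tag
#                                named Primary if one existed
#   tag=Priv*                 -> matches (wildcard prefix)
#   tag=Privileged            -> matches (exact)
#   tag=privileged            -> no results: tag names are case sensitive
#   tag::user_role=Privileged -> matches only the tag applied to user_role,
#                                not the one applied to priv_level
```

Tag the field/value pair, not the field: a stanza header of the form [user_role] without a value is not a valid tags.conf stanza.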
Question #86
Calculated fields can be based on which of the following?
- A . Tags
- B . Extracted fields
- C . Output fields for a lookup
- D . Fields generated from a search string
Correct Answer: B
Explanation:
Reference: https://docs.splunk.com/Documentation/Splunk/8.0.3/Knowledge/definecalcfields
A calculated field is a stored eval expression that derives a new field from fields that already exist in the event when the expression runs. Splunk applies search-time knowledge objects in a fixed order: field extractions, then field aliases, then calculated fields, then lookups, then event types, then tags. A calculated field can therefore be based on extracted fields (and aliases of them), which is option B. Lookup output fields (option C) and tags (option A) are added after calculated fields are evaluated, so they are not yet available; fields created by eval inside a search string (option D) exist only in that search's pipeline and are not a basis for a stored calculated-field definition.
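The ordering argument above is easier to see in configuration. The following props.conf fragment is an added example, not from the page or from Splunk's documentation; the sourcetype web_access, the regex, the lookup ip_to_region and its output field region are all assumed for illustration.

```ini
# props.conf (constructed example) for an assumed sourcetype "web_access".
# Search-time operations run in this order: field extraction -> field alias ->
# calculated field -> lookup -> event type -> tag. A calculated field can use
# only what exists before it in that sequence.
[web_access]
# 1. Extracted field: a three-digit status code captured from the raw event.
EXTRACT-status = \s(?<status>\d{3})\s
# 2. Field alias: also expose it under a CIM-style name.
FIELDALIAS-status_cim = status AS http_status
# 3. Calculated field based on the extracted field (valid; this is option B).
EVAL-status_class = case(status >= 500, "server_error", status >= 400, "client_error", true(), "ok")
# 4. Lookup: runs after calculated fields. "region" is an assumed output field of
#    an assumed lookup definition ip_to_region (transforms.conf, not shown).
LOOKUP-geo = ip_to_region clientip OUTPUT region
# Not usable as a stored calculated field: "region" is still null when EVAL-
# runs, so this would evaluate to "other" for every event. Derive it in the
# search pipeline instead, where the lookup has already been applied:
#   index=web sourcetype=web_access | eval region_flag=if(region=="EU","eu","other")
# EVAL-region_flag = if(region == "EU", "eu", "other")
```

If a derived value genuinely needs a lookup output, compute it with eval after the lookup in a search or report, or carry the logic into the lookup table itself.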
Question #87
Which of the following statements describe data model acceleration? (select all that apply)
- A . Root events cannot be accelerated.
- B . Accelerated data models cannot be edited.
- C . Private data models cannot be accelerated.
- D . You must have administrative permissions or the accelerate_datamodel capability to accelerate a data model.
Correct Answer: B, C, D
Explanation:
Data model acceleration speeds up searches on a data model by building and storing summaries of its datasets, which later searches read instead of scanning raw events. To enable it you need administrative permissions or the accelerate_datamodel capability, so option D is correct. Once a model is accelerated its datasets cannot be edited until acceleration is disabled, so option B is correct. Private data models cannot be accelerated: a model must be shared (app or global permissions) before the acceleration option becomes available, so option C is correct. Option A is wrong because root event datasets are exactly what acceleration summarizes; it is root search datasets built on transforming commands and root transaction datasets that are not accelerated.
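As an added example covering the acceleration points in Questions #83 and #87, here are the configuration stanzas that correspond to enabling acceleration, sharing a model so that it can be accelerated, and granting the capability to a role. None of this is from the page or from the Splunk documentation; the data model name web_activity, the role name dm_accel and the schedule values are assumptions.

```ini
# datamodels.conf (constructed example): enable acceleration for an assumed
# data model named "web_activity". This is what the Edit Acceleration dialog
# writes; the user saving it needs admin rights or the accelerate_datamodel
# capability.
[web_activity]
acceleration = true
# Summary range: only this much history is summarised, so choose it to match
# the searches that will run against the model.
acceleration.earliest_time = -7d
# How often the summary is updated and the longest a single update may run.
acceleration.cron_schedule = */5 * * * *
acceleration.max_time = 3600

# metadata/local.meta (constructed example): acceleration requires the model to
# be shared. A private model (no export, no read access for others) cannot be
# accelerated.
[datamodel/web_activity]
access = read : [ * ], write : [ admin, power ]
export = system

# authorize.conf (constructed example): grant the capability to a dedicated
# role instead of handing out admin.
[role_dm_accel]
importRoles = user
accelerate_datamodel = enabled

# Editing: to change the model's datasets after acceleration is on, set
# acceleration = false, edit, then re-enable; the summaries are rebuilt.
```

Keep acceleration.earliest_time as short as the use case allows: summaries live on the indexers alongside the buckets they describe, and every accelerated model adds scheduled search load.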
Question #88
If a search returns ____________ it can be viewed as a chart.
- A . timestamps
- B . statistics
- C . events
- D . keywords
Correct Answer: B
Explanation:
A search can be viewed as a chart when it returns statistics: tabular results that relate two or more fields, produced by transforming commands such as stats, chart or timechart. You view them as a chart by selecting the Visualization tab in the Search app and choosing a chart type such as column, line or pie. Option B is correct; a list of raw events, timestamps or keywords has no aggregated series to plot, so options A, C and D are wrong.
Question #89
Which of the following can be saved as an event type?
- A . index=server_496 sourcetype=BETA_534 code=610
- B . index=server_49c sourcetype=BETA_534 code=610 | stats count by code
- C . index=server_496 sourcetype=BETA_534 code=610 | where code > 200
- D . index=server_496 sourcetype=BETA_534 code=610 [| inputlookup append=t servercode.csv]
Correct Answer: A
Explanation:
An event type is a saved search string that categorizes events: every event matching the string gets an eventtype field with that name. The defining search can contain only search terms (index, sourcetype, field=value pairs, keywords and Boolean operators); it cannot contain a pipe or a subsearch, because event types are evaluated as search-time knowledge objects, not as a search pipeline.
Option A is a plain set of search terms and can be saved as an event type.
Option B pipes to stats count by code, a transforming command; save it as a report instead.
Option C pipes to where code > 200, which filters results after the pipe; an event type cannot include a pipe.
Option D contains a subsearch with inputlookup, which is not valid in an event type definition.
Reference: Splunk Docs, Event Types
Question #90
Which of the following statements describes an event type?
- A . A log level measurement: info, warn, error.
- B . A knowledge object that is applied before fields are extracted.
- C . A field for categorizing events based on a search string.
- D . Either a log, a metric, or a trace.
Correct Answer: C
Explanation:
An event type is a knowledge object that assigns a user-defined name to the set of events matching a search string, which is option C. For example, you can create an event type named successful_purchase for events that have sourcetype=access_combined, status=200 and action=purchase, then use eventtype=successful_purchase as a search term to find them or build alerts, reports and dashboards on it. See the Splunk documentation on event types. The other options describe something else: a log level such as info, warn or error is a field value indicating severity; the knowledge object applied before fields are extracted is the source type, which identifies the format and structure of the data; and log, metric and trace are kinds of data Splunk can ingest, not event types.
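As an added example for Questions #89 and #90 (not from the page or from Splunk's documentation), here is the option A search saved as an event type in eventtypes.conf, the rejected variants as comments, and a tags.conf stanza showing that an event type, being a field/value pair, can itself be tagged. The stanza name server496_code610 and the tag name code610 are assumptions.

```ini
# eventtypes.conf (constructed example): save the search from option A of
# Question #89 as an event type. The search string may not contain a pipe or a
# subsearch; it is a plain set of search terms evaluated at search time.
[server496_code610]
search = index=server_496 sourcetype=BETA_534 code=610
priority = 1
description = BETA_534 events with code 610 on server_496

# Rejected as event types, for the reasons given in Question #89:
#   index=server_496 sourcetype=BETA_534 code=610 | stats count by code
#   index=server_496 sourcetype=BETA_534 code=610 | where code > 200
#   index=server_496 sourcetype=BETA_534 code=610 [| inputlookup append=t servercode.csv]
# Save those as reports instead.

# tags.conf (constructed example): event types are themselves a field/value
# pair (eventtype=<name>), so they can be tagged like any other field.
[eventtype=server496_code610]
code610 = enabled

# Using it in a search (Question #90): either term below returns the events.
#   eventtype=server496_code610
#   tag=code610
```

Event type search strings are matched against every event at search time, so keep them selective (index and sourcetype first) to avoid paying for the match on unrelated data.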