SPLK-1002 Premium Bundle

Splunk Core Certified Power User Certification Exam

Last update: November 23, 2024

Splunk SPLK-1002 Free Practice Questions

Certified SPLK-1002 actual exam materials and test questions for the Splunk certification for IT specialists. Real success guaranteed with updated SPLK-1002 PDF and VCE dump materials. 100% pass the Splunk Core Certified Power User exam today!

Online Splunk SPLK-1002 free dumps demo below:

NEW QUESTION 1

Splunk alerts can be based on searches that run _______. (Select all that apply.)

  • A. in real-time
  • B. on a regular schedule
  • C. and have no matching events

Answer: AB

NEW QUESTION 2

Based on the macro definition shown below, what is the correct way to execute the macro in a search string?
[Exhibit: macro definition (image not reproduced)]

  • A. Convert_sales (euro, €, 79)
  • B. Convert_sales (euro, €, .79)
  • C. Convert_sales ($euro,$€$,s79$
  • D. Convert_sales ($euro, $€$,S,79$)

Answer: B

NEW QUESTION 3

Which of the following statements describe the search below? (select all that apply)
index=main | transaction clientip host maxspan=30s maxpause=5s

  • A. Events in the transaction occurred within 5 seconds.
  • B. It groups events that share the same clientip and host.
  • C. The first and last events are no more than 5 seconds apart.
  • D. The first and last events are no more than 30 seconds apart.

Answer: B

NEW QUESTION 4

Which of the following statements describe GET workflow actions?

  • A. GET workflow actions must be configured with POST arguments.
  • B. Configuration of GET workflow actions includes choosing a sourcetype.
  • C. Label names for GET workflow actions must include a field name surrounded by dollar signs.
  • D. GET workflow actions can be configured to open the URI link in the current window or in a new window.

Answer: D

NEW QUESTION 5

When creating a Search workflow action, which field is required?

  • A. Search string
  • B. Data model name
  • C. Permission setting
  • D. An eval statement

Answer: A

NEW QUESTION 6

When performing a regular expression (regex) field extraction using the Field Extractor (FX), what happens when the require option is used?

  • A. The regex can no longer be edited.
  • B. The field being extracted will be required for all future events.
  • C. The events without the required field will not display in searches.
  • D. Only events with the required string will be included in the extraction.

Answer: D

NEW QUESTION 7

Which delimiters can the Field Extractor (FX) detect? (select all that apply)

  • A. Tabs
  • B. Pipes
  • C. Spaces
  • D. Commas

Answer: ABCD

NEW QUESTION 8

What functionality does the Splunk Common Information Model (CIM) rely on to normalize fields with different names?

  • A. Macros.
  • B. Field aliases.
  • C. The rename command.
  • D. CIM does not work with different names for the same field.

Answer: B

NEW QUESTION 9

Which search would limit an "alert" tag to the "host" field?

  • A. tag=alert
  • B. host::tag::alert
  • C. tag==alert
  • D. tag::host=alert

Answer: D

NEW QUESTION 10

Given the macro definition below, what should be entered into the Name and Arguments fields to correctly configure the macro?
[Exhibit: macro definition (image not reproduced)]

  • A. The macro name is sessiontracker and the arguments are action, JESSION.
  • B. The macro name is sessiontracker (2) and the arguments are action, JESSIONID.
  • C. The macro name is sessiontracker and the arguments are sectional, $JESSIONIDS.
  • D. The macro name is sessiontracker (2) and the arguments are $action, $JESSIONIDS.

Answer: B

NEW QUESTION 11

In what order are the following knowledge objects/configurations applied?

  • A. Field Aliases, Field Extractions, Lookups
  • B. Field Extractions, Field Aliases, Lookups
  • C. Field Extractions, Lookups, Field Aliases
  • D. Lookups, Field Aliases, Field Extractions

Answer: B

NEW QUESTION 12

To identify all of the contributing events within a transaction that contains at least one REJECT event, which syntax is correct?

  • A. Index=main | REJECT trans sessionid
  • B. Index=main | transaction sessionid | search REJECT
  • C. Index=main | transaction sessionid | whose transaction=reject
  • D. Index=main | transaction sessionid | where transaction=reject

Answer: D

NEW QUESTION 13

Which is not a comparison operator in Splunk?

  • A. <=
  • B. =
  • C. !=
  • D. >
  • E. ?=

Answer: E

NEW QUESTION 14

What does the fillnull command replace null values with, if the value argument is not specified?

  • A. N/A
  • B. NaN
  • C. NULL

Answer: A

NEW QUESTION 15

Which of the following commands will show the maximum bytes?

  • A. sourcetype=access_* | maximum totals by bytes
  • B. sourcetype=access_* | avg (bytes)
  • C. sourcetype=access_* | stats max(bytes)
  • D. sourcetype=access_* | max(bytes)

Answer: C

NEW QUESTION 16

After manually editing a regular expression (regex), which of the following statements is true?

  • A. Changes made manually can be reverted in the Field Extractor (FX) UI.
  • B. It is no longer possible to edit the field extraction in the Field Extractor (FX) UI.
  • C. It is not possible to manually edit a regular expression (regex) that was created using the Field Extractor (FX) UI.
  • D. The Field Extractor (FX) UI keeps its own version of the field extraction in addition to the one that was manually edited.

Answer: D

NEW QUESTION 17

Which of the following describes the Splunk Common Information Model (CIM) add-on?

  • A. The CIM add-on uses machine learning to normalize data.
  • B. The CIM add-on contains dashboards that show how to map data.
  • C. The CIM add-on contains data models to help you normalize data.
  • D. The CIM add-on is automatically installed in a Splunk environment.

Answer: C

NEW QUESTION 18

Which of the following statements describe data model acceleration? (select all that apply)

  • A. Root events cannot be accelerated.
  • B. Accelerated data models cannot be edited.
  • C. Private data models cannot be accelerated.
  • D. You must have administrative permissions or the accelerate_datamodel capability to accelerate a data model.

Answer: BCD

NEW QUESTION 19

Which of the following knowledge objects represents the output of an eval expression?

  • A. Eval fields
  • B. Calculated fields
  • C. Field extractions
  • D. Calculated lookups

Answer: C

NEW QUESTION 20

Which of the following file formats can be extracted using a delimiter field extraction?

  • A. CSV
  • B. PDF
  • C. XML
  • D. JSON

Answer: A

NEW QUESTION 21

Which of the following searches will return events containing a tag named Privileged?

  • A. Tag= Priv
  • B. Tag= Priv*
  • C. Tag= Priv*
  • D. Tag= Privileged

Answer: D

NEW QUESTION 22
......

Recommend!! Get the Full SPLK-1002 dumps in VCE and PDF From Certifytools, Welcome to Download: https://www.certifytools.com/SPLK-1002-exam.html (New 153 Q&As Version)
