A.  

KV Store

B.  

Lookups

C.  

Saved searches

D.  

Data models

A.  

Boolean expression, result if true, result if false

B.  

Result if true, result if false, boolean expression

C.  

Result if false, result if true, boolean expression

D.  

Boolean expression, result if false, result if true

A.  

Alerts

B.  

Email

C.  

Database

D.  

User permissions

A.  

tag!=Marketing tag=San_Francisco

B.  

tag=Marketing NOT (tag=San_Francisco)

C.  

tag=Marketing exclude (tag=San_Francisco)

D.  

tag::Marketing!=San_Francisco

A.  

0

B.  

N/A

C.  

NaN

D.  

NULL

A.  

tag=alert

B.  

host::tag::alert

C.  

tag==alert

D.  

tag::host=alert

A.  

Source type

B.  

At least five columns

C.  

Timestamp

D.  

Input filed

A.  

Streaming in some modes

B.  

Report generating

C.  

Distributable streaming

D.  

Centralized streaming

A.  

The timestamp of the event search time execution.

B.  

The timestamp of the earliest event.

C.  

The difference between the earliest and latest event.

D.  

The timestamp of the most recent event.

A.  

Identify at least one field:value pair.

B.  

Have the Power role at a minimum.

C.  

Be able to edit the sourcetype the tag applies to.

D.  

Must have the tag capability associated with their user role.

A.  

monthly_sales(argument 1, argument 2, argument 3)

B.  

monthly_sales(3)

C.  

monthly_sales[3]

D.  

monthly_sales[argument 1, argument 2, argument 3)

A.  

Pivot is used for creating datasets.

B.  

Data models are randomly structured datasets.

C.  

Pivot is used for creating reports and dashboards.

D.  

In most cases, each Splunk user will create their own data model.

A.  

Closed_txn field is set to o, or false.

B.  

Max_txn field is set to O, or false.

C.  

Txn_field is set to 1, or true.

D.  

open_txn field is set to 1, or true.

A.  

The original field name is not affected by the creation of a field alias.

B.  

The original field name is replaced by the field alias within the index.

C.  

The original field name is italicized to indicate that it is not an alias.

D.  

The original field name still exists in the index but is not visible to the user at search time.

A.  

Rank

B.  

Weight

C.  

Priority

D.  

Precedence

A.  

| chart count by vendor_action, user

B.  

| chart count over vendor_action, user

C.  

| chart count by vendor_action over user

D.  

| chart count over user by vendor_action

A.  

Format values

B.  

Convert values

C.  

Perform calculations

D.  

Use conditional statements

A.  

index=server_485 sourcetype=BETA_726 code=917 ['inputlookup append=t servercode.csv]

B.  

index=server_485 sourcetype=BETA_726 code=917 | stats where code > 200

C.  

index=server_485 sourcetype=BETA_726 code=917

D.  

index=server_485 sourcetype=BETA_726 code=917 | stats count by code

A.  

Select an additional sample event with the Field Extractor (FX) and highlight the missing value in the event.

B.  

Re-ingest the data and attempt to extract from a new dataset.

C.  

Click on the event where the field was not extracted and choose “Change to Delimited".

D.  

Edit the regular expression manually.

A.  

useother

B.  

usenull

C.  

fillfield

D.  

usefiled

A.  

example(2)

B.  

example(var1,var2)

C.  

example($,$)

D.  

example[2]

A.  

state can only group events using IP addresses.

B.  

The transaction command is faster and more efficient.

C.  

There is a 1000 event limitation with the transaction command.

D.  

Use state when the events need to be viewed as a single event.

A.  

a list of events

B.  

transactions

C.  

statistical values

A.  

index or source

B.  

sourcetype or host

C.  

index or sourcetype

D.  

sourcetype or source

A.  

Eval fields

B.  

Calculated fields

C.  

Field extractions

D.  

Calculated lookups

A.  

Tags

B.  

Extracted fields

C.  

Output fields for a lookup

D.  

Fields generated from a search string

A.  

Tags are case insensitive.

B.  

Tags can make your data more understandable.

C.  

Tags are created at index time.

D.  

Tags are searched by using the syntax tag :: .

A.  

Remove fields from results.

B.  

Create or replace an existing field.

C.  

Group transactions by one or more fields.

D.  

Save SPL commands to be reused in other searches.

A.  

Delimiter

B.  

rex command

C.  

The Field Extractor tool cannot extract regular expressions.

D.  

Regular expression

A.  

tag:=

B.  

tags=

C.  

tags:=

D.  

tag=

A.  

True

B.  

False

A.  

Unlimited

B.  

1h

C.  

1m

D.  

1d

A.  

One.

B.  

Two.

C.  

It depends on whether the original fields have the same name.

D.  

It depends on whether the two sourcetypes are associated with the same index.

A.  

It permits users to create workflow actions to align with industry standards.

B.  

It provides users with a standardized set of field names and tags to normalize data.

C.  

It allows users to create 3-D models of their data and export these visualizations.

D.  

It enables users to itemize their events based on the results of the Search Job Inspector.

A.  

Int ()

B.  

Count ( )

C.  

Print ()

D.  

Tostring ()

A.  

To send field values to an external resource.

B.  

To retrieve information from an external resource.

C.  

To use field values to perform a secondary search.

D.  

To define how events flow from forwarders to indexes.

A.  

A macro is a reusable search string that must contain the full search.

B.  

A macro is a reusable search string that must have a fixed time range.

C.  

A macro Is a reusable search string that may have a flexible time range.

D.  

A macro Is a reusable search string that must contain only a portion of the search.

A.  

Orchestrating

B.  

Transforming

C.  

Statistical

D.  

Generating

A.  

Replace empty values with a specified value.

B.  

Create a new field based on the values in an existing field.

C.  

Rename a specific field in the search results.

D.  

Replace all values in a specific field with a default value.

A.  

Rex

B.  

As

C.  

List

D.  

By

A.  

Selected-Fields

B.  

Non-Matches

C.  

Non-Extractions

D.  

Matches

A.  

For data cleanly separated by a space, a comma, or a pipe character.

B.  

For data in a CSV (comma-separated value) file.

C.  

For data with multiple, different characters separating fields.

D.  

For unstructured data.

A.  

‘weekly_sales(3.99, 10) '

B.  

‘weekly_sales($3.99$, $10$)

C.  

'weekly_sales (3.99, 10)

D.  

‘weekly_sales(3)

A.  

They can only be created from data models.

B.  

They can only be created by users with the Admin role.

C.  

They can only be created from summary indexes.

D.  

They can only be created from saved reports.

A.  

NOT, Parentheses, OR, AND

B.  

AND, Parentheses, NOT, OR

C.  

Parentheses, NOT, AND, OR

D.  

Parentheses, NOT, OR, AND

A.  

POST

B.  

Action

C.  

Search

D.  

Sub-Search

A.  

Tags are case-insensitive.

B.  

Tags are based on field/vale pairs.

C.  

Tags categorize events based on a search.

D.  

Tags are designed to make data more understandable.

A.  

Sets the maximum total time between events in a transaction.

B.  

Sets the maximum length of all events within a transaction.

C.  

Sets the maximum total time between the earliest and latest events in a transaction.

D.  

Sets the maximum length that any single event can reach to be included in the transaction.

A.  

All events In a transaction must have the same timestamp.

B.  

All events in a transaction must have the same sourcetype.

C.  

All events in a transaction must have the exact same set of fields.

D.  

All events in a transaction must be related by one or more fields.

A.  

duplicate

B.  

correlate

C.  

persist

D.  

tag

A.  

... | fillnull values=(0,"NO-VALUE") fields=(field1,field2)

B.  

There is no equivalent expression using fillnull

C.  

... | fillnull field1 | fillnull value="NO-VALUE" field2

D.  

... | fillnull value=0 field1 | fillnull field2

A.  

Evenrches would return a report of sales by state.

B.  

Events will be returned from the data model named Application_State.

C.  

Events will be returned from the data model named All_Application_state.

D.  

No events will be returned because the pipe should occur after the datamodel command

A.  

A name of the workflow action

B.  

A URI where the user will be directed at search time.

C.  

A label that will appear in the Event Action menu at search time.

D.  

A name for the URI where the user will be directed at search time.

A.  

Chronological

B.  

Reverser chronological

C.  

ASCIE

D.  

Alphabetical

A.  

sourcetype

B.  

index

C.  

source

D.  

host

A.  

geostats

B.  

cluster

C.  

geom

A.  

tag=success ful_purchases

B.  

Event Type:: successful purchases

C.  

successful_purchases

D.  

event type—success ful_purchases

A.  

In a field.

B.  

In an index.

C.  

In a KV Store.

D.  

In a database.

A.  

override default of 10

B.  

only work with top command

C.  

override default of 20

D.  

override default of 15

A.  

Constraint, field, value.

B.  

Events, searches, transactions.

C.  

Field extraction, regex, delimited.

D.  

Transaction, session ID, metadata.

A.  

eval, coalesce

B.  

transaction, stats

C.  

stats, format

D.  

top, rare

A.  

sourcetype=access_* | maximum totals by bytes

B.  

sourcetype=access_* | avg (bytes)

C.  

sourcetype=access_* | stats max(bytes)

D.  

sourcetype=access_* | max(bytes)

A.  

events with this field

B.  

rare values

C.  

top values by time

D.  

top values

A.  

Use the scats command when you next to group events by two or more fields.

B.  

The stats command is faster and more efficient than the transaction command

C.  

The transaction command is faster and more efficient than the stats command.

D.  

Use the transaction command when you want to see the results of a calculation.

A.  

max

B.  

distinct_count

C.  

fields

D.  

count

A.  

below

B.  

interesting fields

C.  

other fields

D.  

above

A.  

join

B.  

stats

C.  

streamstats

D.  

transaction

A.  

Consult the CIM data model reference tables.

B.  

Run a search using the authentication command.

C.  

Consult the CIM event type reference tables.

D.  

Run a search using the correlation command.

A.  

Field Aliases, Field Extractions, Lookups

B.  

Field Extractions, Field Aliases, Lookups

C.  

Field Extractions, Lookups, Field Aliases

D.  

Lookups, Field Aliases, Field Extractions

A.  

Place the variable name inside of curly braces: {variable name}.

B.  

Place the variable name inside of asterisks: variable name.

C.  

Place the variable name inside of dollar signs: $variable name$.

D.  

Place the variable name inside of percentage signs: %variable name%.

A.  

The macro's name ends with (3).

B.  

The macro's name starts with (3).

C.  

The macro's argument count setting is 3 or more.

D.  

Nothing, all macros can accept any number of arguments.

A.  

The chart command does not allow for multiple statistical functions.

B.  

Product, sum: addtocart, sum: remove, sum: purchase, count: addtocart, count: remove, count: purchase

C.  

Product, count: addtocart, count: remove, count: purchase, sum: addtocart, sum: remove, sum: purchase

D.  

Count: product, sum: product, count: action, sum: action

A.  

<=

B.  

=

C.  

!=

D.  

>

E.  

?=

A.  

Indexes

B.  

Tags

C.  

Event types

D.  

Sourcetypes

A.  

A Run workflow action, because the user is running a new search with a specific field value from an event returned in the user's search.

B.  

A Search workflow action, because the user is running a new search with a specific field value from an event returned in the user's search.

C.  

A POST workflow action, because the search is being sent to the user's current Splunk instance.

D.  

A GET workflow action, because a field value needs to be retrieved from the events returned in the user's search.

A.  

Users can save reports from Pivot.

B.  

Users cannot share visualizations created with Pivot.

C.  

Users must use SPL to find events in a Pivot.

D.  

Users cannot create visualizations with Pivot.

A.  

Event type

B.  

Field alias

C.  

Field extraction

D.  

Tag

A.  

Core datasets

B.  

Root datasets

C.  

Root indexes

D.  

Core indexes

A.  

In the top right corner, click Save As > Event Type.

B.  

In an event's detail dropdown, click Event Actions > Build Event Type.

C.  

Edit eventtypes.conf and add a new stanza.

D.  

Add | eventtype to the SPL and execute the search.

A.  

Event Actions > Extract Fields

B.  

Fields sidebar > Extract New Field

C.  

Settings > Field Extractions > New Field Extraction

D.  

Settings > Field Extractions > Open Field Extraction

A.  

When you need to group on multiple values.

B.  

When duration is irrelevant in search results. .

C.  

When you have over 1000 events in a transaction.

D.  

When you need to group based on start and end constraints.

A.  

Convert_sales (euro, €, 79)”

B.  

Convert_sales (euro, €, .79)

C.  

Convert_sales ($euro,$€$,s79$

D.  

Convert_sales ($euro, $€$,S,79$)

A.  

Table

B.  

Report

C.  

Pie chart

A.  

A pipe may always follow a macro.

B.  

The current user must own the macro.

C.  

The macro must be defined in the current app.

D.  

Only when sharing is set to global for the macro.

A.  

They cannot be created within the data model.

B.  

They can only be added into a root search dataset.

C.  

They cannot be edited if inherited from a parent dataset.

D.  

They can be added to a dataset from search time field extractions.

A.  

Normalizing data across a Splunk deployment.

B.  

Providing templates for reports and dashboards.

C.  

Algorithmically shifting events to other indexes.

D.  

Reingesting previously indexed data with new field names.

A.  

A macro is a method of categorizing events based on a search.

B.  

A macro is a way to associate an additional (new) name with an existing field name.

C.  

A macro is a portion of a search that can be reused in multiple place

D.  

A macro is a knowledge object that enables you to schedule searches for specific events.

A.  

index=web sourcetype=access_combined SD404K289O2F151 I table JSESSIONID

B.  

index=web sourcetype=access_combined JSESSIONID

C.  

index=web sourcetype=access_combined I highlight JSESSIONID I search SD404K289O2F151

D.  

index-web sourcetype=access_combined I transaction JSESSIONID I search SD404K289O2F151

A.  

because timechart doesn't support using a by clause.

B.  

because _time is already implied as the x-axis.

C.  

because one field would represent the x-axis and the other would represent the y-axis.

D.  

There is no limit specific to timechart.

A.  

0

B.  

N/A

C.  

NaN

D.  

NULL

A.  

field2 values are removed from the events.

B.  

field1 and field2 values are merged.

C.  

field2 values are unchanged.

D.  

field2 values are replaced with the value of the field1.