A.  

Boolean expression, result if true, result if false

B.  

Result if true, result if false, boolean expression

C.  

Result if false, result if true, boolean expression

D.  

Boolean expression, result if false, result if true

A.  

Xml

B.  

Json

C.  

Html

D.  

A php file

A.  

index=main source=mySource oldField=* |’makeMyField(oldField)’| table _time newField

B.  

index=main source=mySource oldField=* | stats if(‘makeMyField(oldField)’) | table _time newField

C.  

index=main source=mySource oldField=* | eval newField=’makeMyField(oldField)’| table _time newField

D.  

index=main source=mySource oldField=* | "’newField(‘makeMyField(oldField)’)’" | table _time newField

A.  

creates a single-value visualization

B.  

allows you to set colored ranges for a single-value visualization

C.  

creates a radial gauge visualization

A.  

index=games I stats count as IP_count by IP B. | where IP_count > 5

B.  

index=games | search IP_Count > 5

C.  

index=games | where IP > 5

D.  

index=games I search IP > 5

A.  

eval sc_bytes(1024/1024)

B.  

| eval negabytes=sc_bytes(1024/1024)

C.  

megabytes=sc_bytes(1024/1024)

D.  

sc_bytas(1024/1024)

A.  

Every event in the network index that does not have a value in this field.

B.  

Every event in the network index that does not contain a StatusCode of 200 and excluding events that do not have a value in this field.

C.  

Every event in the network index that does not contain a StatusCode of 200, including events that do not have a value in this field.

D.  

No results as the syntax is incorrect, the != field expression needs to be used instead of the NOT operator.

A.  

index-server_472 sourcetype-BETA_494 code-488 I stats count by code

B.  

index=server_472 sourcetype=BETA_494 code=488 [I inputlookup append=t servercode.csv]

C.  

index=server_472 sourcetype=BETA_494 code=488 I stats where code > 200

D.  

index=server_472 sourcetype=BETA_494 code-488

A.  

Events that contain the string value where A=B.

B.  

Events that contain the string value A=

B.  

C.  

Events where values of field are equal to values of field B.

D.  

Events where field A contains the string value B.

A.  

Sourcetype=access_* |sum bytes by host

B.  

Sourcetype=access_* |stats sum(categorylD. by host

C.  

Sourcetype=access_* |sum(bytes) by host

D.  

Sourcetype=access_* |stats sum by host

A.  

In the top right corner, click Save As > Event Type.

B.  

In an event's detail dropdown, click Event Actions > Build Event Type.

C.  

Edit eventtypes.conf and add a new stanza.

D.  

Add | eventtype to the SPL and execute the search.

A.  

Format values

B.  

Convert values

C.  

Perform calculations

D.  

Use conditional statements

A.  

It permits users to create workflow actions to align with industry standards.

B.  

It provides users with a standardized set of field names and tags to normalize data.

C.  

It allows users to create 3-D models of their data and export these visualizations.

D.  

It enables users to itemize their events based on the results of the Search Job Inspector.

A.  

Calculated fields cannot be chained together to create more complex fields

B.  

Calculated fields can be chained together to create more complex fields.

C.  

Calculated fields can only be used in dashboards.

D.  

Calculated fields can only be used in saved reports.

A.  

index=games sourcetype=score [search index=players | fields player_id]

B.  

index=games sourcetype=score I where score>9999

C.  

index=games sourcetype=score player=* score>9999

D.  

index=games sourcetype=score I stats count by player

A.  

parent

B.  

extracted

C.  

event

D.  

child

A.  

A macro is a method of categorizing events based on a search.

B.  

A macro is a way to associate an additional (new) name with an existing field name.

C.  

A macro is a portion of a search that can be reused in multiple place

D.  

A macro is a knowledge object that enables you to schedule searches for specific events.

A.  

Change indexed fields

B.  

Exclude fields from our search results

C.  

Extract new fields from our data using regular expressions

D.  

Give a field a new name at search time

A.  

In a field.

B.  

In an index.

C.  

In a KV Store.

D.  

In a database.

A.  

maxpause

B.  

endswith

C.  

maxduration

D.  

maxspan

A.  

count

B.  

duration

C.  

eventcount

D.  

transaction id

A.  

States of the United States

B.  

States and provinces of the united states and Canada

C.  

Countries of the European Union

D.  

Countries of the World

A.  

override default of 10

B.  

only work with top command

C.  

override default of 20

D.  

override default of 15

A.  

Rename a field in the index

B.  

remove duplicate values

C.  

provide an additional alias for the field that can D.be used in the search criteria

A.  

Event types can optimize data storage.

B.  

Event types improve dashboard performance.

C.  

Event types improve search performance.

D.  

Event types categorize events based on a search string.

A.  

Name and arguments.

B.  

Name and a validation error message.

C.  

Name and definition.

D.  

Definition and arguments.

A.  

Examplemacro [1,2]

B.  

samplemacro(1,2)

C.  

u amp -CJEUCXG (2)

D.  

samplemacro[2]

A.  

Transaction datasets

B.  

Events datasets

C.  

Search datasets

D.  

Any child of event, transaction, and search datasets

A.  

Perform an external IP lookup based on a domain value found in events.

B.  

Use the field values in an HTTP error event to create a new ticket in an external system.

C.  

Launch secondary Splunk searches that use one or more field values from selected events.

D.  

Open a web browser to look up an HTTP status code.

A.  

Search time

B.  

Index time

C.  

On a cron schedule

D.  

At midnight

A.  

They can only be created from data models.

B.  

They can only be created by users with the Admin role.

C.  

They can only be created from summary indexes.

D.  

They can only be created from saved reports.

A.  

Pivot is used for creating datasets.

B.  

Data model are randomly structured datasets.

C.  

Pivot is used for creating reports and dashboards.

D.  

In most cases, each Splunk user will create their own data model.

A.  

Fields

B.  

Tokens

C.  

Advanced Search

D.  

Searches, Reports, Alerts

A.  

in real-time

B.  

on a regular schedule

C.  

and have no matching events

A.  

Only in a large distributed Splunk environment.

B.  

When calculating results from one or more fields.

C.  

When event grouping is based on start/end values.

D.  

When grouping events results in over 1000 events in each group.

A.  

Three

B.  

Eight

C.  

Five

D.  

Zero

A.  

Int ()

B.  

Count ( )

C.  

Print ()

D.  

Tostring ()

A.  

example(2)

B.  

example(var1,var2)

C.  

example($,$)

D.  

example[2]

A.  

drills down for that value

B.  

highlights the field value across the chart

C.  

adds the highlighted value to the search criteria

A.  

Custom visualizations

B.  

Pre-configured data models

C.  

Fields and event category tags

D.  

Automatic data model acceleration

A.  

Root events cannot be accelerated.

B.  

Accelerated data models cannot be edited.

C.  

Private data models cannot be accelerated.

D.  

You must have administrative permissions or the accelerate_dacamodel capability to accelerate a data model.

A.  

OR

B.  

AND

C.  

()

D.  

NOT

A.  

Tag= Priv

B.  

Tag= Pri*

C.  

Tag= Priv*

D.  

Tag= Privileged

A.  

GET

B.  

POST

C.  

LOOKUP

D.  

Search

A.  

They are both knowledge objects.

B.  

Data models are created out of datasets called pivots.

C.  

Pivot requires users to input SPL searches on data models.

D.  

Pivot allows the creation of data visualizations that present different aspects of a data model.

A.  

By using the searchtypes command in the search bar.

B.  

By editing the event_type stanza in the props.conf file.

C.  

By going to the Settings menu and clicking Event Types > New.

D.  

By selecting an event in search results and clicking Event Actions > Build Event Type.

A.  

| datamodel web search | filed web *

B.  

| Search datamodel web web | filed web*

C.  

| datamodel web web field | search web*

D.  

Datamodel=web | search web | filed web*

A.  

Fast mode is enabled.

B.  

The dashboard is private.

C.  

The extraction is private-

D.  

The person in the organization running the report does not have access to the index.

A.  

Field alias names replace the original field name.

B.  

Field aliases can be used in lookup file definitions.

C.  

Field aliases only normalize data across sources and sourcetypes.

D.  

Field alias names are not case sensitive when used as part of a search.

A.  

The CIM add-on uses machine learning to normalize data.

B.  

The CIM add-on contains dashboards that show how to map data.

C.  

The CIM add-on contains data models to help you normalize data.

D.  

The CIM add-on is automatically installed in a Splunk environment.

A.  

Tabs

B.  

Pipes

C.  

Spaces

D.  

Commas

A.  

Events datasets

B.  

Search datasets

C.  

Transaction datasets

D.  

Any child of event, transaction, and search datasets

A.  

below

B.  

interesting fields

C.  

other fields

D.  

above

A.  

When a search should always include the same time range.

B.  

When a search needs to be added to other users' dashboards.

C.  

When the search string needs to be used in future searches.

D.  

When formatting needs to be included with the search string.

A.  

Both will appear in the All Fields list, but only if the alias is specified in the search.

B.  

Both will appear in the Interesting Fields list, but only if they appear in at least 20 percent of events.

C.  

The original field only appears in All Fields list and the alias only appears in the Interesting Fields list.

D.  

The alias only appears in the All Fields list and the original field only appears in the Interesting Fields list.

A.  

Changes made manually can be reverted in the Field Extractor (FX) UI.

B.  

It is no longer possible to edit the field extraction in the Field Extractor (FX) UI.

C.  

It is not possible to manually edit a regular expression (regex) that was created using the Field Extractor (FX) UI.

D.  

The Field Extractor (FX) UI keeps its own version of the field extraction in addition to the one that was manually edited.

A.  

The regex can no longer be edited.

B.  

The field being extracted will be required for all future events.

C.  

The events without the required field will not display in searches.

D.  

Only events with the required string will be included in the extraction.

A.  

Events in the transaction occurred within 5 seconds.

B.  

It groups events that share the same clientip and host.

C.  

The first and last events are no more than 5 seconds apart.

D.  

The first and last events are no more than 30 seconds apart.

A.  

CSV

B.  

PDF

C.  

XML

D.  

JSON

A.  

Tag-

B.  

Tag

C.  

Tag=::

D.  

Tag::=

A.  

Macros.

B.  

Field aliases.

C.  

The rename command.

D.  

CIM does not work with different names for the same field.

A.  

An additional filed named maxspan is created.

B.  

An additional field named duration is created.

C.  

An additional field named eventcount is created.

D.  

Events with the same JSESSIONID will be grouped together into a single event.

A.  

Data models provide the datasets for pivots.

B.  

Pivots and data models have no relationship.

C.  

Pivots and data models are the same thing.

D.  

Pivots provide the datasets for data models.

A.  

Calculated fields can be used in the search bar.

B.  

Calculated fields can be based on an extracted field.

C.  

Calculated fields can only be applied to host and sourcetype.

D.  

Calculated fields are shortcuts for performing calculations using the eval command.

A.  

Convert_sales (euro, €, 79)”

B.  

Convert_sales (euro, €, .79)

C.  

Convert_sales ($euro,$€$,s79$

D.  

Convert_sales ($euro, $€$,S,79$)

A.  

Fields and variables.

B.  

Fields and attributes.

C.  

Constraints and fields.

D.  

Constraints and lookups.

A.  

Index-main | REJECT trans sessionid

B.  

Index-main | transaction sessionid | search REJECT

C.  

Index=main | transaction sessionid | whose transaction=reject

D.  

Index=main | transaction sessionid | where transaction=reject’’

A.  

Creates a table of the total count of users and split by corndogs.

B.  

Creates a table of the total count of mysterymeat corndogs split by user.

C.  

Creates a table with the count of all types of corndogs eaten split by user.

D.  

Creates a table that groups the total number of users by vegetarian corndogs.

A.  

because timechart doesn't support using a by clause.

B.  

because _time is already implied as the x-axis.

C.  

because one field would represent the x-axis and the other would represent the y-axis.

D.  

There is no limit specific to timechart.

A.  

A macro is a reusable search string that must contain the full search.

B.  

A macro is a reusable search string that must have a fixed time range.

C.  

A macro Is a reusable search string that may have a flexible time range.

D.  

A macro Is a reusable search string that must contain only a portion of the search.

A.  

It does not allow the use of wildcards.

B.  

It treats field values in a case-sensitive manner.

C.  

It can only be used at the beginning of the search pipeline.

D.  

It behaves exactly like search strings before the first pipe.

A.  

Alerts

B.  

Email

C.  

Database

D.  

User permissions

A.  

By default. Search workflow actions will run as a real-time search.

B.  

Search workflow actions can be configured as scheduled searches,

C.  

The user can define the time range of the search when created the workflow action.

D.  

Search workflow actions cannot be configured with a search string that includes the transaction command

A.  

Remove fields from results.

B.  

Create or replace an existing field.

C.  

Group transactions by one or more fields.

D.  

Save SPL commands to be reused in other searches.

A.  

Search string

B.  

Data model name

C.  

Permission setting

D.  

An eval statement

A.  

Eval fields

B.  

Calculated fields

C.  

Field extractions

D.  

Calculated lookups

A.  

0

B.  

N/A

C.  

NaN

D.  

NULL

A.  

Use the scats command when you next to group events by two or more fields.

B.  

The stats command is faster and more efficient than the transaction command

C.  

The transaction command is faster and more efficient than the stats command.

D.  

Use the transaction command when you want to see the results of a calculation.

A.  

Field Aliases, Field Extractions, Lookups

B.  

Field Extractions, Field Aliases, Lookups

C.  

Field Extractions, Lookups, Field Aliases

D.  

Lookups, Field Aliases, Field Extractions

A.  

Tabs

B.  

Pipes

C.  

Colons

D.  

Spaces

A.  

‘’hex’’

B.  

‘’commas’’

C.  

‘’Decimal’’

D.  

‘’duration’’

A.  

KV Store

B.  

Lookups

C.  

Saved searches

D.  

Data models

A.  

You can remove values that aren't a match for the field you want to define

B.  

You can validate where the data originated from

C.  

You cannot modify the field extraction

A.  

tag:=

B.  

tags=

C.  

tags:=

D.  

tag=

A.  

A pipe may always follow a macro.

B.  

The current user must own the macro.

C.  

The macro must be defined in the current app.

D.  

Only when sharing is set to global for the macro.