A.  

Evenrches would return a report of sales by state.

B.  

Events will be returned from the data model named Application_State.

C.  

Events will be returned from the data model named All_Application_state.

D.  

No events will be returned because the pipe should occur after the datamodel command

A.  

Convert_sales (euro, €, 79)”

B.  

Convert_sales (euro, €, .79)

C.  

Convert_sales ($euro,$€$,s79$

D.  

Convert_sales ($euro, $€$,S,79$)

A.  

OR

B.  

AND

C.  

()

D.  

NOT

A.  

Fast mode is enabled.

B.  

The dashboard is private.

C.  

The extraction is private-

D.  

The person in the organization running the report does not have access to the index.

A.  

Changes made manually can be reverted in the Field Extractor (FX) UI.

B.  

It is no longer possible to edit the field extraction in the Field Extractor (FX) UI.

C.  

It is not possible to manually edit a regular expression (regex) that was created using the Field Extractor (FX) UI.

D.  

The Field Extractor (FX) UI keeps its own version of the field extraction in addition to the one that was manually edited.

A.  

Auto-Extracted fields can be hidden in Pivot.

B.  

Auto-Extracted fields can have their data type changed.

C.  

Auto-Extracted fields can be given a friendly name for use in Pivot.

D.  

Auto-Extracted fields can be added if they already exist in the dataset with constraints.

A.  

Data models provide the datasets for pivots.

B.  

Pivots and data models have no relationship.

C.  

Pivots and data models are the same thing.

D.  

Pivots provide the datasets for data models.

A.  

By using the searchtypes command in the search bar.

B.  

By editing the event_type stanza in the props.conf file.

C.  

By going to the Settings menu and clicking Event Types > New.

D.  

By selecting an event in search results and clicking Event Actions > Build Event Type.

A.  

They are both knowledge objects.

B.  

Data models are created out of datasets called pivots.

C.  

Pivot requires users to input SPL searches on data models.

D.  

Pivot allows the creation of data visualizations that present different aspects of a data model.

A.  

Search string

B.  

Data model name

C.  

Permission setting

D.  

An eval statement

A.  

Remove fields from results.

B.  

Create or replace an existing field.

C.  

Group transactions by one or more fields.

D.  

Save SPL commands to be reused in other searches.

A.  

Eval fields

B.  

Calculated fields

C.  

Field extractions

D.  

Calculated lookups

A.  

Fields and variables.

B.  

Fields and attributes.

C.  

Constraints and fields.

D.  

Constraints and lookups.

A.  

Root events cannot be accelerated.

B.  

Accelerated data models cannot be edited.

C.  

Private data models cannot be accelerated.

D.  

You must have administrative permissions or the accelerate_dacamodel capability to accelerate a data model.

A.  

A log level measurement: info, warn, error.

B.  

A knowledge object that is applied before fields are extracted.

C.  

A field for categorizing events based on a search string.

D.  

Either a log, a metric, or a trace.

A.  

To group events based on a single field value.

B.  

To see results of a calculation.

C.  

To have a faster and more efficient search.

D.  

To group events based on start/end values.

A.  

Tabs

B.  

Pipes

C.  

Colons

D.  

Spaces

A.  

timestamps

B.  

statistics

C.  

events

D.  

keywords

A.  

POST

B.  

Action

C.  

Search

D.  

Sub-Search

A.  

Macros.

B.  

Field aliases.

C.  

The rename command.

D.  

CIM does not work with different names for the same field.

A.  

The macro's name ends with (3).

B.  

The macro's name starts with (3).

C.  

The macro's argument count setting is 3 or more.

D.  

Nothing, all macros can accept any number of arguments.

A.  

Rename a field in the index

B.  

remove duplicate values

C.  

provide an additional alias for the field that can D.be used in the search criteria

A.  

Median(X)

B.  

Eval by X

C.  

Fields(X)

D.  

Values(X)

A.  

Creates a table of the total count of users and split by corndogs.

B.  

Creates a table of the total count of mysterymeat corndogs split by user.

C.  

Creates a table with the count of all types of corndogs eaten split by user.

D.  

Creates a table that groups the total number of users by vegetarian corndogs.

A.  

Calculated fields, lookups, event types, and tags.

B.  

Calculated fields and tags only.

C.  

Calculated fields and event types only.

D.  

Calculated fields, lookups, event types, and extracted fields.

A.  

Name and arguments.

B.  

Name and a validation error message.

C.  

Name and definition.

D.  

Definition and arguments.

A.  

It is an SPL command that groups at least two events together based on shared values in selected fields.

B.  

It allows an exchange of data from one Splunk index to another Splunk index.

C.  

It is an SPL command that groups events together with shared values in selected fields.

D.  

It allows an exchange of data from one Splunk system to another Splunk system.

A.  

count

B.  

duration

C.  

eventcount

D.  

transaction id

A.  

When a log file has values that are separated by the same character, for example, commas.

B.  

When a log file contains empty lines or comments.

C.  

With structured files such as JSON or XML.

D.  

When the file has a header that might provide information about its structure or format.

A.  

field2 values are removed from the events.

B.  

field1 and field2 values are merged.

C.  

field2 values are unchanged.

D.  

field2 values are replaced with the value of the field1.

A.  

Turned off

B.  

Turned on

C.  

Determined automatically based on the sourcetype.

D.  

Determined automatically based on the data source.

A.  

Pivot is used for creating datasets.

B.  

Data models are randomly structured datasets.

C.  

Pivot is used for creating reports and dashboards.

D.  

In most cases, each Splunk user will create their own data model.

A.  

This search will find all events for the third_party_outages event type that have "EMEA" or "-24h" in the raw event data.

B.  

This search will run the third_party_outages saved search and filter for events containing "EMEA" and "-24h" in the raw event data.

C.  

This search will run the third_party_outages macro and pass the arguments EMEA and -24h to the macro definition.

D.  

This search will find all events in the third_party_outages index with the tags EMEA and -24h.

A.  

Amount of data shown on the timeline as data streams in

B.  

Amount of data fetched from index matching that time range

C.  

Time range for the static results

A.  

0

B.  

N/A

C.  

NaN

D.  

NULL

A.  

index=web status=50* | chart count over host, status

B.  

index=web status=50* | chart count over host by status

C.  

index=web status=50* | chart count by host, status

A.  

The Field Extractor automatically extracts all fields at search time.

B.  

The Field Extractor uses PERL to extract fields from the raw events.

C.  

Fields extracted using the Field Extractor persist as knowledge objects.

D.  

Fields extracted using the Field Extractor do not persist and must be defined for each search.

A.  

Events in the transaction occurred within 5 seconds.

B.  

It groups events that share the same clientip and host.

C.  

The first and last events are no more than 5 seconds apart.

D.  

The first and last events are no more than 30 seconds apart.

A.  

Int ()

B.  

Count ( )

C.  

Print ()

D.  

Tostring ()

A.  

An additional filed named maxspan is created.

B.  

An additional field named duration is created.

C.  

An additional field named eventcount is created.

D.  

Events with the same JSESSIONID will be grouped together into a single event.

A.  

You can remove values that aren't a match for the field you want to define

B.  

You can validate where the data originated from

C.  

You cannot modify the field extraction

A.  

| eval notNULL = if(isnull (notNULL), “0” notNULL)

B.  

| eval notNULL = if(isnull (notNULL), “0”

C.  

| eval notNULL = “” | nullfill value=0 notNULL

D.  

| eval notNULL = “” fillnull value=0 notNULL

A.  

duplicate

B.  

correlate

C.  

persist

D.  

tag

A.  

An argument can be passed through the outer macro.

B.  

An argument can be passed to the outer macro by nesting parentheses.

C.  

There is no way to pass an argument to the inner macro.

D.  

An argument can be passed to the inner macro by nesting parentheses.

A.  

Xml

B.  

Json

C.  

Html

D.  

A php file

A.  

interesting fields

B.  

selected fields

C.  

all extracted fields

A.  

True

B.  

False

A.  

An alias of a field.

B.  

A field added by an automatic lookup.

C.  

The tag field.

D.  

The eventtype field.

A.  

When events contain JSON data.

B.  

When events contain comma-separated data.

C.  

When events contain unstructured data.

D.  

When events contain table-based data.

A.  

Perform an external IP lookup based on a domain value found in events.

B.  

Use the field values in an HTTP error event to create a new ticket in an external system.

C.  

Launch secondary Splunk searches that use one or more field values from selected events.

D.  

Open a web browser to look up an HTTP status code.

A.  

Configuration of a POST workflow action includes choosing a sourcetype.

B.  

POST workflow actions can be configured to send email to the URI location.

C.  

By default, POST workflow action are shown in both the event and field menus.

D.  

POST workflow actions can be configured to send POST arguments to the URI location.

A.  

Edit permissions

B.  

Edit description

C.  

Edit acceleration

D.  

Edit schedule

A.  

Users can save reports from Pivot.

B.  

Users cannot share visualizations created with Pivot.

C.  

Users must use SPL to find events in a Pivot.

D.  

Users cannot create visualizations with Pivot.

A.  

Rex

B.  

As

C.  

List

D.  

By

A.  

The average time elapsed during each transaction for all transactions

B.  

The average time for each event within each transaction

C.  

The average time between each transaction

A.  

‘weekly_sales(3.99, 10) '

B.  

‘weekly_sales($3.99$, $10$)

C.  

'weekly_sales (3.99, 10)

D.  

‘weekly_sales(3)

A.  

tag=web_errors

B.  

eventtype=web_errors

C.  

eventtype "web errors"

D.  

eventtype (web_errors)

A.  

Regular expression

B.  

Delimiters

C.  

eval expression

D.  

table extraction

A.  

maxcount

B.  

duration

C.  

eventcount

A.  

status field

B.  

Multiple indexes

C.  

Data model field name.

D.  

Data model dataset name.

A.  

GET workflow actions must be configured with POST arguments.

B.  

Configuration of GET workflow actions includes choosing a sourcetype.

C.  

Label names for GET workflow actions must include a field name surrounded by dollar signs.

D.  

GET workflow actions can be configured to open the URT link in the current window or in a new window

A.  

| datamodel web search | filed web *

B.  

| Search datamodel web web | filed web*

C.  

| datamodel web web field | search web*

D.  

Datamodel=web | search web | filed web*

A.  

Tags

B.  

Extracted fields

C.  

Output fields for a lookup

D.  

Fields generated from a search string

A.  

Custom visualizations

B.  

Pre-configured data models

C.  

Fields and event category tags

D.  

Automatic data model acceleration

A.  

CSV

B.  

PDF

C.  

XML

D.  

JSON

A.  

This is a valid search and will display a timechart of the average duration, of each transaction event.

B.  

This is a valid search and will display a stats table showing the maximum pause among transactions.

C.  

No results will be returned because the transaction command must include the startswith and endswith options.

D.  

No results will be returned because the transaction command must be the last command used in the search pipeline.

A.  

Use the scats command when you next to group events by two or more fields.

B.  

The stats command is faster and more efficient than the transaction command

C.  

The transaction command is faster and more efficient than the stats command.

D.  

Use the transaction command when you want to see the results of a calculation.

A.  

Field alias names replace the original field name.

B.  

Field aliases can be used in lookup file definitions.

C.  

Field aliases only normalize data across sources and sourcetypes.

D.  

Field alias names are not case sensitive when used as part of a search.

A.  

By default. Search workflow actions will run as a real-time search.

B.  

Search workflow actions can be configured as scheduled searches,

C.  

The user can define the time range of the search when created the workflow action.

D.  

Search workflow actions cannot be configured with a search string that includes the transaction command

A.  

The CIM add-on uses machine learning to normalize data.

B.  

The CIM add-on contains dashboards that show how to map data.

C.  

The CIM add-on contains data models to help you normalize data.

D.  

The CIM add-on is automatically installed in a Splunk environment.

A.  

Event types can be tagged.

B.  

Event types must include a time range,

C.  

Event types categorize events based on a search.

D.  

Event types can be a useful method for capturing and sharing knowledge.

A.  

‘’hex’’

B.  

‘’commas’’

C.  

‘’Decimal’’

D.  

‘’duration’’

A.  

A macro is a reusable search string that must contain the full search.

B.  

A macro is a reusable search string that must have a fixed time range.

C.  

A macro Is a reusable search string that may have a flexible time range.

D.  

A macro Is a reusable search string that must contain only a portion of the search.

A.  

Events datasets

B.  

Search datasets

C.  

Transaction datasets

D.  

Any child of event, transaction, and search datasets

A.  

The regex can no longer be edited.

B.  

The field being extracted will be required for all future events.

C.  

The events without the required field will not display in searches.

D.  

Only events with the required string will be included in the extraction.

A.  

Lookup tables

B.  

Extracted fields

C.  

Regular expressions

D.  

Fields generated within a search string

A.  

All events In a transaction must have the same timestamp.

B.  

All events in a transaction must have the same sourcetype.

C.  

All events in a transaction must have the exact same set of fields.

D.  

All events in a transaction must be related by one or more fields.