A.  

eval sc_bytes(1024/1024)

B.  

| eval negabytes=sc_bytes(1024/1024)

C.  

megabytes=sc_bytes(1024/1024)

D.  

sc_bytas(1024/1024)

A.  

Replace empty values with a specified value.

B.  

Create a new field based on the values in an existing field.

C.  

Rename a specific field in the search results.

D.  

Replace all values in a specific field with a default value.

A.  

Events in the transaction occurred within 5 seconds.

B.  

It groups events that share the same clientip and host.

C.  

The first and last events are no more than 5 seconds apart.

D.  

The first and last events are no more than 30 seconds apart.

A.  

Tags

B.  

Extracted fields

C.  

Output fields for a lookup

D.  

Fields generated from a search string

A.  

Amount of data shown on the timeline as data streams in

B.  

Amount of data fetched from index matching that time range

C.  

Time range for the static results

A.  

OR

B.  

( )

C.  

AND

D.  

NOT

A.  

By using the stack command.

B.  

By turning on the Use Trellis Layout option.

C.  

By changing Stack Mode in the Format menu.

D.  

You cannot display a chart in stack mode, only a timechart.

A.  

index-server_472 sourcetype-BETA_494 code-488 I stats count by code

B.  

index=server_472 sourcetype=BETA_494 code=488 [I inputlookup append=t servercode.csv]

C.  

index=server_472 sourcetype=BETA_494 code=488 I stats where code > 200

D.  

index=server_472 sourcetype=BETA_494 code-488

A.  

POST

B.  

Action

C.  

Search

D.  

Sub-Search

A.  

Rank

B.  

Weight

C.  

Priority

D.  

Precedence

A.  

Change indexed fields

B.  

Exclude fields from our search results

C.  

Extract new fields from our data using regular expressions

D.  

Give a field a new name at search time

A.  

Tags look for less specific data.

B.  

Tags visualize data with graphs and charts.

C.  

Tags group related data together.

D.  

Tags add fields to the raw event data.

A.  

Search

B.  

Where

C.  

If

D.  

Any of the above

A.  

Label, URI, search string.

B.  

XMI attributes, URI, name.

C.  

Label, URI, post arguments.

D.  

URI, search string, time range picker.

A.  

Eval expression

B.  

Data model

C.  

Event type

D.  

Regular expression

A.  

index=games I stats count as IP_count by IP B. | where IP_count > 5

B.  

index=games | search IP_Count > 5

C.  

index=games | where IP > 5

D.  

index=games I search IP > 5

A.  

Creates a table of the total count of users and split by corndogs.

B.  

Creates a table of the total count of mysterymeat corndogs split by user.

C.  

Creates a table with the count of all types of corndogs eaten split by user.

D.  

Creates a table that groups the total number of users by vegetarian corndogs.

A.  

Event types can be tagged.

B.  

Event types must include a time range,

C.  

Event types categorize events based on a search.

D.  

Event types can be a useful method for capturing and sharing knowledge.

A.  

limit=*

B.  

limit=all

C.  

limit=none

D.  

limit=0

A.  

They cannot be created within the data model.

B.  

They can only be added into a root search dataset.

C.  

They cannot be edited if inherited from a parent dataset.

D.  

They can be added to a dataset from search time field extractions.

A.  

span=12h

B.  

timespan=12h

C.  

span=12

D.  

timespan=12

A.  

users

B.  

power users

C.  

administrators

A.  

States of the United States

B.  

States and provinces of the united states and Canada

C.  

Countries of the European Union

D.  

Countries of the World

A.  

0

B.  

N/A

C.  

NaN

D.  

NULL

A.  

action

B.  

source type

C.  

_time

D.  

time

A.  

Tag-

B.  

Tag

C.  

Tag=::

D.  

Tag::=

A.  

This search will find all events for the third_party_outages event type that have "EMEA" or "-24h" in the raw event data.

B.  

This search will run the third_party_outages saved search and filter for events containing "EMEA" and "-24h" in the raw event data.

C.  

This search will run the third_party_outages macro and pass the arguments EMEA and -24h to the macro definition.

D.  

This search will find all events in the third_party_outages index with the tags EMEA and -24h.

A.  

tag=Priv

B.  

tag=Priv*

C.  

tag=priv*

D.  

tag=privileged

A.  

3

B.  

4

C.  

1

D.  

5

A.  

Both field values will be used and the product INFO field will become a multivalue field for the given event.

B.  

The value for the productName field because it appears first.

C.  

Neither field value will be used and the field will be assigned a NULL value for the given event.

D.  

The value for the field because it appears second.

A.  

Arguments are defined at execution time.

B.  

Arguments are defined when the macro is created.

C.  

Argument values are used to resolve the search string at execution time.

D.  

Argument values are used to resolve the search string when the macro is created.

A.  

It doesn't matter whether eval or sort is used first.

B.  

Convert the numeric to a string with eval first, then sort.

C.  

Use sort first, then convert the numeric to a string with eval.

D.  

You cannot use the sort command and the eval command on the same field.

A.  

index=X sourcetype=Y | chart sum(product) by price AND region

B.  

index=X | chart sum(price) by product, region

C.  

index=X | chart total(product) over price by region

D.  

index=X | chart total(price) by product, region

A.  

GET

B.  

POST

C.  

LOOKUP

D.  

Search

A.  

Turned off

B.  

Turned on

C.  

Determined automatically based on the sourcetype.

D.  

Determined automatically based on the data source.

A.  

Changes made manually can be reverted in the Field Extractor (FX) UI.

B.  

It is no longer possible to edit the field extraction in the Field Extractor (FX) UI.

C.  

It is not possible to manually edit a regular expression (regex) that was created using the Field Extractor (FX) UI.

D.  

The Field Extractor (FX) UI keeps its own version of the field extraction in addition to the one that was manually edited.

A.  

Both will appear in the All Fields list, but only if the alias is specified in the search.

B.  

Both will appear in the Interesting Fields list, but only if they appear in at least 20 percent of events.

C.  

The original field only appears in All Fields list and the alias only appears in the Interesting Fields list.

D.  

The alias only appears in the All Fields list and the original field only appears in the Interesting Fields list.

A.  

When you need to group on multiple values.

B.  

When duration is irrelevant in search results. .

C.  

When you have over 1000 events in a transaction.

D.  

When you need to group based on start and end constraints.

A.  

Calculated fields cannot be chained together to create more complex fields

B.  

Calculated fields can be chained together to create more complex fields.

C.  

Calculated fields can only be used in dashboards.

D.  

Calculated fields can only be used in saved reports.

A.  

Select an additional sample event with the Field Extractor (FX) and highlight the missing value in the event.

B.  

Re-ingest the data and attempt to extract from a new dataset.

C.  

Click on the event where the field was not extracted and choose “Change to Delimited".

D.  

Edit the regular expression manually.

A.  

skipped or deferred

B.  

automatically accelerated

C.  

deleted

D.  

all of the above

A.  

Alerts

B.  

Email

C.  

Database

D.  

User permissions

A.  

Creates lookups without using SPL.

B.  

Data Models are not required.

C.  

Creates reports without using SPL

D.  

Datasets are not required.

A.  

Only in a large distributed Splunk environment.

B.  

When calculating results from one or more fields.

C.  

When event grouping is based on start/end values.

D.  

When grouping events results in over 1000 events in each group.

A.  

It does not allow the use of wildcards.

B.  

It treats field values in a case-sensitive manner.

C.  

It can only be used at the beginning of the search pipeline.

D.  

It behaves exactly like search strings before the first pipe.

A.  

state can only group events using IP addresses.

B.  

The transaction command is faster and more efficient.

C.  

There is a 1000 event limitation with the transaction command.

D.  

Use state when the events need to be viewed as a single event.

A.  

duration=5m

B.  

bin=5m

C.  

earliest=-5m

D.  

maxspan=5m

A.  

Format values

B.  

Convert values

C.  

Perform calculations

D.  

Use conditional statements

A.  

prod:host=webserver

B.  

tag::host=prod

C.  

prod=host:webserver

D.  

prod=host::webserver

A.  

index=web status=50* | chart count over host, status

B.  

index=web status=50* | chart count over host by status

C.  

index=web status=50* | chart count by host, status

A.  

Delimiter

B.  

rex command

C.  

The Field Extractor tool cannot extract regular expressions.

D.  

Regular expression

A.  

Examplemacro [1,2]

B.  

samplemacro(1,2)

C.  

u amp -CJEUCXG (2)

D.  

samplemacro[2]

A.  

_raw

B.  

rime

C.  

_time

D.  

index

A.  

Calculated fields can be used in the search bar.

B.  

Calculated fields can be based on an extracted field.

C.  

Calculated fields can only be applied to host and sourcetype.

D.  

Calculated fields are shortcuts for performing calculations using the eval command.

A.  

NOT, Parentheses, OR, AND

B.  

AND, Parentheses, NOT, OR

C.  

Parentheses, NOT, AND, OR

D.  

Parentheses, NOT, OR, AND

A.  

When the events do not have the correct permissions set.

B.  

When the events are separated by a consistent character or set of characters.

C.  

When the events need a regular expression to define the matching pattern.

D.  

When the events need to be calculated using special characters.

A.  

POST workflow actions are always encrypted.

B.  

POST workflow actions cannot use field values in their URI.

C.  

POST workflow actions cannot be created on custom sourcetypes.

D.  

POST workflow actions can open a web page in either the same window or a new .

A.  

Multi-Series

B.  

Split-Series

C.  

Omit nulls

D.  

Stacked

A.  

Streaming in some modes

B.  

Report generating

C.  

Distributable streaming

D.  

Centralized streaming

A.  

By using the searchtypes command in the search bar.

B.  

By editing the event_type stanza in the props.conf file.

C.  

By going to the Settings menu and clicking Event Types > New.

D.  

By selecting an event in search results and clicking Event Actions > Build Event Type.

A.  

Rename a field in the index

B.  

remove duplicate values

C.  

provide an additional alias for the field that can D.be used in the search criteria

A.  

monthly_sales(argument 1, argument 2, argument 3)

B.  

monthly_sales(3)

C.  

monthly_sales[3]

D.  

monthly_sales[argument 1, argument 2, argument 3)

A.  

The Field Extractor automatically extracts all fields at search time.

B.  

The Field Extractor uses PERL to extract fields from the raw events.

C.  

Fields extracted using the Field Extractor persist as knowledge objects.

D.  

Fields extracted using the Field Extractor do not persist and must be defined for each search.

A.  

status

B.  

host

C.  

count

A.  

transaction

B.  

lookup

C.  

stats

D.  

eval

A.  

They can be used with Pivot, the | tstats command, or the | datamodel command.

B.  

They can still be used in the Pivot tool but only with the accelerate_pivot capability.

C.  

They can no longer be used in the Pivot tool.

D.  

They can be used with the |tstats command, but will only return that data which has been accelerated.

A.  

Fast mode is enabled.

B.  

The dashboard is private.

C.  

The extraction is private-

D.  

The person in the organization running the report does not have access to the index.

A.  

Şarg$

B.  

'arg'

C.  

%arg%

D.  

"arg"

A.  

field2 values are removed from the events.

B.  

field1 and field2 values are merged.

C.  

field2 values are unchanged.

D.  

field2 values are replaced with the value of the field1.

A.  

sourcetype

B.  

index

C.  

source

D.  

host

A.  

eval, coalesce

B.  

transaction, stats

C.  

stats, format

D.  

top, rare

A.  

parent

B.  

extracted

C.  

event

D.  

child

A.  

index=games sourcetype=score [search index=players | fields player_id]

B.  

index=games sourcetype=score I where score>9999

C.  

index=games sourcetype=score player=* score>9999

D.  

index=games sourcetype=score I stats count by player

A.  

For data cleanly separated by a space, a comma, or a pipe character.

B.  

For data in a CSV (comma-separated value) file.

C.  

For data with multiple, different characters separating fields.

D.  

For unstructured data.

A.  

count

B.  

duration

C.  

eventcount

D.  

transaction id

A.  

In a field.

B.  

In an index.

C.  

In a KV Store.

D.  

In a database.

A.  

Tags are case insensitive.

B.  

Tags can make your data more understandable.

C.  

Tags are created at index time.

D.  

Tags are searched by using the syntax tag :: .

A.  

startswith

B.  

with

C.  

startingwith

D.  

firstevent

A.  

Macros.

B.  

Field aliases.

C.  

The rename command.

D.  

CIM does not work with different names for the same field.

A.  

Pivot is used for creating datasets.

B.  

Data models are randomly structured datasets.

C.  

Pivot is used for creating reports and dashboards.

D.  

In most cases, each Splunk user will create their own data model.

A.  

It can contain transforming commands as long as it is a root search dataset.

B.  

It will automatically contain knowledge objects associated with the base search.

C.  

It must contain the transaction command if it is a root transaction dataset.

D.  

It can only contain a base search with no transforming commands.

A.  

chart sales by product_name

B.  

chart sum(price) as sales by product_name

C.  

stats sum(price) as sales over product_name

D.  

timechart list(sales), values(product_name)

A.  

A macro is a method of categorizing events based on a search.

B.  

A macro is a way to associate an additional (new) name with an existing field name.

C.  

A macro is a portion of a search that can be reused in multiple place

D.  

A macro is a knowledge object that enables you to schedule searches for specific events.

A.  

Constraint, field, value.

B.  

Events, searches, transactions.

C.  

Field extraction, regex, delimited.

D.  

Transaction, session ID, metadata.

A.  

Events will be returned from dataset Application_State.

B.  

Events will be returned from the data model named Application_State.

C.  

No events will be returned; the pipe must occur after the data model command.

D.  

Events will be returned from the data model named Application_State (flat mode).

A.  

POST

B.  

Drilldown

C.  

GET

D.  

Search

A.  

Index-main | REJECT trans sessionid

B.  

Index-main | transaction sessionid | search REJECT

C.  

Index=main | transaction sessionid | whose transaction=reject

D.  

Index=main | transaction sessionid | where transaction=reject’’

A.  

Evenrches would return a report of sales by state.

B.  

Events will be returned from the data model named Application_State.

C.  

Events will be returned from the data model named All_Application_state.

D.  

No events will be returned because the pipe should occur after the datamodel command

A.  

clean

B.  

transform

C.  

calculate

D.  

normalize

A.  

Search string

B.  

Data model name

C.  

Permission setting

D.  

An eval statement