A.  

$earliest_tok$and$now$

B.  

?click.field?and?click.value?

C.  

?earliest_tok$and?latest_tok?

D.  

?click.name?and?click.value?

A.  

GPX or GML files

B.  

TXT files

C.  

KMZ or KML files

D.  

CSV files

A.  

<set>and<unset>elements with adepend?attribute.

B.  

$earliest$and$latest$tokens set by a global time range picker.

C.  

<set>and<reset>elements with arejectsattribute.

D.  

<set>and<offset>elements withdependsandrejectsattributes.

A.  

NOT [inputlookup baditems.csv]

B.  

NOT (lookup baditems.csv OUTPUT item)

C.  

WHERE item NOT IN (baditems.csv)

D.  

[NOT inputlookup baditems.csv]

A.  

Reverse lexicographical order

B.  

Ascending lexicographical order

C.  

Ascending chronological order

D.  

Reverse chronological order

A.  

A visualization is opened in a new window.

B.  

Search results are refreshed for the selected visualization.

C.  

Search results are refreshed for all panels in a dashboard.

D.  

A search is opened in a new window.

A.  

bin

B.  

case

C.  

exact

D.  

mvzip

A.  

To create a summary index.

B.  

To backfill gaps in a summary index.

C.  

To reset a summary index that includes overlapping data.

D.  

To populate a summary index from a saved report.

A.  

No wildcards can be used with tstats.

B.  

In the where clause.

C.  

In the from clause.

D.  

In the by clause.

A.  

Use the Field Extractor for structured data and the IFX for unstructured data.

B.  

Use the IFX for structured data and the Field Extractor for unstructured data.

C.  

Use both tools interchangeably for any data type.

D.  

Avoid using both tools for field extraction.

A.  

The order of execution depends on whether either search uses a stats command.

B.  

The inner search executes first.

C.  

The outer search executes first.

D.  

The two searches are executed in parallel.

A.  

Run an eval statement based on a user clicking a value on a form.

B.  

Set a token to select a value from the time range picker.

C.  

Pass a token from a drilldown to modify index settings.

D.  

Cancel all jobs based on the number of search job results captured.

A.  

command.search.filter

B.  

command.search.fields

C.  

command.search.kv

D.  

command.search.regex

A.  

eval,fieldformat, andwhere

B.  

eval,fields, andwhere

C.  

fieldformat,search, andwhere

D.  

eval,mvexpand, andmakemv

A.  

The event data is broken up by values in the punch field.

B.  

The event data is broken up by major breakers and then broken up further by minor breakers.

C.  

The event data is broken up by a series of user-defined regex patterns.

D.  

The event data has all punctuation stripped out and is then space-delimited.

A.  

hideEdit

B.  

hideTitle

C.  

hideFilters

D.  

hideChrome

A.  

The inner macro should be created first.

B.  

The outer macro should be created first.

C.  

The outer macro name must be surrounded by backticks.

D.  

The inner macro passes arguments to the outer macro.

A.  

edit_search_server

B.  

edit_udp

C.  

edit_tcp

D.  

edit_alerts

A.  

Dark data

B.  

Unstructured data

C.  

Embedded data

D.  

Self-describing data

A.  

To filter events based on a condition.

B.  

To calculate the sum of a numeric field across all events.

C.  

To create a new field based on an existing field's value.

D.  

To group events by a specific field.

A.  

annotation_category

B.  

_time

C.  

eventtype

D.  

annotation_label

A.  

Limit the results to a specific time window.

B.  

Convert the search to an inline search.

C.  

Use NOT expressions to filter results.

D.  

Use the transaction command instead of stats.

A.  

| tstats count from datamodel=acc_datmodel summariesonly=false

B.  

| tstats count where datamodel=acc_datmodel summariesonly=false

C.  

| tstats count where index=datamodel by index, datamodel

D.  

| tstats count from datamodel=unacc_datmodel summariesonly=true

A.  

The distinct count of values for that field is exactly 0.

B.  

The distinct count of fields in the field summary is 1.

C.  

The distinct count of values in that field is approximated.

D.  

The distinct count of values for that field is exact.

A.  

chart

B.  

table

C.  

bin

D.  

xyseries

A.  

The argument value may be passed to the outer macro.

B.  

An argument cannot be used with an inner nested macro.

C.  

An argument cannot be used with an outer nested macro.

D.  

The argument value must be specified in the outer macro.

A.  

Visualization

B.  

Event

C.  

Dynamic

D.  

Contextual

A.  

Each collection must have at least 3 fields, one of which needs to match values of a field in your event data.

B.  

Each collection must have at least 2 fields, one of which needs to match values of a field in your event data.

C.  

Each collection must have at least 2 fields, none of which need to match values of a field in your event data.

D.  

Each collection must have at least 3 fields, none of which need to match values of a field in your event data.

A.  

... | mvexpand product

B.  

... | eval mvexpand(makemv(product, ","))

C.  

... | makemv delim="," product

D.  

... | makemv delim(product)

A.  

Use the lookup dropdown in the alert configuration window.

B.  

Follow a lookup with an alert command in the search bar.

C.  

Run a search that uses a lookup and save as an alert.

D.  

Upload a lookup file directly to the alert.

A.  

True, False, Unknown

B.  

Number, String, Bool

C.  

Number, String, Null

D.  

Field, Value, Lookup

A.  

As part of a dashboard, but not in a form.

B.  

Without notation in the underlying XML.

C.  

As a way to filter other input selections.

D.  

As a default way to delete a user role.

A.  

mvcombine

B.  

eval

C.  

makemv

D.  

list

A.  

tostring

B.  

strptime

C.  

tonumber

D.  

strftime

A.  

B.  

C.  

,

D.  

A.  

Applies only to accelerated data models.

B.  

When using an unaccelerated data model, the search produces a larger result count than withsummariesonly=f.

C.  

Applies only to unaccelerated data models.

D.  

When using an accelerated data model, the search produces a larger result count than withsummariesonly=f.