Splunk Dump

1. When creating a Search workflow action, which field is required?

A. Search string
B. Data model name
C. Permission setting
D. An eval statement

2. Which of the following data models are included in the Splunk Common Information
Model (CIM) add-on? (Select all that apply)
A. Alerts
B. Email
C. Database
D. User permissions

3. When using a timechart, how many fields can be listed after a by clause?
A. 0, because timechart doesn't support using a by clause.
B. 1, because _time is already implied as the x-axis.
C. 2, because one field would represent the x-axis and the other would represent the
y-axis.
D. There is no limit specific to timechart.

4. Which of the following statements describes Search workflow actions?

A. By default, Search workflow actions will run as a real-time search.
B. Search workflow actions can be configured as scheduled searches.
C. The user can define the time range of the search when creating the workflow action.
D. Search workflow actions cannot be configured with a search string that includes the
transaction command

5. Which of the following knowledge objects represents the output of an eval
expression?
A. Eval fields
B. Calculated fields
C. Field extractions
D. Calculated lookups

6. Which of the following statements describe Auto-Extracted fields? (select all that
apply)
A. Auto-Extracted fields can be hidden in Pivot.
B. Auto-Extracted fields can have their data type changed.
C. Auto-Extracted fields can be given a friendly name for use in Pivot.
D. Auto-Extracted fields can be added if they already exist in the dataset with
constraints.
7. What does the transaction command do?
A. Groups a set of transactions based on time.
B. Creates a single event from a group of events.
C. Separates two events based on one or more values.
D. Returns the number of credit card transactions found in the event logs.

8. Data models are composed of one or more of which of the following datasets? (Select
all that apply.)
A. Events datasets
B. Search datasets
C. Transaction datasets
D. Any child of event, transaction, and search datasets

9. When performing a regular expression (regex) field extraction using the Field Extractor
(FX), what happens when the required option is used?
A. The regex can no longer be edited.
B. The field being extracted will be required for all future events.
C. The events without the required field will not display in searches.
D. Only events with the required string will be included in the extraction.

10. Which of the following statements describes POST workflow actions?

A. POST workflow actions are always encrypted.
B. POST workflow actions cannot use field values in their URI.
C. POST workflow actions cannot be created on custom sourcetypes.
D. POST workflow actions can open a web page in either the same window or a new window.

11. What is required for a macro to accept three arguments?

A. The macro's name ends with (3).
B. The macro’s name starts with (3).
C. The macro’s argument count setting is 3 or more.
D. Nothing, all macros can accept any number of arguments.

12. Which of the following statements describes the command below? (select all that
apply)
sourcetype=access_combined | transaction JSESSIONID

A. An additional field named maxspan is created.
B. An additional field named duration is created.
C. An additional field named eventcount is created.
D. Events with the same JSESSIONID will be grouped together into a single event.
13. A space is an implied _____ in a search string.
A. OR
B. AND
C. ()
D. NOT

14. Which of the following statements about data models and pivot are true? (select all
that apply)
A. They are both knowledge objects.
B. Data models are created out of datasets called pivots.
C. Pivot requires users to input SPL searches on data models.
D. Pivot allows the creation of data visualizations that present different aspects of a data
model.

15. Which of the following describes the Splunk Common Information Model (CIM) add-
on?
A. The CIM add-on uses machine learning to normalize data.
B. The CIM add-on contains dashboards that show how to map data.
C. The CIM add-on contains data models to help you normalize data.
D. The CIM add-on is automatically installed in a Splunk environment.

16. When using the Field Extractor (FX), which of the following delimiters will work?
(Select all that apply)
A. Tabs
B. Pipes
C. Colons
D. Spaces

Reference (docs excerpt): "...cleanly separated by a common delimiter, such as a space, a comma, or a pipe character."

https://docs.splunk.com/Documentation/Splunk/8.0.3/Knowledge/FXSelectMethodstep

17. In what order are the following knowledge objects/configurations applied?

A. Field Aliases, Field Extractions, Lookups
B. Field Extractions, Field Aliases, Lookups
C. Field Extractions, Lookups, Field Aliases
D. Lookups, Field Aliases, Field Extractions

18. Which of the following statements about event types is true? (select all that apply)
A. Event types can be tagged.
B. Event types must include a time range.
C. Event types categorize events based on a search.
D. Event types can be a useful method for capturing and sharing knowledge.

https://www.edureka.co/blog/splunk-events-event-types-and-tags/

19. A field alias has been created based on an original field. A search without any
transforming commands is then executed in Smart Mode. Which field name appears in
the results?
A. Both will appear in the All Fields list, but only if the alias is specified in the search.
B. Both will appear in the Interesting Fields list, but only if they appear in at least 20
percent of events.
C. The original field only appears in the All Fields list and the alias only appears in the
Interesting Fields list.
D. The alias only appears in the All Fields list and the original field only appears in the
Interesting Fields list.

20. Which of the following statements describes macros?

A. A macro is a reusable search string that must contain the full search.
B. A macro is a reusable search string that must have a fixed time range.
C. A macro is a reusable search string that may have a flexible time range.
D. A macro is a reusable search string that must contain only a portion of the search.

21. Which of the following workflow actions can be executed from search results? (select
all that apply)
A. GET
B. POST
C. LOOKUP
D. Search
22. Which group of users would most likely use pivots?
A. Users
B. Architects
C. Administrators
D. Knowledge Managers
Note: users use pivots; knowledge managers build them.

https://docs.splunk.com/Documentation/Splunk/9.0.1/Pivot/IntroductiontoPivot

23. Which of the following is the correct way to use the datamodel command to search
fields in the data model within the web dataset?
A. | datamodel web search | fields web*
B. | Search datamodel web web | fields web*
C. | datamodel web web fields | search web*
D. Datamodel=web | search web | fields web*

24. What does the following search do?

index=corndog type=mysterymeat action=eaten | stats count as corndog_count by user

A. Creates a table of the total count of users and split by corndogs.
B. Creates a table of the total count of mysterymeat corndogs split by user.
C. Creates a table with the count of all types of corndogs eaten split by user.
D. Creates a table that groups the total number of users by vegetarian corndogs.
25. What is the relationship between data models and pivots?
A. Data models provide the datasets for pivots.
B. Pivots and data models have no relationship.
C. Pivots and data models are the same thing.
D. Pivots provide the datasets for data models.

26. Which of the following searches will return events containing a tag name Privileged?
A. tag=priv
B. tag=Priv*
C. tag=priv*
D. tag=privileged

27. When should you use the transaction command instead of the stats command?
A. When you need to group on multiple values.
B. When duration is irrelevant in search results.
C. When you have over 1000 events in a transaction.
D. When you need to group based on start and end constraints.

BOOK EXCERPT: When to use “transaction” and when to use “stats” | Splunk
28. To identify all of the contributing events within a transaction that contains at least
one REJECT event, which syntax is correct?
A. index=main | REJECT trans sessionid
B. index=main | transaction sessionid | search REJECT
C. index=main | transaction sessionid | whose transaction=reject
D. index=main | transaction sessionid | where transaction="reject"

29. Which are valid ways to create an event type? (select all that apply)
A. By using the searchtypes command in the search bar.
B. By editing the event_type stanza in the props.conf file.
C. By going to the Settings menu and clicking Event Types > New.
D. By selecting an event in search results and clicking Event Actions > Build Event Type.

30. The Field Extractor (FX) is used to extract a custom field. A report can be created
using this custom field. The created report can then be shared with other people in the
organization. If another person in the organization runs the shared report and no results
are returned, why might this be? (select all that apply)
A. Fast mode is enabled.
B. The dashboard is private.
C. The extraction is private.
D. The person in the organization running the report does not have access to the index.

31. Which of the following statements describe the search below? (select all that apply)
index=main | transaction clientip host maxspan=30s maxpause=5s

A. Events in the transaction occurred within 5 seconds.
B. It groups events that share the same clientip and host.
C. The first and last events are no more than 5 seconds apart.
D. The first and last events are no more than 30 seconds apart.

32. Which of the following statements describe data model acceleration? (select all that
apply)
A. Root events cannot be accelerated.
B. Accelerated data models cannot be edited.
C. Private data models cannot be accelerated.
D. You must have administrative permissions or the accelerate_datamodel capability to
accelerate a data model.
33. What does the Splunk Common Information Model (CIM) add-on include? (select all
that apply)
A. Custom visualizations
B. Pre-configured data models
C. Fields and event category tags
D. Automatic data model acceleration

Reference: https://docs.splunk.com/Documentation/CIM/4.18.0/User/Overview

34. Which of the following file formats can be extracted using a delimiter field extraction?
A. CSV
B. PDF
C. XML
D. JSON

35. Which of the following actions can the eval command perform?
A. Remove fields from results.
B. Create or replace an existing field.
C. Group transactions by one or more fields.
D. Save SPL commands to be reused in other searches.

36. What does the fillnull command replace null values with, if the value argument is not
specified?
A. 0
B. N/A
C. NaN
D. NULL

37. What are the two parts of a root event dataset?

A. Fields and variables.
B. Fields and attributes.
C. Constraints and fields.
D. Constraints and lookups.

38. Calculated fields can be based on which of the following?

A. Tags
B. Extracted fields
C. Output fields for a lookup
D. Fields generated from a search string
39. When can a pipe follow a macro?
A. A pipe may always follow a macro.
B. The current user must own the macro.
C. The macro must be defined in the current app.
D. Only when sharing is set to global for the macro.

40. Which one of the following statements about the search command is true?
A. It does not allow the use of wildcards.
B. It treats field values in a case-sensitive manner.
C. It can only be used at the beginning of the search pipeline.
D. It behaves exactly like search strings before the first pipe.

41. What functionality does the Splunk Common Information Model (CIM) rely on to
normalize fields with different names?
A. Macros.
B. Field aliases.
C. The rename command.
D. CIM does not work with different names for the same field.

42. When multiple event types with different color values are assigned to the same event,
what determines the color displayed for the events?
A. Rank
B. Weight
C. Priority
D. Precedence

43. What is the correct syntax to search for a tag associated with a value on a specific
field?
A. tag-<field?
B. tag<field(tagname.)
C. tag=<field>::<tagname>
D. tag::<field>=<tagname>

44. Which of the following Statements about macros is true? (select all that apply)
A. Arguments are defined at execution time.
B. Arguments are defined when the macro is created.
C. Argument values are used to resolve the search string at execution time.
D. Argument values are used to resolve the search string when the macro is created.
45. A user wants to convert numeric field values to strings and to sort on those values.
Which command should be used first, the eval or the sort?
A. It doesn’t matter whether eval or sort is used first.
B. Convert the numeric to a string with eval first, then sort.
C. Use sort first, then convert the numeric to a string with eval.
D. You cannot use the sort command and the eval command on the same field.

46. Which of the following statements describe calculated fields? (select all that apply)
A. Calculated fields can be used in the search bar.
B. Calculated fields can be based on an extracted field.
C. Calculated fields can only be applied to host and sourcetype.
D. Calculated fields are shortcuts for performing calculations using the eval command.

47. Which of the following statements describe the search string below?
| datamodel Application_State All_Application_State search

A. Events will be returned from a dataset named Application_State.
B. Events will be returned from the data model named Application_State.
C. Events will be returned from the data model named All_Application_state.
D. No events will be returned because the pipe should occur after the data model
command

48. Which of the following searches shows a valid use of a macro? (Select all that apply)
A. index=main source=mySource oldField=* | `makeMyField(oldField)` | table _time newField
B. index=main source=mySource oldField=* | stats if(`makeMyField(oldField)`) | table _time newField
C. index=main source=mySource oldField=* | eval newField=`makeMyField(oldField)` | table _time newField
D. index=main source=mySource oldField=* | "`newField(`makeMyField(oldField)`)`" | table _time newField

49. Which of the following are required to create a POST workflow action?
A. Label, URI, search string.
B. XML attributes, URI, name.
C. Label, URI, post arguments.
D. URI, search string, time range picker.

50. Selected fields are displayed ______ each event in the search results.
A. below
B. interesting fields
C. other fields
D. above
51. Which of the following statements describes field aliases?
A. Field alias names replace the original field name.
B. Field aliases can be used in lookup file definitions.
C. Field aliases only normalize data across sources and sourcetypes.
D. Field alias names are not case sensitive when used as part of a search.

52. Which of the following statements about tags is true?

A. Tags are case insensitive.
B. Tags are created at index time.
C. Tags can make your data more understandable.
D. Tags are searched by using the syntax tag::<fieldname>

Variant: Which of the following statements about tags is true? (select all that apply.)

A. Tags are case-insensitive.
B. Tags are based on field/value pairs.
C. Tags categorize events based on a search.
D. Tags are designed to make data more understandable.

Answer(s): B, D

53. In which of the following scenarios is an event type more effective than a saved
search?
A. When a search should always include the same time range.
B. When a search needs to be added to other users’ dashboards.
C. When the search string needs to be used in future searches.
D. When formatting needs to be included with the search string.

54. Which delimiters can the Field Extractor (FX) detect? (select all that apply)
A. Tabs
B. Pipes
C. Spaces
D. Commas

Reference (docs excerpt): "...such as a space, a comma, or a pipe character"

https://docs.splunk.com/Documentation/Splunk/8.0.3/Knowledge/FXSelectMethodstep

55. There are several ways to access the field extractor. Which option automatically
identifies the data type, source type, and sample event?
A. Event Actions > Extract Fields
B. Fields sidebar > Extract New Fields
C. Settings > Field Extractions > New Field Extraction
D. Settings > Field Extractions > Open Field Extractor
56. How does a user display a chart in stack mode?
A. By using the stack command.
B. By turning on the Use Trellis Layout option.
C. By changing Stack Mode in the Format menu.
D. You cannot display a chart in stack mode, only a timechart.

57. What do events in a transaction have in common?

A. All events in a transaction must have the same timestamp.
B. All events in a transaction must have the same sourcetype.
C. All events in a transaction must have the exact same set of fields.
D. All events in a transaction must be related by one or more fields.

https://docs.splunk.com/Documentation/Splunk/8.0.3/Knowledge/Abouttransactions

58. Which of the following statements describes GET workflow actions?

A. GET workflow actions must be configured with POST arguments.
B. Configuration of GET workflow actions includes choosing a sourcetype.
C. Label names for GET workflow actions must include a field name surrounded by
dollar signs.
D. GET workflow actions can be configured to open the URI link in the current window or
in a new window.

59. Which of the following eval command functions is valid?

A. int()
B. count()
C. print()
D. tostring()

60. Which of the following statements is true, especially in large environments?

A. Use the stats command when you need to group events by two or more fields.
B. The stats command is faster and more efficient than the transaction command
C. The transaction command is faster and more efficient than the stats command.
D. Use the transaction command when you want to see the results of a calculation.

61. After manually editing a regular expression (regex), which of the following statements
is true?
A. Changes made manually can be reverted in the Field Extractor (FX) UI
B. It is no longer possible to edit the field extraction in the Field Extractor (FX) UI
C. It is not possible to manually edit a regular expression (regex) that was created using
the Field Extractor (FX) UI
D. The Field Extractor (FX) UI keeps its own version of the field extraction in addition to
the one that was manually edited.
62. Which of the following statements would help a user choose between the transaction
and stats commands?
A. stats can only group events using IP addresses.
B. The transaction command is faster and more efficient.
C. There is a 1000 event limitation with the transaction command.
D. Use stats when the events need to be viewed as a single correlated event.

Reference: https://docs.splunk.com/Documentation/Splunk/8.0.3/SearchReference/Transaction

63. By default, how is acceleration configured in the Splunk Common Information Model
(CIM) add-on?
A. Turned off.
B. Turned on.
C. Determined automatically based on the sourcetype.
D. Determined automatically based on the data source

64. Which of the following statements describe the Common Information Model (CIM)?
(Choose all that apply.)
A. CIM is a methodology for normalizing data.
B. CIM can correlate data from different sources.
C. The Knowledge Manager uses the CIM to create knowledge objects.
D. CIM is an app that can coexist with other apps on a single Splunk deployment.

https://docs.splunk.com/Documentation/CIM/4.15.0/User/Overview

65. Which of the following statements describes this search?

sourcetype=access_combined | transaction JSESSIONID | timechart avg(duration)

A. This is a valid search and will display a timechart of the average duration of each
transaction event.
B. This is a valid search and will display a stats table showing the maximum pause
among transactions.
C. No results will be returned because the transaction command must include the
startswith and endswith options.
D. No results will be returned because the transaction command must be the last
command used in the search pipeline.

66. A calculated field may be based on which of the following?

A. Lookup tables
B. Extracted fields
C. Regular expressions
D. Fields generated within a search string
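
Questions 17, 38, 41, 43, 52 and 66 all turn on the order in which Splunk applies search-time knowledge objects. The following is an added example, not code from the question dump or from Splunk: a small Python pipeline that applies field extraction, field aliases, calculated fields, lookups, event types and tags in Splunk's documented search-time sequence, so the consequences can be checked directly (a calculated field that references a lookup output never gets a value; a tag can be searched on any field or pinned to one field; tags match case-sensitively). The regex, field names, lookup rows, event type and tags are constructed for illustration.

```python
"""Added example, not code from the question dump or from Splunk: Splunk's
search-time operations order (extraction, field aliases, calculated fields,
lookups, event types, tags) re-created as a small pipeline. The regex, field
names, lookup rows, event type and tags are constructed for illustration."""
import re

# 1. Field extraction: a regex with named groups applied to _raw (constructed format).
EXTRACTION = re.compile(
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) act=(?P<act>\S+) bytes=(?P<bytes>\d+)"
)
# 2. Field aliases: original -> alias. The original name stays searchable too.
ALIASES = {"src": "src_ip", "act": "action"}
# 3. Calculated fields: eval expressions over whatever fields exist at this stage.
CALCULATED = {
    "kilobytes": lambda e: int(e["bytes"]) / 1024 if e.get("bytes") else None,
    # References a lookup OUTPUT field; lookups run after calculated fields,
    # so this evaluates to None on every event and the field is never created.
    "vendor_upper": lambda e: e["vendor"].upper() if e.get("vendor") else None,
}
# 4. Automatic lookup keyed on the alias (aliases are applied before lookups).
LOOKUP_INPUT, LOOKUP_OUTPUTS = "src_ip", ("vendor",)
LOOKUP_TABLE = {"10.0.0.5": {"vendor": "internal"}, "203.0.113.9": {"vendor": "partner"}}
# 5. Event types: a search predicate evaluated over the enriched event.
EVENT_TYPES = {"blocked_traffic": lambda e: e.get("action") == "block"}
# 6. Tags attach to field/value pairs, including eventtype=<name>.
TAGS = {("eventtype", "blocked_traffic"): ["network", "denied"],
        ("action", "allow"): ["permitted"]}


def apply_search_time(raw):
    """Return the event as it looks after all six search-time stages."""
    event = {"_raw": raw}
    m = EXTRACTION.search(raw)
    if m:
        event.update(m.groupdict())
    for orig, alias in ALIASES.items():
        if orig in event:
            event[alias] = event[orig]
    for name, expr in CALCULATED.items():
        value = expr(event)
        if value is not None:
            event[name] = value
    row = LOOKUP_TABLE.get(event.get(LOOKUP_INPUT))
    if row:
        for out in LOOKUP_OUTPUTS:
            event[out] = row[out]
    event["eventtype"] = [name for name, pred in EVENT_TYPES.items() if pred(event)]
    event["tag"] = []
    for (field, value), names in TAGS.items():
        present = event.get(field)
        if present == value or (isinstance(present, list) and value in present):
            event["tag"].extend(names)
            event.setdefault(f"tag::{field}", []).extend(names)
    return event


def matches_tag(event, tagname, field=None):
    """tag=<name> matches the tag on any field; tag::<field>=<name> restricts the
    match to one field. Comparison is case-sensitive, as tags are in Splunk."""
    key = "tag" if field is None else f"tag::{field}"
    return tagname in event.get(key, [])


SAMPLE_RAW = [  # constructed events
    "src=10.0.0.5 dst=198.51.100.2 act=block bytes=2048",
    "src=203.0.113.9 dst=198.51.100.7 act=allow bytes=512",
]

if __name__ == "__main__":
    for raw in SAMPLE_RAW:
        print(apply_search_time(raw))
```

The lookup is keyed on the alias src_ip rather than the extracted src, which works only because aliases are applied before lookups; the vendor_upper calculated field is the mirror image of that and silently stays absent, which is why the answer to questions 38 and 66 excludes lookup output fields.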
67. Which of the following can be used with the eval command tostring function (select
all that apply)
A. hex
B. commas
C. Decimal
D. duration

68. When using | timechart by host, which field is represented in the x-axis?
A. date
B. host
C. time
D. _time

https://docs.splunk.com/Documentation/Splunk/8.0.4/SearchReference/Timechart

69. Which of the following is the correct way to use the datamodel command to search
fields in the Web data model within the Web dataset?
A. | datamodel Web Web search | fields Web*
B. | search datamodel Web Web | fields Web*
C. | datamodel Web Web fields | search Web*
D. datamodel=Web | search Web | fields Web*

70. Which of the following statements about tags is true? (Choose all that apply.)
A. Tags are case-insensitive.
B. Tags are based on field/value pairs.
C. Tags categorize events based on a search.
D. Tags are designed to make data more understandable.

71. Information needed to create a GET workflow action includes which of the following?
(Choose all that apply.)
A. A name for the workflow action.
B. A URI where the user will be directed at search time.
C. A label that will appear in the Event Action menu at search time.
D. A name for the URI where the user will be directed at search time.

72. Which Knowledge Object does the Splunk Common Information Model (CIM) use to
normalize data, in addition to field aliases, event types, and tags?
A. Macros
B. Lookups
C. Workflow actions
D. Field extractions
73. What other syntax will produce exactly the same results as | chart count over
vendor_action by user?
A. | chart count by vendor_action, user
B. | chart count over vendor_action, user
C. | chart count by vendor_action over user
D. | chart count over user by vendor_action

74. What is a limitation of searches generated by workflow actions?

A. Searches generated by workflow actions cannot use macros.
B. Searches generated by workflow actions must be less than 256 characters long.
C. Searches generated by workflow actions must run in the same app as the workflow
action.
D. Searches generated by workflow actions run with the same permissions as the user
running them.

75. Which of the following searches would return a report of sales by product_name?
A. chart sales by product_name
B. chart sum(price) as sales by product_name
C. stats sum(price) as sales over product_name
D. timechart list(sales), values(product_name)

76. Which of the following statements describes the use of the Field Extractor (FX)?
A. The Field Extractor automatically extracts all fields at search time.
B. The Field Extractor uses PERL to extract fields from the raw events.
C. Fields extracted using the Field Extractor persist as knowledge objects.
D. Fields extracted using the Field Extractor do not persist and must be defined for each
search.

77. Which statement is true?

A. Pivot is used for creating datasets.
B. Data models are randomly structured datasets.
C. Pivot is used for creating reports and dashboards.
D. In most cases, each Splunk user will create their own data model.

78. Which workflow uses field values to perform a secondary search?

A. POST
B. Action
C. Search
D. Sub-search
79. In most large Splunk environments, what is the most efficient command that can be
used to group events by fields?
A. join
B. stats
C. streamstats
D. transaction

80. Which of the following statements describes POST workflow actions?

A. Configuration of a POST workflow action includes choosing a sourcetype.
B. POST workflow actions can be configured to send email to the URI location.
C. By default, POST workflow actions are shown in both the event and field menus.
D. POST workflow actions can be configured to send POST arguments to the URI
location.

81. Which workflow action method can be used when the action type is set to link?
A. GET
B. PUT
C. Search
D. UPDATE

82. Which of the following commands support the same set of functions?
A. stats, eval, table
B. search, where, eval
C. stats, chart, timechart
D. transaction, chart, timechart

83. The eval command allows you to do which of the following? (Choose all that apply.)
A. Format values
B. Convert values
C. Perform calculations
D. Use conditional statements

84. When using the timechart command, how can a user group the events into buckets
based on time?
A. Using the span argument.
B. Using the duration argument.
C. Using the interval argument.
D. Adjusting the fieldformat options.
85. Which type of visualization shows relationships between discrete values in three
dimensions?
A. Pie chart
B. Line chart
C. Bubble chart
D. Scatter chart

86. Which of the following is a function of the Splunk Common Information Model (CIM)?
A. Normalizing data across a Splunk deployment.
B. Providing templates for reports and dashboards.
C. Algorithmically shifting events to other indexes.
D. Reingesting previously indexed data with new field names.

87. Which is not a comparison operator in Splunk?

A. =
B. >
C. ?=
D. <=
E. !=

88. The gauge command:

A. allows you to set colored ranges for a single-value visualization
B. creates a radial gauge visualization
C. creates a single-value visualization

89. Which type of visualization allows you to show a third dimension of data?
A. area chart
B. scatter chart
C. pie chart
D. bubble chart

90. Choose the command for removing the status field from the returned events in:
sourcetype=a* status=404 | ___________ status
A. not
B. fields -
C. table
D. None of these
E. fields
91. The trendline command requires the following three arguments.
A. trend type, time period, and field
B. wma, sma, and ema

92. Identify the missing details in the following search:
sourcetype=a* | rename ip as "User IP" | table User IP
A. None of these
B. A table command.
C. Quotation marks around User IP.
D. Search terms
E. A pipe.

93. How many results are shown by default when using a Top or Rare Command?
A. 1
B. 1000
C. 12
D. 10

94. Which of the following is not a Stats function?

A. None of these
B. List
C. Addtotals
D. Count
E. Avg
F. Sum

95. State whether the following statement holds Correct or Incorrect - "A Power User can
share and promote knowledge objects."
A. Correct
B. Incorrect

96. Which of the following is used for categorizing the data that is being indexed, in
Splunk?
A. source
B. index
C. sourcetype
D. None of these
E. host

97. The Splunk CIM Add-on includes data models in a __________ format.
A. JSON
B. MySQL
C. XML
98. This function of the stats command allows you to identify the number of values a field
has.
A. max
B. distinct_count
C. fields
D. count

99. The eval command 'if' function requires the following three arguments(in order)
A. Boolean expression, result if true,result if false
B. result if true,result if false,Boolean expression
C. result if false,result if true,Boolean expression
D. Boolean expression, result if false,result if true

100. Which of the following search modes automatically returns all extracted fields in the
fields sidebar?
A. Fast
B. Smart
C. Verbose

101. We can use the rename command to _____ (Select all that apply.)
A. Change indexed fields
B. Exclude fields from our search results
C. Extract new fields from our data using regular expressions
D. Give a field a new name at search time

103. Which command is used to create choropleth maps?

A. geostats
B. cluster
C. geom

104. Which of the following statements are true for this search? (Select all that apply.)
sourcetype=access* | fields action productId status
A. is looking for all events that include the search terms: fields AND action AND
productId AND status
B. uses the table command to improve performance
C. limits the fields that are extracted
D. returns a table with 3 columns

106. When using a field value variable with a Workflow Action, which punctuation mark
will escape the data?
A. *
B. !
C. ^
D. #

107. In the Field Extractor Utility, this button will display events that do not contain
extracted fields.
A. Selected-Fields
B. Non-Matches
C. Non-Extractions
D. Matches

108. The transaction command allows you to __________ events across multiple sources
A. duplicate
B. correlate
C. persist
D. tag

109. These users can create global knowledge objects. (Select all that apply.)
A. users
B. power users
C. administrators

110. When a search returns __________, you can view the results as a list.
A. a list of events
B. transactions
C. statistical values
111. When you mouse over and click to add a search term, which Boolean operator(s)
is/are not implied?
A. OR
B. ()
C. AND
D. NOT

112. It is mandatory for the lookup file to have this for an automatic lookup to work.
A. Source type
B. At least five columns
C. Timestamp
D. Input field

113. A real-time alert is ______________.

A. A scheduled alert
B. constantly running in the background

114. Highlighted search terms indicate _________ search results in Splunk.

A. Display as selected fields.
B. Sorted
C. Charted based on time
D. Matching

115. Which of these is NOT a field that is automatically created with the transaction
command?
A. maxcount
B. duration
C. eventcount

116. A report scheduled to run every 15 mins. but taking 17 mins. to complete is in
danger of being _____.
A. skipped or deferred
B. automatically accelerated
C. deleted
D. all the above

117. This tab shows you the event patterns in the results of a specific search.
A. statistics
B. visualization
C. patterns
118. Use this command to use lookup fields in a search and see the lookup fields in the
field sidebar.
A. inputlookup
B. lookup

119. Which of the following search controls will not re-run the search? (Select all that
apply.)
A. zoom out
B. selecting a bar on the timeline
C. deselect
D. selecting a range of bars on the timelines

120. Which of the following are valid options with the chart command? (Select all that apply.)
A. useother
B. usenull
C. fillfield
D. usefiled
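
Questions 73 and 120 ask how chart's over/by clauses and its useother option shape the output table. As an added example, not code from the question dump or from Splunk, the Python below re-creates the row/column semantics of `chart count over <row> by <column>`, shows that `chart count by A, B` produces the same table, and applies chart's limit and useother behaviour (columns ranked by total count beyond the limit are folded into OTHER). The events, field names and counts are constructed for illustration; the default limit of 10 follows the chart command's documented default.

```python
"""Added example, not code from the question dump or from Splunk: the row/column
semantics of `chart count over <row> by <column>` together with `limit` and
`useother`, re-created over constructed events."""
from collections import Counter


def chart_count(events, over, by=None, limit=10, useother=True):
    """Rows are the distinct values of `over`, columns the distinct values of `by`.
    Columns are ranked by total count; those beyond `limit` are merged into one
    OTHER column when useother is on and dropped when it is off."""
    if by is None:
        rows = Counter(e[over] for e in events if over in e)
        return {row: {"count": n} for row, n in sorted(rows.items())}
    cells = Counter((e[over], e[by]) for e in events if over in e and by in e)
    col_totals = Counter()
    for (_, col), n in cells.items():
        col_totals[col] += n
    ranked = sorted(col_totals, key=lambda c: (-col_totals[c], c))
    kept, dropped = ranked[:limit], set(ranked[limit:])
    columns = kept + (["OTHER"] if dropped and useother else [])
    table = {row: {c: 0 for c in columns} for row in sorted({r for r, _ in cells})}
    for (row, col), n in cells.items():
        if col in dropped:
            if useother:
                table[row]["OTHER"] += n
        else:
            table[row][col] += n
    return table


def chart_count_by(events, *fields, **options):
    """`chart count by A` or `chart count by A, B`: the first by-field becomes the
    row field (exactly as `over A` does), the second the column field."""
    if not 1 <= len(fields) <= 2:
        raise ValueError("chart accepts at most two by-fields")
    return chart_count(events, fields[0], fields[1] if len(fields) == 2 else None, **options)


SAMPLE_EVENTS = [  # constructed: one vendor_action and user per event
    {"vendor_action": "allowed", "user": "alice"},
    {"vendor_action": "allowed", "user": "alice"},
    {"vendor_action": "blocked", "user": "alice"},
    {"vendor_action": "allowed", "user": "bob"},
    {"vendor_action": "blocked", "user": "bob"},
    {"vendor_action": "blocked", "user": "carol"},
]

if __name__ == "__main__":
    print(chart_count(SAMPLE_EVENTS, "vendor_action", "user"))
    print(chart_count(SAMPLE_EVENTS, "vendor_action", "user", limit=2))
```

Swapping the two fields (`over user by vendor_action`) transposes the table rather than reproducing it, which is why only `chart count by vendor_action, user` matches the original in question 73.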

121. Splunk alerts can be based on searches that run______. (Select all that apply.)
A. in real-time
B. on a regular schedule
C. and have no matching events

122. How many ways are there to access the Field Extractor Utility?
A. 3
B. 4
C. 1
D. 5

123. Complete the search: .... | _____ failure>successes

A. Search
B. Where
C. If
D. Any of the above

124. When using the transaction command, what does the argument maxspan do?
A. Sets the maximum total time between events in a transaction.
B. Sets the maximum length of all the events within a transaction.
C. Sets the maximum total time between the earliest and latest events in a transaction.
D. Sets the maximum length that any single event can reach to be included in the
transaction.
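
Questions 12, 28, 31, 57, 60, 62, 115 and 124 all concern what the transaction command builds (duration, eventcount, a combined event), how maxspan and maxpause split groups, and when stats is the cheaper choice. The following is an added example, not code from the question dump or from Splunk: a small Python re-implementation of `transaction <fields> maxspan=.. maxpause=..` next to the `stats` equivalent, run over constructed access_combined-style lines. The log format, session IDs, timestamps and the trailing ACCEPT/REJECT token are made up for illustration (the token is not part of the real access_combined sourcetype), and the grouping logic is simplified to events that carry every grouping field.

```python
"""Added example, not code from the question dump or from Splunk: a simplified
re-implementation of `transaction` with maxspan/maxpause, plus the `stats`
equivalent, over constructed access_combined-style lines."""
import re
from datetime import datetime

SAMPLE_LOGS = [  # constructed sample events, two sessions; ACCEPT/REJECT token is made up
    '10.0.0.1 - - [01/Jan/2024:10:00:00 +0000] "GET /login HTTP/1.1" 200 512 ACCEPT JSESSIONID=SD1',
    '10.0.0.1 - - [01/Jan/2024:10:00:03 +0000] "POST /login HTTP/1.1" 302 0 ACCEPT JSESSIONID=SD1',
    '10.0.0.1 - - [01/Jan/2024:10:00:06 +0000] "GET /account HTTP/1.1" 200 2048 ACCEPT JSESSIONID=SD1',
    '10.0.0.1 - - [01/Jan/2024:10:00:20 +0000] "GET /logout HTTP/1.1" 200 128 ACCEPT JSESSIONID=SD1',
    '10.0.0.2 - - [01/Jan/2024:10:00:00 +0000] "GET /login HTTP/1.1" 200 512 ACCEPT JSESSIONID=SD2',
    '10.0.0.2 - - [01/Jan/2024:10:00:40 +0000] "POST /transfer HTTP/1.1" 403 77 REJECT JSESSIONID=SD2',
]

LOG_RE = re.compile(
    r'^(?P<clientip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<bytes>\d+) (?P<action>\S+) JSESSIONID=(?P<JSESSIONID>\S+)$'
)


def parse_events(lines):
    """Search-time field extraction: one dict per line with _raw and an epoch _time."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: nothing extracted, skipped here
        ev = m.groupdict()
        ev["_time"] = int(datetime.strptime(ev.pop("ts"), "%d/%b/%Y:%H:%M:%S %z").timestamp())
        ev["_raw"] = line
        events.append(ev)
    return events


def transaction(events, fields, maxspan=None, maxpause=None):
    """Group events sharing the same values of `fields` (simplified: every event
    must carry all of them). A new transaction starts when the gap from the previous
    event exceeds maxpause or the first-to-last span would exceed maxspan. Each
    transaction gets the auto-created duration and eventcount fields and a combined
    _raw, so a later `| search REJECT` applies to the whole transaction."""
    open_tx, finished = {}, []

    def close(tx):
        evs = tx["events"]
        out = dict(zip(fields, tx["key"]))
        out.update(_time=evs[0]["_time"],
                   duration=evs[-1]["_time"] - evs[0]["_time"],
                   eventcount=len(evs),
                   _raw="\n".join(e["_raw"] for e in evs))
        finished.append(out)

    for ev in sorted(events, key=lambda e: e["_time"]):
        key = tuple(ev.get(f) for f in fields)
        if None in key:
            continue
        tx = open_tx.get(key)
        if tx is not None:
            gap = ev["_time"] - tx["events"][-1]["_time"]
            span = ev["_time"] - tx["events"][0]["_time"]
            if (maxpause is not None and gap > maxpause) or (maxspan is not None and span > maxspan):
                close(tx)
                tx = None
        if tx is None:
            tx = open_tx[key] = {"key": key, "events": []}
        tx["events"].append(ev)
    for tx in open_tx.values():
        close(tx)
    return finished


def stats_by(events, field):
    """`stats count min(_time) as first max(_time) as last by <field>` with the
    duration derived by eval: the cheaper route to per-session counts and durations
    when the events do not need to be viewed as one correlated event."""
    acc = {}
    for ev in events:
        key = ev.get(field)
        if key is None:
            continue
        a = acc.setdefault(key, {"count": 0, "first": ev["_time"], "last": ev["_time"]})
        a["count"] += 1
        a["first"] = min(a["first"], ev["_time"])
        a["last"] = max(a["last"], ev["_time"])
    return {k: {"count": a["count"], "duration": a["last"] - a["first"]} for k, a in acc.items()}


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOGS)
    for tx in transaction(evs, ["JSESSIONID"], maxspan=30, maxpause=5):
        print(tx["JSESSIONID"], tx["eventcount"], tx["duration"])
    print(stats_by(evs, "JSESSIONID"))
```

With maxspan=30 and maxpause=5 the 14-second gap before the SD1 logout and the 40-second gap in SD2 each start a new transaction, so four transactions come out of six events; without the limits the same sessions collapse to two, and stats_by gives the same counts and durations without building the combined events at all.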
125. Field aliases are used to __________ data
A. clean
B. transform
C. calculate
D. normalize

126. Clicking a SEGMENT on a chart, ________.

A. drills down for that value
B. highlights the field value across the chart
C. adds the highlighted value to the search criteria

127. This function of the stats command allows you to return the middle-most value of
field X.
A. Median(X)
B. Eval by X
C. Fields(X)
D. Values(X)

128. The fields sidebar does not show ________.

A. interesting fields
B. selected fields
C. all extracted fields

129. __________ datasets can be added to root dataset to narrow down the search
A. parent
B. extracted
C. event
D. child

130. By default search results are not returned in ________ order.

A. Chronological
B. Reverse chronological
C. ASCII
D. Alphabetical
Answer: A, D

131. During the validation step of the Field Extractor workflow:

A. You can remove values that aren't a match for the field you want to define
B. You can validate where the data originated from
C. You cannot modify the field extraction

132. Select this in the fields sidebar to automatically pipe your search results to the rare
command
A. events with this field
B. rare values
C. top values by time
D. top values

133. Which of the following about reports is/are true?

A. Reports are knowledge objects.
B. Reports can be scheduled.
C. Reports can run a script.
D. All of the above.

134. Which of the following commands are used when creating visualizations? (Select all
that apply.)
A. Geom
B. Choropleth
C. Geostats
D. iplocation

135. This function of the stats command allows you to return the sample standard
deviation of a field.
A. stdev
B. dev
C. count deviation
D. by standarddev

136. The time range specified for a historical search defines the ____________ .
A. Amount of data shown on the timeline as data streams in
B. Amount of data fetched from index matching that time range
C. Time range for the static results

137. These kinds of charts represent a series in a single bar with multiple sections
A. Multi-Series
B. Split-Series
C. Omit nulls
D. Stacked

138. Which of these search strings is NOT valid:

A. index=web status=50* | chart count over host, status
B. index=web status=50* | chart count over host by status
C. index=web status=5-* | chart count by host, status

139. If a search returns ____________ it can be viewed as a chart.
A. timestamps
B. statistics
C. events
D. keywords

140. When using a split series on a chart, the series MUST be displayed using the
STACKED option.
A. True
B. False

141. What will you learn from the results of the following search?
sourcetype=cisco_esa | transaction mid, dcid, icid | timechart avg(duration)
A. The average time elapsed during each transaction for all transactions
B. The average time for each event within each transaction
C. The average time between each transaction

142. When extracting fields, we may choose to use our own regular expressions
A. True
B. False

143. Alert throttling is used to _______.

A. verify each alert
B. stagger search requests in a time-sequenced order
C. stop spamming yourself with alerts
D. check severity

144. This clause is used to group the output of a stats command by a specific name.
A. List
B. By
C. As
D. Rex

145. The limit attribute will___________.

A. only work with top command
B. override default of 20
C. override default of 10
D. override default of 15

146. The timechart command buckets data in time intervals depending on:
A. the type of visualization selected
B. the number of events returned
C. the selected time range

147. These are the default selected fields.
A. host, source, _raw
B. source, sourcetype, host
C. source, sourcetype, timestamp
D. source, sourcetype, index

148. The pivot editor has a map visualization option.

A. True
B. False

149. Which command can include both an over and a by clause to divide results into sub-
groupings?
A. chart
B. stats
C. xyseries
D. transaction

150. In the following eval statement, what is the value of description if the status is 503?
index=main | eval description=case(status==200, "OK", status==404, "Not found",
status==500, "Internal Server Error")
A. The description field would contain no value.
B. The description field would contain the value 0.
C. The description field would contain the value "Internal Server Error".
D. This statement would produce an error in Splunk because it is incomplete.

151. The Splunk search language does not support wildcards.

A. False
B. True

152. When is a GET workflow action needed?

A. To define how events flow from forwarders to indexes.
B. To retrieve information from an external resource.
C. To send field values to an external resource.
D. To use field values to perform a secondary search.

153. Lookups allow you to overwrite your raw event.

A. True
B. False

154. index=web sourcetype=access_combined
The log shows several events that share the same JSESSIONID value
(SD404K289O2F151). View the events as a group. From the following list, which search
groups events by JSESSIONID?
A. index=web sourcetype=access_combined | transaction JSESSIONID | search
SD404K289O2F151
B. index=web sourcetype=access_combined SD404K289O2F151 | table JSESSIONID
C. index=web sourcetype=access_combined | highlight JSESSIONID | search
SD404K289O2F151
D. index=web sourcetype=access_combined JSESSIONID <SD404K289O2F151>

155. What information must be included when using the datamodel command?
A. Data model dataset name.
B. status field
C. Data model field name.
D. Multiple indexes

QUESTION: 22
Based on the macro definition shown below, what is the correct way to execute the macro in a
search string?

A. Convert_sales (euro, , 79)"
B. Convert_sales (euro, , .79)
C. Convert_sales ($euro,$$,s79$
D. Convert_sales ($euro, $$,S,79$)

QUESTION: 122
A data model consists of which three types of datasets?

A. Constraint, field, value.
B. Events, searches, transactions.
C. Field extraction, regex, delimited.
D. Transaction, session ID, metadata.

QUESTION: 103
Where are the results of eval commands stored?

A. In a field.
B. In an index.
C. In a KV Store.
D. In a database.

Answer(s): A
QUESTION: 91
When should transaction be used?

A. Only in a large distributed Splunk environment.
B. When calculating results from one or more fields.
C. When event grouping is based on start/end values.
D. When grouping events results in over 1000 events in each group.

Answer(s): B

https://docs.splunk.com/Documentation/Splunk/8.0.3/Search/Abouttransactions

QUESTION: 1
Given the macro definition below, what should be entered into the Name and Arguments
fields to correctly configure the macro?

A. The macro name is sessiontracker and the arguments are action, JESSION.
B. The macro name is sessiontracker (2) and the action JESSIONID
C. The macro name is sessiontracker and the arguments are sectional ,$ JESSIONIDS.
D. The macro name is sessiontracker (2) and the arguments are $action ,$JESSIONIDS.

QUESTION: 41
When using timechart, how many fields can be listed after a by clause? ( Choose Two )

A. because timechart doesn't support using a by clause.
B. because _time is already implied as the x-axis.
C. because one field would represent the x-axis and the other would represent the y-axis.
D. There is no limit specific to timechart.

Q: - Which of the following is one of the pre-configured data models included in the
Splunk Common Information Model (CIM) add-on?

A.Access
B.Accounting
C.Authorization
D.Authentication

Answer: D

Reference: https://docs.splunk.com/Documentation/CIM/4.18.0/User/Overview

QUESTION: Which of the following statements describes calculated fields?

A.Calculated fields are only used on fields added by lookups.
B.Calculated fields are a shortcut for repetitive and complex eval commands.
C.Calculated fields are a shortcut for repetitive and complex calc commands.
D.Calculated fields automatically calculate the simple moving average for indexed fields.

Answer: C

Reference:
https://docs.splunk.com/Documentation/Splunk/8.1.1/Knowledge/CreatecalculatedfieldswithSplu
nkWeb

QUESTION: In which Settings section are macros defined?

A.Fields
B.Tokens
C.Advanced Search
D.Searches, Reports, Alerts

Answer: C

Reference:
https://docs.splunk.com/Documentation/Splunk/8.1.1/Knowledge/Definesearchmacros

Q:- A user wants to create a new field alias for a field that appears in two sourcetypes.
How many field aliases need to be created?
A. One.
B. Two.
C. It depends on whether the original fields have the same name.
D. It depends on whether the two source types are associated with the same index.
Answer: A

QUESTION: 146
This is what Splunk uses to categorize the data that is being indexed.

A. sourcetype
B. index
C. source
D. host

QUESTION: 141
These allow you to categorize events based on search terms.

Select your answer.

A. Groups
B. Event Types
C. Macros
D. Tags

QUESTION: 131
Which of the following searches would create a graph similar to the one below?

A. index_internal seourcetype=Savesplunker | fields sourcetype, status | transaction
status maxspan-id | start count states
B. index_internal seourcetype=Savesplunker | fields sourcetype, status | transaction
status maxspan-id | chart count states by -time
C. index_internal seourcetype=Savesplunker | fields sourcetype, status | transaction
status maxspan-id | timechart count by status
D. None of these searches would generate a similar graph.

QUESTION: 124
What is the correct way to name a macro with two arguments?

A. us_sales2
B. us_sales(1,2)
C. us_sale,2
D. us_sales(2)

Answer(s): D

QUESTION: 123
Which search would limit an "alert" tag to the "host" field?

A. tag=alert
B. host::tag::alert
C. tag==alert
D. tag::host=alert

Answer(s): D

QUESTION: 120
This role is required to install the CIM Add-on. Select your answer.

A. ADMIN
B. POWER
C. USER

Answer(s): A

QUESTION: 119
There are several ways to access the field extractor. Which option automatically identifies data
type, source type, and sample event?

A. Event Actions > Extract Fields
B. Fields sidebar > Extract New Field
C. Settings > Field Extractions > New Field Extraction
D. Settings > Field Extractions > Open Field Extraction

QUESTION: Which of the following about reports is/are true?

A. Reports are knowledge objects.
B. Reports can be scheduled.
C. Reports can run a script.
D. All of the above.

QUESTION: 116
Which of the following searches will show the number of categoryId values used by each host?

A. Sourcetype=access_* |sum bytes by host
B. Sourcetype=access_* |stats sum(categoryId) by host
C. Sourcetype=access_* |sum(bytes) by host
D. Sourcetype=access_* |stats sum by host

QUESTION: 114
Which of the following search controls will not re-run the search? (Select all that apply.)

A. zoom out
B. selecting a bar on the timeline
C. deselect
D. selecting a range of bars on the timelines

QUESTION: 88
Using the export function, you can export search results as ______. (Select all that
apply.)

A. Xml
B. Json
C. Html
D. A php file

QUESTION: 76
The stats command will create a ______ by default.

A. Table
B. Report
C. Pie chart

QUESTION: 74
Which of the following are valid options to speed up reports? (Select all that apply.)

A. Edit permissions
B. Edit description
C. Edit acceleration
D. Edit schedule

QUESTION: 72
Which of the following commands will show the maximum bytes?

A. sourcetype=access_* | maximum totals by bytes
B. sourcetype=access_* | avg (bytes)
C. sourcetype=access_* | stats max(bytes)
D. sourcetype=access_* | max(bytes)

QUESTION: 70
Which function should you use with the transaction command to set the maximum total
time between the earliest and latest events returned?

A. maxpause
B. endswith
C. maxduration
D. maxspan

QUESTION: 69
For choropleth maps, Splunk ships with the following KMZ files (select all that apply)

A. States of the United States
B. States and provinces of the United States and Canada
C. Countries of the European Union
D. Countries of the World

QUESTION: 68
In this search, ______ will appear on the y-axis. SEARCH: sourcetype=access_combined
status!=200 | chart count over host

A. status
B. host
C. count

QUESTION: 38
Data model fields can be added using the Auto-Extracted method. Which of the following
statements describe Auto-Extracted fields? (select all that apply)

A. Auto-Extracted fields can be hidden in Pivot.
B. Auto-Extracted fields can have their data type changed.
C. Auto-Extracted fields can be given a friendly name for use in Pivot.
D. Auto-Extracted fields can be added if they already exist in the dataset with constraints.

QUESTION: 34
In what order are the following knowledge objects/configurations applied?

A. Field Aliases, Field Extractions, Lookups
B. Field Extractions, Field Aliases, Lookups
C. Field Extractions, Lookups, Field Aliases
D. Lookups, Field Aliases, Field Extractions

QUESTION: 10
Which of the following statements describes macros?

A. A macro is a reusable search string that must contain the full search.
B. A macro is a reusable search string that must have a fixed time range.
C. A macro Is a reusable search string that may have a flexible time range.
D. A macro Is a reusable search string that must contain only a portion of the search.

QUESTION: 8
Which of the following statements describe the search string below?
datamodel Application_State All_Application_State search

A. Events will be returned from dataset named Application_state.
B. Events will be returned from the data model named Application_State.
C. Events will be returned from the data model named All_Application_state.
D. No events will be returned because the pipe should occur after the datamodel command
