Certification Provider: Splunk
Exam: Splunk Core Certified Power User
Duration: 1 hour
Number of questions provided here: 96
Question
Which one of the following statements about the search command is true?
A. It does not allow the use of wildcards.
B. It treats field values in a case-sensitive manner.
C. It can only be used at the beginning of the search pipeline.
D. It behaves exactly like search strings before the first pipe.

Question
Which of the following actions can the eval command perform?
A. Remove fields from results.
B. Create or replace an existing field.
C. Group transactions by one or more fields.
D. Save SPL commands to be reused in other searches.

Question
When multiple event types with different color values are assigned to the same event, what determines the color displayed for the event?
A. Rank
B. Weight
C. Priority
D. Precedence

Question
When using the Field Extractor (FX), which of the following delimiters will work? (Choose all that apply.)
A. Tabs
B. Pipes
C. Colons
D. Spaces
E. B and D

Question
When can a pipe follow a macro?
A. A pipe may always follow a macro.
B. The current user must own the macro.
C. The macro must be defined in the current app.
D. Only when sharing is set to global for the macro.

Question
Data models are composed of one or more of which of the following datasets? (Choose all that apply.)
A. Events datasets
B. Search datasets
C. Transaction datasets
D. Any child of event, transaction, and search datasets
E. A, B and C

Question
Which group of users would most likely use pivots?
A. Users
B. Architects
C. Administrators
D. Knowledge Managers

Question
Based on the macro definition shown below, what is the correct way to execute the macro in a search string?
A. "convert_sales(euro,€,.79)"
B. 'convert_sales(euro,€,.79)'
C. "convert_sales($euro$,$€$,$.79$)"
D. 'convert_sales($euro$,$€$,$.79$)'

Question
There are several ways to access the field extractor. Which option automatically identifies the data type, source type, and sample event?
A. Event Actions > Extract Fields
B. Fields sidebar > Extract New Fields
C. Settings > Field Extractions > New Field Extraction
D. Settings > Field Extractions > Open Field Extractor

Question
Which of the following statements would help a user choose between the transaction and stats commands?
A. stats can only group events using IP addresses.
B. The transaction command is faster and more efficient.
C. There is a 1000 event limitation with the transaction command.
D. Use stats when the events need to be viewed as a single correlated event.

Question
By default, how is acceleration configured in the Splunk Common Information Model (CIM) add-on?
A. Turned off.
B. Turned on.
C. Determined automatically based on the sourcetype.
D. Determined automatically based on the data source.

Question
Which of the following statements describe the Common Information Model (CIM)? (Choose all that apply.)
A. CIM is a methodology for normalizing data.
B. CIM can correlate data from different sources.
C. The Knowledge Manager uses the CIM to create knowledge objects.
D. CIM is an app that can coexist with other apps on a single Splunk deployment.
E. A, B and D

Question
Which of the following statements describe calculated fields? (Choose all that apply.)
A. Calculated fields can be used in the search bar.
B. Calculated fields can be based on an extracted field.
C. Calculated fields can only be applied to host and sourcetype.
D. Calculated fields are shortcuts for performing calculations using the eval command.
E. A, B and D

Question
Which of the following knowledge objects represents the output of an eval expression?
A. Eval fields
B. Calculated fields
C. Field extractions
D. Calculated lookups

Question
What do events in a transaction have in common?
A. All events in a transaction must have the same timestamp.
B. All events in a transaction must have the same sourcetype.
C. All events in a transaction must have the exact same set of fields.
D. All events in a transaction must be related by one or more fields.

Question
Which delimiters can the Field Extractor (FX) detect? (Choose all that apply.)
A. Tabs
B. Pipes
C. Spaces
D. Commas
E. B, C and D

Question
A data model consists of which three types of datasets?
A. Constraint, field, value.
B. Events, searches, transactions.
C. Field extraction, regex, delimited.
D. Transaction, session ID, metadata.

Question
Where are the results of eval commands stored?
A. In a field.
B. In an index.
C. In a KV Store.
D. In a database.

Question
Calculated fields can be based on which of the following?
A. Tags
B. Extracted fields
C. Output fields for a lookup
D. Fields generated from a search string

Question
When should transaction be used?
A. Only in a large distributed Splunk environment.
B. When calculating results from one or more fields.
C. When event grouping is based on start/end values.

Question
When performing a regular expression (regex) field extraction using the Field Extractor (FX), what happens when the require option is used?
A. The regex can no longer be edited.
B. The field being extracted will be required for all future events.
C. The events without the required field will not display in searches.
D. Only events with the required string will be included in the extraction.

Question
When using | timechart by host, which field is represented in the x-axis?
A. date
B. host
C. time
D. _time

Question
Which of the following is the correct way to use the datamodel command to search fields in the Web data model within the Web dataset?
A. | datamodel Web Web search | fields Web*
B. | search datamodel Web Web | fields Web*
C. | datamodel Web Web fields | search Web*
D. datamodel=Web | search Web | fields Web*

Question
Which of the following statements describe the command below? (Choose all that apply.)
sourcetype=access_combined | transaction JSESSIONID
A. An additional field named maxspan is created.
B. An additional field named duration is created.
C. An additional field named eventcount is created.
D. Events with the same JSESSIONID will be grouped together into a single event.
E. B, C and D

Question
Which of the following searches will return events containing a tag named Privileged?
A. tag=Priv
B. tag=Priv*
C. tag=priv*
D. tag=privileged

Question
Given the macro definition below, what should be entered into the Name and Arguments fields to correctly configure the macro?
A. The macro name is sessiontracker and the arguments are action, JSESSIONID.
B. The macro name is sessiontracker(2) and the arguments are action, JSESSIONID.
C. The macro name is sessiontracker and the arguments are $action$, $JSESSIONID$.
D. The macro name is sessiontracker(2) and the arguments are $action$, $JSESSIONID$.

Question
What is required for a macro to accept three arguments?
A. The macro’s name ends with (3).
B. The macro’s name starts with (3).
C. The macro’s argument count setting is 3 or more.
D. Nothing, all macros can accept any number of arguments.

Question
Which workflow action method can be used when the action type is set to link?
A. GET
B. PUT
C. Search
D. UPDATE

Question
Which of the following statements about tags is true? (Choose all that apply.)
A. Tags are case-insensitive.
B. Tags are based on field/value pairs.
C. Tags categorize events based on a search.
D. Tags are designed to make data more understandable.
E. B and D

Question
Which of the following statements about macros is true? (Choose all that apply.)
A. Arguments are defined at execution time.
B. Arguments are defined when the macro is created.
C. Argument values are used to resolve the search string at execution time.
D. Argument values are used to resolve the search string when the macro is created.
E. A and C

Question
Information needed to create a GET workflow action includes which of the following? (Choose all that apply.)
A. A name for the workflow action.
B. A URI where the user will be directed at search time.
C. A label that will appear in the Event Action menu at search time.
D. A name for the URI where the user will be directed at search time.
E. A, B and C

Question
Which of the following can be used with the eval command tostring function? (Choose all that apply.)
A. "hex"
B. "commas"
C. "decimal"
D. "duration"
E. A, B and D

Question
Which of the following searches show a valid use of a macro? (Choose all that apply.)
A. index=main source=mySource oldField=* | 'makeMyField(oldField)' | table _time newField
B. index=main source=mySource oldField=* | stats if('makeMyField(oldField)') | table _time newField
C. index=main source=mySource oldField=* | eval newField='makeMyField(oldField)' | table _time newField
D. index=main source=mySource oldField=* | "'newField('makeMyField(oldField)')'" | table _time newField
E. A and B

Question
A user wants to convert numeric field values to strings and also to sort on those values. Which command should be used first, the eval or the sort?
A. It doesn’t matter whether eval or sort is used first.
B. Convert the numeric to a string with eval first, then sort.
C. Use sort first, then convert the numeric to a string with eval.
D. You cannot use the sort command and the eval command on the same field.

Question
Which Knowledge Object does the Splunk Common Information Model (CIM) use to normalize data, in addition to field aliases, event types, and tags?
A. Macros
B. Lookups
C. Workflow actions
D. Field extractions
E. B and D

Question
Which of the following statements describe data model acceleration? (Choose all that apply.)
A. Root events cannot be accelerated.
B. Accelerated data models cannot be edited.
C. Private data models cannot be accelerated.
D. You must have administrative permissions or the accelerate_datamodel capability to accelerate a data model.

Question
How does a user display a chart in stack mode?
A. By using the stack command.
B. By turning on the Use Trellis Layout option.
C. By changing Stack Mode in the Format menu.

Question
If no value is specified with the fillnull command, what default value will be used?
A. 0
B. N/A
C. ""
D. NULL

Question
What other syntax will produce exactly the same results as | chart count over vendor_action by user?
A. | chart count by vendor_action, user
B. | chart count over vendor_action, user
C. | chart count by vendor_action over user
D. | chart count over user by vendor_action

Question
What are the two parts of a root event dataset?
A. Fields and variables.
B. Fields and attributes.
C. Constraints and fields.

Question
When using timechart, how many fields can be listed after a by clause?
A. 0, because timechart doesn’t support using a by clause.
B. 1, because _time is already implied as the x-axis.
C. 2, because one field would represent the x-axis and the other would represent the y-axis.
D. There is no limit specific to timechart.

Question
A field alias has been created based on an original field. A search without any transforming commands is then executed in Smart Mode. Which field name appears in the results?
A. Both will appear in the All Fields list, but only if the alias is specified in the search.
B. Both will appear in the Interesting Fields list, but only if they appear in at least 20 percent of events.
C. The original field only appears in the All Fields list and the alias only appears in the Interesting Fields list.
D. The alias only appears in the All Fields list and the original field only appears in the Interesting Fields list.

Question
Which of the following statements describes macros?
A. A macro is a reusable search string that must contain the full search.
B. A macro is a reusable search string that must have a fixed time range.
C. A macro is a reusable search string that may have a flexible time range.
D. A macro is a reusable search string that must contain only a portion of the search.

Question
In what order are the following knowledge objects/configurations applied?
A. Field Aliases, Field Extractions, Lookups
B. Field Extractions, Field Aliases, Lookups
C. Field Extractions, Lookups, Field Aliases
D. Lookups, Field Aliases, Field Extractions

Question
In which of the following scenarios is an event type more effective than a saved search?
A. When a search should always include the same time range.
B. When a search needs to be added to other users’ dashboards.
C. When the search string needs to be used in future searches.
D. When formatting needs to be included with the search string.

Question
When using the transaction command, what does the argument maxspan do?
A. Sets the maximum total time between events in a transaction.
B. Sets the maximum length of all the events within a transaction.
C. Sets the maximum total time between the earliest and latest events in a transaction.

Question
When creating a Search workflow action, which field is required?
A. Search string
B. Data model name
C. Permission setting
D. An eval statement

Question
To identify all of the contributing events within a transaction that contain at least one REJECT event, which syntax is correct?
A. index=main REJECT | transaction sessionid
B. index=main | transaction sessionid | search REJECT
C. index=main | transaction sessionid | where transaction=reject
D. index=main | transaction sessionid | where transaction="REJECT*"

Question
After manually editing a regular expression (regex), which of the following statements is true?
A. Changes made manually can be reverted in the Field Extractor (FX) UI.
B. It is no longer possible to edit the field extraction in the Field Extractor (FX) UI.
C. It is not possible to manually edit a regular expression (regex) that was created using the Field Extractor (FX) UI.
D. The Field Extractor (FX) UI keeps its own version of the field extraction in addition to the one that was manually edited.

Question
Which of the following statements describes POST workflow actions?
A. Configuration of a POST workflow action includes choosing a sourcetype.
B. POST workflow actions can be configured to send email to the URI location.
C. By default, POST workflow actions are shown in both the event and field menus.
D. POST workflow actions can be configured to send POST arguments to the URI location.

Question
Which of the following statements is true, especially in large environments?
A. Use the stats command when you need to group events by two or more fields.
B. The stats command is faster and more efficient than the transaction command.
C. The transaction command is faster and more efficient than the stats command.
D. Use the transaction command when you want to see the results of a calculation.