SPLUNK CORE CERTIFIED POWER USER EXAM QUESTIONS AND ANSWERS
Which one of the following statements about the search command is true?
A. It does not allow the use of wildcards.
B. It treats field values in a case-sensitive manner.
C. It can only be used at the beginning of the search pipeline.
D. It behaves exactly like search strings before the first pipe.
Correct Answers - D. It behaves exactly like search strings before the first pipe.
Which are valid ways to create an event type? (Choose all that apply.)
A. By using the searchtypes command in the search bar.
B. By editing the event_type stanza in the props.conf file.
C. By going to the Settings menu and clicking Event Types > New.
D. By selecting an event in search results and clicking Event Actions > Build Event Type.
Correct Answers - C. By going to the Settings menu and clicking Event Types > New.
D. By selecting an event in search results and clicking Event Actions > Build Event Type.
Which command can include both an over and a by clause to divide results into subgroupings?
A. chart
B. stats
C. xyseries
D. transaction
Correct Answers - A. chart
When should you use the transaction command instead of the stats command?
A. When you need to group on multiple values.
B. When duration is irrelevant in search results.
C. When you have over 1000 events in a transaction.
D. When you need to group based on start and end constraints.
Correct Answers - D. When you need to group based on start and end constraints.
Which of the following actions can the eval command perform?
A. Remove fields from results.
B. Create or replace an existing field.
C. Group transactions by one or more fields.
D. Save SPL commands to be reused in other searches.
Correct Answers - B. Create or replace an existing field.
When can a pipe follow a macro?
A. A pipe may always follow a macro.
B. The current user must own the macro.
C. The macro must be defined in the current app.
D. Only when sharing is set to global for the macro.
Correct Answers - A. A pipe may always follow a macro.
Data models are composed of one or more of which of the following datasets? (Choose all that apply.)
A. Events datasets
B. Search datasets
C. Transaction datasets
D. Any child of event, transaction, and search datasets
Correct Answers - A. Events datasets
B. Search datasets
C. Transaction datasets
When using the Field Extractor (FX), which of the following delimiters will work? (Choose all that apply.)
A. Tabs
B. Pipes
C. Colons
D. Spaces
Correct Answers - A. Tabs
B. Pipes
D. Spaces
Which group of users would most likely use pivots?
A. Users
B. Architects
C. Administrators
D. Knowledge Managers
Correct Answers - A. Users
When multiple event types with different color values are assigned to the same event, what determines the color displayed for the event?
A. Rank
B. Weight
C. Priority
D. Precedence
Correct Answers - C. Priority
Based on the macro definition shown below, what is the correct way to execute the macro in a search string?
A. "convert_sales(euro,€,.79)"
B. 'convert_sales(euro,€,.79)'
C. "convert_sales($euro$,$€$,$.79$)"
D. 'convert_sales($euro$,$€$,$.79$)'
Correct Answers - B. 'convert_sales(euro,€,.79)'
`convert_sales(euro,€,0.79)`
There are several ways to access the field extractor. Which option automatically identifies the data type, source type, and sample event?
A. Event Actions > Extract Fields
B. Fields sidebar > Extract New Fields
C. Settings > Field Extractions > New Field Extraction
D. Settings > Field Extractions > Open Field Extractor
Correct Answers - A. Event Actions > Extract Fields
Which of the following statements would help a user choose between the transaction and stats commands?
A. stats can only group events using IP addresses.
B. The transaction command is faster and more efficient.
C. There is a 1000 event limitation with the transaction command.
D. Use stats when the events need to be viewed as a single correlated event.
Correct Answers - C. There is a 1000 event limitation with the transaction command.
By default, how is acceleration configured in the Splunk Common Information Model (CIM) add-on?
A. Turned off.
B. Turned on.
C. Determined automatically based on the sourcetype.
D. Determined automatically based on the data source.
Correct Answers - A. Turned off.