Splunk - Core Power User Exam - DUMP | 2024 questions & answers
1. When performing a regular expression (regex) field extraction using the Field Extractor (FX), what happens when the require option is used?
   A. The regex can no longer be edited.
   B. The field being extracted will be required for all future events.
   C. The events without the required field will not display in searches.
   D. Only events with the required string will be included in the extraction.

2. Which of the following statements describe data model acceleration? (select all that apply)
   A. Root events cannot be accelerated.
   B. Accelerated data models cannot be edited.
   C. Private data models cannot be accelerated.
   D. You must have administrative permissions or the accelerate_datamodel capability to accelerate a data model.
ANSWER: BCD

3. Which of the following are required to create a POST workflow action?
   A. Label, URI, search string.
   B. XML attributes, URI, name.
   C. Label, URI, post arguments.
   D. URI, search string, time range picker.

4. In which of the following scenarios is an event type more effective than a saved search?
   A. When a search should always include the same time range.
   B. When a search needs to be added to other users' dashboards.
   C. When the search string needs to be used in future searches.
   D. When formatting needs to be included with the search string.
ANSWER: D

5. What does the following search do?
   index=corndog type=mysterymeat action=eaten | stats count as corndog_count by user
   A. Creates a table of the total count of users and split by corndogs.
   B. Creates a table of the total count of mysterymeat corndogs split by user.
   C. Creates a table with the count of all types of corndogs eaten split by user.
   D. Creates a table that groups the total number of users by vegetarian corndogs.

6. What does the Splunk Common Information Model (CIM) add-on include? (select all that apply)
   A. Custom visualizations
   B. Pre-configured data models
   C. Fields and event category tags
   D. Automatic data model acceleration

7. The Field Extractor (FX) is used to extract a custom field. A report can be created using this custom field. The created report can then be shared with other people in the organization. If another person in the organization runs the shared report and no results are returned, why might this be? (select all that apply)
   A. Fast mode is enabled.
   B. The dashboard is private.
   C. The extraction is private.
   D. The person in the organization running the report does not have access to the index.
ANSWER: CD

8. Selected fields are displayed ______ each event in the search results.
   A. below
   B. interesting fields
   C. other fields
   D. above

9. How does a user display a chart in stack mode?
   A. By using the stack command.
   B. By turning on the Use Trellis Layout option.
   C. By changing Stack Mode in the Format menu.
   D. You cannot display a chart in stack mode, only a timechart.
ANSWER: C

10. Which of the following is the correct way to use the datamodel command to search fields in the data model within the web dataset?
   A. | datamodel web search | fields web*
   B. | search datamodel web web | fields web*
   C. | datamodel web web field | search web*
   D. datamodel=web | search web | fields web*
ANSWER: A

11. Which of the following statements describes macros?
   A. A macro is a reusable search string that must contain the full search.
   B. A macro is a reusable search string that must have a fixed time range.
   C. A macro is a reusable search string that may have a flexible time range.
   D. A macro is a reusable search string that must contain only a portion of the search.

12. A user wants to convert field values to strings and also to sort on those values. Which command should be used first, the eval or the sort?
   A. It doesn't matter whether eval or sort is used first.
   B. Convert the numeric to a string with eval first, then sort.
   C. Use sort first, then convert the numeric to a string with eval.
   D. You cannot use the sort command and the eval command on the same field.
ANSWER: B

13. Which of the following statements about macros is true? (select all that apply)
   A. Arguments are defined at execution time.
   B. Arguments are defined when the macro is created.
   C. Argument values are used to resolve the search string at execution time.
   D. Argument values are used to resolve the search string when the macro is created.

14. To identify all of the contributing events within a transaction that contains at least one REJECT event, which syntax is correct?
   A. index=main | REJECT trans sessionid
   B. index=main | transaction sessionid | search REJECT
   C. index=main | transaction sessionid | whose transaction=reject
   D. index=main | transaction sessionid | where transaction=reject

15. Which of the following knowledge objects represents the output of an eval expression?
   A. Eval fields
   B. Calculated fields
   C. Field extractions
   D. Calculated lookups

16. Which of the following statements about data models and pivot are true? (select all that apply)
   A. They are both knowledge objects.
   B. Data models are created out of datasets called pivots.
   C. Pivot requires users to input SPL searches on data models.
   D. Pivot allows the creation of data visualizations that present different aspects of a data model.

17. Which of the following describes the Splunk Common Information Model (CIM) add-on?
   A. The CIM add-on uses machine learning to normalize data.
   B. The CIM add-on contains dashboards that show how to map data.
   C. The CIM add-on contains data models to help you normalize data.
   D. The CIM add-on is automatically installed in a Splunk environment.

18. What is the relationship between data models and pivots?
   A. Data models provide the datasets for pivots.
   B. Pivots and data models have no relationship.
   C. Pivots and data models are the same thing.
   D. Pivots provide the datasets for data models.
ANSWER: A

19. Which of the following workflow actions can be executed from search results? (select all that apply)
   A. GET
   B. POST
   C. LOOKUP
   D. Search

20. What functionality does the Splunk Common Information Model (CIM) rely on to normalize fields with different names?
   A. Macros
   B. Field Aliases
   C. The rename command
   D. CIM does not work with different names for the same field

21. Which of the following statements about tags is true?
   A. Tags are case insensitive.
   B. Tags are created at index time.
   C. Tags can make your data more understandable.
   D. Tags are searched by using the syntax tag::<fieldname>

22. Which of the following statements about event types is true? (select all that apply)
   A. Event types can be tagged.
   B. Event types must include a time range.
   C. Event types categorize events based on a search.
   D. Event types can be a useful method for capturing and sharing knowledge.

23. A field alias has been created based on an original field. A search without any transforming commands is then executed in Smart Mode. Which field name appears in the results?
   A. Both will appear in the All Fields list, but only if the alias is specified in the search.
   B. Both will appear in the Interesting Fields list, but only if they appear in at least 20 percent of events.
   C. The original field only appears in the All Fields list and the alias only appears in the Interesting Fields list.
   D. The alias only appears in the All Fields list and the original field only appears in the Interesting Fields list.

24. When using the Field Extractor (FX), which of the following delimiters will work? (select all that apply)
   A. Tabs
   B. Pipes
   C. Colons
   D. Spaces
ANSWER: ABD

25. Which of the following eval command functions is valid?
   A. Int()
   B. Count()
   C. Print()
   D. Tostring()
ANSWER: D

26. Which are valid ways to create an event type? (select all that apply)
   A. By using the searchtypes command in the search bar.
   B. By editing the event_type stanza in the file.
   C. By going to the Settings menu and clicking Event Types > New.
   D. By selecting an event in search results and clicking Event Actions > Build Event Type.
ANSWER: CD

27. A calculated field may be based on which of the following?
   A. Lookup tables
   B. Extracted fields
   C. Regular expressions
   D. Fields generated within a search string
ANSWER: B

28. Data models are composed of one or more of which of the following datasets? (select all that apply)
   A. Events datasets
   B. Search datasets
   C. Transaction datasets
   D. Any child of event, transaction, and search datasets
ANSWER: ABC

29. What is required for a macro to accept three arguments?
   A. The macro's name ends with (3).
   B. The macro's name starts with (3).
   C. The macro's argument count setting is 3 or more.
   D. Nothing, all macros can accept any number of arguments.
ANSWER: A

30. If a search returns ____________ it can be viewed as a chart.
   A. timestamps
   B. statistics
   C. events
   D. keywords
ANSWER: B

31. When should transaction be used?
   A. Only in a large distributed Splunk environment.
   B. When calculating results from one or more fields.
   C. When event grouping is based on start/end values.
   D. When grouping events results in over 1000 events in each group.
ANSWER: C (book says D; verified)

32. When a search returns __________, you can view the results as a list.
   A. a list of events
   B. transactions
   C. statistical values
ANSWER: C

33. Highlighted search terms indicate _________ search results in Splunk.
   A. Display as selected fields.
   B. Sorted
   C. Charted based on time
   D. Matching
ANSWER: D

34. Which statement is true?
   A. Pivot is used for creating datasets.
   B. Data models are randomly structured datasets.
   C. Pivot is used for creating reports and dashboards.
   D. In most cases, each Splunk user will create their own data model.
ANSWER: C

35. This role is required to install the CIM Add-on.
   A. ADMIN
   B. POWER
   C. USER
ANSWER: A

36. The timechart command buckets data in time intervals depending on:
   A. the number of events returned
   B. the selected time range
   C. the type of visualization selected
ANSWER: B

37. In most large Splunk environments, what is the most efficient command that can be used to group events by fields?
   A. join
   B. stats
   C. streamstats
   D. transaction
ANSWER: B

38. This is what Splunk uses to categorize the data that is being indexed.
   A. Host
   B. Sourcetype
   C. Index
   D. Source
ANSWER: B

39. Field aliases are used to __________ data.
   A. clean
   B. transform
   C. calculate
   D. normalize
ANSWER: D

40. These allow you to categorize events based on search terms.
   A. Groups
   B. Event Types
   C. Macros
   D. Tags
ANSWER: B

41. A report scheduled to run every 15 mins. but takes 17 mins. to complete is in danger of being _____.
   A. skipped or deferred
   B. automatically accelerated
   C. deleted
   D. all of the above
ANSWER: A

42. When using the transaction command, what does the argument maxspan do?
   A. Sets the maximum total time between events in a transaction.
   B. Sets the maximum length of all events within a transaction.
   C. Sets the maximum total time between the earliest and latest events in a transaction.
   D. Sets the maximum length that any single event can reach to be included in the transaction.
ANSWER: B

43. The gauge command:
   A. creates a single-value visualization
   B. allows you to set colored ranges for a single-value visualization
   C. creates a radial gauge visualization
ANSWER: B

44. Which search would limit an "alert" tag to the "host" field?
   A. tag=alert
   B. host::tag::alert
   C. tag==alert
   D. tag::host=alert
ANSWER: D

45. Which of the following search controls will not re-run the search? (Select all that apply.)
   A. zoom out
   B. selecting a bar on the timeline
   C. deselect
   D. selecting a range of bars on the timeline
ANSWER: BCD

46. Which of the following statements would help a user choose between the transaction and stats commands?
   A. stats can only group events using IP addresses.
   B. The transaction command is faster and more efficient.
   C. There is a 1000 event limitation with the transaction command.
   D. Use stats when the events need to be viewed as a single event.
ANSWER: C

47. The Splunk CIM Add-on includes data models in a __________ format.
   A. MySQL
   B. XML
   C. JSON
ANSWER: C

48. In this search, __________ will appear on the y-axis.
   SEARCH: sourcetype=access_combined status!=200 | chart count over host
   A. status
   B. host
   C. count
ANSWER: C

49. The stats command will create a _____________ by default.
   A. Table
   B. Report
   C. Pie chart
ANSWER: A

50. This clause is used to group the output of a stats command by a specific name.
   A. Rex
   B. As
   C. List
   D. By
ANSWER: B

51. There are several ways to access the field extractor. Which option automatically identifies data type, source type, and sample event?
   A. Event Actions > Extract Fields
   B. Fields sidebar > Extract New Field
   C. Settings > Field Extractions > New Field Extraction
   D. Settings > Field Extractions > Open Field Extraction
ANSWER: B

52. Which workflow action method can be used when the action type is set to link?
   A. GET
   B. PUT
   C. Search
   D. UPDATE
ANSWER: A

53. The fields sidebar does not show ________. (Select all that apply.)
   A. interesting fields
   B. selected fields
   C. all extracted fields
ANSWER: C

54. Which of these search strings is NOT valid?
   A. index=web status=50* | chart count over host, status
   B. index=web status=50* | chart count over host by status
   C. index=web status=5-* | chart count by host, status
ANSWER: B

55. Use this command to use lookup fields in a search and see the lookup fields in the fields sidebar.
   A. inputlookup
   B. lookup
ANSWER: B

56. By default, how is acceleration configured in the Splunk Common Information Model (CIM) add-on?
   A. Turned off
   B. Turned on
   C. Determined automatically based on the sourcetype.
   D. Determined automatically based on the data source
ANSWER: D

57. Which of the following are valid options to speed up reports? (Select all that apply.)
   A. Edit permissions
   B. Edit description
   C. Edit acceleration
   D. Edit schedule
ANSWER: C

58. The eval command 'if' function requires the following three arguments (in order):
   A. Boolean expression, result if true, result if false
   B. Result if true, result if false, boolean expression
   C. Result if false, result if true, boolean expression
   D. Boolean expression, result if false, result if true
ANSWER: A

59. Which knowledge object does the Splunk Common Information Model (CIM) use to normalize data, in addition to field aliases, event types, and tags?
   A. Macros
   B. Lookups
   C. Workflow actions
   D. Field extractions
ANSWER: B

60. The transaction command allows you to __________ events across multiple sources.
   A. duplicate
   B. correlate
   C. persist
   D. tag
ANSWER: B

61. Using the export function, you can export search results as __________. (Select all that apply.)
   A. XML
   B. JSON
   C. HTML
   D. A PHP file
ANSWER: AB

62. What is a limitation of searches generated by workflow actions?
   A. Searches generated by workflow actions cannot use macros.
   B. Searches generated by workflow actions must be less than 256 characters long.
   C. Searches generated by workflow actions must run in the same app as the workflow action.
   D. Searches generated by workflow actions run with the same permissions as the user running them.
ANSWER: D

63. This is what Splunk uses to categorize the data that is being indexed.
   A. Sourcetype
   B. Index
   C. Source
   D. Host
ANSWER: A

64. Which of the following statements are true for this search? (Select all that apply.)
   SEARCH: sourcetype=access* | fields action productId status
   A. It is looking for all events that include the search terms: fields AND action AND productId AND status
   B. It uses the table command to improve performance
   C. It limits the fields that are extracted
   D. It returns a table with 3 columns
ANSWER: CD

65. What other syntax will produce exactly the same results as | chart count over vendor_action by user?
   A. | chart count by vendor_action, user
   B. | chart count over vendor_action, user
   C. | chart count by vendor_action over user
   D. | chart count over user by vendor_action
ANSWER: C

66. Which of the following statements about tags is true? (select all that apply)
   A. Tags are case-insensitive.
   B. Tags are based on field/value pairs.
   C. Tags categorize events based on a search.
   D. Tags are designed to make data more understandable.
ANSWER: BD

67. During the validation step of the Field Extractor workflow:
   A. You can remove values that aren't a match for the field you want to define
   B. You can validate where the data originated from
   C. You cannot modify the field extraction
ANSWER: A

68. Splunk alerts can be based on searches that run ______. (Select all that apply.)
   A. in real-time
   B. on a regular schedule
   C. and have no matching events
ANSWER: AB

69. This function of the stats command allows you to return the sample standard deviation of a field.
   A. stdev
   B. dev
   C. count deviation
   D. by standarddev
ANSWER: A

70. This function of the stats command allows you to return the middle-most value of field X.
   A. Median(X)
   B. Eval by X
   C. Fields(X)
   D. Values(X)
ANSWER: A

71. The limit attribute will ___________.
   A. override default of 10
   B. only work with top command
   C. override default of 20
   D. override default of 15
ANSWER: A

72. These users can create global knowledge objects. (Select all that apply.)
   A. users
   B. power users
   C. administrators
ANSWER: BC

73. When using a split series on a chart, the series MUST be displayed using the STACKED option.
   A. True
   B. False
ANSWER: B

74. It is mandatory for the lookup file to have this for an automatic lookup to work.
   A. Source type
   B. At least five columns
   C. Timestamp
   D. Input field
ANSWER: D

75. When using | timechart by host, which field is represented on the x-axis?
   A. date
   B. host
   C. time
   D. _time
ANSWER: A

76. When can a pipe follow a macro?
   A. A pipe may always follow a macro.
   B. The current user must own the macro.
   C. The macro must be defined in the current app.
   D. Only when sharing is set to global for the macro.
ANSWER: A

77. Clicking a SEGMENT on a chart ________.
   A. drills down for that value
   B. highlights the field value across the chart
   C. adds the highlighted value to the search criteria
ANSWER: C

78. Complete the search: .... | _____ failure>successes
   A. Search
   B. Where
   C. If
   D. Any of the above
ANSWER: B

79. Which of the following statements describes the use of the Field Extractor (FX)?
   A. The Field Extractor automatically extracts all fields at search time.
   B. The Field Extractor uses PERL to extract fields from the raw events.
   C. Fields extracted using the Field Extractor persist as knowledge objects.
   D. Fields extracted using the Field Extractor do not persist and must be defined for each search.
ANSWER: C

80. Which of the following searches would create a graph similar to the one below? [Graph not reproduced; it looks like a timechart graph.]
   A. index=_internal sourcetype=Savesplunker | fields sourcetype, status | transaction status maxspan-id | start count states
   B. index=_internal sourcetype=Savesplunker | fields sourcetype, status | transaction status maxspan-id | chart count states by _time
   C. index=_internal sourcetype=Savesplunker | fields sourcetype, status | transaction status maxspan-id | timechart count by status
   D. None of these searches would generate a similar graph.
ANSWER: C

81. Which of the following commands will show the maximum bytes?
   A. sourcetype=access_* | maximum totals by bytes
   B. sourcetype=access_* | avg(bytes)
   C. sourcetype=access_* | stats max(bytes)
   D. sourcetype=access_* | max(bytes)
ANSWER: C

82. In the Field Extractor Utility, this button will display events that do not contain extracted fields.
   A. Selected-Fields
   B. Non-Matches
   C. Non-Extractions
   D. Matches
ANSWER: B

83. Which of the following are valid options with the chart command?
   A. useother
   B. usenull
   C. fillfield
   D. usefield
ANSWER: AB

84. We can use the rename command to _____. (Select all that apply.)
   A. Change indexed fields
   B. Exclude fields from our search results
   C. Extract new fields from our data using regular expressions
   D. Give a field a new name at search time
ANSWER: D

85. Which of the following search modes automatically returns all extracted fields in the fields sidebar?
   A. Fast
   B. Smart
   C. Verbose
ANSWER: C

86. When you mouse over and click to add a search term, this (these) Boolean operator(s) is (are) not implied. (Select all that apply.)
   A. OR
   B. ( )
   C. AND
   D. NOT
ANSWER: B

87. When using a field value variable with a Workflow Action, which punctuation mark will escape the data?
   A. *
   B. !
   C. ^
   D. #
ANSWER: B

88. Which of the following are valid options with the chart command? (select all that apply)
   A. usenull=f
   B. useother=f
   C. split=t
   D. transaction=t
Document information
- Written for: Splunk - Core Power User (institution and course)
- Uploaded on: January 18, 2024
- Number of pages: 15
- Written in: 2023/2024
- Type: Exam (elaborations)
- Contains: Questions & answers