SPLUNK EXAM 2 QUESTIONS AND ANSWERS
Which of the following statements about tags are true? (Select all that apply). - Correct Answers -Tags are based on field/value pairs.
Tags are designed to make data more understandable.
When using the timechart command, how can a user group the events into buckets based on time? - Correct Answers -
Which are valid ways to create an event type? (Select all that apply). - Correct Answers -By going to the Settings menu and clicking Event types > New
By selecting an event in search results and clicking Event Actions > Build Event Type
Which of the following statements describe macros? - Correct Answers -A macro is a reusable search string that must contain only a portion of a search.
A user wants to create a new field alias for a field that appears in two sourcetypes. How many field aliases need to be created? - Correct Answers -Two
When creating a search workflow action, which field is required? - Correct Answers -Search string.
What is a limitation of searches generated by workflow actions? - Correct Answers -Searches generated by workflow actions run with the same permissions as the user running them.
What does the transaction command do? - Correct Answers -Groups a set of transactions based on time.
When performing a regular expression (regex) field extraction using the Field Extractor (FX), what happens when the require option is used? - Correct Answers -Only events which contain the required string will be included in the extraction.
Which of the following is accurate about building a visualization? - Correct Answers -There is a wide variety of visualization types (e.g. static table, line table, pie chart, etc.).
Which of the following statements describe the command below? (Select all that apply)
sourcetype=access_combined | transaction JSESSIONID - Correct Answers -An additional field named duration is created.
An additional field named eventcount is created.
Events with the same JSESSIONID will be grouped together into a single event.
Information needed to create a GET workflow action includes which of the following? (Select all that apply). - Correct Answers -A URL where the user will be directed at search time.
A label that will appear in the Event Actions menu at search time.
What other syntax will produce exactly the same results as | chart count over vendor_action by user? - Correct Answers -chart count by vendor_action, user
Which of the following statements describes POST workflow actions? - Correct Answers -POST workflow actions can be configured to send POST arguments to the URI location.
Which delimiters can the Field Extractor (FX) detect? (Select all that apply). - Correct Answers -Tabs
Pipes
Spaces
Commas
In what order are the following knowledge objects/configurations applied? - Correct Answers -Field Extractions, Field Aliases, Lookups
When is a GET workflow action needed? - Correct Answers -To send field values to an external resource.
Which of the following can be used with the eval command tostring function? (Select all that apply) - Correct Answers -"hex"
"commas"
"duration"
What information must be included when using the datamodel command? - Correct Answers -Data model dataset name
Data model fields can be added using the Auto-Extracted method. Which of the following statements describe Auto-Extracted fields? - Correct Answers -Auto-Extracted fields can be given a friendly name for use in Pivot.
What is the correct syntax to search for a tag associated with a value on a specific field? - Correct Answers -tag::<field>=<tagname>