Question 1

Which of the following is a best practice when writing a search string?

Accepted Answer

A)  Include all formatting commands before any search terms. 
B)  Include at least one function as this is a search requirement. 
C)  Include the search terms at the beginning of the search string. 
D)  Avoid using formatting clauses, as they add too much overhead. 
A)  Include all formatting commands before any search terms. 
B)  Include at least one function as this is a search requirement. 
C)  Include the search terms at the beginning of the search string. 
D)  Avoid using formatting clauses, as they add too much overhead.

Question 2

When an alert action is configured to run a script, Splunk must be able to locate the script. Which is one of the directories Splunk will look in to find the script?

Accepted Answer

A)  $SPLUNK_HOME/bin/scripts 
B)  $SPLUNK_HOME/etc/scripts 
C)  $SPLUNK_HOME/bin/etc/scripts 
D)  $SPLUNK_HOME/etc/scripts/bin 
A)  $SPLUNK_HOME/bin/scripts 
B)  $SPLUNK_HOME/etc/scripts 
C)  $SPLUNK_HOME/bin/etc/scripts 
D)  $SPLUNK_HOME/etc/scripts/bin

Question 3

What is one benefit of creating dashboard panels from reports?

Accepted Answer

A)  Any newly created dashboard will include that report. 
B)  There are no benefits to creating dashboard panels from reports. 
C)  It makes the dashboard more efficient because it only has to run one search string. 
D)  Any change to the underlying report will affect every dashboard that utilizes that report. 
A)  Any newly created dashboard will include that report. 
B)  There are no benefits to creating dashboard panels from reports. 
C)  It makes the dashboard more efficient because it only has to run one search string. 
D)  Any change to the underlying report will affect every dashboard that utilizes that report.

Question 4

What is a quick, comprehensive way to learn what data is present in a Splunk deployment?

Accepted Answer

A)  Review Splunk reports 
B)  Run ./splunk show Run ./splunk show 
C)  Click Data Summary in Splunk Web 
D)  Search index=* sourcetype=* host=* Search index=* sourcetype=* host=* 
A)  Review Splunk reports 
B)  Run ./splunk show Run ./splunk show 
C)  Click Data Summary in Splunk Web 
D)  Search index=* sourcetype=* host=* Search index=* sourcetype=* host=*

Question 5

What kind of logs can Splunk Index?

Accepted Answer

A)  Only A, B 
B)  Router and Switch Logs 
C)  Firewall and Web Server Logs 
D)  Only C 
E)  Database logs
F) All firewall, web server, database, router and switch logs 
A)  Only A, B 
B)  Router and Switch Logs 
C)  Firewall and Web Server Logs 
D)  Only C 
E)  Database logs
F) All firewall, web server, database, router and switch logs

Question 6

When sorting on multiple fields with the sort command, what delimiter can be used between the field names in the search?

Accepted Answer

A)  | 
B)  $ 
C)  ! 
D)  , 
A)  | 
B)  $ 
C)  ! 
D)  ,

Question 7

When a Splunk search generates calculated data that appears in the Statistics tab, in what formats can the results be exported?

Accepted Answer

A)  CSV, JSON, PDF 
B)  CSV, XML, JSON 
C)  Raw Events, XML, JSON 
D)  Raw Events, CSV, XML, JSON 
A)  CSV, JSON, PDF 
B)  CSV, XML, JSON 
C)  Raw Events, XML, JSON 
D)  Raw Events, CSV, XML, JSON

Question 8

Machine data can be in structured and unstructured format.

Accepted Answer

A) True 
 B)False

Question 9

Keywords are highlighted when you mouse over search results and you can click this search result to (Choose three.):

Accepted Answer

A)  Open new search. 
B)  Exclude the item from search. 
C)  None of the above. 
D)  Add the item to search. 
A)  Open new search. 
B)  Exclude the item from search. 
C)  None of the above. 
D)  Add the item to search.

Question 10

Beginning parentheses is automatically highlighted to guide you on the presence of complimenting parentheses.

Accepted Answer

A)  No 
B)  Yes 
A)  No 
B)  Yes

Question 11

Which of the following is an option after clicking an item in search results?

Accepted Answer

A)  Saving the item to a report. 
B)  Adding the item to the search. 
C)  Adding the item to a dashboard. 
D)  Saving the Search to a JSON file. 
A)  Saving the item to a report. 
B)  Adding the item to the search. 
C)  Adding the item to a dashboard. 
D)  Saving the Search to a JSON file.

Question 12

When viewing the results of a search, what is an Interesting Field?

Accepted Answer

A)  A field that appears in any event. 
B)  A field that appears in every event. 
C)  A field that appears in the top 10 events. 
D)  A field that appears in at least 20% of the events. 
A)  A field that appears in any event. 
B)  A field that appears in every event. 
C)  A field that appears in the top 10 events. 
D)  A field that appears in at least 20% of the events.

Question 13

What is Search Assistant in Splunk?

Accepted Answer

A)  It is only available to Admins. 
B)  Such feature does not exist in Splunk. 
C)  Shows options to complete the search string. 
A)  It is only available to Admins. 
B)  Such feature does not exist in Splunk. 
C)  Shows options to complete the search string.

Question 14

Where does Licensing meter happen?

Accepted Answer

A)  Indexer 
B)  Parsing 
C)  Heavy Forwarder 
D)  Input 
A)  Indexer 
B)  Parsing 
C)  Heavy Forwarder 
D)  Input

Question 15

How can search results be kept longer than 7 days?

Accepted Answer

A)  By scheduling a report. 
B)  By creating a link to the job. 
C)  By changing the job settings. 
D)  By changing the time range picker to more than 7 days. 
A)  By scheduling a report. 
B)  By creating a link to the job. 
C)  By changing the job settings. 
D)  By changing the time range picker to more than 7 days.

Question 16

You are able to create new Index in Data Input settings.

Accepted Answer

A)  No 
B)  Yes 
A)  No 
B)  Yes

Question 17

In the Search and Reporting app, which tab displays timecharts and bar charts?

Accepted Answer

A)  Events 
B)  Patterns 
C)  Statistics 
D)  Visualization 
A)  Events 
B)  Patterns 
C)  Statistics 
D)  Visualization

Question 18

The default host name used in Inputs general settings can not be changed.

Accepted Answer

A) True 
 B)False

Question 19

Which of the following statements describes a search job?

Accepted Answer

A)  Once a search job begins, it cannot be stopped 
B)  A search job can only be paused when less than 50% of events are returned 
C)  A search job can only be stopped when less than 50% of events are returned 
D)  Once a search job begins, it can be stopped or paused at any point in time 
A)  Once a search job begins, it cannot be stopped 
B)  A search job can only be paused when less than 50% of events are returned 
C)  A search job can only be stopped when less than 50% of events are returned 
D)  Once a search job begins, it can be stopped or paused at any point in time

Question 20

Search Assistant is enabled by default in the SPL editor with compact settings.

Accepted Answer

A)  No 
B)  Yes 
A)  No 
B)  Yes

Which of the following is a best practice when writing a search string?

When an alert action is configured to run a script, Splunk must be able to locate the script. Which is one of the directories Splunk will look in to find the script?

What is one benefit of creating dashboard panels from reports?

What is a quick, comprehensive way to learn what data is present in a Splunk deployment?

What kind of logs can Splunk Index?

When sorting on multiple fields with the sort command, what delimiter can be used between the field names in the search?

When a Splunk search generates calculated data that appears in the Statistics tab, in what formats can the results be exported?

Machine data can be in structured and unstructured format.

Keywords are highlighted when you mouse over search results and you can click this search result to (Choose three.):

Beginning parentheses is automatically highlighted to guide you on the presence of complimenting parentheses.

Which of the following is an option after clicking an item in search results?

When viewing the results of a search, what is an Interesting Field?

What is Search Assistant in Splunk?

Where does Licensing meter happen?

How can search results be kept longer than 7 days?

You are able to create new Index in Data Input settings.

In the Search and Reporting app, which tab displays timecharts and bar charts?

The default host name used in Inputs general settings can not be changed.

Which of the following statements describes a search job?

Search Assistant is enabled by default in the SPL editor with compact settings.

Splunk Enterprise Certified Admin

Splunk Certified Developer

Splunk Enterprise Certified Architect

Splunk Enterprise Security Certified Admin

Splunk IT Service Intelligence Certified Admin

Splunk Core Certified Consultant

Filters

Exam 1: Splunk Core Certified User

Which of the following is a best practice when writing a search string?

When an alert action is configured to run a script, Splunk must be able to locate the script. Which is one of the directories Splunk will look in to find the script?

What is one benefit of creating dashboard panels from reports?

What is a quick, comprehensive way to learn what data is present in a Splunk deployment?

What kind of logs can Splunk Index?

When sorting on multiple fields with the sort command, what delimiter can be used between the field names in the search?

When a Splunk search generates calculated data that appears in the Statistics tab, in what formats can the results be exported?

Machine data can be in structured and unstructured format.

Keywords are highlighted when you mouse over search results and you can click this search result to (Choose three.):

Beginning parentheses is automatically highlighted to guide you on the presence of complimenting parentheses.

Which of the following is an option after clicking an item in search results?

When viewing the results of a search, what is an Interesting Field?

What is Search Assistant in Splunk?

Where does Licensing meter happen?

How can search results be kept longer than 7 days?

You are able to create new Index in Data Input settings.

In the Search and Reporting app, which tab displays timecharts and bar charts?

The default host name used in Inputs general settings can not be changed.

Which of the following statements describes a search job?

Search Assistant is enabled by default in the SPL editor with compact settings.

Splunk Enterprise Certified Admin

Splunk Certified Developer

Splunk Enterprise Certified Architect

Splunk Enterprise Security Certified Admin

Splunk IT Service Intelligence Certified Admin

Splunk Core Certified Consultant

Filters