Question 1

What other syntax will produce exactly the same results as | chart count over vendor_action by user ?

Accepted Answer

Question 2

Which of the following knowledge objects represents the output of an eval expression?

Accepted Answer

A)  Eval fields 
B)  Calculated fields 
C)  Field extractions 
D)  Calculated lookups 
A)  Eval fields 
B)  Calculated fields 
C)  Field extractions 
D)  Calculated lookups

Question 3

Which of the following searches show a valid use of a macro? (Choose all that apply.)

Accepted Answer

A)  index=main source=mySource oldField=* |'makeMyField(oldField)'| table _time newField 
B)  index=main source=mySource oldField=* | stats if('makeMyField(oldField)') | table _time newField 
C)  index=main source=mySource oldField=* | eval newField='makeMyField(oldField)'| table _time newField 
D)  index=main source=mySource oldField=* | "'newField('makeMyField(oldField)')'" | table _time newField 
A)  index=main source=mySource oldField=* |'makeMyField(oldField)'| table _time newField 
B)  index=main source=mySource oldField=* | stats if('makeMyField(oldField)') | table _time newField 
C)  index=main source=mySource oldField=* | eval newField='makeMyField(oldField)'| table _time newField 
D)  index=main source=mySource oldField=* | "'newField('makeMyField(oldField)')'" | table _time newField

Question 4

Which of the following statements describe the command below? (Choose all that apply.) sourcetype=access_combined | transaction JSESSIONID

Accepted Answer

A)  An additional field named maxspan is created. An additional field named maxspan is created. 
B)  An additional field named duration is created. duration 
C)  An additional field named eventcount is created. eventcount 
D)  Events with the same JSESSIONID will be grouped together into a single event. 
A)  An additional field named maxspan is created. An additional field named maxspan is created. 
B)  An additional field named duration is created. duration 
C)  An additional field named eventcount is created. eventcount 
D)  Events with the same JSESSIONID will be grouped together into a single event.

Question 5

If no value is specified with the fillnull command, what default value will be used?

Accepted Answer

A)  0 
B)  N/A 
C)  - 
D)  NULL 
A)  0 
B)  N/A 
C)  - 
D)  NULL

Question 6

What is the relationship between data models and pivots?

Accepted Answer

A)  Data models provide the datasets for pivots. 
B)  Pivots and data models have no relationship. 
C)  Pivots and data models are the same thing. 
D)  Pivots provide the datasets for data models. 
A)  Data models provide the datasets for pivots. 
B)  Pivots and data models have no relationship. 
C)  Pivots and data models are the same thing. 
D)  Pivots provide the datasets for data models.

Question 7

In most large Splunk environments, what is the most efficient command that can be used to group events by fields?

Accepted Answer

A)  join 
B)  stats 
C)  streamstats 
D)  transaction 
A)  join 
B)  stats 
C)  streamstats 
D)  transaction

Question 8

Which type of visualization shows relationships between discrete values in three dimensions?

Accepted Answer

A)  Pie chart 
B)  Line chart 
C)  Bubble chart 
D)  Scatter chart 
A)  Pie chart 
B)  Line chart 
C)  Bubble chart 
D)  Scatter chart

Question 9

What are the two parts of a root event dataset?

Accepted Answer

A)  Fields and variables. 
B)  Fields and attributes. 
C)  Constraints and fields. 
D)  Constraints and lookups. 
A)  Fields and variables. 
B)  Fields and attributes. 
C)  Constraints and fields. 
D)  Constraints and lookups.

Question 10

Which of the following statements describe data model acceleration? (Choose all that apply.)

Accepted Answer

A)  Root events cannot be accelerated. 
B)  Accelerated data models cannot be edited. 
C)  Private data models cannot be accelerated. 
D)  You must have administrative permissions or the accelerate_datamodel capability to accelerate a data model. You must have administrative permissions or the accelerate_datamodel capability to accelerate a data model. 
A)  Root events cannot be accelerated. 
B)  Accelerated data models cannot be edited. 
C)  Private data models cannot be accelerated. 
D)  You must have administrative permissions or the accelerate_datamodel capability to accelerate a data model. You must have administrative permissions or the accelerate_datamodel capability to accelerate a data model.

Question 11

When using the transaction command, what does the argument maxspan do?

Accepted Answer

A)  Sets the maximum total time between events in a transaction. 
B)  Sets the maximum length of all the events within a transaction. 
C)  Sets the maximum total time between the earliest and latest events in a transaction. 
D)  Sets the maximum length that any single event can reach to be included in the transaction. 
A)  Sets the maximum total time between events in a transaction. 
B)  Sets the maximum length of all the events within a transaction. 
C)  Sets the maximum total time between the earliest and latest events in a transaction. 
D)  Sets the maximum length that any single event can reach to be included in the transaction.

Question 12

A user wants to convert numeric field values to strings and also to sort on those values. Which command should be used first, the eval or the sort ?

Accepted Answer

A)  It doesn't matter whether eval or sort is used first. It doesn't matter whether or is used first. 
B)  Convert the numeric to a string with eval first, then sort . Convert the numeric to a string with first, then . 
C)  Use sort first, then convert the numeric to a string with eval . Use first, then convert the numeric to a string with 
D)  You cannot use the sort command and the eval command on the same field. You cannot use the command and the command on the same field. 
A)  It doesn't matter whether eval or sort is used first. It doesn't matter whether or is used first. 
B)  Convert the numeric to a string with eval first, then sort . Convert the numeric to a string with first, then . 
C)  Use sort first, then convert the numeric to a string with eval . Use first, then convert the numeric to a string with 
D)  You cannot use the sort command and the eval command on the same field. You cannot use the command and the command on the same field.

Question 13

What does the fillnull command replace null values with, if the value argument is not specified?

Accepted Answer

A)  0 
B)  N/A 
C)  NaN 
D)  NULL 
A)  0 
B)  N/A 
C)  NaN 
D)  NULL

Question 14

Which workflow action method can be used when the action type is set to link?

Accepted Answer

A)  GET 
B)  PUT 
C)  Search 
D)  UPDATE 
A)  GET 
B)  PUT 
C)  Search 
D)  UPDATE

Question 15

When using the Field Extractor (FX), which of the following delimiters will work? (Choose all that apply.)

Accepted Answer

A)  Tabs 
B)  Pipes 
C)  Colons 
D)  Spaces 
A)  Tabs 
B)  Pipes 
C)  Colons 
D)  Spaces

Question 16

Which of the following statements describe calculated fields? (Choose all that apply.)

Accepted Answer

A)  Calculated fields can be used in the search bar. 
B)  Calculated fields can be based on an extracted field. 
C)  Calculated fields can only be applied to host and sourcetype. 
D)  Calculated fields are shortcuts for performing calculations using the eval command. Calculated fields are shortcuts for performing calculations using the eval command. 
A)  Calculated fields can be used in the search bar. 
B)  Calculated fields can be based on an extracted field. 
C)  Calculated fields can only be applied to host and sourcetype. 
D)  Calculated fields are shortcuts for performing calculations using the eval command. Calculated fields are shortcuts for performing calculations using the eval command.

Question 17

Which of the following statements would help a user choose between the transaction and stats commands?

Accepted Answer

A)  stats can only group events using IP addresses. can only group events using IP addresses. 
B)  The transaction command is faster and more efficient. The command is faster and more efficient. 
C)  There is a 1000 event limitation with the transaction command. There is a 1000 event limitation with the command. 
D)  Use stats when the events need to be viewed as a single correlated event. Use when the events need to be viewed as a single correlated event. 
A)  stats can only group events using IP addresses. can only group events using IP addresses. 
B)  The transaction command is faster and more efficient. The command is faster and more efficient. 
C)  There is a 1000 event limitation with the transaction command. There is a 1000 event limitation with the command. 
D)  Use stats when the events need to be viewed as a single correlated event. Use when the events need to be viewed as a single correlated event.

Question 18

What information must be included when using the datamodel command?

Accepted Answer

A)  status field status field 
B)  Multiple indexes 
C)  Data model field name. 
D)  Data model dataset name. 
A)  status field status field 
B)  Multiple indexes 
C)  Data model field name. 
D)  Data model dataset name.

Question 19

There are several ways to access the field extractor. Which option automatically identifies the data type, source type, and sample event?

Accepted Answer

A)  Event Actions > Extract Fields 
B)  Fields sidebar > Extract New Fields 
C)  Settings > Field Extractions > New Field Extraction 
D)  Settings > Field Extractions > Open Field Extractor 
A)  Event Actions > Extract Fields 
B)  Fields sidebar > Extract New Fields 
C)  Settings > Field Extractions > New Field Extraction 
D)  Settings > Field Extractions > Open Field Extractor

Question 20

Which of the following statements describes POST workflow actions?

Accepted Answer

A)  Configuration of a POST workflow action includes choosing a sourcetype. 
B)  POST workflow actions can be configured to send email to the URI location. 
C)  By default, POST workflow actions are shown in both the event and field menus. 
D)  POST workflow actions can be configured to send POST arguments to the URI location. 
A)  Configuration of a POST workflow action includes choosing a sourcetype. 
B)  POST workflow actions can be configured to send email to the URI location. 
C)  By default, POST workflow actions are shown in both the event and field menus. 
D)  POST workflow actions can be configured to send POST arguments to the URI location.

What other syntax will produce exactly the same results as | chart count over vendor_action by user ?

Which of the following knowledge objects represents the output of an eval expression?

Which of the following searches show a valid use of a macro? (Choose all that apply.)

Which of the following statements describe the command below? (Choose all that apply.) sourcetype=access_combined | transaction JSESSIONID

If no value is specified with the fillnull command, what default value will be used?

What is the relationship between data models and pivots?

In most large Splunk environments, what is the most efficient command that can be used to group events by fields?

Which type of visualization shows relationships between discrete values in three dimensions?

What are the two parts of a root event dataset?

Which of the following statements describe data model acceleration? (Choose all that apply.)

When using the transaction command, what does the argument maxspan do?

A user wants to convert numeric field values to strings and also to sort on those values. Which command should be used first, the eval or the sort ?

What does the fillnull command replace null values with, if the value argument is not specified?

Which workflow action method can be used when the action type is set to link?

When using the Field Extractor (FX), which of the following delimiters will work? (Choose all that apply.)

Which of the following statements describe calculated fields? (Choose all that apply.)

Which of the following statements would help a user choose between the transaction and stats commands?

What information must be included when using the datamodel command?

There are several ways to access the field extractor. Which option automatically identifies the data type, source type, and sample event?

Which of the following statements describes POST workflow actions?

Splunk Core Certified User

Splunk Certified Developer

Splunk Enterprise Certified Architect

Splunk Enterprise Security Certified Admin

Splunk IT Service Intelligence Certified Admin

Splunk Core Certified Consultant

Filters

Exam 2: Splunk Enterprise Certified Admin

What other syntax will produce exactly the same results as | chart count over vendor_action by user ?

Which of the following knowledge objects represents the output of an eval expression?

Which of the following searches show a valid use of a macro? (Choose all that apply.)

Which of the following statements describe the command below? (Choose all that apply.) sourcetype=access_combined | transaction JSESSIONID

If no value is specified with the fillnull command, what default value will be used?

What is the relationship between data models and pivots?

In most large Splunk environments, what is the most efficient command that can be used to group events by fields?

Which type of visualization shows relationships between discrete values in three dimensions?

What are the two parts of a root event dataset?

Which of the following statements describe data model acceleration? (Choose all that apply.)

When using the transaction command, what does the argument maxspan do?

A user wants to convert numeric field values to strings and also to sort on those values. Which command should be used first, the eval or the sort ?

What does the fillnull command replace null values with, if the value argument is not specified?

Which workflow action method can be used when the action type is set to link?

When using the Field Extractor (FX), which of the following delimiters will work? (Choose all that apply.)

Which of the following statements describe calculated fields? (Choose all that apply.)

Which of the following statements would help a user choose between the transaction and stats commands?

What information must be included when using the datamodel command?

There are several ways to access the field extractor. Which option automatically identifies the data type, source type, and sample event?

Which of the following statements describes POST workflow actions?

Splunk Core Certified User

Splunk Certified Developer

Splunk Enterprise Certified Architect

Splunk Enterprise Security Certified Admin

Splunk IT Service Intelligence Certified Admin

Splunk Core Certified Consultant

Filters