Question 1

When using timechart , how many fields can be listed after a by clause?

Accepted Answer

A)  0, because timechart doesn't support using a by clause. 
B)  1, because _time is already implied as the x-axis. 
C)  2, because one field would represent the x-axis and the other would represent the y-axis. 
D)  There is no limit specific to timechart. 
A)  0, because timechart doesn't support using a by clause. 
B)  1, because _time is already implied as the x-axis. 
C)  2, because one field would represent the x-axis and the other would represent the y-axis. 
D)  There is no limit specific to timechart.

Question 2

Which of the following statements describe the search below? (Choose all that apply.) index=main | transaction clientip host maxspan=30s maxpause=5s

Accepted Answer

A)  Events in the transaction occurred within 5 seconds. 
B)  It groups events that share the same clientip and host. 
C)  The first and last events are no more than 5 seconds apart. 
D)  The first and last events are no more than 30 seconds apart 
A)  Events in the transaction occurred within 5 seconds. 
B)  It groups events that share the same clientip and host. 
C)  The first and last events are no more than 5 seconds apart. 
D)  The first and last events are no more than 30 seconds apart

Question 3

Calculated fields can be based on which of the following?

Accepted Answer

A)  Tags 
B)  Extracted fields 
C)  Output fields for a lookup 
D)  Fields generated from a search string 
A)  Tags 
B)  Extracted fields 
C)  Output fields for a lookup 
D)  Fields generated from a search string

Question 4

When can a pipe follow a macro?

Accepted Answer

A)  A pipe may always follow a macro. 
B)  The current user must own the macro. 
C)  The macro must be defined in the current app. 
D)  Only when sharing is set to global for the macro. 
A)  A pipe may always follow a macro. 
B)  The current user must own the macro. 
C)  The macro must be defined in the current app. 
D)  Only when sharing is set to global for the macro.

Question 5

Information needed to create a GET workflow action includes which of the following? (Choose all that apply.)

Accepted Answer

A)  A name for the workflow action. 
B)  A URI where the user will be directed at search time. 
C)  A label that will appear in the Event Action menu at search time. 
D)  A name for the URI where the user will be directed at search time. 
A)  A name for the workflow action. 
B)  A URI where the user will be directed at search time. 
C)  A label that will appear in the Event Action menu at search time. 
D)  A name for the URI where the user will be directed at search time.

Question 6

What do events in a transaction have in common?

Accepted Answer

A)  All events in a transaction must have the same timestamp. 
B)  All events in a transaction must have the same sourcetype. 
C)  All events in a transaction must have the exact same set of fields. 
D)  All events in a transaction must be related by one or more fields. 
A)  All events in a transaction must have the same timestamp. 
B)  All events in a transaction must have the same sourcetype. 
C)  All events in a transaction must have the exact same set of fields. 
D)  All events in a transaction must be related by one or more fields.

Question 7

Which of the following statements describes the use of the Field Extractor (FX)?

Accepted Answer

A)  The Field Extractor automatically extracts all fields at search time. 
B)  The Field Extractor uses PERL to extract fields from the raw events. 
C)  Fields extracted using the Field Extractor persist as knowledge objects. 
D)  Fields extracted using the Field Extractor do not persist and must be defined for each search. 
A)  The Field Extractor automatically extracts all fields at search time. 
B)  The Field Extractor uses PERL to extract fields from the raw events. 
C)  Fields extracted using the Field Extractor persist as knowledge objects. 
D)  Fields extracted using the Field Extractor do not persist and must be defined for each search.

Question 8

By default, how is acceleration configured in the Splunk Common Information Model (CIM) add-on?

Accepted Answer

A)  Turned off. 
B)  Turned on. 
C)  Determined automatically based on the sourcetype. 
D)  Determined automatically based on the data source. 
A)  Turned off. 
B)  Turned on. 
C)  Determined automatically based on the sourcetype. 
D)  Determined automatically based on the data source.

Question 9

In which of the following scenarios is an event type more effective than a saved search?

Accepted Answer

A)  When a search should always include the same time range. 
B)  When a search needs to be added to other users' dashboards. 
C)  When the search string needs to be used in future searches. 
D)  When formatting needs to be included with the search string. 
A)  When a search should always include the same time range. 
B)  When a search needs to be added to other users' dashboards. 
C)  When the search string needs to be used in future searches. 
D)  When formatting needs to be included with the search string.

Question 10

Based on the macro definition shown below, what is the correct way to execute the macro in a search string?

Accepted Answer

A)  "convert_sales(euro,€,.79)" 
B)  'convert_sales(euro,€,.79)' 
C)  "convert_sales($euro$,$€$,$.79$)" 
D)  'convert_sales($euro$,$€$,$.79$)' 
A)  "convert_sales(euro,€,.79)" 
B)  'convert_sales(euro,€,.79)' 
C)  "convert_sales($euro$,$€$,$.79$)" 
D)  'convert_sales($euro$,$€$,$.79$)'

Question 11

A data model consists of which three types of datasets?

Accepted Answer

A)  Constraint, field, value. 
B)  Events, searches, transactions. 
C)  Field extraction, regex, delimited. 
D)  Transaction, session ID, metadata. 
A)  Constraint, field, value. 
B)  Events, searches, transactions. 
C)  Field extraction, regex, delimited. 
D)  Transaction, session ID, metadata.

Question 12

In which Settings section are macros defined?

Accepted Answer

A)  Fields 
B)  Tokens 
C)  Advanced Search 
D)  Searches, Reports, Alerts 
A)  Fields 
B)  Tokens 
C)  Advanced Search 
D)  Searches, Reports, Alerts

Question 13

What is a limitation of searches generated by workflow actions?

Accepted Answer

A)  Searches generated by workflow actions cannot use macros. 
B)  Searches generated by workflow actions must be less than 256 characters long. 
C)  Searches generated by workflow actions must run in the same app as the workflow action. 
D)  Searches generated by workflow actions run with the same permissions as the user running them. 
A)  Searches generated by workflow actions cannot use macros. 
B)  Searches generated by workflow actions must be less than 256 characters long. 
C)  Searches generated by workflow actions must run in the same app as the workflow action. 
D)  Searches generated by workflow actions run with the same permissions as the user running them.

Question 14

Which of the following statements about macros is true? (Choose all that apply.)

Accepted Answer

A)  Arguments are defined at execution time. 
B)  Arguments are defined when the macro is created. 
C)  Argument values are used to resolve the search string at execution time. 
D)  Argument values are used to resolve the search string when the macro is created. 
A)  Arguments are defined at execution time. 
B)  Arguments are defined when the macro is created. 
C)  Argument values are used to resolve the search string at execution time. 
D)  Argument values are used to resolve the search string when the macro is created.

Question 15

Which of the following data models are included in the Splunk Common Information Model (CIM) add-on? (Choose all that apply.)

Accepted Answer

A)  Alerts 
B)  Email 
C)  Databases 
D)  User permissions 
A)  Alerts 
B)  Email 
C)  Databases 
D)  User permissions

Question 16

After manually editing a regular expression (regex), which of the following statements is true?

Accepted Answer

A)  Changes made manually can be reverted in the Field Extractor (FX) UI. 
B)  It is no longer possible to edit the field extraction in the Field Extractor (FX) UI. 
C)  It is not possible to manually edit a regular expression (regex) that was created using the Field Extractor (FX) UI. 
D)  The Field Extractor (FX) UI keeps its own version of the field extraction in addition to the one that was manually edited. 
A)  Changes made manually can be reverted in the Field Extractor (FX) UI. 
B)  It is no longer possible to edit the field extraction in the Field Extractor (FX) UI. 
C)  It is not possible to manually edit a regular expression (regex) that was created using the Field Extractor (FX) UI. 
D)  The Field Extractor (FX) UI keeps its own version of the field extraction in addition to the one that was manually edited.

Question 17

Which of the following commands support the same set of functions?

Accepted Answer

A)  stats, eval, table 
B)  search, where, eval 
C)  stats, chart, timechart 
D)  transaction, chart, timechart 
A)  stats, eval, table 
B)  search, where, eval 
C)  stats, chart, timechart 
D)  transaction, chart, timechart

Question 18

When creating a Search workflow action, which field is required?

Accepted Answer

A)  Search string 
B)  Data model name 
C)  Permission setting 
D)  An eval statement An eval statement 
A)  Search string 
B)  Data model name 
C)  Permission setting 
D)  An eval statement An eval statement

Question 19

A data model can consist of what three types of datasets?

Accepted Answer

A)  Pivot, searches, and events. 
B)  Pivot, events, and transactions. 
C)  Searches, transactions, and pivot. 
D)  Events, searches, and transactions. 
A)  Pivot, searches, and events. 
B)  Pivot, events, and transactions. 
C)  Searches, transactions, and pivot. 
D)  Events, searches, and transactions.

Question 20

Which of the following actions can the eval command perform?

Accepted Answer

A)  Remove fields from results. 
B)  Create or replace an existing field. 
C)  Group transactions by one or more fields. 
D)  Save SPL commands to be reused in other searches. 
A)  Remove fields from results. 
B)  Create or replace an existing field. 
C)  Group transactions by one or more fields. 
D)  Save SPL commands to be reused in other searches.

When using timechart , how many fields can be listed after a by clause?

Which of the following statements describe the search below? (Choose all that apply.) index=main | transaction clientip host maxspan=30s maxpause=5s

Calculated fields can be based on which of the following?

When can a pipe follow a macro?

Information needed to create a GET workflow action includes which of the following? (Choose all that apply.)

What do events in a transaction have in common?

Which of the following statements describes the use of the Field Extractor (FX)?

By default, how is acceleration configured in the Splunk Common Information Model (CIM) add-on?

In which of the following scenarios is an event type more effective than a saved search?

Based on the macro definition shown below, what is the correct way to execute the macro in a search string?

A data model consists of which three types of datasets?

In which Settings section are macros defined?

What is a limitation of searches generated by workflow actions?

Which of the following statements about macros is true? (Choose all that apply.)

Which of the following data models are included in the Splunk Common Information Model (CIM) add-on? (Choose all that apply.)

After manually editing a regular expression (regex), which of the following statements is true?

Which of the following commands support the same set of functions?

When creating a Search workflow action, which field is required?

A data model can consist of what three types of datasets?

Which of the following actions can the eval command perform?

Splunk Core Certified User

Splunk Certified Developer

Splunk Enterprise Certified Architect

Splunk Enterprise Security Certified Admin

Splunk IT Service Intelligence Certified Admin

Splunk Core Certified Consultant

Filters

Exam 2: Splunk Enterprise Certified Admin

When using timechart , how many fields can be listed after a by clause?

Which of the following statements describe the search below? (Choose all that apply.) index=main | transaction clientip host maxspan=30s maxpause=5s

Calculated fields can be based on which of the following?

When can a pipe follow a macro?

Information needed to create a GET workflow action includes which of the following? (Choose all that apply.)

What do events in a transaction have in common?

Which of the following statements describes the use of the Field Extractor (FX)?

By default, how is acceleration configured in the Splunk Common Information Model (CIM) add-on?

In which of the following scenarios is an event type more effective than a saved search?

Based on the macro definition shown below, what is the correct way to execute the macro in a search string?

A data model consists of which three types of datasets?

In which Settings section are macros defined?

What is a limitation of searches generated by workflow actions?

Which of the following statements about macros is true? (Choose all that apply.)

Which of the following data models are included in the Splunk Common Information Model (CIM) add-on? (Choose all that apply.)

After manually editing a regular expression (regex), which of the following statements is true?

Which of the following commands support the same set of functions?

When creating a Search workflow action, which field is required?

A data model can consist of what three types of datasets?

Which of the following actions can the eval command perform?

Splunk Core Certified User

Splunk Certified Developer

Splunk Enterprise Certified Architect

Splunk Enterprise Security Certified Admin

Splunk IT Service Intelligence Certified Admin

Splunk Core Certified Consultant

Filters