Splunk SPLK-1001 Exam Practice Test Instant Access

Question 1

How are the results of the following search sorted?

... | sort action, ---file, +bytes

AIn descending order by action, then descending order by file, and lastly by ascending order of bytes.

BIn ascending order by action, then descending order by file, and lastly by ascending order of bytes.

CIn descending order by action if it exists. If not, then in descending order by file, and if both action and file do not exist, by ascending order of bytes.

DIn ascending order by action if it exists. If not, then in descending order by file, and if both action and file do not exist, by ascending order of bytes.

Answer : B

Using a minus sign (-) for descending order and a plus sign (+) for ascending order. If no sign is specified, the default order is ascending.

Sorting by multiple fields in the order they are specified. If there are duplicate values in one field, the next field is used to break the tie.

Sorting by field values according to their types. If the field type is not specified, the sort command tries to automatically determine it.

Question 2

Which of the following is the appropriately formatted SPL search?

Aindex=security sourcetype=linux secure (invalid OR failed) | stats count as
'Potential Issues'

Bindex=security sourcetype=linux secure (invalid OR failed) | stats as
'Potential Issues'

Cindex---security sourcetype=linux secure (invalid OR failed) | count stats as
'Potential Issues'

Dindex---security sourcetype=linux secure (invalid OR failed) | count as 'Potential Issues'

Answer : A

This is the appropriately formatted SPL search because it follows the SPL syntax rules12, such as:

Using the=operator to specify field-value pairs, such asindex=securityandsourcetype=linux.

Using theORoperator to combine multiple values for the same field, such as(invalid OR failed).

Using the|character to separate commands, such asstats count as 'Potential Issues'.

Using theaskeyword to rename fields, such ascount as 'Potential Issues'.

Question 3

Which of the following is the best description of Splunk Apps?

ABuilt only by Splunk employees.

BA collection of files.

COnly available for download on Splunkbase.

DAvailable on iOS and Android.

Answer : B

The best description of Splunk Apps is a collection of files that provide specific functionality or views of your data. Splunk Apps can be built by anyone, not only by Splunk employees. Splunk Apps are not only available for download on Splunkbase, but also can be created or customized by users. Splunk Apps are not available on iOS and Android, but rather on Splunk Enterprise or Splunk Cloud platforms.

Question 4

What are the three main Splunk components?

ASearch head, GPU, streamer

BSearch head, indexer, forwarder

CSearch head, SQL database, forwarder

DSearch head, SSD, heavy weight agent

Answer : B

Explanation/Reference:

Question 5

What are the two most efficient search filters?

A_time and host

B_time and index

Chost and sourcetype

Dindex and sourcetype

Answer : B

This is the correct answer because these two filters can help you limit the amount of data that Splunk retrieves from disk, which is the key to fast searching1.The _time filter allows you to specify a narrow time window for your search, which reduces the number of buckets that Splunk scans2.The index filter allows you to specify which index or indexes contain the data that you want to search, which reduces the number of files that Splunk reads3.

Question 6

Which of the following statements describes a search job?

AOnce a search job begins, it cannot be stopped

BA search job can only be paused when less than 50% of events are returned

CA search job can only be stopped when less than 50% of events are returned

DOnce a search job begins, it can be stopped or paused at any point in time

Answer : D

Explanation/Reference: Reference: https://answers.splunk.com/answers/329699/why-does-my-search-head-cluster-captain-start-dele- 1.html

Question 7

When saving a search directly to a dashboard panel instead of saving as a report first, which of the following is

created?

ACloned panel

BInline panel

CReport panel

DPrebuilt panel

Answer : C

Splunk SPLK-1001 Splunk Core Certified User Exam Practice Test