Splunk SPLK-1001 Exam Practice Test Instant Access

Question 1

What is the result of the following search?

index=myindex source=c: \mydata. txt NOT error=*

AOnly data where the error field is present and does not contain a value will be displayed.

BOnly data with a value in the field error will be displayed.

COnly data that does not contain the error field will be displayed.

DOnly data where the value of the field error does not equal an asterisk (*) will be displayed.

Answer : C

The search query index=myindex source=c: \mydata. txt NOT error=* specifies three criteria for the events to be returned:

The index must be myindex, which is a user-defined index that contains the data from a specific source or sources.

The source must be c: \mydata. txt, which is the name of the file or directory where the data came from.

The error field must not exist in the events, which is indicated by the NOT operator and the wildcard character (*).

The NOT operator negates the following expression, which means that it returns the events that do not match the expression. The wildcard character () matches any value, including an empty value or a null value. Therefore, the expression NOT error=means that the events must not have an error field at all, regardless of its value.

The search query does not use quotation marks around the source value, which means that it is case-sensitive and exact. If there are any variations in the source name, such as capitalization or spacing, they will not match the query.

Reference

Search command syntax details

Search command examples

Basic searches and search results

Question 2

Which of the following is a metadata field assigned to every event in Splunk?

Ahost

Bowner

Cbytes

Daction

Answer : A

Explanation/Reference: Reference: https://docs.splunk.com/Documentation/Splunk/8.0.3/Data/Assignmetadatatoeventsdynamically

Question 3

Assuming a user has the capability to edit reports, which of the following are editable?

AAcceleration, schedule, permissions

BThe report's name, schedule, permissions

CThe report's name, acceleration, schedule

DThe report's name, acceleration, permissions

Answer : B

Explanation/Reference: Reference: https://docs.splunk.com/Documentation/Splunk/8.0.3/Report/Createandeditreports

Question 4

What is a quick, comprehensive way to learn what data is present in a Splunk deployment?

AReview Splunk reports

BRun ./splunk show

CClick Data Summary in Splunk Web

DSearch index=* sourcetype=* host=*

Answer : C

Explanation/Reference: Reference: https://docs.splunk.com/Documentation/Splunk/8.0.3/InheritedDeployment/Yourdata

Question 5

When viewing results of a search job from the Activity menu, which of the following is displayed?

ANew events based on the current time range picker

BThe same events based on the current time range picker

CThe same events from when the original search was executed

DNew events in addition to the same events from the original search

Answer : C

Question 6

Following are the time selection option while making search:

(Choose all that apply.)

ADate & Time Range

BAdvanced

CDate Range

DPresets

ERelative

Answer : B

Question 7

Selected fields are a set of configurable fields displayed for each event.

ATrue

BFalse

Answer : A

Splunk SPLK-1001 Splunk Core Certified User Exam Practice Test