Splunk SPLK-1002 Exam Practice Test Instant Access

Question 1

Consider the following search: index=web sourcetype=access_combined

The log shows several events that share the same jsessionid value (sd497k117o2f098). View the events as a group.

From the following list, which search groups events by JSESSIONID?

Aindex=web sourcetype=access_combined | transaction JSESSIONID | search SD497K117O2F098

Bindex=web sourcetype=access_combined JSESSIONID <sd497kl!7o2f098>

Cindex=web sourcetype=access_combined | highlight JSESSIONID 'search SD497K117O2F098

Dindex=web sourcetype=access_combined SD497K117O2F098 | table JSESSIONID

Answer : A

The objective is to group all events that share the same JSESSIONID value and filter them by a specific JSESSIONID.

Option A: This uses the transaction command with the JSESSIONID field to group all events sharing the same session ID and filters for the specific value SD497K117O2F098. This is correct.

Option B: The syntax here is invalid because JSESSIONID <value> is not a proper search syntax.

Option C: The highlight command only highlights fields or values in events; it does not group them.

Option D: While this filters for events containing SD497K117O2F098, it does not group them by JSESSIONID.

Splunk Docs: Transaction Command

Question 2

Which of the following can a field alias be applied to?

ATags

BIndexes

CSourcetypes

DEvent types

Answer : C

Field aliases in Splunk are used to map field names in event data to alternate names to make them easier to understand or consistent across datasets.

Option A (Tags): Field aliases are not directly applied to tags. Tags are used for categorizing events or field values.

Option B (Indexes): Field aliases cannot be applied to indexes. Indexes are physical storage locations for events in Splunk.

Option C (Sourcetypes): This is correct. Field aliases can be defined at the sourcetype level to ensure consistent naming across events of the same sourcetype.

Option D (Event types): Event types are saved searches, and field aliases do not apply here directly.

Splunk Docs: Field Aliases

Question 3

What does the fillnull command do in this search?

index=main sourcetype=http_log | fillnull value="Unknown" src

ASet the values of the src field to null when it is 'Unknown'.

BSet all fields with the value of 'Unknown' to null.

CSet the values of the src field to 'Unknown' if it is null.

DSet all fields that are null to 'Unknown'.

Answer : C

The fillnull command in Splunk is used to replace null (missing) field values with a specified value.

Explanation of options:

A: Incorrect, as fillnull does not set fields to null; it fills null values with a specific value.

B: Incorrect, as the command only affects the specified field (src in this case).

C: Correct, as the fillnull command explicitly sets null values in the src field to 'Unknown'.

D: Incorrect, as only the src field is affected, not all fields.

Example:

If the src field is null for some events, fillnull will populate 'Unknown' in those cases.

Question 4

Brad created a tag called "SpecialProjectX". It is associated with several field/value pairs, such as team=support, location=Austin, and release=Fuji. What search should Brad run to filter results for SpecialProjectX events related to the Support Team?

Atag=SpecialProjectX

Btag::team=SpecialProjectX

Ctag::Support-SpecialProjectX

Dtag!=Fuji,Austin

Answer : B

Tags in Splunk allow users to assign multiple field-value pairs to a common label.

The correct syntax to filter by tag is tag::<field>=<tag_name>.

tag::team=SpecialProjectX will filter results where team=support is associated with the tag SpecialProjectX.

tag=SpecialProjectX searches for all events associated with SpecialProjectX, not just the support team.

tag::Support-SpecialProjectX is incorrect syntax.

tag!=Fuji,Austin is incorrect since it does not filter using the SpecialProjectX tag.

Reference: Splunk Docs - Tags

Question 5

When using the eval command, which of these characters can be used to concatenate a string and a number into a single value?

A& (ampersand)

B+ (plus)

C- (tilde)

D. (period)

Answer : D

In Splunk, the eval command is often used for manipulating field values, including concatenation. The correct way to concatenate a string and a number is to use the . (period) operator. This operator joins different types of data into a single string value.

For example:

eval concatenated_value = 'value_' . 123

Result: concatenated_value will be value_123.

Other operators:

& is not a valid operator in eval for concatenation.

+ is used for arithmetic addition, not concatenation.

- is also not a concatenation operator.

Question 6

Two separate results tables are being combined using the join command. The outer table has the following values:

The inner table has the following values:

The line of SPL used to join the tables is: join employeeNumber type=outer

How many rows are returned in the new table?

AThree

BEight

CFive

DZero

Answer : C

In this case, the outer join is applied, which means that all rows from the outer (left) table will be included, even if there are no matching rows in the inner (right) table. The result will include all five rows from the outer table, with the matched data from the inner table where employeeNumber matches. Rows without matching employeeNumber values will have null values for the fields from the inner table.

Splunk Documentation - Join Command

Question 7

A search contains example(100,200). What is the name of the macro?

Aexample(2)

Bexample(var1,var2)

Cexample($,$)

Dexample[2]

Answer : B

In Splunk, macros that accept arguments are defined with placeholders for those arguments in the format example(var1, var2). In the search example(100,200), '100' and '200' are the values passed for var1 and var2 respectively.

Splunk Docs -- Macros

Splunk SPLK-1002 Splunk Core Certified Power User Exam Practice Test