Splunk SPLK-1002 Exam Practice Test Instant Access

Question 1

What is needed to define a calculated field?

AEval expression

BData model

CEvent type

DRegular expression

Answer : A

A calculated field in Splunk is created using an eval expression, which allows users to perform calculations or transformations on field values during search time.

Splunk Docs - Calculated fields

Question 2

Given the following eval statement:

... | eval field1 = if(isnotnull(field1),field1,0), field2 = if(isnull(field2), "NO-VALUE", field2)

Which of the following is the equivalent using fillnull?

A... | fillnull values=(0,'NO-VALUE') fields=(field1,field2)

BThere is no equivalent expression using fillnull

C... | fillnull field1 | fillnull value='NO-VALUE' field2

D... | fillnull value=0 field1 | fillnull field2

Answer : D

The fillnull command can be used to replace null values in specific fields. The correct equivalent expression for the given eval statement would involve using fillnull twice, once for field1 to replace null values with 0, and once for field2 to replace null values with 'NO-VALUE'.

Splunk Docs - fillnull command

Question 3

Which of the following is true about data sets used in the Pivot tool?

AThey can only be created from data models.

BThey can only be created by users with the Admin role.

CThey can only be created from summary indexes.

DThey can only be created from saved reports.

Answer : A

In Splunk, data sets used in the Pivot tool are derived from data models. The Pivot tool allows users to create reports and visualizations based on the structured information available in data models.

Splunk Docs - Pivot tool

Question 4

Why would the transaction command be used instead of the stats command?

AThe transaction command has better search-time performance.

BThe transaction command can perform calculations on fields.

CThe transaction command keeps the raw data for each event.

DThe transaction command is less resource-intensive.

Answer : C

The transaction command is used when you need to group events and preserve the raw event data. This is essential in situations where context is important and you need to maintain the original details of each event.

Splunk Docs - transaction command

Splunk Answers - When to use transaction vs stats

Question 5

How is a Search Workflow Action configured to run at the same time range as the original search?

ASelect the 'Overwrite time range with the original search' checkbox.

BSelect the 'Use the same time range as the search that created the field listing' checkbox.

CSet the earliest time to match the original search.

DSelect the same time range from the time-range picker.

Answer : B

To configure a Search Workflow Action to use the same time range as the original search, you need to check the option 'Use the same time range as the search that created the field listing.' This will ensure the time range is inherited from the original search.

Splunk Docs - Search Workflow Actions

Question 6

To which of the following can a field alias be applied?

AData found in a lookup table.

BEither a calculated field or an extracted field.

COnly one single field in a dataset.

DA given host, source, or sourcetype.

Answer : B

In Splunk, a field alias is used to create an alternative name for an existing field, making it easier to refer to data in a consistent manner across different searches and reports. Field aliases can be applied to both calculated fields and extracted fields. Calculated fields are those that are created using eval expressions, while extracted fields are typically those parsed from the raw data at index time or search time. This flexibility allows users to streamline their searches by using more intuitive field names without altering the underlying data. Field aliases cannot be applied to data in a lookup table, specific individual fields within a dataset, or directly to a host, source, or sourcetype.

Question 7

Which of these stats commands will show the total bytes for each unique combination of page and server?

Aindex=web | stats sum (bytes) BY page BY server

Bindex=web | stats sum (bytes) BY page server

Cindex=web | stats sum(bytes) BY page AND server

Dindex=web | stats sum(bytes) BY values (page) values (server)

Answer : B

The correct command to show the total bytes for each unique combination of page and server isindex=web | stats sum (bytes) BY page server. In Splunk, thestatscommand is used to calculate aggregate statistics over the dataset, such as count, sum, avg, etc. When using theBYclause, it groups the results by the specified fields. The correct syntax does not include commas or the word 'AND' between the field names. Instead, it simply lists the field names separated by spaces within theBYclause.

Reference: The usage of thestatscommand with theBYclause is confirmed by examples in the Splunk Community, where it's explained thatstatswith aby foo barwill output one row for every unique combination of thebyfields1.

Splunk SPLK-1002 Splunk Core Certified Power User Exam Practice Test