Latest Aug 02, 2022 SPLK-1002 Brain Dump A Study Guide with Tips & Tricks for passing Exam [Q57-Q81]

Rate this post

Latest Aug 02, 2022 SPLK-1002 Brain Dump: A Study Guide with Tips & Tricks for passing Exam

SPLK-1002 Question Bank: Free PDF Download Recently Updated Questions

Certification Path

Splunk Core Certified User is a recommended entry-level exam to Splunk Core Certified Power User. We encourage all candidates to become Splunk Core Certified Users as their first step in our certification program, though it is not required, Candidates can directly appear for Splunk Core Certified Power User splk-1002 Exam.

The benefit in Obtaining the splk-1002 Exam Certification

splk-1002 Exam certified individuals would able to have benefits from the stronger community of Splunk, splunk community use to provide support to individuals as and when required.
Splunk Core Certified Power User will be confident and stand different from others as their skills are more trained than non-certified professionals.
Splunk Core Certified Power User has the knowledge to use the tools to complete the task efficiently and cost-effectively than the other non-certified professionals lack in doing so.
Splunk Core Certified Power User Certifications provide opportunities to get a job.
Splunk Core Certified Power User Certification provides practical experience to candidates from all the aspects so that they would be a proficient employee in the organization.

Q57. Which command can include both an over and a by clause to divide results into sub-groupings?

chart

stats

xyseries

transaction

Q58. When using the Field Extractor (FX), which of the following delimiters will work? (select all that apply)

Tabs

Pipes

Colons

Spaces

Reference:https://docs.splunk.com/Documentation/Splunk/8.0.3/Knowledge/FXSelectMethodstep

Q59. Which of the following searches show a valid use of a macro? (Choose all that apply.) index=main source=mySource oldField=* |’makeMyField(oldField)’| table _time

newField
index=main source=mySource oldField=* | stats if(‘makeMyField(oldField)’) |

table _time newField
index=main source=mySource oldField=* | eval newField=’makeMyField(oldField)’|

table _time newField
index=main source=mySource oldField=* | “‘newField(‘makeMyField(oldField)’)'”

| table _time newField

Explanation/Reference: https://answers.splunk.com/answers/574643/field-showing-an-additional-and-not-visible-value-1.html

Q60. In which of the following scenarios is an event type more effective than a saved search?

When a search should always include the same time range.

When a search needs to be added to other users’ dashboards.

When the search string needs to be used in future searches.

When formatting needs to be included with the search string.

Reference:https://answers.splunk.com/answers/4993/eventtype-vs-saved-search.html

Q61. Which of the following data model are included In the Splunk Common Information Model (CIM) add-on? (select all that apply)

Alerts

Database

User permissions

Reference:
https://docs.splunk.com/Documentation/CIM/4.15.0/User/Overview

Q62. To identify all of the contributing events within a transaction that contains at least one REJECT event, which syntax is correct?

Index-main | REJECT trans sessionid

Index-main | transaction sessionid | search REJECT

Index=main | transaction sessionid | whose transaction=reject

Index=main | transaction sessionid | where transaction=reject”

Q63. A data model consists of which three types of datasets?

Constraint, field, value.

Events, searches, transactions.

Field extraction, regex, delimited.

Transaction, session ID, metadata.

Explanation
Explanation/Reference: https://docs.splunk.com/Splexicon:Datamodeldataset

Q64. Which one of the following statements about the searchcommand is true?

It does not allow the use of wildcards.

It treats field values in a case-sensitive manner.

It can only be used at the beginning of the search pipeline.

It behaves exactly like search strings before the first pipe.

Explanation/Reference: https://docs.splunk.com/Documentation/SplunkCloud/8.0.2003/Search/Usethesearchcommand

Q65. Which of the following statements describes the command below (select all that apply) Sourcetype=access_combined | transaction JSESSIONID

An additional filed named maxspan is created.

An additional field named duration is created.

An additional field named eventcount is created.

Events with the same JSESSIONID will be grouped together into a single event.

Q66. In which of the following scenarios is an event type more effective than a saved search?

When a search should always include the same time range.

When a search needs to be added to other users’ dashboards.

When the search string needs to be used in future searches.

When formatting needs to be included with the search string.

Q67. In what order arc the following knowledge objects/configurations applied?

Field Aliases, Field Extractions, Lookups

Field Extractions, Field Aliases, Lookups

Field Extractions, Lookups, Field Aliases

Lookups, Field Aliases, Field Extractions

Q68. When multiple event types with different color values are assigned to the same event, what determines the color displayed for the event?

Rank

Weight

Priority

Precedence

Explanation/Reference: https://docs.splunk.com/Documentation/SplunkCloud/8.0.2003/Knowledge/Defineeventtypes

Q69. Calculated fields can be based on which of the following?

Tags

Extracted fields

Output fields for a lookup

Fields generated from a search string

Reference:
https://docs.splunk.com/Documentation/Splunk/8.0.3/Knowledge/definecalcfields

Q70. All users by default have WRITE permission to ALL knowledge objects.

True

False

Q71. Scheduled alerts must be scheduled to run with cron job syntax only.

True

False

Q72. Which of the following statements are true for this search? (Select all that apply.) SEARCH:
sourcetype=access* |fields action productld status

is looking for all events that include the search terms: fields AND action AND productld AND status

users the table command to improve performance

limits the fields are extracted

returns a table with 3 columns

Q73. The following searches will return the same results. SEARCH 1: ssh error SEARCH 2: ssh AND error

True

False

Q74. In which of the following scenarios is an event type more effective than a saved search?

When a search should always include the same time range.

When a search needs to be added to other users’ dashboards.

When the search string needs to be used in future searches.

When formatting needs to be included with the search string.

Reference:
https://answers.splunk.com/answers/4993/eventtype-vs-saved-search.html

Q75. Which of the following searches would create a graph similar to the one below?

index_internal seourcetype=Savesplunker | fields sourcetype, status | transaction status maxspan-id | start count states

index_internal seourcetype=Savesplunker | fields sourcetype, status | transaction status maxspan-id | chart count states by -time

index_internal seourcetype=Savesplunker | fields sourcetype, status | transaction status maxspan-id | timechart count by status

None of these searches would generate a similart graph.

Q76. What does the fillnull command replace null values with, it the value argument is not specified?

N/A

NaN

NULL

Reference:https://answers.splunk.com/answers/653427/fillnull-doesnt-work-without-specfying-a-field.html

Q77. Which of the following statements are true for this search? (Select all that apply.) SEARCH: sourcetype=access* |fields action productld status

is looking for all events that include the search terms: fields AND action AND productld AND status

users the table command to improve performance

limits the fields are extracted

returns a table with 3 columns

Q78. Which of the following statements describes macros?

A macro is a reusable search string that must contain the full search.

A macro is a reusable search string that must have a fixed time range.

A macro is a reusable search string that may have a flexible time range.

A macro is a reusable search string that must contain only a portion of the search.

Explanation/Reference: https://docs.splunk.com/Documentation/Splunk/8.0.3/Knowledge/Definesearchmacros

Q79. Which of the following statements describes macros?

A macro is a reusable search string that must contain the full search.

A macro is a reusable search string that must have a fixed time range.

A macro Is a reusable search string that may have a flexible time range.

A macro Is a reusable search string that must contain only a portion of the search.

Q80. Which of the following can be used with the evalcommand tostringfunction? (Choose all that apply.)

“hex”

“commas”

“decimal”

“duration”

Explanation/Reference: https://splunkonbigdata.com/2018/10/27/usage-of-splunk-eval-function-tostring/

Q81. Which workflow action method can be used the action type is set to link?

GET

PUT

UPDATE

https://docs.splunk.com/Documentation/Splunk/8.0.2/Knowledge/SetupaGETworkflowaction Define a GET workflow action Steps
* Navigate to Settings > Fields > Workflow Actions.
* Click New to open up a new workflow action form.
* Define a Label for the action.
The Label field enables you to define the text that is displayed in either the field or event workflow menu. Labels can be static or include the value of relevant fields.
* Determine whether the workflow action applies to specific fields or event types in your data.
Use Apply only to the following fields to identify one or more fields. When you identify fields, the workflow action only appears for events that have those fields, either in their event menu or field menus. If you leave it blank or enter an asterisk the action appears in menus for all fields.
Use Apply only to the following event types to identify one or more event types. If you identify an event type, the workflow action only appears in the event menus for events that belong to the event type.
* For Show action in determine whether you want the action to appear in the Event menu, the Fields menus, or Both.
* Set Action type to link.
* In URI provide a URI for the location of the external resource that you want to send your field values to.
Similar to the Label setting, when you declare the value of a field, you use the name of the field enclosed by dollar signs.
Variables passed in GET actions via URIs are automatically URL encoded during transmission. This means you can include values that have spaces between words or punctuation characters.
* Under Open link in, determine whether the workflow action displays in the current window or if it opens the link in a new window.
* Set the Link method to get.
* Click Save to save your workflow action definition.

Loading …