Selected fields are displayed ________ each event in the results.
a. below
b. interesting fields
c. other fields
d. above
a. below
Search terms are not case sensitive. (T/F)
True
These two searches will NOT return the same results.
SEARCH 1: login failure    SEARCH 2: "login failure" (T/F)
True
A space is implied ______________ in a search string.
a. OR
b. AND
c. ()
d. NOT
b. AND
You cannot specify a relative time range, such as 45 seconds ago, for a search. (T/F)
False
To use field value data from an event in a Workflow Action, we need to:
a. Create tags for the fields.
b. Select the GET method.
c. Wrap the field in dollar signs.
c. Wrap the field in dollar signs.
This Workflow Action type sends field values to external resources.
a. POST
b. GET
c. Search
a. POST
Workflow Actions can only be applied to a single field.
FALSE
TRUE
False
Hidden fields in a data model:
a. will not be displayed to a Pivot user, but can be used to define other datasets
b. will not be displayed in the dataset editor
c. will be displayed to a Pivot user that has permissions to the field
a. will not be displayed to a Pivot user, but can be used to define other datasets
_____ datasets can be added to a root dataset to narrow down the search.
a. event
b. child
c. parent
d. extracted
b. child
Which of these are NOT Data Model dataset types:
a. Searches
b. Events
c. Transactions
d. Lookups
d. Lookups
You can normalize data for CIM use:
Select all that apply.
a. Using Knowledge Objects.
b. At index time.
c. Only after adding the CIM Add-on.
a. Using Knowledge Objects.
b. At index time.
By default, data models in the CIM Add-on will search across all indexes.
FALSE
TRUE
True
The CIM Add-on indexes extra data and will affect license usage.
FALSE
TRUE
False
How many results are shown by default when using a Top or Rare Command?
10
Warm buckets in Splunk indexes are named by:
a. the timestamps of first and last event in the bucket
b. a naming convention the administrator determines
c. the server that sent the events
a. the timestamps of first and last event in the bucket
Which of the following search modes automatically returns all extracted fields in the fields sidebar?
a. fast
b. smart
c. verbose
c. verbose
Which type of visualization allows you to show a third dimension of data?
a. bubble chart
b. scatter chart
c. pie chart
d. area chart
a. bubble chart
Which option is NOT available with the chart and timechart commands?
a. usefill
b. useother
c. limit
a. usefill
The ______ clause allows you to define which field is represented on the X axis of a chart.
a. over
b. by
a. over
Which of the following are valid options with the chart command?
Select all that apply.
a. usenull
b. usefield
c. fillfield
d. useother
a. usenull
d. useother
The geom command allows you to create:
a. radial gauges
b. standard maps
c. choropleth maps
c. choropleth maps
If you want to format values without changing their characteristics, which would you use?
a. The fieldformat command
b. The eval tostring function
a. The fieldformat command
You can only use one eval command per search.
FALSE
TRUE
False
The eval command 'if' function requires the following three arguments (in order):
a. result if false, result if true, boolean expression
b. boolean expression, result if false, result if true
c. boolean expression, result if true, result if false
d. result if true, result if false, boolean expression
c. boolean expression, result if true, result if false
Mark the terms that fill in the blanks in the correct order: Use _____ to see results of a calculation, or group events on a field value. Use _____ to see events correlated together, or grouped by start and end values.
a. transaction, stats
b. stats, transaction
b. stats, transaction
You can create a transaction based on multiple fields.
TRUE
FALSE
True
Which function should you use with the transaction command to set the maximum total time between the earliest and latest events returned?
a. maxduration
b. maxspan
c. maxpause
d. endswith
b. maxspan
Users with this role can reassign Knowledge Objects.
a. Admin
b. User
c. Power
a. Admin
Knowledge Objects can be used to normalize data.
FALSE
TRUE
True
What are the predefined ways Knowledge Objects can be shared?
a. Specific App
b. Private
c. All Apps
d. Sourcetype
a. Specific App
b. Private
c. All Apps
When extracting fields, we may choose to use our own regular expressions.
FALSE
TRUE
True
During the validation step of the Field Extractor workflow:
You cannot modify the field extraction
You can validate where the data originated from
You can remove values that aren't a match for the field you want to define
Once a field is created using the regex method, you cannot modify the underlying regular expression.
FALSE
TRUE
False
Calculated fields are based on underlying:
a. eval expressions
b. keyword searches
c. stats commands
a. eval expressions
Field aliases are used to _____ data.
a. transform
b. clean
c. calculate
d. normalize
d. normalize
Field aliases can only be applied to a single source type, source, or host.
FALSE
TRUE
False
Tags can be added to Event Types.
FALSE
TRUE
True
These allow you to categorize events based on search terms.
a. Macros
b. Groups
c. Event Types
d. Tags
c. Event Types
You can only add one tag per field value pair.
FALSE
TRUE
False
You can pipe the results of a macro to other commands
FALSE
TRUE
True
What is the proper syntax for using a macro named "us_sales"?
a. "us_sales"
b. (us_sales)
c. us_sales
d. `us_sales`
d. `us_sales`
The search expansion tool:
a. Allows you to see what a macro will expand to before you run a search.
b. Automatically fills in the variables before you run a search.
c. Must be used before running a search with a macro.
a. Allows you to see what a macro will expand to before you run a search.
Using the export function, you can export a maximum of 2000 results.
TRUE
FALSE
False
Which of the following search controls will not re-run the search? (Select all that apply)
a. zoom out
b. selecting a bar on the timeline
c. deselect
d. selecting a range of bars on the timeline
b. selecting a bar on the timeline
c. deselect
d. selecting a range of bars on the timeline
Highlighted search terms indicate ________ search results in Splunk
a. display as a selected field
b. Sorted
c. Charted based on time
d. Matching
d. Matching
The Splunk search language does not support wildcards.
TRUE
FALSE
False
Historical searches provide a static snapshot of events at a given time.
TRUE
FALSE
True
Which of the following Statements about macros is true? (select all that apply)
A. Arguments are defined at execution time.
B. Arguments are defined when the macro is created.
C. Argument values are used to resolve the search string at execution time.
D. Argument values are used to resolve the search string when the macro is created
A. Arguments are defined at execution time.
C. Argument values are used to resolve the search string at execution time.
What is required for a macro to accept three arguments?
A. The macro's name ends with (3).
B. The macro's name starts with (3).
C. The macro's argument count setting is 3 or more.
D. Nothing, all macros can accept any number of arguments.
A. The macro's name ends with (3).
Which of the following statements describes POST workflow actions?
A. POST workflow actions are always encrypted.
B. POST workflow actions cannot use field values in their URI.
C. POST workflow actions cannot be created on custom sourcetypes.
D. POST workflow actions can open a web page in either the same window or a new .
D. POST workflow actions can open a web page in either the same window or a new .
Which of the following searches show a valid use of macro? (Select all that apply)
a. index=main source=mySource oldField=* | 'makeMyField(oldField)' | table _time newField
b. index=main source=mySource oldField=* | state if ('makeMyField(oldField ' ) | table _time
c. index=main source=mySource oldField=* | eval newField= 'makeMyField(oldField) ' | table _time
d. index=main source=mySource oldField=* | "'newField('makeMyField(oldField) " ) ' " | table _time
a. index=main source=mySource oldField=* | 'makeMyField(oldField)' | table _time newField
c. index=main source=mySource oldField=* | eval newField= 'makeMyField(oldField) ' | table _time
Which of the following workflow actions can be executed from search results? (select all that apply)
A. GET
B. POST
C. LOOKUP
D. Search
A. GET
B. POST
D. Search
Which of the following is the correct way to use the datamodel command to search fields in the data model within the web dataset?
A. | datamodel web search | field web *
B. | Search datamodel web web | field web*
C. | datamodel web web field | search web*
D. Datamodel=web | search web | field web*
A. | datamodel web search | field web *
Which of the following searches will return events that contain a tag named Privileged?
A. Tag= Priv
B. Tag= Priv*
C. Tag= Priv*
D. Tag= Privileged
D. Tag= Privileged
Which of the following statements describes this search? sourcetype=access_combined | transaction JSESSIONID | timechart avg(duration)
A. This is a valid search and will display a timechart of the average duration of each transaction event.
B. This is a valid search and will display a stats table showing the maximum pause among transactions.
C. No results will be returned because the transaction command must include the startswith and endswith options.
D. No results will be returned because the transaction command must be the last command used in the search pipeline.
A. This is a valid search and will display a timechart of the average duration of each transaction event.
Calculated fields can be based on which of the following?
A. Tags
B. Extracted fields
C. Output fields for a lookup
D. Fields generated from a search string
B. Extracted fields
When multiple event types with different color values are assigned to the same event, what determines the color displayed for the events?
A. Rank
B. Weight
C. Priority
D. Precedence
C. Priority
Which of the following statements describe the command below? (select all that apply) sourcetype=access_combined | transaction JSESSIONID
A. An additional field named maxspan is created.
B. An additional field named duration is created.
C. An additional field named eventcount is created.
D. Events with the same JSESSIONID will be grouped together into a single event.
B. An additional field named duration is created.
C. An additional field named eventcount is created.
Which of the following can be used with the eval command tostring function? (select all that apply)
A. "hex"
B. "commas"
C. "Decimal"
D. "duration"
A. "hex"
B. "commas"
D. "duration"
Historical searches provide a static snapshot of event at a given time (T/F)
True
Using the export function, you can export a maximum of 2000 results. (T/F)
False
Which of the following search controls will not re-run the search? (select all that apply)
a. zoom out
b. selecting a bar on the timeline
c. deselect
d. selecting a range of the bars on the timeline
b. selecting a bar on the timeline
c. deselect
d. selecting a range of the bars on the timeline
Highlighted search terms indicate ______ search results in splunk.
a. display as selected field
b. sorted
c. chart based on time
d. matching
d. matching
The Splunk search language does not support wildcards (T/F)
False
The Splunk search language supports the + wildcard (T/F)
False
When you mouse over and click to add a search term, which boolean operator(s) is (are) not implied? (select all that apply)
a. OR
b. ( )
c. AND
d. NOT
b. ( )
Using the export function, you can export search results as _____ (select all that apply)
a. XML
b. JSON
c. HTML
d. a PHP file
a. XML
b. JSON
These kinds of fields are identified in your data at INDEX time
a. data-specific fields
b. default fields
b. default fields
Default fields are not added to every event in Splunk at INDEX time. (T/F)
False
The fields sidebar does not show ______ (select all that apply)
a. interesting fields
b. selected fields
c. all extracted fields
c. all extracted fields
Only Splunk Admins can assign selected fields (T/F)
False
This search: user!=*
a. displays only events that contain a value for the user
b. displays all events
c. displays only events that do not contain a value for the user
c. displays only events that do not contain a value for the user
The interesting fields in the fields sidebar are based on what fields you have requested in the past. (T/F)
False
Which mode automatically decides how to return fields based on your search?
a. Verbose
b. Fast
c. Smart
c. Smart
Which search mode returns all fields?
a. Verbose
b. Fast
c. Smart
a. Verbose
Splunk alerts can be based on a search that runs _________ (select all that apply)
a. in real time
b. on a regular schedule
c. and have no matching events
a. in real time
b. on a regular schedule
Alert throttling is used to ________
a. verify each alert
b. stagger search requests in a time-sequenced order
c. stop spamming yourself with alerts
d. check severity
c. stop spamming yourself with alerts
Scheduled alerts must be scheduled to run with cron job syntax only (T/F)
False
A report scheduled to run every 15 mins that takes 17 mins to complete is in danger of being
a. skipped or deferred
b. automatically accelerated
c. deleted
d. all of the above
a. skipped or deferred
Custom charts can be created in the fields sidebar (T/F)
False
Which of the following are valid options to speed up reports?
(select all that apply)
a. Edit permissions
b. Edit description
c. Edit acceleration
d. Edit schedule
c. Edit acceleration
After you create a pivot, you can save it as a _________ (select all that apply)
a. tag
b. eventtype
c. report
d. dashboard panel
c. report
d. dashboard panel
Pivot editor has a map visualization option (T/F)
False
New pivots automatically populate with ______ (select all that apply)
a. Split rows
b. Split columns
c. Count of hosts
d. Time range filter
d. Time range filter
Internal fields, such as _raw and _time can be explicitly removed from results with fields command (T/F)
False
This function on the stats command allows you to return the sample standard deviation of a field.
a. stdev
b. dev
c. count deviation
d. by standarddev
a. stdev
This clause is used to group the output of a stats command by a specific name
a. Rex
b. As
c. List
d. By
a. Rex
When a search returns _________, you can view it as a list.
a. a list of events
b. transactions
c. statistical values
c. statistical values
Clicking on a SEGMENT on a chart __________.
a. drills down for that data
b. highlights the field value across the chart
c. adds the highlighted value to the search criteria
c. adds the highlighted value to the search criteria