
Splunk Core Certified Power User 156 Questions with Answers,100% CORRECT


What is the only writeable bucket type? - CORRECT ANSWER The hot bucket
By what filter are indexes divided into buckets? - CORRECT ANSWER By time
What are the 4 types of searches in Splunk (by performance)? - CORRECT ANSWER Dense, Sparse, Super Sparse, Rare
In searches, what is the scanCount? - CORRECT ANSWER The number of events scanned for that particular search
What are the requirements of the underlying search in order to get a multi-series table? - CORRECT ANSWER The underlying search must use reporting search commands like chart or timechart
What are the seven chart types? - CORRECT ANSWER Line, Area, Column, Bar, Bubble, Scatter and Pie
What is a trait of scatter charts? - CORRECT ANSWER Can only show two dimensions. Shows trends in the relationship between discrete data values
What is a trait of bubble charts? - CORRECT ANSWER Provides a visual way to view a three-dimensional series
What are two commonly used clauses for chart? - CORRECT ANSWER over and by
What do the over and by clauses do when used with chart? - CORRECT ANSWER divides the data into sub-groupings
(True/False) You can only split chart results over two dimensions - CORRECT ANSWER True
chart and timechart commands automatically filter results to include how many values? - CORRECT ANSWER 10
What happens to surplus resulting values of chart and timechart commands? - CORRECT ANSWER They are grouped into other
(True/False) Null values are not shown by default by chart and timechart - CORRECT ANSWER False
What is always the value on the x-axis for timechart? - CORRECT ANSWER _time
(True/False) Functions and arguments used with stats and chart cannot be used with timechart - CORRECT ANSWER False
(True/False) As with chart, it is possible to split timechart by two fields - CORRECT ANSWER False. It is only possible to split by one field
What is the argument for adjusting the sampling interval of timechart? - CORRECT ANSWER span
What does the trendline command do? - CORRECT ANSWER allows you to overlay a computed moving average on a chart
What is the syntax of the trendline command? - CORRECT ANSWER trendline <trendtype><period>(field) [AS newfield]
What command can be used to look up and add location information to an event? - CORRECT ANSWER iplocation
What information does the iplocation command include? - CORRECT ANSWER city, country, region, latitude and longitude
What is the data requirement for the geostats command? - CORRECT ANSWER Data must include latitude and longitude values
These arguments are used to control column counts when using the geostats command - CORRECT ANSWER globallimit and locallimit
This command is used to compute statistical functions and render a cluster map - CORRECT ANSWER geostats
What command can be used to show relative metrics for predefined geographic regions? - CORRECT ANSWER geom
(True/False) A sparkline is an inline chart that can be added to timechart - CORRECT ANSWER True
(True/False) Automatic totaling of every column can be done by using the Format option - CORRECT ANSWER True
This command can be used to add totals of all or selected fields - CORRECT ANSWER addtotals
The row option for addtotals does (if enabled) - CORRECT ANSWER create a column that contains numeric totals for each row
The column option for addtotals does (if enabled) - CORRECT ANSWER create a row that contains numeric totals for each column
What does the labelfield option for addtotals specify? - CORRECT ANSWER What field the label should be placed in (in general, this should be the leftmost and first field)
The eval command can be used to - CORRECT ANSWER perform calculations, convert, round and format values, use conditional statements
This command allows you to calculate and manipulate field values in your report - CORRECT ANSWER eval
(True/False) Results of eval can be written to an existing field - CORRECT ANSWER True
What happens with a destination field value if the field is the same as the resulting field of the eval command? - CORRECT ANSWER The field value gets overwritten by the resulting value output from the eval command
(True/False) Indexed data gets modified after field values are overwritten by the eval command. - CORRECT ANSWER False
This operator is used for concatenation - CORRECT ANSWER +.
This function can be used to set the value of a field to the number of decimals you specify - CORRECT ANSWER round
(True/False) The tostring function can be used with eval - CORRECT ANSWER True
How can you use eval to format numeric field values to strings? - CORRECT ANSWER By adding characters to the field values
What separator is used when having multiple expressions used with the eval command? - CORRECT ANSWER comma
If function used with eval: What is the field value of SalesTerritory for a VendorID of 80000 in the following evaluation? | eval SalesTerritory = if((VendorID >= 7000 AND VendorID <8000), "Asia", "Rest of the World") - CORRECT ANSWER "Rest of the World"
(True/False) The search command treats field values in a case-insensitive manner - CORRECT ANSWER True
(True/False) The where command treats field values in a case-insensitive manner - CORRECT ANSWER False
(True/False) Unquoted or single-quoted strings are treated as fields. - CORRECT ANSWER True
To be able to do wildcard searches with the where command, this operator must be used - CORRECT ANSWER like
What is the fillnull value used for? - CORRECT ANSWER To replace null values in fields. Default replacement value is 0.
What is a transaction? - CORRECT ANSWER A transaction is any group of related events that span time
What is the syntax of the transaction command? - CORRECT ANSWER transaction field-list. The field-list argument is a list of one or multiple fields.
(True/False) The transaction command creates a single event from a group of events - CORRECT ANSWER True
This field is produced by running the transaction command - CORRECT ANSWER duration - difference between timestamp of first and last event in the transaction
What does the maxspan argument do when used for transaction? - CORRECT ANSWER Defines the maximum total time between the earliest and latest events
What does the maxpause argument do when used for transaction? - CORRECT ANSWER Specifies maximum total time between events.
What can be said about the events returned from the following search? index=web sourcetype=access_combined | transaction clientip JSESSIONID startswith=eval(action="addtocart") endswith=eval(action="purchase") - CORRECT ANSWER The first event in this transaction includes the action "addtocart", the last includes the action "purchase"
What is the limit on the number of events per transaction by default? - CORRECT ANSWER 1000
Why is stats recommended over transaction? - CORRECT ANSWER Faster and more efficient
When do you need to use transaction? - CORRECT ANSWER When you need to see events correlated together, and/or must define event grouping based on start/end values or segments of time
How can admins change the limit on the number of events per transaction? - CORRECT ANSWER by configuring max_events_per_bucket in limits.conf
What are Knowledge Objects? - CORRECT ANSWER Knowledge objects are tools you use to discover and analyze various aspects of your data
(True/False) Knowledge Objects are shareable, reusable and searchable - CORRECT ANSWER True
(True/False) The Power User role can create an object that persists globally across all apps - CORRECT ANSWER False
(True/False) The Power User role can create an object that persists in the context of a specific app - CORRECT ANSWER True
What is the Splunk Common Information Model (CIM)? - CORRECT ANSWER A methodology for normalizing data, to easily correlate data from different sources and source types.
Which meta fields are already stored in the index prior to search time? - CORRECT ANSWER host, source and sourcetype
Which internal fields are stored in the index prior to search time? - CORRECT ANSWER _time and _raw
At this time, field discovery discovers fields directly related to the search's results - CORRECT ANSWER search time
(True/False) After extracting fields using the field extractor (FX), it is possible to share the extracted fields. - CORRECT ANSWER True. Extracted fields exist as knowledge objects.
What are the two methods for doing field extractions? - CORRECT ANSWER Regex and delimiter
These knowledge objects provide a way of normalizing data over any default field - CORRECT ANSWER field aliases
(True/False) Field aliases are applied after field extraction, before lookups - CORRECT ANSWER True
(True/False) It is not possible to apply field aliases to lookups - CORRECT ANSWER False
(True/False) Multiple aliases can be applied to one field - CORRECT ANSWER True
(True/False) After a field alias has been made, the field alias can be used as an ordinary field in SPL - CORRECT ANSWER True
What is a calculated field? - CORRECT ANSWER Shortcut for performing repetitive, long, or complex transformations using the eval command
What is true about a calculated field? - CORRECT ANSWER Must be based on an extracted field
Where can both calculated fields and field aliases be set up (using the GUI)? - CORRECT ANSWER Settings->Fields
These knowledge objects are like nicknames that are created for related field/value pairs - CORRECT ANSWER Tags
(True/False) Tags are case sensitive - CORRECT ANSWER True
(True/False) You can only create one tag for any field/value combination - CORRECT ANSWER False
(True/False) Knowledge objects like tags, field aliases and calculated fields are searchable - CORRECT ANSWER True
How does a tag appear after being selected? - CORRECT ANSWER In the results as tags, in parentheses next to the associated field/value pairs
The syntax for searching for a tag associated with a value is? - CORRECT ANSWER tag=<tag name>
The syntax for searching for a tag associated with a value on a specific field is? - CORRECT ANSWER tag::<field> = <tagname>
Where can tag settings (including permissions) be edited? - CORRECT ANSWER Settings->Tags->List by field value pair
This knowledge object can be used to group similar types of events - CORRECT ANSWER Event types
How do you create an event type? - CORRECT ANSWER Create and execute a search, press "Save as"->Event types
(True/False) Event type names can contain spaces - CORRECT ANSWER False
Which criteria must be reviewed and refined when using the Event Type Builder? - CORRECT ANSWER Search string, field values, tags
What is the syntax for using event types in a search? - CORRECT ANSWER eventtype=<eventtype_name>
At what time does Splunk evaluate the events when searching and using event types in your search? - CORRECT ANSWER Search time
How can you tag event types? (GUI) - CORRECT ANSWER Either by using "Settings->Event Types" or by using "Event details->Actions"
(True/False) It is not possible to add a tag to an Event Type - CORRECT ANSWER False
(True/False) Event Types do not include a time range, while a saved report does - CORRECT ANSWER True
These knowledge objects are useful when you frequently run searches or reports with similar search syntax - CORRECT ANSWER macros
(True/False) Macros are shareable - CORRECT ANSWER True
What happens if an event fits in multiple event types? - CORRECT ANSWER Priority decides which event takes precedence in the display order
At what time are parameter values passed to a macro? - CORRECT ANSWER At execution time
How can you create a macro? (GUI) - CORRECT ANSWER Settings->Advanced search->Search macros
What is the syntax for using macros in searches? - CORRECT ANSWER `macro`
How do you include the number of arguments to a macro? - CORRECT ANSWER By adding the number in parentheses after the macro name
When setting up arguments for macros in the macro definition, with what character must the argument(s) be surrounded? - CORRECT ANSWER $
(T/F) This is a valid search: | 'monthly_sales(euro, £, 0.79)' - CORRECT ANSWER False
What is the validation expression for macros? - CORRECT ANSWER An expression for each argument to the macro can be made, with a corresponding error message, to ensure that the macro is being used correctly
Should macros include leading pipes? - CORRECT ANSWER No, it is not considered best practice, as someone may put a pipe in front of the macro when using it in a search string
What is a workflow action? - CORRECT ANSWER Execute workflow actions from an event in your search results to interact with external resources or run another search
Which types of workflow actions exist? - CORRECT ANSWER GET, POST, Search
What is a Search workflow action? - CORRECT ANSWER A search workflow action uses field values to perform a secondary search
What is a POST workflow action? - CORRECT ANSWER A POST workflow action sends field values to an external resource
What is a GET workflow action? - CORRECT ANSWER A GET workflow action retrieves information from an external resource
How do you create a new workflow action? - CORRECT ANSWER Settings->Fields->Workflow actions->New workflow action
(T/F) A workflow action can be applied to both fields and event types. - CORRECT ANSWER True
How can workflow actions be tested? - CORRECT ANSWER By pressing Event Actions on an event in the search, and clicking the name of the created workflow action
What is a pivot? - CORRECT ANSWER It's essentially a subset of data based on a data model
What is a data model? - CORRECT ANSWER Hierarchically structured datasets that generate searches and drive pivots
What three types of datasets can a data model consist of? - CORRECT ANSWER Events, searches and transactions
How are datasets saved in pivots? - CORRECT ANSWER Each event, search or transaction is saved as a separate dataset
What are constraints when it comes to data model events? - CORRECT ANSWER Constraints are essentially the search broken down into a hierarchy
(True/False) Data models are hierarchical structures where child datasets inherit constraints and fields from their parent dataset(s) - CORRECT ANSWER True
What is the benefit of using root events over root transactions and root searches when creating data models? - CORRECT ANSWER root events can be accelerated, while the others cannot.
What are constraints for a root event? - CORRECT ANSWER Essentially search terms
What methods can be used for adding fields to a data model? - CORRECT ANSWER Auto-extraction, eval expression, lookup, regular expression, Geo IP
What are the different field types for a data model? - CORRECT ANSWER String, Number, Boolean, IPV4
What are field flags for data models? - CORRECT ANSWER Field flags are used for setting options for how the field should be used and the necessity of the field for events in the pivot driven by the data model
What different field flags exist? - CORRECT ANSWER Optional, Required, Hidden, Hidden & Required
What is the use of hidden fields? - CORRECT ANSWER They can be used for fields that are only being used to define another field, such as an eval expression
What does the "Required" field flag imply? - CORRECT ANSWER Only events that contain this field are returned in Pivot
What is the data model name in this search? | pivot Buttercup_Games_Site_Activity failed_request count(failed_request) AS "Count of Failed requests" - CORRECT ANSWER Buttercup_Games_Site_Activity
What is the object name in this search? | pivot Buttercup_Games_Site_Activity failed_request count(failed_request) AS "Count of Failed requests" - CORRECT ANSWER failed_request
What is the split row field in this search? | pivot Buttercup_Games_Site_Activity failed_request count(failed_request) AS "Count of Failed requests" - CORRECT ANSWER count(failed_request)
What are data model search datasets? - CORRECT ANSWER Arbitrary searches that include transforming commands to define the dataset that they represent
What fields are available for use by a transaction dataset? - CORRECT ANSWER Fields that have already been added to the model using event or search datasets.
What is required for a transaction dataset? - CORRECT ANSWER At least one event or search dataset in the data model
How can permissions be set for data models? - CORRECT ANSWER Based on users, or owner, app or all apps
How can data models be moved from the test environment to the prod environment? - CORRECT ANSWER By uploading/downloading via the Splunk Web interface
How are data models accelerated? - CORRECT ANSWER By creating summaries defined in time-series index files (tsidx) that have been optimized for speed
What happens with fields when accelerating a data model? - CORRECT ANSWER All fields in the model become "indexed" fields, i.e. they are available in tsidx files.
(True/False) A private data model can be accelerated - CORRECT ANSWER False
(True/False) Accelerated data models can be edited - CORRECT ANSWER False
(True/False) Only root events can be accelerated. - CORRECT ANSWER True
What is the Common Information Model (CIM)? - CORRECT ANSWER The Splunk Common Information Model provides a methodology to normalize data
What are some of the benefits of using the Common Information Model? - CORRECT ANSWER Easier and more efficient correlation of data from different sources and source types; multiple apps can co-exist on a single Splunk deployment
When should the CIM be leveraged? - CORRECT ANSWER When creating field extractions, field aliases, event types and tags
What is included in the CIM Add-on? - CORRECT ANSWER A set of 22 pre-configured data models; fields and event category tags; the least common denominator of a domain of interest
(True/False) The data models included in the CIM add-on are configured with data model acceleration turned off. - CORRECT ANSWER True
How can you use the CIM add-on? - CORRECT ANSWER By going to Settings->Data models, and identifying a data model relevant to your dataset
What can the CIM add-on be used for? - CORRECT ANSWER Creating new event types, tags, field aliases and field extractions
How can you validate that a field extraction is correctly set up according to CIM? - CORRECT ANSWER by using the datamodel command and searching against a specified data model object to see that the extracted field exists in the data model
(True/False) Data model name and dataset name are case sensitive - CORRECT ANSWER True
What is the dataset name in the following search: | datamodel Web Email search | fields Web* - CORRECT ANSWER Email
What does the "from" command do? - CORRECT ANSWER retrieves data from a data model or named dataset
How does the "from" command differ from the "datamodel" command? - CORRECT ANSWER datamodel returns all fields prepended with the data model name, from datamodel returns specified fields only
(True/False) The "from" command can also retrieve data from saved searches, reports or lookup files - CORRECT ANSWER True
What is true about event types? - CORRECT ANSWER Event types cannot include pipes or subsearches
What does the duration field for transaction mean? - CORRECT ANSWER difference between timestamp of first and last event in the transaction
(True/False) Data models from CIM search across all indexes by default - CORRECT ANSWER True

Document information

Uploaded on: Jul 09, 2023
Number of pages: 14
Seller: Nolan19