Is this exam completely free?

Examcademy offers a free preview for every exam, covering around 20% of the total questions. Full access is available with a paid upgrade.

Can I practice IT certification exams from Microsoft, AWS, or CompTIA?

Yes! Examcademy supports a wide range of IT certification exams including Microsoft Azure, AWS Cloud Practitioner, and CompTIA A+ and Security+.

How accurate are the mock exams?

Our mock exams are built and reviewed with the help of AI and community contributions, staying aligned with real-world exam objectives.

SPLK-1002Free trial

By splunk

Verified

25Q per page

Question 1

Which one of the following statements about the search command is true?

A: It does not allow the use of wildcards.
B: It treats field values in a case-sensitive manner.
C: It can only be used at the beginning of the search pipeline.
D: It behaves exactly like search strings before the first pipe.

—

Question 2

Which of the following statements would help a user choose between the transaction and stats commands?

A: stats can only group events using IP addresses.
B: The transaction command is faster and more efficient.
C: There is a 1000 event limitation with the transaction command.
D: Use stats when the events need to be viewed as a single correlated event.

—

Question 3

What is the correct syntax to find events associated with a tag?

A: tag:<field>=<value>
B: tags=<value>
C: tags:<field>=<value>
D: tag=<value>

—

Question 4

Which of the following is true about the Splunk Common Information Model (CIM)?

A: The CIM contains 28 pre-configured datasets.
B: The data models included in the CIM are configured with data model acceleration turned on.
C: The data models included in the CIM are configured with data model acceleration turned off.
D: The CIM is an app that needs to run on the indexer.

—

Question 5

Consider the following search run over a time range of last 7 days:

index=web sourcetype=access_combined | timechart avg(bytes) by product_name

Which option is used to change the default time span so that results are grouped into 12 hour intervals?

A: timespan=12
B: span=12h
C: timespan=12h
D: span=12

—

Question 6

When would transaction be used instead of stats?

A: To have a faster and more efficient search.
B: To see results of a calculation.
C: To group events based on start/end values.
D: To group events based on a single field value.

—

Question 7

Given the following eval statement:

... | eval field1 = if(isnotnull(fieid1),field1,0), field2 = if(isnull
Which of the following is the equivalent using fillnull?

A: There is no equivalent expression using fillnull
B: ... | fillnull values=(0,"NO-VALUE") fields=(field1,field2)
C: ... | fillnull field1|' fillnull value="NO-VALUE" field2
D: ... | fillnull value=0 field1 | fillnull field2

—

Question 8

The Splunk Common Information Model (CIM) is a collection of what type of knowledge object?

A: Saved searches
B: Lookups
C: KV Store
D: Data models

—

Question 9

How is a Search Workflow Action configured to run at the same time range as the original search?

A: Select the "Use the same time range as the search that created the field listing" checkbox.
B: Set the earliest time to match the original search.
C: Select the same time range from the time-range picker.
D: Select the "Overwrite time range with the original search" checkbox.

—

Question 10

A calculated field is a shortcut for performing repetitive, long, or complex transformations using which of the following commands?

A: transaction
B: eval
C: lookup
D: stats

—

Question 11

When using the transaction command, how are evicted transactions identified?

A: _txn field is set to 1, or true.
B: open_txn field is set to l, or true.
C: max_txn field is set to 0, or false.
D: closed_txn field is set to 0, or false.

—

Question 12

How are arguments defined within the macro search string?

A: “arg”
B: %arg%
C: $arg$
D: ‘arg’

—

Question 13

By default, how is acceleration configured in the Splunk Common Information Model (CIM) add-on?

A: Turned off.
B: Turned on.
C: Determined automatically based on the sourcetype.
D: Determined automatically based on the data source.

—

Question 14

Which of the following objects can a calculated field use as a source?

A: An alias of a field.
B: A field added by an automatic lookup.
C: The tag field.
D: The eventtype field.

—

Question 15

How are event types different from saved reports?

A: Event types can be shared with Splunk users and added to dashboards.
B: Event types include formatting of the search results.
C: Event types do not include a time range.
D: Event types cannot be used to organize data into categories.

—

Question 16

When creating a data model, which root dataset requires at least one constraint?

A: Root event dataset
B: Root transaction dataset
C: Root search dataset
D: Root child dataset

—

Question 17

Which search retrieves events with the event type web_errors?

A: tag=web_errors
B: eventtype=web_errors
C: eventtype(web_errors)
D: eventtype "web_errors"

—

Question 18

When used with the timechart command, which value of the limit argument returns all values?

A: limit=none
B: limit=all
C: limit=0
D: limit=*

—

Question 19

Which of the following statements best describes a macro?

A: A macro is a method of categorizing events based on a search.
B: A macro is a knowledge object that enables you to schedule searches for specific events.
C: A macro is a portion of a search that can be reused in multiple places.
D: A macro is a way to associate an additional (new) name with an existing field name.

—

Question 20

The macro weekly_sales(2) contains the search string:

index=games | eval ProductSales = $Price$ * $AmountSold$

Which of the following will return results?

A: 'weekly_sales(3.99, 10)'
B: 'weekly_sales($3.99$, $10$)'
C: 'weekly_sales(3.99, 10)'
D: 'weekly_sales(3)'

—

Question 21

What happens when a user edits the regular expression (regex) field extraction generated in the Field Extractor (FX)?

A: There is a limit to the number of fields that can be extracted.
B: The user is unable to return to the automatic field extraction workflow.
C: The user is unable to preview the extractions.
D: The extraction is added at index time.

—

Question 22

What does the fillnull command replace null values with, if the value argument is not specified?

A: NULL
B: 0
C: NaN
D: N/A

—

Question 23

What is the correct syntax for the transaction command?

A: | transaction(clientip,5m,1m)
B: | transaction clientip maxspan=5 pause=1
C: | transaction clientip maxspan=5m maxpause=1m
D: | transaction(clientip, 5, 1)

—

Question 24

Which of the following statements describe the Common Information Model (CIM)? (Choose all that apply.)

A: CIM is a methodology for normalizing data.
B: CIM can correlate data from different sources.
C: The Knowledge Manager uses the CIM to create knowledge objects.
D: CIM is an app that can coexist with other apps on a single Splunk deployment.

—

Question 25

What is the Splunk Common Information Model (CIM)?

A: The CIM is a prerequisite that any data source must meet to be successfully onboarded into Splunk.
B: The CIM defines an ecosystem of apps that can be fully supported by Splunk.
C: The CIM provides a methodology to normalize data from different sources and source types.
D: The CIM is a data exchange initiative between software vendors.

—

Page 1 of 8 • Questions 1-25 of 184

1 2 3 4 5

→

Free preview mode

Enjoy the free questions and consider upgrading to gain full access!