Is this exam completely free?

ExamCademy offers a free preview for every exam, covering around 20% of the total questions. Full access to all questions is available for free by signing up for an account. Optional supporters unlock AstroTutor (AI tutor) and advanced study modes.

Can I practice IT certification exams from Microsoft, AWS, or CompTIA?

Yes! ExamCademy supports a wide range of IT certification exams including Microsoft Azure, AWS Cloud Practitioner, and CompTIA A+ and Security+.

How accurate are the mock exams?

Our practice questions are community-created and moderator-reviewed to align with realistic exam objectives, style, and difficulty.

SPLK-1002 by Splunk - Page 1 | ExamCademy

Mode Selection

Question 1

Question 2

Question 3

What is the correct syntax to find events associated with a tag?

A tag:<field>=<value>
B tags=<value>
C tags:<field>=<value>
D tag=<value>

Question 4

Which of the following is true about the Splunk Common Information Model (CIM)?

A The CIM contains 28 pre-configured datasets.
B The data models included in the CIM are configured with data model acceleration turned on.
C The data models included in the CIM are configured with data model acceleration turned off.
D The CIM is an app that needs to run on the indexer.

Question 5

Consider the following search run over a time range of last 7 days:

index=web sourcetype=access_combined | timechart avg(bytes) by product_name

Which option is used to change the default time span so that results are grouped into 12 hour intervals?

A timespan=12
B span=12h
C timespan=12h
D span=12

Question 6

When would transaction be used instead of stats?

A To have a faster and more efficient search.
B To see results of a calculation.
C To group events based on start/end values.
D To group events based on a single field value.

Question 7

Given the following eval statement:

... | eval field1 = if(isnotnull(fieid1),field1,0), field2 = if(isnull
Which of the following is the equivalent using fillnull?

A There is no equivalent expression using fillnull
B ... | fillnull values=(0,"NO-VALUE") fields=(field1,field2)
C ... | fillnull field1|' fillnull value="NO-VALUE" field2
D ... | fillnull value=0 field1 | fillnull field2

Question 8

The Splunk Common Information Model (CIM) is a collection of what type of knowledge object?

A Saved searches
B Lookups
C KV Store
D Data models

Question 9

How is a Search Workflow Action configured to run at the same time range as the original search?

A Select the "Use the same time range as the search that created the field listing" checkbox.
B Set the earliest time to match the original search.
C Select the same time range from the time-range picker.
D Select the "Overwrite time range with the original search" checkbox.

Question 10

A calculated field is a shortcut for performing repetitive, long, or complex transformations using which of the following commands?

A transaction
B eval
C lookup
D stats

Question 11

When using the transaction command, how are evicted transactions identified?

A _txn field is set to 1, or true.
B open_txn field is set to l, or true.
C max_txn field is set to 0, or false.
D closed_txn field is set to 0, or false.

Question 12

How are arguments defined within the macro search string?

A “arg”
B %arg%
C $arg$
D ‘arg’

Question 13

By default, how is acceleration configured in the Splunk Common Information Model (CIM) add-on?

A Turned off.
B Turned on.
C Determined automatically based on the sourcetype.
D Determined automatically based on the data source.

Question 14

Which of the following objects can a calculated field use as a source?

A An alias of a field.
B A field added by an automatic lookup.
C The tag field.
D The eventtype field.

Question 15

How are event types different from saved reports?

A Event types can be shared with Splunk users and added to dashboards.
B Event types include formatting of the search results.
C Event types do not include a time range.
D Event types cannot be used to organize data into categories.

Question 16

When creating a data model, which root dataset requires at least one constraint?

A Root event dataset
B Root transaction dataset
C Root search dataset
D Root child dataset

Question 17

Which search retrieves events with the event type web_errors?

A tag=web_errors
B eventtype=web_errors
C eventtype(web_errors)
D eventtype "web_errors"

Question 18

When used with the timechart command, which value of the limit argument returns all values?

A limit=none
B limit=all
C limit=0
D limit=*

Question 19

Which of the following statements best describes a macro?

A A macro is a method of categorizing events based on a search.
B A macro is a knowledge object that enables you to schedule searches for specific events.
C A macro is a portion of a search that can be reused in multiple places.
D A macro is a way to associate an additional (new) name with an existing field name.

Question 20

The macro weekly_sales(2) contains the search string:

index=games | eval ProductSales = $Price$ * $AmountSold$

Which of the following will return results?

A 'weekly_sales(3.99, 10)'
B 'weekly_sales($3.99$, $10$)'
C 'weekly_sales(3.99, 10)'
D 'weekly_sales(3)'

Question 21

What happens when a user edits the regular expression (regex) field extraction generated in the Field Extractor (FX)?

A There is a limit to the number of fields that can be extracted.
B The user is unable to return to the automatic field extraction workflow.
C The user is unable to preview the extractions.
D The extraction is added at index time.

Question 22

What does the fillnull command replace null values with, if the value argument is not specified?

A NULL
B 0
C NaN
D N/A

Question 23

What is the correct syntax for the transaction command?

A | transaction(clientip,5m,1m)
B | transaction clientip maxspan=5 pause=1
C | transaction clientip maxspan=5m maxpause=1m
D | transaction(clientip, 5, 1)

Question 24

Which of the following statements describe the Common Information Model (CIM)? (Choose all that apply.)

A CIM is a methodology for normalizing data.
B CIM can correlate data from different sources.
C The Knowledge Manager uses the CIM to create knowledge objects.
D CIM is an app that can coexist with other apps on a single Splunk deployment.

Question 25

What is the Splunk Common Information Model (CIM)?

A The CIM is a prerequisite that any data source must meet to be successfully onboarded into Splunk.
B The CIM defines an ecosystem of apps that can be fully supported by Splunk.
C The CIM provides a methodology to normalize data from different sources and source types.
D The CIM is a data exchange initiative between software vendors.

Page 1 of 8 • Questions 1-25 of 184

1 2 3 4 5

→

Know a question that should be here? Contribute to this exam

Which one of the following statements about the search command is true?

A It does not allow the use of wildcards.
B It treats field values in a case-sensitive manner.
C It can only be used at the beginning of the search pipeline.
D It behaves exactly like search strings before the first pipe.

Which of the following statements would help a user choose between the transaction and stats commands?

A stats can only group events using IP addresses.
B The transaction command is faster and more efficient.
C There is a 1000 event limitation with the transaction command.
D Use stats when the events need to be viewed as a single correlated event.

SPLK-1002Preview