SPLK-1002 Practice Exam Questions and Answers

A.  

Select an additional sample event with the Field Extractor (FX) and highlight the missing value in the event.

B.  

Re-ingest the data and attempt to extract from a new dataset.

C.  

Click on the event where the field was not extracted and choose “Change to Delimited".

D.  

Edit the regular expression manually.

A.  

Sets the maximum total time between events in a transaction.

B.  

Sets the maximum length of all events within a transaction.

C.  

Sets the maximum total time between the earliest and latest events in a transaction.

D.  

Sets the maximum length that any single event can reach to be included in the transaction.

A.  

| chart count by vendor_action, user

B.  

| chart count over vendor_action, user

C.  

| chart count by vendor_action over user

D.  

| chart count over user by vendor_action

A.  

Macros

B.  

Lookups

C.  

Workflow actions

D.  

Field extractions

A.  

Turned off

B.  

Turned on

C.  

Determined automatically based on the sourcetype.

D.  

Determined automatically based on the data source.

A.  

The CIM is a prerequisite that any data source must meet to be successfully onboarded into Splunk.

B.  

The CIM provides a methodology to normalize data from different sources and source types.

C.  

The CIM defines an ecosystem of apps that can be fully supported by Splunk.

D.  

The CIM is a data exchange initiative between software vendors.

A.  

Search

B.  

Where

C.  

If

D.  

Any of the above

A.  

Median(X)

B.  

Eval by X

C.  

Fields(X)

D.  

Values(X)

A.  

Examplemacro [1,2]

B.  

samplemacro(1,2)

C.  

u amp -CJEUCXG (2)

D.  

samplemacro[2]

A.  

Lookup definitions in lookup tables.

B.  

Reusable pieces of search processing language.

C.  

A method to normalize fields.

D.  

Categories of search results.