Question No. 1

When using the Field Extractor (FX) to perform a field extraction, which delimiter can be used?

AA period or comma.

BA comma.

CA tab or space.

DAny consistent character.

Show Answer

Correct Answer: D

When using the Field Extractor (FX) in Splunk to perform field extraction, any consistent character can be used as a delimiter. The Field Extractor allows users to define how fields are separated in the raw event data, and as long as the delimiter is consistent, the FX tool can parse and extract the fields correctly.

Splunk Docs: Field Extractor

Splunk Answers: Field extraction delimiters

Question No. 2

The fields sidebar does not show________. (Select all that apply.)

Ainteresting fields

Bselected fields

Call extracted fields

Show Answer

Correct Answer: C

The fields sidebar is a panel that shows the fields that are present in your search results2.The fields sidebar does not show all extracted fields, which are fields that are extracted from your raw data using various methods such as regular expressions, delimiters or key-value pairs2.The fields sidebar only shows selected fields and interesting fields2.Selected fields are fields that you choose to display in your search results by clicking on them in the fields sidebar or by using the fields command2.Interesting fields are fields that appear in at least 20 percent of events or have high variability among values2. Therefore, option C is correct, while options A and B are incorrect because they are types of fields that the fields sidebar does show.

Question No. 3

A search contains example(100,200). What is the name of the macro?

Aexample(2)

Bexample(var1,var2)

Cexample($,$)

Dexample[2]

Show Answer

Correct Answer: B

In Splunk, macros that accept arguments are defined with placeholders for those arguments in the format example(var1, var2). In the search example(100,200), '100' and '200' are the values passed for var1 and var2 respectively.

Splunk Docs -- Macros

Question No. 4

Which type of workflow action sends field values to an external resource (e.g. a ticketing system)?

APOST

BSearch

CGET

DFormat

Show Answer

Correct Answer: A

The type of workflow action that sends field values to an external resource (e.g. a ticketing system) is POST. A POST workflow action allows you to send a POST request to a URI location with field values or static values as arguments. For example, you can use a POST workflow action to create a ticket in an external system with information from an event.

Question No. 5

Given the following eval statement:

...| eval fieldl - if(isnotnull(fieldl),fieldl,0), field2 = if(isnull, "NO-VALUE", fieid2)

Which of the following is the equivalent using f ilinull?

AThere is no equivalent expression using f ilinull

B... t filinull values=(0,'NO-VALUE') fields=(fieldl,field2)

C... I filinull value=0 fieldl I fillnull fields

D... I fillnull fieldl I filinull value='NO-VALUE' field2

Show Answer

Correct Answer: B

The fillnull command replaces null values in one or more fields with a specified value. The values option allows you to specify a comma-separated list of values to fill the null values in the corresponding fields. The fields option allows you to specify a comma-separated list of fields to apply the fillnull command to. The eval statement in the question uses the if and isnull functions to check if field1 and field2 have null values and replace them with 0 and ''NO-VALUE'' respectively.The equivalent expression using fillnull is to use the values option to specify 0 and ''NO-VALUE'' and the fields option to specify field1 and field22

1: Splunk Core Certified Power User Track, page 9.2: Splunk Documentation, fillnull command.

Free Splunk SPLK-1002 Exam Actual Questions

The questions for SPLK-1002 were last updated On Nov 19, 2024