Which are the boolean operators that can be used by the eval command? select all that apply.

Use the eval command to calculate the value of an expression and display the value in a new field.

For examples of using this command in typical scenarios, see:

• Rename the Fields by Editing the Query in Using Oracle Log Analytics
• Histogram Chart Options in Using Oracle Log Analytics
• Visualize Time Series Data Using the Link Trend Feature in Using Oracle Log Analytics
• Generate Charts with Virtual Fields in Using Oracle Log Analytics
• Link by Using SQL Statement as the Field of Analysis in Using Oracle Log Analytics
• Analyze the Time Taken Between Steps in a Transaction in Using Oracle Log Analytics
• Use Link Navigation Functions to Identify Events in a Database in Using Oracle Log Analytics
• Use the Currency Symbols in Your Log Analysis in Using Oracle Log Analytics

Following are some examples of the eval command.

*|eval newField = 'foo'*|eval newField = 123*|eval newField = upper(Target)*|eval newField = length('hello world')*|eval newField = replace('aabbcc', 'bb', 'xx')*|eval newField = concat(host, concat (':', port))*|eval newField = host || ':'|| port*|eval newField = url('Destination URL')*|eval newField = substr('aabbcc', 2, 4)*|eval newField = round(123.4)*|eval newField = unit('Content Size', KB)eval 'File Size (bytes)' = unit('File Size', 'byte') eval 'File Size (KB)' = unit('File Size'/1024, 'kb')eval 'File Size (MB)' = unit('File Size'/(1024*1024), 'mb')eval 'Time Taken (Sec)' = unit('Time Taken (ms)'/1000, 'SEC')*|eval newField = floor(4096/1024)+Length*|eval newField = if (max(Length)(Target), length(Severity)) <= 20, 'OK', 'ERROR')*|eval newField = urldecode('http%3A%2F%2Fexample.com%3A893%2Fsolr%2FCORE_0_0%2Fquery')*|eval newField = 'Host Name (Destination)' in (host1, host2)

The following example compares the IP addresses in the field srvrhostip to a subnet range.

*|eval newField = if (cidrmatch(srvrhostip, '192.0.2.254/25') = 1, 'local', 'not local')

The following example returns the string “Target”.

*|eval newField = literal(Target)

The following example removes the spaces and tabs from both the ends.

*|eval newField = trim(Label)

The following example removes the matching character from both the ends.

*|eval newField = trim('User Name',h)

The following example removes the matching character from the left end.

*|eval newField = ltrim('Error ID',0)

The following example removes the matching character from the right end.

*|eval newField = rtrim('OS Process ID',2)

The following example sets the field date to Start Date and defines the format of the date as MM/dd/yyyy HH:mm.

*|eval date = toDate('Start Date', 'MM/dd/yyyy HH:mm')

The following example sets the value of the field duration to 1.30.

*|eval duration = toduration("1.30")

The following example sets the value of the field duration to a numerical value which is the difference of End Time and Start Time.

*|eval duration = formatDuration('End Time' - 'Start Time')

The following examples illustrate the use of date functions.

*| eval lastHour = dateAdd(now(), hour, -1) *| eval midnight = dateSet(now(), hour, 0, minute, 0, sec, 0, msec, 0) *| eval timeOnly = formatDate(now(), 'HH:mm:ss') *| eval now = now()

The following example sets the value of the field newField with the position of .com in the uri string.

*|eval newField = indexOf(uri, '.com')

You can use the md5, sha1, and sha256 hash functions with the eval command to filter log data. The following example sets the value of the field user with the value sha1("jane").

*|eval user = sha1("jane")

A field with a size or duration type unit would be used to format the values in the Link Analyze chart, addfields histograms and the Link Table:

'Log Source' = 'FMW WebLogic Server Access Logs' | link span = 5minute Time, Server | stats avg('Duration') as 'Raw Avg. Duration' avg('Content Size') as 'Raw Avg. Transfer Size' | eval 'Average Duration' = unit('Raw Avg. Duration', ms) | eval 'Average Transfer Size' = unit('Raw Avg. Transfer Size', byte) | classify 'Start Time', 'Average Duration', 'Average Transfer Size' as 'Response Time vs. Download Sizes'

Mark a field as containing US Dollars, thousands of US Dollars, millions of US Dollars, or billions of US Dollars, respectively:

| eval 'Amount in USD' = unit('Sales Price', usd) | eval 'Amount in Thousands (USD)' = usd('Quarterly Sales', usd_thousand) | eval 'Amount in Millions (USD)' = usd('Annual Profit', usd_million) | eval 'Amount in Billions (USD)' = usd('Annual Sales', usd_billion)

True or False. Tags, field values with "eval" and "where," and "field values from lookup" are case insensitive.

False. They are case sensitive.

True or False. Field names, regular expressions and Boolean operators are case sensitive.

True

As events come into Splunk, they are placed into an index's ____ ___ (which is the only writable bucket).

hot bucket

Which command returns tables containing only specified fields in a result set?

table

Which command renames a field in results?

rename

Which command includes or excludes specified fields?

fields

Which command sorts results by specified field?

sort

Which command adds field values from an external source (e.g., csv files)?

lookup

Are Boolean operators case sensitive?

yes

Are field names case sensitive?

yes

Using a ____ ____ in Splunk is a way to search through text to find pattern matches in your data.Are they case sensitive?

regular expressionyes

True or False. Field values from lookup, tags, and field values with "eval" and "where" commands are not case sensitive.

False. They are case sensitive.

Are command names (i.e. stats, STATS), command clauses (i.e. "as," "by," "with), statistical functions (i.e. avg, AVG, Avg), search terms (i.e. failed, FAILED) and field values (i.e. host=www1, host=WWW1) case sensitive or case insensitive?

case insensitive

As events age in Splunk, they move from the ____ bucket, to the ____ bucket and finally to the ____ bucket.

hot, warm, cold

Who can configure settings and add more to buckets? Users, admins or power users?

admins

What is the most efficient filter to use when searching events? After time, the most powerful fields to filter are what?

timeindex, host, source and sourcetype

What command would you use in order to only extract (discover) the fields you need?

fields command

____ mode in Splunk = performance over completeness.____ mode in Splunk balances speed and completeness.____ mode in Splunk focuses on completeness over performance

fastsmartverbose

Removing duplicates then sorting is ____ (faster or slower) than sorting then removing duplicates?

faster

____ commands massage raw data in tables and transform specified cell values for each event into numerical values that you can use for statistical purposes.

transforming

What commands are required to 'transform' search results into visualizations?

transforming

What type of commands are the following?toprarecharttimechartstatsgeostats

transforming

In fast mode, verbose mode, and smart mode what is not available for non-transforming searches?

statistics and visualizations

Only metadata fields (host, source and sourcetype) and fields specified in a search are available in ___ mode.

fast

In fast mode transforming searches, ____ and ___ are not available. However, statistics and visualizations are.

events, patterns

In ___ mode, events and patterns are available in non-transforming searches, but statistics and visualizations are not.Are events, patterns, statistics and visualizations available for transforming searches?

verboseyes

In smart mode, events and patterns are NOT available. However ____ and ____ are.

statistics and visualizations

What tool allows you to examine the:Overall stats of search (e.g., records processed and returned, processing time)How search was processed Where Splunk spent its time

Search Job Inspector tool

What is used to troubleshoot a search’s performance and understand the impact of knowledge objects on processing (e.g., event types, tags, lookups)?

Search Job Inspector tool

Header, execution costs and search job properties are the 3 ____ of what tool?

componentsSearch Job Inspector tool

Which component of the Search Job Inspector tool provides basic information, including time to run and # of events scanned?

header

Which component of the Search Job Inspector tool provides details on the cost to retrieve results?

execution costs

command.search.index, command.search.filter, and command.search.rawdata are all ____ ___ shown in the Search Job Inspector tool.

execution costs

Which execution cost of the Search Job Inspector tool specifies the time that it took to filter out events that did not match?a. command.search.rawdatab. command.search.indexc. command.search.filter

c. command.search.filter

Which execution cost of the Search Job Inspector tool specifies the time that it took to search the index for the location to read in rawdata files?a. command.search.rawdatab. command.search.indexc. command.search.filter

b. command.search.index

Which execution cost of the Search Job Inspector tool specifies the time that it took to read events from the rawdata files?a. command.search.rawdatab. command.search.indexc. command.search.filter

a. command.search.rawdata

As events are stored by time, ______ is the most efficient filter.a. _timeb. _rawc. _introspection

a. _time

Select all that are considered case sensitive.a. Boolean operatorsb. tagsc. keywordsd. command functions

a. Boolean operatorsb. tags

The Search Job Inspector has three components. Select all that apply.a. Headerb. Health checkc. Search job propertiesd. Execution costs

a. Headerc. Search job propertiesd. Execution costs

For general search best practices, only use________ wildcards to make efficient use of index.a. trailingb. beginningc. middle-of-string

a. trailing

When a search returns statistical values, results can be viewed in a table on the ___ tab or as a ____.

statisticsvisualization

Lines, column charts, pie charts, single values, gauges, maps and many more are all examples of what?

visualizations

A ___ ____ is a sequence of related data points that are plotted in a visualization. They can generate various statistical or visualization results.

data series

Most visualizations require a ____ ___ table. A ___ ___ table consists of search results structured as a table with at least two columns.

single series

The leftmost column of a single series table provides x-axis values or y-axis values? What axis are subsequent columns on?

x-axis valuesthe y-axis

To get ___ ____ tables, you need to set up the underlying search with transforming commands such as "chart" and "timechart."

multi-series tables

___ ___ tables display statistical trends over time. They can be single-series or multi-series.

time series

What command do you have to use for a time series result?

timechart command

What type of chart shows trends in the relationships between discrete data values?

scatter charts

____ charts show discrete values that do not occur at regular intervals or belong to a series.

scatter

The ____ command can display any data series plotted across one or two dimensions.

chart

What chart command function is being used in the following search strings? (Note: The difference between the two are the "over" clause and the "by" clause in the second lines).index=security sourcetype=linux_secure| chart count over vendor_actionindex=security sourcetype=linux_secure| chart count by vendor_action

count function

When you use the ___ function in Splunk, a table is created with a column that tallies the number of events for each value in the result set.

count

With the ____ command, you can use the "by" clause with the "over" clause to split results (ie. over vendor_action by user). Or you can just use two "by" clauses (i.e. by vendor_action, user).

chart

You can only split chart results over a maximumof how many dimensions using the chart command?

two

Chart and timechart commands automatically filter results to include the ____ highest values. Surplus values are grouped in "OTHER." Results can be skewed by "NULL" and "OTHER."a. fiveb. tenc. twentyd. fifteen

b. ten

What chart and timechart command values are shown by default?

NULL and OTHER

"useother=f" and "usenull=f" can be used to remove empty ____ and ____ values from display in a visualization using the chart command.

NULL and OTHER

What can be used to adjust the default number of plotted series (10) when using the chart command?

limit argument

The ____ command performs statistical aggregations against time. It also plots and trends data over time.

timechart command

"_time" using the timechart command is always on the x-axis or y-axis?

x-axis

Line or area charts are the best representation of what type of chart?

timecharts

With the timechart command,the default time intervals (or time ranges of a search) that can be used are span=1m which equals _____ minutes and span=30m which equals ____ hours.

60 minutes24 hours

You can adjust the time interval of a timechart by using what argument?

"span" argument

The ____ layout allows you to display multiple charts based on one result set and allows visual comparison between different categories.

trellis layout

Which command displays the output of the timechart command, so that each time period is a separate series?a. timechart commandb. chart commandc. timewrap command

c. timewrap command

Which command can compare data over a specific time period, such as day-over-day or month-over-month?a. timechart commandb. timewrap commandc. chart command

b. timewrap command

What command is being used here?index=security sourcetype=linux_secure| stats count by src_ip, user, vendor_action, app

stats command

What clause would you use to calculate statistics for two or more non time-based fields?

"by" clause

To get multi-series tables, you need to set up the underlying search with transforming commands. Select all that apply.a. chartb. abstractc. timechart

a. chartc. timechart

When using the timechart command, what option is used to specify the _time interval?a. groupb. trendc. span

c. span

Which of the three transforming commands below allows you to split results over a maximum of TWO dimensions?a. statsb. chartc. timechart

b. chart

Which of the three transforming commands below allows you to split results over a maximum of ONE dimension?a. statsb. chartc. timechart

c. timechart

Which of the three transforming commands below allows you to split results over MANY dimensions?a. statsb. chartc. timechart

a. stats

Which of the three transforming commands below does not allow you to limit the number of series shown, filter "other" and "null" series, and set value groups along the x-axis?a. statsb. chartc. timechart

a. stats

Which transforming commands allow you to use "span" in order to set value groups along the x-axis?a. statsb. chartc. timechart

b. chartc. timechart

Which commands would you use to count the frequency of a field(s)?a. statsb. chartc. top/rared. timechart

c. top/rare

Which command is non time-based and would be used to calculate statistics for two or more "by" fields?a. statsb. chartc. top/rared. timechart

a. stats

Which command is used to calculate statistics using an arbitrary field as the x-axis? This command also allows you to use "over" or "by" to specify the x-axis, and WILL NOT allow you to use "_time" on the x-axis.a. statsb. chartc. top/rared. timechart

b. chart

You would use the ____ command to calculatestatistics with "_time" as the x-axis.a. statsb. chartc. top/rared. timechart

d. timechart

If a "by" field is used for the timechart command, the output is a ____.

table

To get multi-series tables, you need to set up the underlying search with transforming commands. Select all that apply.a. chartb. abstractc. timechart

a. chartc. timechart

When using the timechart command, what option is used to specify the _time interval?a. groupb. trendc. span

c. span

____ are aliases to field values. For example, if two host names refer to the same computer, you could give both host values the same ___ (for example, hal9000). When you search for ___=hal9000, Splunk returns events involving both host name values.Note: Answers for all blanks are the same

tags

top, stats, chart, and timechart are all what type of commands?a. Sorting Results b. Filtering Results c. Grouping Results d. Reporting Resultse. Filtering, Modifying, and Adding Fields

d. Reporting Results

Which transforming command returns the most frequently occurring typle of field values, along with their count and percent?a. statsb. chartc. topd. raree. timechart

c. top

This command computes the moving averages of a field.

trendline

There are 3 ____ that must be included when using the trendline command. ____ (acronym for simple moving average), _____ (acronym for exponential moving average), and ____ (acronym for weighted moving average).

trendtypessmaemawma

The ___ over which to compute a trend (which can be between whole numbers of 2 and 10,000) must be included when using the trend line command.

period

When displaying data on maps, there are two types that can be used:A ____ map (which shades areas based on metrics).A ____ map (which displays statistical grouping based on geo location).

ChoroplethCluster

Which command is used to look up and add location information to an event (including city, country, region, latitude and longitude)?a. geostatsb. iplocationc. statsd. charte. timechart

b. iplocation

True or False. The iplocation command DOES NOT automatically define default lat and lon fields required by geostats.

FalseThe iplocation command AUTOMATICALLY defines default lat and lon fields required by geostats.

The ____ command is used to compute statistical functions and render a cluster map. Data must include latitude and longitude values.a. chartb. iplocationc. statsd. geostatse. timechart

d. geostats

When using the geostats command, you can control the column count, using the ______ argument.

globallimit

____ maps use shading to show relative metrics, such as sales, network intruders, etc. for predefined geographic regions.

Choropleth

To define regional boundaries for a choropleth map, you must have what type of files? Select all that apply.a. CSVb. KML (Keyhole Markup Language)c. JSONd. KMZ (compressed Keyhole Markup Language)e. XML

b. KML (Keyhole Markup Language)d. KMZ (compressed Keyhole Markup Language)

The standard geo searches that Splunk ships with for the choropleth maps is:1. geo_us_states (which for what country?)2. geo_countries (which is for ____)and…| geom [featureCollection] [featureIdField=string](Note: No answer needed for this one)

United Statescountries of the world

With gauge visualizations, you can make adjustments to color by using UI or the ____ command.

gauge

____ layout displays multiple gauges when using a by clause in the stats command.

trellis

With the timechart command, you can add a _____ and a trend. A ____ is an inline chart and is designed to display time-based trends associated with the primary key.(Note: Same answer for both)

sparkline

The ____ command is used to compute the sum of all or selected columns, and place the total in the last row and last column.a. topb. statsc. chartd. addtotalse. timechartf. iplocationg. geostats

d. addtotals

When using the add totals command, ___=t counts the fields in each row under a column named, while ____=t counts the fields in each row in a row named.

row=tcolumn=t

The trendline command provides three trend types. Select all that apply.a. tma (time)b. sma (simple)c. ema (exponential)d. wma (weighted)

b. sma (simple)c. ema (exponential)d. wma (weighted)

By default, the iplocation command adds fields to the results. Select all that apply.a. Cityb. lonc. pidd. Region

b. lon

When using the addtotals command, the labelfield argument is valid only when _______.a. col=trueb. row=truec. fieldname=f

a. col=true

This command calculates an expression and puts the resulting value into a new field. For instance if a user creates the following search string:… | eval velocity=distance/timeThe resulting table would have the value for distance in one column, the value for time in another column and the eval velocity column would be the result of the # for distance divided by the number for time.

eval command

When using the eval command, expressions must be separated by what character?a. >= b. ,c. !=

b. ,

The ____ command allows you to:Calculate expressionsPlace the results in a fieldUse that field in searches or other expressions

eval

When using the eval command, the ____ function sets the value of a field to the number of decimals you specify. (ie. one number after the decimal, two numbers after the decimal, etc.)

round

Which type of eval command is represented by the following operators?+ - * / %a. Booleanb. Comparisonc. Arithmeticd. Concatenation

Arithmetic

Which type of eval command is represented by the following operators?NOT AND OR XORa. Booleanb. Comparisonc. Arithmeticd. Concatenation

a. Boolean

Which type of eval command is represented by the following operators?< > <= >= != = LIKEa. Booleanb. Comparisonc. Arithmeticd. Concatenation

b. Comparison

Which type of eval command is represented by the following operators?+ .a. Booleanb. Comparisonc. Arithmeticd. Concatenation

d. Concatenation

When using the eval command, and the round function for results, If the number of decimals is unspecified, what is the result?

a whole number

When using the eval command, the ____ function converts a numeric field value to a string.

tostring

When using the eval command and tostring function, there are 3 options that you can use to format the numbers in the table that is created:a. _____ which apply commas to the numbersb. _____ which format the numbers as hh:mm:ssc. _____ which formats the number in a hexadecimalPlace the following terms in the correct blank:"duration," "commas," "hex"

a. commasb. durationc. hex

Which eval command function is described below?1. takes three arguments2. the first argument, X, is a boolean expression3. if argument X evaluates to TRUE, the result evaluates to the second argument, Y4. if argument X evaluates to FALSE, the result evaluates to the third argument, Z

"if" function

When using the eval command "if" function, non numeric values must be enclosed in _______.Are field values case sensitive when using this function, or case insensitive?

double quotescase sensitive

The eval command ____ function works similar to that of the "if" function. However, rather than the first argument being X, it's X1. The following arguments are Y1, X2, Y2, etc.Also, if none of the boolean expressions are true, the result evaluates to NULL.

case

If none of the boolean expressions were true using the eval command "case" function, what would the result be?

NULL

Identify the functions used in both search strings:Search string #1:index=network sourcetype=cisco_wsa_squid| eval Risk = case(x_wbrs_score >= 5,"1 Very Safe",x_wbrs_score >= 3,"2 Safe",x_wbrs_score >= 0,"3 Neutral",x_wbrs_score >= -5,"4 Dangerous",x_wbrs_score < -5, "5 Very Dangerous")Search string #2index=sales sourcetype=vendor_sales| eval SalesTerritory =if ((VendorID >= 7000 AND VendorID < 8000), "Asia", "Rest of the World")

1. case function2. if function

The _____ command calculates an expression and puts the resulting value into a search results field.

eval

Unlike the eval "command" (which calculates an expression and puts the resulting value into a search results field), the eval "____" counts the number of events that have a specific field value.What function must be used along with the eval "____"?Note: Same answers for the blank spaces.

functioncount

True or False. Field values ARE case sensitive when using the eval "FUNCTION."

True

Which command is described below? The "search" command, or the "where" command?1. Can be used at any point in the search pipeline2. Allows searching on keywords3. Treats field values in a "case insensitive" manner

search

Is the "search" command, or the "where" command being described below?1. Functions are available, such as isnotnull()2. Can’t appear before first pipe in search pipeline3. Can’t filter with keywords3. Treats field values in a "case-sensitive" manner4. Can compare values from two different fields

where

Which command is used here? Also describe what is happening?source=job_listings | where salary > industry_average

"where" commandretrieves jobs listings and discards those whose salary is not greater than the industry average

When using the "like" operator with the "where" command, you must use (_) for __ character and(%) for _____ characters.Note: The blank spaces should be filled with quantities (i.e. one, a couple, multiple)

one multiple

What where command operator is being used in the following search string?index=security sourcetype=linux_secure| where like (user,"adm%")| dedup user| table user

like

When using the "where" command, use _____ to find events with an empty value for a specific field, and ____ to find events that contain a non-empty value for a particular field. On the other hand, _____ should be used to replace null values in fields. a. fillnullb. isnullc. isnotnull

b. isnullc. isnotnulla. fillnull

Create a new field called velocity in each event. Calculate the velocity by dividing the values in the distance field by the values in the time field.a. |eval {velocity} = Value, distance OVER timeb. |eval velocity=distance/timec. |eval velocity=split(distance,time)

b. |eval velocity=distance/time

If you use the following eval command with the round() function, select a possible result:|eval bandwidth = round(Bytes/pow(1024,2), 2)a. 28b. 124.032c. 273.02

c. 273.02

The eval command supports comparison and conditional functions. Select all that apply.a. case (X1,"Y1",X2,"Y2",…)b. if (X,Y,Z)c. like (TEXT,PATTERN)d. tostring(X,Y)

a. case (X1,"Y1",X2,"Y2",…)b. if (X,Y,Z)

If you want to use the fillnull command and show a specific text, which syntax would be correct?a. | fillnull value="nada"b. | fillnull NULL=nadac. | fillnull 0 as nada

a. | fillnull value="nada"

The ____ command groups related events that meet various constraints. The events are grouped into ____, which are collections of events, possibly from multiple sources.Note: Same answer for both blank spaces.

transaction

The following are common ____ that are used when the transaction command is used:maxspan maxpause startswith endswith

constraints

What command would you use at any point in the search pipeline to filter the transactions created by the transaction command?

search command

The transaction command produces two fields:1. ____: difference between the timestamps for the first and last events in the transaction.2. ____: number of events in the transaction.

durationeventcount

When using the transaction command, you can define a max overall time span and max gap between events.Which definition describes maxspan, and which describes maxpause?_____ is the maximum total time between events_____ is the maximum total time between theearliest and latest events

maxpausemaxspan

What would the following indicate in an event where the transaction command is used?maxspan=5m

The maximum total time between the first and last event of all of the transactions combined should be no more than 5 minutes.

To form transactions based on terms, field values, or evaluations, use ____ and ___ options. For example, if you were determining how long it took for customers to complete a purchase online over the last 24 hours you might want the FIRST event in your transactions to include "addtocart" and the LAST event to include "purchase."

startswithendswith

_____ can be useful when a single event does not provide enough information.

transactions

True or False. You can use statistics and transforming commands with transactions.

True

When you have a choice, would you use the transaction or stats command? Why?

statsit's more efficient

Which of the following definitions describe the stats command? Which definition describes the transaction command?The ____ command when you:• Need to see events correlated together• Must define event grouping based on start/end values or segment on timeThe ____ command when you:• Want to see the results of a calculation• Can group events based on a field value (e.g., by src_ip)

transactionstats

There is a limit of ____ events when using the ____ command. However there is no limit when using the ____ command.Note:first blank: #second and third blanks: pick transaction or stats

1,000transactionstats

What’s the maximum number of events that can be grouped per transaction?a. 100 eventsb. 1,000 eventsc. 10,000 events

b. 1,000 events

What are the options that can be used to constrain transactions? Select all that apply.a. startswithb. endswithc. maxspand. maxpause

c. maxspand. maxpause

Which fields are created by the transaction command? Select all that apply.a. durationb. memcontrolc. eventcountd. txn_definitions

a. durationc. eventcount

What are tools you use to discover and analyze various aspects of your data?

knowledge objects

Data interpretation, data classification, data enrichment, normalization and data sets are all different types of what?

knowledge objects

Which knowledge object deals with fields and field extractions?a. data classificationb. data setsc. data interpretationd. data enrichment

c. data interpretation

Which knowledge object deals with event types?a. data classificationb. data setsc. data interpretationd. data enrichment

a. data classification

This type of knowledge object consists of lookups and workflow actions.a. data classificationb. data setsc. data interpretationd. data enrichment

d. data enrichment

This type of knowledge object deals with tags and field aliases.a. data classificationb. data setsc. data interpretationd. data enrichmente. normalization

e. normalization

This type of knowledge object contains data models.a. data classificationb. data setsc. data interpretationd. data enrichmente. normalization

b. data sets

____ ___ are also persistent objects that can be used by multiple people or apps, such as macros and reports.

knowledge objects

A Knowledge Object Manager could be any of the 3 Splunk roles, but a person usually has to at least be a ______.a. userb. adminc. power user

c. power user

Select all knowledge objects.a. lookupsb. field aliasesc. usersd. workflow actions

a. lookupsb. field aliasesd. workflow actions

Splunk knowledge objects are persistent objects that can be used by multiple ________. Select all that apply.a. usersb. appsc. searches

a. usersb. apps

Search-time operations are always applied in the same order when generating knowledge objects. Use the following information to put search time operation in the correct order.a. Lookups b. Calculated fieldsc. Tagsd. Extractionse. Field aliasesf. Event types

d. Extractionse. Field aliasesb. Calculated fieldsa. Lookupsf. Event typesc. Tags

Field aliases are applied after __________, before ___________. Select all that apply.a. lookups, field extractionsb. field extractions, lookupsc. field extractions, tags

b. field extractions, lookupsc. field extractions, tags

Prior to search time in Splunk, some fields are already stored with the event in the index. ____ fields, such as host, source, and sourcetype, and ____ fields such as _time and _raw are those fields. However at search time, ____ _____extracts fields from raw event data,including those directly related to the search’s results. Use the following answers to fill in the blanks.a. internalb. field discoveryc. meta

c. metaa. internalb. field discovery

In addition to the many fields Splunk auto-extracts, you can also extract your own fields with the ____ ____.(FX)

Field Extractor

You can use ___ __ to extract fields that are static and that you use often in searches.

Field Extractor

You can extract fields in FX from events using ____ and ____.

regex, delimiter

The are two extraction methods in Splunk. The first, ____ is used when your event contains unstructured data like a system log file. The second, ____ is used when your event contains structured data like a .csv file.

regex, delimiter

You would use _____ field extractions when a consistently structured log has values that are separated by spaces, commas, or characters.

delimited

Use _________ field extractions when fields are separated by spaces, commas, or characters.a. delimitedb. regexc. rename

a. delimited

There are three ways to get to the Field Extractor (FX). Select all that apply.a. Event Actions menub. Fields sidebarc. Settings menud. Auto-Extract Fields Workflow

a. Event Actions menub. Fields sidebarc. Settings menu

Use ___ ____ to extract fields that are static and that you use often in searches including:-Graphical UI-Extract fields from events using regex or delimiter-Extracted fields persist as knowledge objects-Can be shared and re-used in multiple searches

Field Extractor

When using regex for field extraction, what's the first thing you have to do in the Field Extractor?a. Select a value to extractb. Provide a Field Namec. Edit the regular expressiond. Set the Extractions Name

a. Select a value to extract

____ ___ are a way to associate an additional (new) name with an existing field name, like a nickname (possibly for normalization purposes), and are evaluated by the “search parser” after field extractions, before ____.

field aliaseslookups

Many source types contain some type of user name. In order to make data correlation and searching easier, you can normalize the username field by using a ____ ____.

field alias

Put the following steps for creating a field alias in Splunk in sequential order:a. Fieldsb. New Field Aliasc. Settingsd. Field Aliases

c. Settingsa. Fieldsd. Field Aliasesb. New Field Alias

True or False. A new field alias is required for each sourcetype.

True

True or False. When you create a field alias, the original field IS affected.

False. The original field is not affected.

True or False. When you create a field alias, both fields appear in the all fields and Interesting Fields lists, if they appear in at least 20% of events.

True

When you create a field alias, both fields appear in the all fields and Interesting Fields lists, if they appear in at least ____% of events.

20%

After you have defined your field aliases, you can reference them in a ____ table.

lookup

____ fields are shortcuts for performing repetitive, long, or complex transformations using the eval command. ____ fields must be based on an extracted field.Note: Answer for both blanks are the same.

calculated

When you create a field alias, the default behavior is that the original field is:a. overwrittenb. not affectedc. cached

b. not affected

When you create a calculated field, the field in the expression must be __________.a. an extracted fieldb. a lookup tablec. field/column generated from within

a. an extracted field

____ fields reference field aliases. ___ ____ are created to rename an existing field extraction.

calculated fields, field aliases

Can you, or can't you do the following?1. Create a field alias that references a calculated field2. Create a calculated field that references a field added through a lookup operation

you CAN'T

A ___ is a knowledge object that enables you to search for events that contain specific field/value combinations. They are like labels that you create for field/value pairs, and make your data more understandable and less ambiguous.

tag

Are tags case sensitive or case insensitive?

case sensitive

To search for a tag associated with a value you would type:a. =b. Use (*) wildcardc. tag=

c. tag=

To search for a tag associated with a value on a specific field you would type:a. tag::=b. Use (*) wildcardc. tag=

a. tag::=

To search for a tag using a partial field value you would:a. =b. Use (*) wildcardc. tag=

b. Use (*) wildcard

In order to manage tags (such as edit permissions and disable all tags for pairs) you would use the _____ ___ ____ ___ ____ menu.Note: Answer contains 5 words.

List by Field Value Pair

How would you change a tag name?a. by editing permissionsb. by first clicking on the field value pairc. by typing "tag="

b. by first clicking on the field value pair

An ___ type is a method of categorizing events based on a search.

event

Can event types be tagged?

Yes, to group similar type of events

What do you use to create event types?

Event Type Builder

These are the two ways that you can ____ event types:1. Settings > Event types2. Event details > Actions

tag

___ ____categorize events based on a search string.

Event types

If you tag the field value of your home office’s IP address as ‘homeoffice’, what events are returned when you search for tag=homeoffice?a. events with that IP addressb. events from _internalc. field lookup table

a. events with that IP address

To search for a tag associated with a value on a specific field, select the correct search string.a. tag::user=privilegedb. tag=user==privilegedc. tag=user::privileged

a. tag::user=privileged

Which of the following are ways you can create an event type. Select all that apply.a. Settings > Event typesb. Run a search, and save as Event Typec. From event details, select Event Actions > Build Event Type

b. Run a search, and save as Event Type

_____ are useful when you frequently run searches or reports with similar search syntax, and can be a full search string or a portion of a search that can be reused in multiple places.

macros

In order to use a basic macro, you need to do the following:1. Type the macro name into the search bar2. Surround the macro name with the ______ (or grave accent) character... NOT single quotes

backtick

monthly_sales(3)The Splunker that typed the above is trying to add an argument to a macro. What have they done first in order to get the process started?

added the number of arguments in parentheses after the macro name

Within a search, macro _____ should look like the following examples:$currency$ (which would be the argument for currency)$symbol$(which would be the argument for symbol)$rate$(which would be the argument for rate)

arguments

When using a macro with arguments, you have to include the argument(s) in _____ following the macro name and list them in the EXACT SAME order that you listed them when creating the macro.

parentheses

When working with macros, the time range is _____________.a. Always set to Last 24 hoursb. Selected at search timec. Always set to All time

b. Selected at search time

When adding arguments to a macro, include the number of arguments in _____________.a. Parentheses after the macro nameb. Parentheses before the macro namec. Dollar signs within the search definition

a. Parentheses after the macro name

Surround the macro name with the _______ when executing a macro.a. Dollar signsb. Backtick characterc. Single quote character

b. Backtick character

You can execute ____ ____ from an event or field in your search results to interact with external resources or run another search.

workflow actions

______ workflow actions retrieve information from an external resource.a. POSTb. GETc. Search

a. GET

______ workflow actions send field values to an external resource.a. POSTb. GETc. Search

a. POST

______ workflow actions use field values to perform a secondary search.a. POSTb. GETc. Search

c. Search

Do GET workflow actions have spaces or special characters?

No

In order to create GET and POST workflow actions, you have to enter the _____ (this is an acronym) for where the user will be directed. What does the acronym stand for?

URI (Uniform Resource Identifier)

To perform a secondary search, use a _______ workflow action.a. Searchb. POSTc. GET

a. Search

Which workflow actions require you to specify if the behavior should open in a new window or current window? Select all that apply.a. Searchb. POSTc. GET

a. Searchb. POSTc. GET

_____ is used for creating dashboards, and its reports are based on datasets.

Pivot

Hierarchically structured datasets used in Pivot that contain searches and fields are called _____ _____ (two words). Each event, search, or transaction is saved as a separate ______ (one word).

data modelsdata set

The following are the 3 types of ____ that a data model can consist of.EventsSearchesTransactions

datasets

Which type of dataset contains constraints and fields?a. Eventsb. Transactionsc. Searches

a. Events

_____ in "event" datasets are essentially a search broken down into a hierarchy. ____ are associated with the events.

constraintsfields

Dataset fields are inherited from ____ ____.a. data modelsb. parent objectsc. root events

a. parent objects

The inherited attributes in the root event of a data model are called _____ fields.

default

You can add fields to a dataset through the auto-extracted menu, eval expression, lookup, regular expression and Geo IP. Which of the following is described below?can be default fields or manually extracted fields...a. lookupb. auto-extractedc. Geo IPd. regular expressione. eval expression

b. auto-extracted

Which method of adding fields to a data set is described below?leverage an existing lookup table...a. lookupb. auto-extractedc. Geo IPd. regular expressione. eval expression

a. lookup

Which method of adding fields to a data set is described below?add geographical fields such as latitude/longitude, country, etc. ...a. lookupb. auto-extractedc. Geo IPd. regular expressione. eval expression

c. Geo IP

Which method of adding fields to a data set is described below?a new field based on an expression that you define...a. lookupb. auto-extractedc. Geo IPd. regular expressione. eval expression

e. eval expression

Which method of adding fields to a data set is described below?extract a new field based on regex...a. lookupb. auto-extractedc. Geo IPd. regular expressione. eval expression

d. regular expression

This tool in the Splunk platform allows you to examine the overall stats of your search, examine how your search was processed and see where Splunk spent its time. You can use this tool to troubleshoot a search’s performance and understand impact of knowledge objects on processing.

Search Job Inspector Tool

The 3 components of the Search Job Inspector tool are (select all that apply):a. Headerb. Field Namec. Execution costsd. Search job propertiese. Tags

a. Headerc. Execution costd. Search job properties

This component of the Job Search Inspector tool in Splunk provides basic information, including time to run and # of events scanned.

Header

This component of the Job Search Inspector tool provides details on cost to retrieve results, such as:command.search.indexcommand.search.filtercommand.search.rawdata

Execution Costs

The chart and timechart commands automatically filter results to include how many of the highest values?a. fifteenb. tenc. five

b. ten

After the chart and timechart commands automatically filter results to include the ten highest values, surplus values are grouped into...a. otherb. nullc. not

a. other

A ____ allows you to overlay a computed moving average on a chart. An example of one of these are stock market visualizations.

trendline

____ reports are used for creating reports and dashboards. They are also based on datasets.

Pivot

___ ____ are hierarchically structured datasets containing searches and fields. Each event, search, or transaction is saved as a separate dataset.

data models

A data model can consist of 3 types of datasets. Select answers from below.a. eventsb. field valuesc. searchesd. field namese. lookupsf. transactions

a. eventsc. searchesf. transactions

Which type of dataset that's used in Pivot contain constraints and fields?a. eventsb. field valuesc. searchesd. field namese. lookupsf. transactions

a. events

In data models events, ____ are search terms used to further narrow your search, while fields are associated with the events.

constraints

You can add more fields when creating a data model. There are four types of fields that you can add. Read the descriptions below and match the fields below with the correct description.1. a new field based on an expression that you define2. geographical fields such as latitude/longitude, country, etc.3. default fields or manually extracted fields4. a new field based on regex5. leverage an existing lookup tablea. Auto-Extractedb. Eval Expressionc. Lookupd. Regular Expressione. Geo IP

b. Eval Expressione. Geo IPa. Auto-Extractedd. Regular Expressionc. Lookup

Which type of Pivot dataset defines a dataset based on a search that includes transforming commands?a. eventb. field valuec. searchd. field namee. lookupf. transaction

c. search

Which type of Pivot dataset defines a dataset based on a transaction?a. eventb. field valuec. searchd. field namee. lookupf. transaction

f. transaction

A ___ event dataset represents a set of data that is defined by a constraint: a simple search that filters out events that aren't relevant to the dataset.

root

____ views allows you to create table datasets without using SPL.

table

The Splunk ______ _____ _____ (CIM) provides a methodology to normalize data

Common Information Model

____ is leveraged when creating field extractions, field aliases, event types, and tags to ensure:1. Multiple apps can co-exist on a single Splunk deployment2. Object permissions can be set to global for the use of multiple apps3. Easier and more efficient correlation of data from different sources and source types

CIM (Common Information Model)

True or False. If other apps in a Splunk environment are CIM compliant, then data is normalized across apps, making it easier to search for similar data.

True

True or False. If other apps in a Splunk environment are NOT CIM compliant, then field aliases, tags, and event types can be used to normalize data

True

The Splunk CIM Add-on has a set of ___ pre-configured data models.Note: Answer is a number

26

The ____ should be leveraged so that knowledge objects in multiple apps can co-exist on a single Splunk deployment.

CIM or Common Information Model

What commands can be used to retrieve data from a specified data model dataset? Choose the answers below.a. fieldsb. transformingc. fromd. datamodel

c. fromd. datamodel

The CIM ___ and ___ commands are generating commands, meaning that they have to be the first command in the pipeline.a. fieldsb. transformingc. fromd. datamodel

c. fromd. datamodel

The Common Information Model ____ command retrieves data from a named dataset, saved search, report or lookup file.a. fromb. datamodel

a. from

The Common Information Model ____ command allows users to examine data models and search data model datasets.a. fromb. datamodel

b. datamodel

Select the available ways you can validate against a data model. Select all that apply.a. | datamodelb. Pivotc. | transactiond. Workflow actions

a. | datamodel

What are the primary knowledge objects the CIM includes or relies upon? Select all that apply.a. data modelsb. field aliases and tagsc. event typesd. field extractions

b. field aliases and tagsc. event typesd. field extractions

A data model can consist of the following three types of datasets. Select all that apply.a. eventsb. searchesc. Pivot reportsd. transactions

a. eventsb. searchesd. transactions

To add a Root Event Dataset, what field is required to be manually added?a. Dataset Nameb. Dataset IDc. Duration maxpause maxspan

c. Duration maxpause maxspan

2. Data models contain the following. Select all that apply.a. inherited and extracted fieldsb. constraintsc. event object hierarchy

b. constraintsc. event object hierarchy

The transaction command produces additional fields such as:_____ which is the difference between the timestamps for the first and last event in a transactionand_____ which is the number of events in a transactiona. timeb. durationc. evencountd. field

b. durationc. evencount

What command creates a single correlated event from a group of events based on the same field value?

transaction command

What are the Boolean operators that can be used by the eval command?

What does eval command in Splunk?

Which of the following functions must be used with the in function in Splunk?

How do you create a new field in Splunk using eval?