Free SPLK-1002 Sample Questions — Splunk Core Certified Power User

Which of the following statements describes macros?

• A. macro is a reusable search string that must contain the full search
• B. macro is a reusable search string that must have a fixed time range
• C. macro is a reusable search string that may have a flexible time range
• D. macro is a reusable search string that must contain only a portion of the search

When would a user select delimited field extractions using the Field Extractor (FX)?

• A. With structured files such as JSON or XML
• B. When the file has a header that might provide information about its structure or format
• C. When a log file has values that are separated by the same character, for example, commas
• D. When a log file contains empty lines or comments

When should you use the transaction command instead of the stats command?

• A. When you need to group on multiple values
• B. When duration is irrelevant in search results
• C. When you have over 1000 events in a transaction
• D. When you need to group based on start and end constraints

Which field extraction method should be selected for comma-separated data?

• A. table extraction
• B. eval expression
• C. Regular expression
• D. Delimiters

What are the expected results for a search that contains the command | where A=B?

• A. Events where field A contains the string value B
• B. Events that contain the string value A=B
• C. Events where values of field A are equal to values of field B
• D. Events that contain the string value where A=B

Which of the following statements describe the command below? (Choose all that apply.) sourcetype=access_combined | transaction JSESSIONID

• A. An additional field named maxspan is created
• B. An additional field named duration is created
• C. An additional field named eventcount is created
• D. Events with the same JSESSIONID will be grouped together into a single event

Which of these stats commands will show the total bytes for each unique combination of page and server?

• A. index=web | stats sum(bytes) BY values(page) values(server)
• B. index=web | stats sum(bytes) BY page AND server
• C. index=web | stats sum(bytes) BY page BY server
• D. index=web | stats sum(bytes) BY page server

Ben created a macro named airport_code_translator(2). His coworker, Alice, wants to use the macro to find the name of a nearby airport. Which of the following search strings will return the results that Alice needs?

• A. "airport_code_translator(LAX, English)"
• B. 'airport_code_translator(LAX, English)'
• C. $airport_code_translator(LAX, English)$
• D. airport_code_translator(LAX, English)

What is required for a macro to accept three arguments?

• A. The macro's name ends with (3)
• B. The macro's name starts with (3)
• C. The macro's argument count setting is 3 or more
• D. Nothing, all macros can accept any number of arguments

Which type of visualization shows relationships between discrete values in three dimensions?

• A. Pie chart
• B. Line chart
• C. Bubble chart
• D. Scatter chart

What approach is recommended when using the Splunk Common Information Model (CIM) add-on to normalize data?

• A. Run a search using the authentication command
• B. Consult the CIM event type reference tables
• C. Consult the CIM data model reference tables
• D. Run a search using the correlation command

What is the correct Boolean order of evaluation for the where command from first to last?

• A. NOT, Parentheses, OR, AND
• B. Parentheses, NOT, OR, AND
• C. Parentheses, NOT, AND, OR
• D. AND, Parentheses, NOT, OR

When using | timechart by host, which field is represented in the x-axis?

• A. date
• B. host
• C. time
• D. _time

What field delimiter should be used for the event below? 2023-10-25:11:30:00.000 Logout john.doe Chromium splunk.com

• A. tab
• B. comma
• C. space
• D. pipe

Which of the following is true about a datamodel that has been accelerated?

• A. They can no longer be used in the Pivot tool
• B. They can still be used in the Pivot tool but only with the accelerate_pivot capability
• C. They can be used with Pivot, the |tstats command, or the |datamodel command
• D. They can be used with the |tstats command, but will only return that data which has been accelerated

A user runs the following search: index=X sourcetype=Y | chart count(domain) as count, sum(price) as sum by product, action usenull useother=f Which of the following table headers match the order this command creates?

• A. The chart command does not allow for multiple statistical functions
• B. Product, count: addtocart, count: remove, count: purchase, sum: addtocart, sum: remove, sum: purchase
• C. Product, sum: addtocart, sum: remove, sum: purchase, count: addtocart, count: remove, count: purchase
• D. Count: product, sum: product, count: action, sum: action

Which of the following are required to create a POST workflow action?

• A. Label, URI, search string
• B. XML attributes, URI, name
• C. Label, URI, post arguments
• D. URI, search string, time range picker

A data model consists of which three types of datasets?

• A. Constraint, field, value
• B. Events, searches, transactions
• C. Field extraction, regex, delimited
• D. Transaction, session ID, metadata

Consider the following search run over a time range of last 7 days: index=web sourcetype=access_combined | timechart avg(bytes) by product_name Which option is used to change the default time span so that results are grouped into 12 hour intervals?

• A. timespan=12
• B. span=12h
• C. timespan=12h
• D. span=12

Which tool uses data models to generate reports and dashboard panels without using SPL?

• A. Visualization tab
• B. Pivot
• C. Splunk CIM
• D. Datasets