Splunk SPLK-1001 Exam Practice Test Instant Access

Question 1

By default, which of the following fields would be listed in the fields sidebar under interesting Fields?

Ahost

Bindex

Csource

Dsourcetype

Answer : D

The fields sidebar in Splunk shows the default fields and the interesting fields for the events that match your search. The default fields are host, source, and sourcetype, which are extracted for every event at index time. The interesting fields are fields that appear in at least 20% of the events in your search results.You can also select additional fields to display in the fields sidebar1.

By default, the index field is not listed in the fields sidebar, because it is not a default field nor an interesting field. The index field is a metadata field that indicates which index the event belongs to. Metadata fields are not extracted from the event data, but are added by the indexer as part of the indexing process.Metadata fields are not shown in the fields sidebar, but you can use them in your search queries2.

Therefore, among the four options, only sourcetype would be listed in the fields sidebar under interesting fields by default.

Reference

Use fields to search

About default fields

Question 2

All components are installed and administered in Splunk Enterprise on-premise.

ATrue

BFalse

Answer : A

Question 3

Universal forwarder is recommended for forwarding the logs to indexers.

AFalse

BTrue

Answer : B

Question 4

The default host name used in Inputs general settings can not be changed.

AFalse

BTrue

Answer : A

Question 5

What is the correct syntax to count the number of events containing a vendor_action field?

Acount stats vendor_action

Bcount stats (vendor_action)

Cstats count (vendor_action)

Dstats vendor_action (count)

Answer : C

The stats command calculates statistics based on fields in the events. The count function counts the number of events that match the criteria. The syntax is stats count (field_name), where field_name is the name of the field that contains the value to be counted. In this case, vendor_action is the field name, so stats count (vendor_action) is the correct syntax. Reference:Splunk Core User Certification Exam Study Guide, page 23.

Question 6

What determines the scope of data that appears in a scheduled report?

AAll data accessible to the User role will appear in the report.

BAll data accessible to the owner of the report will appear in the report.

CAll data accessible to all users will appear in the report until the next time the report is run.

DThe owner of the report can configure permissions so that the report uses either the User role or the owner's profile at run time.

Answer : D

Question 7

When a Splunk search generates calculated data that appears in the Statistics tab. in what formats can the results be exported?

ACSV, JSON, PDF

BCSV, XML JSON

CRaw Events, XML, JSON

DRaw Events, CSV, XML, JSON

Answer : D

Splunk Core Certified User SPLK-1001 Exam Practice Test