Splunk

SPLK-1001

Splunk Core Certified

User
Version: 12.0

[ Total Questions: 229]

Web: [Link]

Email: support@[Link]
IMPORTANT NOTICE
Feedback
We have developed quality product and state-of-art service to ensure our customers interest. If you have any
suggestions, please feel free to contact us at feedback@[Link]

Support
If you have any questions about our product, please provide the following items:

exam code
screenshot of the question
login id/email

please contact us at support@[Link] and our technical experts will provide support within 24 hours.

Copyright
The product of each order has its own encryption code, so you should use it independently. Any unauthorized
changes will inflict legal punishment. We reserve the right of final explanation for this statement.
Practice Exam Splunk - SPLK-1001

Question #:1

Fields are searchable key value pairs in your event data.

A. True

B. False

Answer: A

Question #:2

Splunk extracts fields from event data at index time and at search time.

A. True

B. False

Answer: A
Question #:3

When running searches command modifiers in the search string are displayed in what color?

A. Red

B. Blue

C. Orange

D. Highlighted

Answer: B

Question #:4

How do you add or remove fields from search results?

A. Use field +to add and field -to remove.

B. Use table +to add and table -to remove.

C. Use fields +to add and fields –to remove.

D. Use fields Plus to add and fields Minus to remove.

Answer: C

Leaders in it certification 1 of 68
Practice Exam Splunk - SPLK-1001

Question #:5

You are able to create new Index in Data Input settings.

A. No

B. Yes

Answer: B

Question #:6

Documentations for Splunk can be found at [Link]

A. True

B. False

Answer: A

Question #:7

When editing a dashboard, which of the following are possible options? (select all that apply)

A. Add an output.

B. Export a dashboard panel.

C. Modify the chart type displayed in a dashboard panel.

D. Drag a dashboard panel to a different location on the dashboard.

Answer: D

Question #:8

When a search returns __________, you can view the results as a list.

A. a list of events

B. transactions

C. statistical values

Answer: C

Leaders in it certification 2 of 68
Practice Exam Splunk - SPLK-1001

Question #:9

What is the correct way to use a time range specifier in the search bar so that the search looks back 2 hours?

A. latest=-2h

B. earliest=-2h

C. latest=-2hour@d

D. earliest=-2hour@d

Answer: B
Question #:10

A field exists in search results, but isn’t being displayed in the fields sidebar. How can it be added to the fields
sidebar?

A. Click All Fields and select the field to add it to Selected Fields.

B. Click Interesting Fields and select the field to add it to Selected Fields.

C. Click Selected Fields and select the field to add it to Interesting Fields.

D. This scenario isn’t possible because all fields returned from a search always appear in the fields sidebar.

Answer: A

Question #:11

Interesting fields are the fields that have at least 20% of resulting fields.

A. True

B. False

Answer: A

Question #:12

Which of the following are common constraints of the top command?

A. limit, count

B. limit, showpercent

C. limits, countfield

Leaders in it certification 3 of 68
Practice Exam Splunk - SPLK-1001

D. showperc, countfield

Answer: B

Question #:13

What is the correct syntax to count the number of events containing a vendor_action field?

A. count stats vendor_action

B. count stats (vendor_action)

C. stats count (vendor_action)

D. stats vendor_action (count)

Answer: C

Question #:14

Which of the following searches would return only events that match the following criteria?

• Events are inside the main index

• The field status exists in the event

• The value in the status field does not equal 200

A. index==main status!==200

B. index=main NOT status=200

C. index==main NOT status==200

D. index-main status!=200

Answer: C

Explanation
The Kusto Query Language (KQL) is the language you use to query data in Azure Data Explorer [1]. It's a
powerful language that allows you to perform advanced queries and extract meaningful insights from your
data.

To query for events that match the criteria you specified, you would use the following KQL query:

index==main NOT status==200

Leaders in it certification 4 of 68
Practice Exam Splunk - SPLK-1001

This query will return all events that are inside the main index and have a status field, but the value of the
status field does not equal 200. It is important to note that the "NOT" operator must be used in order to
exclude events with a status value of 200.

By using the "NOT" operator, the query will return only events that do not match the specified criteria. This is
useful for narrowing down search results to only those events that are relevant to the query.

Question #:15

How many main user roles do you have in Splunk?

A. 2

B. 4

C. 1

D. 3

Answer: D

Question #:16

Universal forwarder is recommended for forwarding the logs to indexers.

A. False

B. True

Answer: B

Question #:17

What is the purpose of using a by clause with the stats command?

A. To group the results by one or more fields.

B. To compute numerical statistics on each field.

C. To specify how the values in a list are delimited.

D. To partition the input data based on the split-by fields.

Answer: A

Leaders in it certification 5 of 68
Practice Exam Splunk - SPLK-1001

Question #:18

Which is a primary function of the timeline located under the search bar?

A. To differentiate between structured and unstructured events in the data

B. To sort the events returned by the search command in chronological order

C. To zoom in and zoom out. although this does not change the scale of the chart

D. To show peaks and/or valleys in the timeline, which can indicate spikes in activity or downtime

Answer: D

Question #:19

Following are the time selection option while making search:

(Choose all that apply.)

A. Date & Time Range

B. Advanced

C. Date Range

D. Presets

E. Relative

Answer: B

Question #:20

Data summary button just below the search bar gives you the following (Choose three.):

A. Hosts

B. Sourcetypes

C. Sources

D. Indexes

Answer: A B D

Question #:21

Leaders in it certification 6 of 68
Practice Exam Splunk - SPLK-1001

Forward Option gather and forward data to indexers over a receiving port from remote machines.

A. False

B. True

Answer: B

Question #:22

Which Boolean operator is always implied between two search terms, unless otherwise specified?

A. OR

B. NOT

C. AND

D. XOR

Answer: C

Question #:23

Which of the following is the most efficient search?

A. index=* “failed password”

B. “failed password” index=*

C. (index=* OR index=security) “failed password”

D. index=security “failed password”

Answer: A

Question #:24

This function of the stats command allows you to return the middle-most value of field X.

A. Median(X)

B. Eval by X

C. Fields(X)

Leaders in it certification 7 of 68
Practice Exam Splunk - SPLK-1001

D. Values(X)

Answer: A

Question #:25

Splunk index time process can be broken down into __________ phases.

A. 3

B. 2

C. 4

D. 1

Answer: A

Question #:26

What is Search Assistant in Splunk?

A. It is only available to Admins.

B. Such feature does not exist in Splunk.

C. Shows options to complete the search string

Answer: C

Question #:27

Zoom Out and Zoom to Selection re-executes the search.

A. No

B. Yes

Answer: B

Question #:28

Splunk internal fields contains general information about events and starts from underscore i.e. _ .

A.

Leaders in it certification 8 of 68
Practice Exam Splunk - SPLK-1001

A. True

B. False

Answer: A

Question #:29

Which of the following is a metadata field assigned to every event in Splunk?

A. host

B. owner

C. bytes

D. action

Answer: A
Question #:30

Portal for Splunk apps can be accessed through [Link]

A. False

B. True

Answer: B

Question #:31

Put query into separate lines where | (Pipes) are used by selecting following options.

A. CTRL + Enter

B. Shift + Enter

C. Space + Enter

D. ALT + Enter

Answer: B

Question #:32

Which command will rename action to Customer Action?

Leaders in it certification 9 of 68
Practice Exam Splunk - SPLK-1001

A. | rename action = CustomerAction

B. | rename Action as “Customer Action”

C. | rename Action to “Customer Action”

D. | rename action as “Customer Action”

Answer: D
Question #:33

What kind of logs can Splunk Index?

A. Only A, B

B. Router and Switch Logs

C. Firewall and Web Server Logs

D. Only C

E. Database logs

F. All firewall, web server, database, router and switch logs

Answer: F

Question #:34

This is what Splunk uses to categorize the data that is being indexed.

A. sourcetype

B. index

C. source

D. host

Answer: A

Question #:35

Which of the following searches will show the number of categoryld used by each host?

A. Sourcetype=access_* |sum bytes by host

B.

Leaders in it certification 10 of 68
Practice Exam Splunk - SPLK-1001

B. Sourcetype=access_* |stats sum(categorylD) by host

C. Sourcetype=access_* |sum(bytes) by host

D. Sourcetype=access_* |stats sum by host

Answer: B

Question #:36

Can you stop or pause the searching?

A. No

B. Yes

Answer: B

Question #:37

In automatic lookup definitions, the _____ fields are those that are not in the event data.

A. input

B. output

Answer: B

Question #:38

Which component of Splunk let us write SPL query to find the required data?

A. Forwarders

B. Indexer

C. Heavy Forwarders

D. Search head

Answer: D

Question #:39

What is a quick, comprehensive way to learn what data is present in a Splunk deployment?

A.

Leaders in it certification 11 of 68
Practice Exam Splunk - SPLK-1001

A. Review Splunk reports

B. Run ./splunk show

C. Click Data Summary in Splunk Web

D. Search index=* sourcetype=* host=*

Answer: C
Question #:40

Which of the statements are correct? (Choose three.)

A. Zoom to selection: Narrows the time range and re-executes the search.

B. Zoom to selection: Narrows the time range and doesn't re-executes the search.

C. Format Timeline: Hides or shows the timeline in different views.

D. Zoom-Out: Expands the time focus and doesn't re-executes the search.

E. Zoom-out: Expands the time focus and re-executes the search.

Answer: A C E

Question #:41

The default host name used in Inputs general settings can not be changed.

A. False

B. True

Answer: A

Question #:42

Which of the following can be used as wildcard search in Splunk?

A. =

B. >

C. !

D. *

Leaders in it certification 12 of 68
Practice Exam Splunk - SPLK-1001

Answer: D

Question #:43

The command shown here does witch of the following: Command: |outputlookup [Link]

A. Writes search results to a file named [Link]

B. Returns the contents of a file named [Link]

Answer: A

Question #:44

Selected fields are a set of configurable fields displayed for each event.

A. True

B. False

Answer: A

Question #:45

According to Splunk best practices, which placement of the wildcard results in the most efficient search?

A. f*il

B. *fail

C. fail*

D. *fail*

Answer: C

Question #:46

What does the stats command do?

A. Automatically correlates related fields

B. Converts field values into numerical values

C. Calculates statistics on data that matches the search criteria

D.

Leaders in it certification 13 of 68
Practice Exam Splunk - SPLK-1001

D. Analyzes numerical fields for their ability to predict another discrete field

Answer: C

Question #:47

What can be configured using the Edit Job Settings menu?

A. Export the results to CSV format

B. Add the Job results to a dashboard

C. Schedule the Job to re-run in 10 minutes

D. Change Job Lifetime from 10 minutes to 7 days.

Answer: D

Question #:48

Which stats command function provides a count of how many unique values exist for a given field in the result
set?

A. dc(field)

B. count(field)

C. count-by(field)

D. distinct-count(field)

Answer: A

Question #:49

Data sources being opened and read applies to:

A. None of the above

B. Indexing Phase

C. Parsing Phase

D. Input Phase

E. License Metering

Leaders in it certification 14 of 68
Practice Exam Splunk - SPLK-1001

Answer: D

Question #:50

When looking at a statistics table, what is one way to drill down to see the underlying events?

A. Creating a pivot table.

B. Clicking on the visualizations tab.

C. Viewing your report in a dashboard.

D. Clicking on any field value in the table.

Answer: B

Question #:51

Three basic components of Splunk are (Choose three.):

A. Forwarders

B. Deployment Server

C. Indexer

D. Knowledge Objects

E. Index

F. Search Head

Answer: A C F

Question #:52

Which of the following searches would return events with failure in index netfw or warn or critical in index
netops?

A. (index=netfw failure) AND index=netops warn OR critical

B. (index=netfw failure) OR (index=netops (warn OR critical))

C. (index=netfw failure) AND (index=netops (warn OR critical))

D. (index=netfw failure) OR index=netops OR (warn OR critical)

Leaders in it certification 15 of 68
Practice Exam Splunk - SPLK-1001

Answer: B

Question #:53

Creating Data Models:

Fields associated with a data set are known as ______.

A. Attributes

B. Constraints

Answer: A

Question #:54

Which of the statements is correct regarding click and drag option in timeline?

A. The new result after selecting the range by dragging filters the events and displays the most recent first.

B. There is no functionality like click and drag in Splunk's timeline.

C. Using this option executes a new query.

D. This doesn't execute a new query

Answer: A

Question #:55

When saving a search directly to a dashboard panel instead of saving as a report first, which of the following is

created?

A. Cloned panel

B. Inline panel

C. Report panel

D. Prebuilt panel

Answer: C

Question #:56

Leaders in it certification 16 of 68
Practice Exam Splunk - SPLK-1001

What is a suggested Splunk best practice for naming reports?

A. Reports are best named using many numbers so they can be more easily sorted.

B. Use a consistent naming convention so they are easily separated by characteristics such as group and
object.

C. Name reports as uniquely as possible with no overlap to differentiate them from one another.

D. Any naming convention is fine as long as you keep an external spreadsheet to keep track.

Answer: B

Question #:57

When is an alert triggered?

A. When Splunk encounters a syntax error in a search

B. When a trigger action meets the predefined conditions

C. When an event in a search matches up with a data model

D. When results of a search meet a specifically defined condition

Answer: D

Explanation
Explanation/Reference:

Question #:58

Field names are case sensitive and field value are not.

A. True

B. False

Answer: A

Question #:59

What user interface component allows for time selection?

A. Time summary

B. Time range picker

Leaders in it certification 17 of 68
Practice Exam Splunk - SPLK-1001

C. Search time picker

D. Data source time statistics

Answer: B

Question #:60

You can view the search result in following format (Choose three.):

A. Table

B. Raw

C. Pie Chart

D. List

Answer: A B D

Question #:61

When viewing the results of a search, what is an Interesting Field?

A. A field that appears in any event

B. A field that appears in every event

C. A field that appears in the top 10 events

D. A field that appears in at least 20% of the events

Answer: D

Question #:62

Which Field/Value pair will return only events found in the index named security?

A. Index=Security

B. index=Security

C. Index=security

D. index!=Security

Answer: B

Leaders in it certification 18 of 68
Practice Exam Splunk - SPLK-1001

Question #:63

Which search string only returns events from hostWWW3?

A. B. host=WWW3

B. C. host=WWW*

C. D. Host=WWW3

Answer: B

Question #:64

Will the queries following below get the same result?

1. index=log sourcetype=error_log status !=100

2. index=log sourcetype=error_log NOT status =100

A. Yes

B. No

Answer: B

Question #:65

This is what Splunk uses to categorize the data that is being indexed.

A. Host

B. Sourcetype

C. Index

D. Source

Answer: B

Question #:66

The new data uploaded in Splunk are shown in ________________.

A. Real-time

B. 10 Minutes

C.

Leaders in it certification 19 of 68
Practice Exam Splunk - SPLK-1001

C. Overnight Download

D. 30 Minutes

Answer: A

Question #:67

What is the correct order of steps for creating a new lookup?

1. Configure the lookup to run automatically

2. Create the lookup table

3. Define the lookup

A. 2, 1, 3

B. 1, 2, 3

C. 2, 3, 1

D. 3, 2, 1

Answer: C

Question #:68

When looking at a dashboard panel that is based on a report, which of the following is true?

A. You can modify the search string in the panel, and you can change and configure the visualization.

B. You can modify the search string in the panel, but you cannot change and configure the visualization.

C. You cannot modify the search string in the panel, but you can change and configure the visualization.

D. You cannot modify the search string in the panel, and you cannot change and configure the
visualization.

Answer: C

Question #:69

Which search will return the 15 least common field values for the dest_ip field?

A. sourcetype=firewall | rare num=15 dest_ip

B.

Leaders in it certification 20 of 68
Practice Exam Splunk - SPLK-1001

B. sourcetype=firewall | rare last=15 dest_ip

C. sourcetype=firewall | rare count=15 dest_ip

D. sourcetype=firewall | rare limit=15 dest_ip

Answer: C
Question #:70

Which of the following statements are correct about Search & Reporting App? (Choose three.)

A. Can be accessed by Apps > Search & Reporting.

B. Provides default interface for searching and analyzing logs.

C. Enables the user to create knowledge object, reports, alerts and dashboards.

D. It only gives us search functionality.

Answer: A B C

Question #:71

In monitor option you can select the following options in GUI.

A. Only HTTP Event Collector (HEC) and TCP/UDP

B. None of the above

C. Only TCP/UDP

D. Only Scripts

E. Filed & Directories, HTTP Event Collector (HEC), TCP/UDP and Scripts

Answer: E

Question #:72

What type of search can be saved as a report?

A. Any search can be saved as a report

B. Only searches that generate visualizations

C. Only searches containing a transforming command

D.

Leaders in it certification 21 of 68
Practice Exam Splunk - SPLK-1001

D. Only searches that generate statistics or visualizations

Answer: D

Question #:73

In a deployment with multiple indexes, what will happen when a search is run and an index is not specified in
the search string?

A. No events will be returned.

B. Splunk will prompt you to specify an index.

C. All non-indexed events to which the user has access will be returned.

D. Events from every index searched by default to which the user has access will be returned.

Answer: D

Question #:74

What is the primary use for the rare command1?

A. To sort field values in descending order

B. To return only fields containing five or fewer values

C. To find the least common values of a field in a dataset

D. To find the fields with the fewest number of values across a dataset

Answer: C

Question #:75

This search will return 20 results. SEARCH: error | top host limit = 20

A. True

B. False

Answer: A

Question #:76

Splunk automatically determines the source type for major data types.

A.

Leaders in it certification 22 of 68
Practice Exam Splunk - SPLK-1001

A. False

B. True

Answer: B

Question #:77

Keywords are highlighted when you mouse over search results and you can click this search result to (Choose
three.):

A. Open new search.

B. Exclude the item from search.

C. None of the above.

D. Add the item to search

Answer: A B D

Question #:78

By default, how long does Splunk retain a search job?

A. 10 Minutes

B. 15 Minutes

C. 1 Day

D. 7 Days

Answer: A

Question #:79

You can on-board data to Splunk using following means (Choose four.):

A. Props

B. CLI

C. Splunk Web

D. [Link]

Leaders in it certification 23 of 68
Practice Exam Splunk - SPLK-1001

E. Splunk apps and add-ons

F. [Link]

G. [Link]

H. [Link]

Answer: B C E G

Question #:80

Parsing of data can happen both in HF and Indexer.

A. Only HF

B. No

C. Yes

Answer: C

Question #:81

When is the pipe character, I, used in search strings?

A. Before clauses. For example: stats sum(bytes) | by host

B. Before commands. For example: | stats sum(bytes) by host

C. Before arguments. For example: stats sum| (bytes) by host

D. Before functions. For example: stats |sum(bytes) by host

Answer: B

Explanation
Explanation/Reference:

Question #:82

What is the main requirement for creating visualizations using the Splunk UI?

A. Your search must transform event data into Excel file format first.

B.

Leaders in it certification 24 of 68
Practice Exam Splunk - SPLK-1001

B. Your search must transform event data into XML formatted data first.

C. Your search must transform event data into statistical data tables first.

D. Your search must transform event data into JSON formatted data first.

Answer: C

Question #:83

Which of the following represents the Splunk recommended naming convention for dashboards?

A. Description_Group_Object

B. Group_Description_Object

C. Group_Object_Description

D. Object_Group_Description

Answer: C

Question #:84

Lookups allow you to overwrite your raw event.

A. True

B. False

Answer: A

Question #:85

Beginning parentheses is automatically highlighted to guide you on the presence of complimenting

parentheses.

A. No

B. Yes

Answer: B

Question #:86

Leaders in it certification 25 of 68
Practice Exam Splunk - SPLK-1001

In the fields sidebar, what indicates that a field is numeric?

A. A number to the right of the field name.

B. A # symbol to the left of the field name.

C. A lowercase n to the left of the field name.

D. A lowercase n to the right of the field name.

Answer: B

Question #:87

Matching of parentheses is a feature of Splunk Assistant.

A. No

B. Yes

Answer: B

Question #:88

Field names are case sensitive.

A. True

B. False

Answer: A

Question #:89

What is Splunk?

A. Splunk is a software platform to search, analyze and visualize the machine-generated data.

B. Database management tool.

C. Security Information and Event Management (SIEM).

D. Cloud based application that help in analyzing logs.

Answer: A

Leaders in it certification 26 of 68
Practice Exam Splunk - SPLK-1001

Question #:90

The better way of writing search query for index is:

A. index=a index=b

B. (index=a OR index=b)

C. index=(a & b)

D. index = a, b

Answer: B

Question #:91

Machine data can be in structured and unstructured format.

A. False

B. True

Answer: B

Question #:92

Which is not a comparison operator in Splunk

A. <=

B. =

C. !=

D. >

E. ?=

Answer: E
Question #:93

This function of the stats command allows you to return the sample standard deviation of a field.

A. stdev

B.

Leaders in it certification 27 of 68
Practice Exam Splunk - SPLK-1001

B. dev

C. count deviation

D. by standarddev

Answer: A

Question #:94

At the time of searching the start time is [Link].

Will it look back to [Link] if we use -30m@h in searching?

A. Yes

B. No

Answer: A

Question #:95

Which of the following statements about case sensitivity is true?

A. Both field names and field values ARE case sensitive.

B. Field names ARE case sensitive; field values are NOT.

C. Field values ARE case sensitive; field names ARE NOT.

D. Both field names and field values ARE NOT case sensitive.

Answer: B

Question #:96

When displaying results of a search, which of the following is true about line charts?

A. Line charts are optimal for single and multiple series.

B. Line charts are optimal for single series when using Fast mode.

C. Line charts are optimal for multiple series with 3 or more columns.

D. Line charts are optimal for multiseries searches with at least 2 or more columns.

Answer: C

Leaders in it certification 28 of 68
Practice Exam Splunk - SPLK-1001

Question #:97

How can search results be kept longer than 7 days?

A. By scheduling a report.

B. By creating a link to the job.

C. By changing the job settings.

D. By changing the time range picker to more than 7 days.

Answer: A

Question #:98

You can also specify a time range in the search bar. You can use the following for beginning and ending for a

time range (Choose two.):

A. Not possible to specify time manually in Search query

B. end=

C. start=

D. earliest=

E. latest=

Answer: D E

Question #:99

Splunk indexes the data on the basis of timestamps.

A. True

B. False

Answer: A

Question #:100

Creating Data Models:

Leaders in it certification 29 of 68
Practice Exam Splunk - SPLK-1001

Object ATTRIBUTES do not define ___________.

A. a base search for the object

B. fields for the object

Answer: A

Question #:101

What are the steps to schedule a report?

A. After saving the report, click Schedule.

B. After saving the report, click Event Type.

C. After saving the report, click Scheduling.

D. After saving the report, click Dashboard Panel.

Answer: A

Question #:102

In the Fields sidebar, what does the number directly to the right of the field name indicate?

A. The value of the field

B. The number of values for the field

C. The number of unique values for the field

D. The numeric non-unique values of the field

Answer: C
Question #:103

Select the statements that are true for timeline in Splunk (Choose four.):

A. Timeline shows distribution of events specified in the time range in the form of bars.

B. Single click to see the result for particular time period.

C. You can click and drag across the bar for selecting the range.

D. This is default view and you can't make any changes to it.

E. You can hover your mouse for details like total events, time and date.

Leaders in it certification 30 of 68
Practice Exam Splunk - SPLK-1001

Answer: A B C E

Question #:104

What does the values function of the stats command do?

A. Lists all values of a given field.

B. Lists unique values of a given field.

C. Returns a count of unique values for a given field.

D. Returns the number of events that match the search.

Answer: B

Question #:105

What is the primary use for the rare command?

A. To sort field values in descending order.

B. To return only fields containing five of fewer values.

C. To find the least common values of a field in a dataset.

D. To find the fields with the fewest number of values across a dataset.

Answer: C

Question #:106

Which of the following is a best practice when writing a search string?

A. Include all formatting commands before any search terms

B. Include at least one function as this is a search requirement

C. Include the search terms at the beginning of the search string

D. Avoid using formatting clauses as they add too much overhead

Answer: A

Leaders in it certification 31 of 68
Practice Exam Splunk - SPLK-1001

Question #:107

Given the following SPL search, how many rows of results would you expect to be returned by default?
index=security sourcetype=linux_secure (fail* OR invalid) I top src__ip

A. 10

B. 50

C. 100

D. 20

Answer: A

Explanation
The SPL search specified above will return 10 rows of results by default, as the "top" command specifies a
limit of 10 results. The query will search for all events in the security index with a sourcetype of linuxsecure
that contain either the terms fail* or invalid and will display the top 10 results according to the src_ip field.

Question #:108

This clause is used to group the output of a stats command by a specific name.

A. Rex

B. As

C. List

D. By

Answer: D

Question #:109

Select the best options for "search best practices" in Splunk:

(Choose five.)

A. Select the time range always.

B. Try to specify index values.

C. Include as many search terms as possible.

D. Never select time range.

E.

Leaders in it certification 32 of 68
Practice Exam Splunk - SPLK-1001

E. Try to use * with every search term.

F. Inclusion is generally better than exclusion.

G. Try to keep specific search terms.

Answer: A B C F G

Question #:110

What is one benefit of creating dashboard panels from reports?

A. Any newly created dashboard will include that report.

B. There are no benefits to creating dashboard panels from reports.

C. It makes the dashboard more efficient because it only has to run one search string.

D. Any change to the underlying report will affect every dashboard that utilizes that report.

Answer: C

Question #:111

Which of the following statements describes a search job?

A. Once a search job begins, it cannot be stopped

B. A search job can only be paused when less than 50% of events are returned

C. A search job can only be stopped when less than 50% of events are returned

D. Once a search job begins, it can be stopped or paused at any point in time

Answer: D
Question #:112

Which of the following file types is an option for exporting Splunk search results?

A. PDF

B. JSON

C. XLS

D. RTF

Answer: B

Leaders in it certification 33 of 68
Practice Exam Splunk - SPLK-1001

Question #:113

Which of the following Splunk components typically resides on the machines where data originates?

A. Indexer

B. Forwarder

C. Search head

D. Deployment server

Answer: B

Question #:114

These users can create global knowledge objects. (Select all that apply.)

A. users

B. power users

C. administrators

Answer: B C

Question #:115

Assuming a user has the capability to edit reports, which of the following are editable?

A. Acceleration, schedule, permissions

B. The report’s name, schedule, permissions

C. The report’s name, acceleration, schedule

D. The report’s name, acceleration, permissions

Answer: B
Question #:116

The stats command will create a _____________ by default.

A. Table

B. Report

C.

Leaders in it certification 34 of 68
Practice Exam Splunk - SPLK-1001

C. Pie chart

Answer: A

Question #:117

Use this command to use lookup fields in a search and see the lookup fields in the field sidebar.

A. inputlookup

B. lookup

Answer: B

Question #:118

Splunk Parses data into individual events, extracts time, and assigns metadata.

A. False

B. True

Answer: B

Question #:119

How does Splunk determine which fields to extract from data?

A. Splunk only extracts the most interesting data from the last 24 hours.

B. Splunk only extracts fields users have manually specified in their data.

C. Splunk automatically extracts any fields that generate interesting visualizations.

D. Splunk automatically discovers many fields based on sourcetype and key/value pairs found in the data.

Answer: D

Question #:120

What are the two most efficient search filters?

A. _time and host

B. _time and index

C.

Leaders in it certification 35 of 68
Practice Exam Splunk - SPLK-1001

C. host and sourcetype

D. index and sourcetype

Answer: B

Question #:121

Which of the following is an option after clicking an item in search results?

A. Saving the item to a report

B. Adding the item to the search.

C. Adding the item to a dashboard

D. Saving the search to a JSON file.

Answer: A

Question #:122

By default, which of the following fields would be listed in the fields sidebar under interesting Fields?

A. host

B. index

C. source

D. sourcetype

Answer: A

Explanation
The "interesting Fields" section of the fields sidebar in the Search & Reporting app will list the fields host,
source, and sourcetype by default. The index field is not listed by default, but can be added to the list manually
if desired.

Question #:123

What will always appear in the Selected Fields list?

A. index

B. action

C.

Leaders in it certification 36 of 68
Practice Exam Splunk - SPLK-1001

C. clientip

D. sourcetype

Answer: D

Question #:124

What does the following specified time range do?

earliest=-72h@h latest=@d

A. Look back 3 days ago and prior

B. Look back 72 hours up to one day ago

C. Look back 72 hours, up to the end of today

D. Look back from 3 days ago up to the beginning of today

Answer: D

Question #:125

Splunk apps are used for following (Choose three.):

A. Designed to cater numerous use cases and empower Splunk.

B. We can not install Splunk App.

C. Allows multiple workspaces for different use cases/user roles.

D. It is collection of different Splunk config files like data inputs, UI and Knowledge Object.

Answer: A C D

Question #:126

Which is the default app for Splunk Enterprise?

A. Splunk Enterprise Security Suite

B. Searching and Reporting

C. Reporting and Searching

D. Splunk apps for Security

Leaders in it certification 37 of 68
Practice Exam Splunk - SPLK-1001

Answer: B

Question #:127

Which of the following is the recommended way to create multiple dashboards displaying data from the same
search?

A. Save the search as a report and use it in multiple dashboards as needed

B. Save the search as a dashboard panel for each dashboard that needs the data

C. Save the search as a scheduled alert and use it in multiple dashboards as needed

D. Export the results of the search to an XML file and use the file as the basis of the dashboards

Answer: A

Question #:128

What syntax is used to link key/value pairs in search strings?

A. Parentheses

B. @ or # symbols

C. Quotation marks

D. Relational operators such as =, <, or >

Answer: D

Question #:129

We should use heavy forwarder for sending event-based data to Indexers.

A. False

B. True

Answer: B

Question #:130

Which of the following are functions of the stats command?

Leaders in it certification 38 of 68
Practice Exam Splunk - SPLK-1001

A. count, sum, add

B. count, sum, less

C. sum, avg, values

D. sum, values, table

Answer: C

Question #:131

Where does Licensing meter happen?

A. Indexer

B. Parsing

C. Heavy Forwarder

D. Input

Answer: A

Question #:132

_______________ transforms raw data into events and distributes the results into an index.

A. Index

B. Search Head

C. Indexer

D. Forwarder

Answer: C

Question #:133

Query - status != 100:

A. Will return event where status field exist but value of that field is not 100.

B. Will return event where status field exist but value of that field is not 100 and all events where status
field

Leaders in it certification 39 of 68
Practice Exam Splunk - SPLK-1001
B.

doesn't exist.

C. Will get different results depending on data

Answer: A

Question #:134

When placed early in a search, which command is most effective at reducing search execution time?

A. dedup

B. rename

C. sort -

D. fields +

Answer: A

Question #:135

What must be done in order to use a lookup table in Splunk?

A. The lookup must be configured to run automatically.

B. The contents of the lookup file must be copied and pasted into the search bar.

C. The lookup file must be uploaded to Splunk and a lookup definition must be created.

D. The lookup file must be uploaded to the etc/apps/lookups folder for automatic ingestion.

Answer: C

Question #:136

Which statement is true about Splunk alerts?

A. Alerts are based on searches that are either run on a scheduled interval or in real-time.

B. Alerts are based on searches and when triggered will only send an email notification.

C. Alerts are based on searches and require cron to run on scheduled interval.

D. Alerts are based on searches that are run exclusively as real-time.

Answer: A

Leaders in it certification 40 of 68
Practice Exam Splunk - SPLK-1001

Question #:137

Which search string returns a filed containing the number of matching events and names that field Event
Count?

A. index=security failure | stats sum as “Event Count”

B. index=security failure | stats count as “Event Count”

C. index=security failure | stats count by “Event Count”

D. index=security failure | stats dc(count) as “Event Count”

Answer: B

Question #:138

How are events displayed after a search is executed?

A. In chronological order.

B. Randomly by default.

C. In reverse chronological order.

D. Alphabetically according to field name.

Answer: C

Question #:139

Splunk shows data in __________________.

A. ASCII Character order.

B. Reverse chronological order.

C. Alphanumeric order.

D. Chronological order.

Answer: B

Leaders in it certification 41 of 68
Practice Exam Splunk - SPLK-1001

Question #:140

When writing searches in Splunk, which of the following is true about Booleans?

A. They must be lowercase.

B. They must be uppercase.

C. They must be in quotations.

D. They must be in parentheses.

Answer: B

Question #:141

Which time range picker configuration would return real-time events for the past 30 seconds?

A. Preset - Relative: 30-seconds ago

B. Relative - Earliest: 30-seconds ago, Latest: Now

C. Real-time - Earliest: 30-seconds ago, Latest: Now

D. Advanced - Earliest: 30-seconds ago, Latest: Now

Answer: C

Question #:142

When a Splunk search generates calculated data that appears in the Statistics tab. in what formats can the
results be exported?

A. CSV, JSON, PDF

B. CSV, XML JSON

C. Raw Events, XML, JSON

D. Raw Events, CSV, XML, JSON

Answer: D

Question #:143

Which symbol is used to snap the time?

A.

Leaders in it certification 42 of 68
Practice Exam Splunk - SPLK-1001

A. @

B. &

C. *

D. #

Answer: A

Question #:144

Which statement describes field discovery at search time?

A. Splunk automatically discovers only numeric fields

B. Splunk automatically discovers only alphanumeric fields

C. Splunk automatically discovers only manually configured fields

D. Splunk automatically discovers only fields directly related to the search results

Answer: D

Explanation
Explanation/Reference:

Question #:145

Which component of Splunk is primarily responsible for saving data?

A. Search Head

B. Heavy Forwarder

C. Indexer

D. Universal Forwarder

Answer: C

Question #:146

When an alert action is configured to run a script, Splunk must be able to locate the script. Which is one of the
directories Splunk will look in to find the script?

A.

Leaders in it certification 43 of 68
Practice Exam Splunk - SPLK-1001

A. $SPLUNK_HOME/bin/scripts

B. $SPLUNK_HOME/etc/scripts

C. $SPLUNK_HOME/bin/etc/scripts

D. $SPLUNK_HOME/etc/scripts/bin

Answer: A

Question #:147

Which search will return only events containing the word “error” and display the results as a table that
includes

the fields named action, src, and dest?

A. error | table action, src, dest

B. error | tabular action, src, dest

C. error | stats table action, src, dest

D. error | table column=action column=src column=dest

Answer: C
Question #:148

Which of the following are Splunk premium enhanced solutions? (Choose three.)

A. Splunk User Behavior Analytics (UBA)

B. Splunk IT Service Intelligence (ITSI)

C. Splunk Enterprise Security (ES)

D. Splunk Analytics Security (AS)

Answer: A B C

Question #:149

Parsing of data can happen both in HF and UF.

A. Yes

B. No

Leaders in it certification 44 of 68
Practice Exam Splunk - SPLK-1001

Answer: B

Question #:150

When viewing results of a search job from the Activity menu, which of the following is displayed?

A. New events based on the current time range picker

B. The same events based on the current time range picker

C. The same events from when the original search was executed

D. New events in addition to the same events from the original search

Answer: C

Question #:151

It is not possible for a single instance of Splunk to manage the input, parsing and indexing of machine.

A. True

B. False

Answer: B

Question #:152

Select the answer that displays the accurate placing of the pipe in the following search string:

index=security sourcetype=access_* status=200 stats count by price

A. index=security sourcetype=access_* status=200 stats | count by price

B. index=security sourcetype=access_* status=200 | stats count by price

C. index=security sourcetype=access_* status=200 | stats count | by price

D. index=security sourcetype=access_* | status=200 | stats count by price

Answer: B

Question #:153

Which of the following fields is stored with the events in the index?

A.

Leaders in it certification 45 of 68
Practice Exam Splunk - SPLK-1001

A. user

B. source

C. location

D. sourcelp

Answer: B

Question #:154

All users by default have WRITE permission to ALL knowledge objects.

A. True

B. False

Answer: B

Question #:155

Which command is used to validate a lookup file?

A. | lookup [Link]

B. inputlookup [Link]

C. I inputlookup [Link]

D. | lookup definition [Link]

Answer: C

Question #:156

What syntax is used to link key/value pairs in search strings?

A. action+purchase

B. action=purchase

C. action | purchase

D. action equal purchase

Answer: B

Leaders in it certification 46 of 68
Practice Exam Splunk - SPLK-1001

Question #:157

Search Assistant is enabled by default in the SPL editor with compact settings.

A. No

B. Yes

Answer: B

Question #:158

Which search would return events from the access_combined sourcetype?

A. Sourcetype=access_combined

B. Sourcetype=Access_Combined

C. sourcetype=Access_Combined

D. SOURCETYPE=access_combined

Answer: C

Question #:159

Prefix wildcards might cause performance issues.

A. False

B. True

Answer: B

Question #:160

How to make Interesting field into a selected field?

A. Click field in field sidebar -> click YES on the pop-up dialog on upper right side -> check now field
should

be visible in the list of selected fields.

B. Not possible.

C.

Leaders in it certification 47 of 68
Practice Exam Splunk - SPLK-1001

C. Only CLI changes will enable it.

D. Click Settings -> Find field option -> Drop down select field -> enable selected field -> check now field

should be visible in the list of selected fields.

Answer: A

Question #:161

By default, which of the following is a Selected Field?

A. action

B. clientip

C. categoryld

D. sourcetype

Answer: D

Question #:162

What happens when a field is added to the Selected Fields list in the fields sidebar'?

A. Splunk will re-run the search job in Verbose Mode to prioritize the new Selected Field

B. Splunk will highlight related fields as a suggestion to add them to the Selected Fields list.

C. Custom selections will replace the Interesting Fields that Splunk populated into the list at search time

D. The selected field and its corresponding values will appear underneath the events in the search results

Answer: D

Question #:163

Which command is used to review the contents of a specified static lookup file?

A. lookup

B. csvlookup

C. inputlookup

D. outputlookup

Leaders in it certification 48 of 68
Practice Exam Splunk - SPLK-1001

Answer: C

Question #:164

Which of the following index searches would provide the most efficient search performance?

A. index=*

B. index=web OR index=s*

C. (index=web OR index=sales)

D. *index=sales AND index=web*

Answer: C

Question #:165

How can another user gain access to a saved report?

A. The owner of the report can edit permissions from the Edit dropdown

B. Only users with an Admin or Power User role can access other users' reports

C. Anyone can access any reports marked as public within a shared Splunk deployment

D. The owner of the report must clone the original report and save it to their user account

Answer: A

Question #:166

All components are installed and administered in Splunk Enterprise on-premise.

A. True

B. False

Answer: A

Question #:167

After running a search, what effect does clicking and dragging across the timeline have?

A. Executes a new search.

Leaders in it certification 49 of 68
Practice Exam Splunk - SPLK-1001

B. Filters current search results.

C. Moves to past or future events.

D. Expands the time range of the search.

Answer: B

Question #:168

It is mandatory for the lookup file to have this for an automatic lookup to work.

A. Source type

B. At least five columns

C. Timestamp

D. Input filed

Answer: D

Question #:169

Which Boolean operator is implied between search terms, unless otherwise specified?

A. OR

B. AND

C. NOT

D. NAND

Answer: B

Question #:170

Which of the following is the most efficient filter for running searches in Splunk?

A. Time

B. Fast mode

C. Sourcetype

D. Selected Fields

Leaders in it certification 50 of 68
Practice Exam Splunk - SPLK-1001

Answer: A

Question #:171

36. Lookups can be private for a user.

A. True

B. False

Answer: A

Question #:172

Select the correct option that applies to Index time processing (Choose three.).

A. Indexing

B. Searching

C. Parsing

D. Settings

E. Input

Answer: A C E

Question #:173

______________ is the default web port used by Splunk.

A. 8089

B. 8000

C. 8080

D. 443

Answer: B

Question #:174

Clicking a SEGMENT on a chart, ________.

Leaders in it certification 51 of 68
Practice Exam Splunk - SPLK-1001

A. drills down for that value

B. highlights the field value across the chart

C. adds the highlighted value to the search criteria

Answer: C

Question #:175

When sorting on multiple fields with the sort command, what delimiter can be used between the field names in
the search?

A. |

B. $

C. !

D. ,

Answer: D

Question #:176

What must be done before an automatic lookup can be created? (select all that apply)

A. The lookup command must be used.

B. The lookup definition must be created.

C. The lookup file must be uploaded to Splunk.

D. The lookup file must be verified using the inputlookup command.

Answer: B

Question #:177

Which of the following is the best way to create a report that shows the last 24 hours of events?

A. Use earliest=-1d@d latest=@d

B. Set a real-time search over a 24-hour window

C. Use the time range picket to select “Yesterday”

D.

Leaders in it certification 52 of 68
Practice Exam Splunk - SPLK-1001

D. Use the time range picker to select “Last 24 hours”

Answer: D

Question #:178

Which of the following is a correct way to limit search results to display the 5 most common values of a field?

A. | rare top=5

B. | top rare=5

C. | top limit=5

D. | rare limit=5

Answer: C

Question #:179

What result will you get with following search index=test sourcetype="The_Questionnaire_P*" ?

A. the_questionnaire _pedia

B. the_questionnaire pedia

C. the_questionnaire_pedia

D. the_questionnaire Pedia

Answer: C

Question #:180

Uploading local files though Upload options index the file only once.

A. No

B. Yes

Answer: B

Question #:181

Which of the following is a Splunk search best practice?

Leaders in it certification 53 of 68
Practice Exam Splunk - SPLK-1001

A. Filter as early as possible.

B. Never specify more than one index.

C. Include as few search terms as possible.

D. Use wildcards to return more search results.

Answer: A

Question #:182

There are three different search modes in Splunk (Choose three.):

A. Automatic

B. Smart

C. Fast

D. Verbose

Answer: B C D

Question #:183

Which Field/Value pair will return only events found in the index named security?

A. index!=Security

B. Index-security

C. Index=Security

D. index=Security

Answer: D

Explanation
The Kusto Query Language (KQL) is the language you use to query data in Azure Data Explorer [1]. To query
for events that are found in the index named security, you would use the following KQL query:

index=Security

This query will return all events that are found in the security index. It is important to note that the "="

Leaders in it certification 54 of 68
Practice Exam Splunk - SPLK-1001

operator must be used in order to match the exact index name.

Question #:184

Splunk Components:

Which of the following are responsible for reducing search results?

A. search heads

B. indexers

C. forwarders

Answer: B

Question #:185

Which of the following is true about user account settings and preferences?

A. Search & Reporting is the only app that can be set as the default application.

B. Full names can only be changed by accounts with a Power User or Admin role.

C. Time zones are automatically updated based on the setting of the computer accessing Splunk.

D. Full name, time zone, and default app can be defined by clicking the login name in the Splunk bar.

Answer: D

Question #:186

A collection of items containing things such as data inputs, UI elements, and knowledge objects is known as
what?

A. An app

B. JSON

C. A role

D. An enhanced solution

Answer: A

Question #:187

Leaders in it certification 55 of 68
Practice Exam Splunk - SPLK-1001

Splunk Enterprise is used as a Scalable service in Splunk Cloud.

A. True

B. False

Answer: A

Question #:188

In the Search and Reporting app, which tab displays timecharts and bar charts?

A. Events

B. Patterns

C. Statistics

D. Visualization

Answer: D
Question #:189

Log filtering/parsing can be done from _____________.

A. Index Forwarders (IF)

B. Universal Forwarders (UF)

C. Super Forwarder (SF)

D. Heavy Forwarders (HF)

Answer: D

Question #:190

Every Search in Splunk is also called _____________.

A. None of the above

B. Job

C. Search Only

Answer: B

Leaders in it certification 56 of 68
Practice Exam Splunk - SPLK-1001

Question #:191

Fields are searchable name and value pairings that differentiates one event from another.

A. False

B. True

Answer: B

Question #:192

What are the three main Splunk components?

A. Search head, GPU, streamer

B. Search head, indexer, forwarder

C. Search head, SQL database, forwarder

D. Search head, SSD, heavy weight agent

Answer: B

Explanation
Explanation/Reference:

Question #:193

By default, all users have DELETE permission to ALL knowledge objects.

A. True

B. False

Answer: B

Question #:194

What options do you get after selecting timeline? (Choose four.)

A. Zoom to selection

B. Format Timeline

C.

Leaders in it certification 57 of 68
Practice Exam Splunk - SPLK-1001

C. Deselect

D. Delete

E. Zoom Out

Answer: A B C E

Question #:195

@ Symbol can be used in advanced time unit option.

A. No

B. Yes

Answer: B

Question #:196

How can results from a specified static lookup file be displayed?

A. lookup command

B. inputlookup command

C. Settings > Lookups > Input

D. Settings > Lookups > Upload

Answer: B

Question #:197

What is a primary function of a scheduled report?

A. Auto-detect changes in performance

B. Auto-generated PDF reports of overall data trends

C. Regularly scheduled archiving to keep disk space use low

D. Triggering an alert in your Splunk instance when certain conditions are met

Answer: D

Leaders in it certification 58 of 68
Practice Exam Splunk - SPLK-1001

Question #:198

By default search results are not returned in ________ order.

A. Chronological

B. Reverser chronological

C. ASCIE

D. Alphabetical

Answer: A D

Question #:199

Field values are case sensitive.

A. True

B. False

Answer: B

Question #:200

Which of the following searches will return results where fail, 400, and error exist in every event?

A. error AND (fail AND 400)

B. error OR (fail and 400)

C. error AND (fail OR 400)

D. error OR fail OR 400

Answer: C

Question #:201

Which of the following reports is available in the Fields window?

A. Top values by time

B. Rare values by time

C. Events with top value fields

Leaders in it certification 59 of 68
Practice Exam Splunk - SPLK-1001

D. Events with rare value fields

Answer: C

Question #:202

Which of the following constraints can be used with the top command?

A. limit

B. useperc

C. addtotals

D. fieldcount

Answer: A

Question #:203

Snapping rounds down to the nearest specified unit.

A. Yes

B. No

Answer: A

Question #:204

Which search string matches only events with the status_code of 4:4?

A. status_code !=404

B. status_code>=400

C. status_code<=404

D. status code>403 status_code<405

Answer: D

Question #:205

Leaders in it certification 60 of 68
Practice Exam Splunk - SPLK-1001

Which events will be returned by the following search string?

host=www3 status=503

A. All events that either have a host of www3 or a status of 503.

B. All events with a host of www3 that also have a status of 503

C. We need more information: we cannot tell without knowing the time range

D. We need more information a search cannot be run without specifying an index

Answer: B

Question #:206

Which search matches the events containing the terms "error" and "fail"?

A. index=security Error Fail

B. index=security error OR fail

C. index=security “error failure”

D. index=security NOT error NOT fail

Answer: A
Question #:207

Events in Splunk are automatically segregated using data and time.

A. Yes

B. No

Answer: A

Question #:208

It is no possible for a single instance of Splunk to manage the input, parsing and indexing of machine data.

A. True

B. False

Answer: B

Leaders in it certification 61 of 68
Practice Exam Splunk - SPLK-1001

Question #:209

In the Splunk interface, the list of alerts can be filtered based on which characteristics?

A. App, Owner, Severity, and Type

B. App, Owner, Priority, and Status

C. App, Dashboard, Severity, and Type

D. App, Time Window, Type, and Severity

Answer: D

Question #:210

NOT status = 100:

A. Will display result depending on the data.

B. Will return event where status field exist but value of that field is not 100.

C. Will return event where status field exist but value of that field is not 100 and all events where status
field

doesn't exist.

Answer: C

Question #:211

Matching search terms are highlighted.

A. Yes

B. No

Answer: A

Question #:212

Which of the following commands will show the maximum bytes?

A. sourcetype=access_* | maximum totals by bytes

B. sourcetype=access_* | avg (bytes)

C.

Leaders in it certification 62 of 68
Practice Exam Splunk - SPLK-1001

C. sourcetype=access_* | stats max(bytes)

D. sourcetype=access_* | max(bytes)

Answer: C

Question #:213

At index time, in which field does Splunk store the timestamp value?

A. time

B. _time

C. EventTime

D. timestamp

Answer: B

Question #:214

Which statement is true about the top command?

A. It returns the top 10 results

B. It displays the output in table format

C. It returns the count and percent columns per row

D. All of the above

Answer: D

Question #:215

What determines the scope of data that appears in a scheduled report?

A. All data accessible to the User role will appear in the report.

B. All data accessible to the owner of the report will appear in the report.

C. All data accessible to all users will appear in the report until the next time the report is run.

D. The owner of the report can configure permissions so that the report uses either the User role or the
owner’s profile at run time.

Answer: D

Leaders in it certification 63 of 68
Practice Exam Splunk - SPLK-1001

Question #:216

Which search string is the most efficient?

A. "failed password"

B. ''failed password"*

C. index=* "failed password"

D. index=security "failed password"

Answer: D

Question #:217

Which of the following is a Splunk internal field?

A. _raw

B. host

C. _host

D. index

Answer: A

Question #:218

In the fields sidebar, which character denotes alphanumeric field values?

A. #

B. %

C. a

D. a#

Answer: B

Question #:219

Which all time unit abbreviations can you include in Advanced time range picker? (Choose seven.)

Leaders in it certification 64 of 68
Practice Exam Splunk - SPLK-1001

A. h

B. day

C. mon

D. yr

E. y

F. w

G. week

H. d

I. s

J. m

Answer: A C E F H I J

Question #:220

What can be included in the All Fields option in the sidebar?

A. Dashboards

B. Metadata only

C. Non-interesting fields

D. Field descriptions

Answer: C

Question #:221

Splunk Components:

Which of the following are responsible for parsing incoming data and storing data on disc?

A. forwarders

B. indexers

C. search heads

Answer: B

Leaders in it certification 65 of 68
Practice Exam Splunk - SPLK-1001

Question #:222

What does the rare command do?

A. Returns the least common field values of a given field in the results.

B. Returns the most common field values of a given field in the results.

C. Returns the top 10 field values of a given field in the results.

D. Returns the lowest 10 field values of a given field in the results.

Answer: A

Question #:223

Monitor option in Add Data provides _______________.

A. Only continuous monitoring.

B. Only One-time monitoring.

C. None of the above.

D. Both One-time and continuous monitoring

Answer: D

Question #:224

!= and NOT are same arguments.

A. True

B. False

Answer: B

Question #:225

Which of the following are not true about lookups? (Select all that apply.)

A. Lookups can be time based

B.

Leaders in it certification 66 of 68
Practice Exam Splunk - SPLK-1001

B. Search results can be used to populate a lookup table

C. Splunk DB Connect can be used to populate a lookup table from relational databases

D. Output from a script can be used to populate a lookup table

E. Lookup have a 10mg maximum size limit

Answer: E

Question #:226

Which command automatically returns percent and count columns when executing searches?

A. top

B. stats

C. table

D. percent

Answer: A

Question #:227

You can use the following options to specify start and end time for the query range:

A. earliest=

B. latest=

C. beginning=

D. ending=

E. All the above

F. Only 3rd and 4th

Answer: F

Question #:228

Which of the following describes lookup files?

A. Lookup fields cannot be used in searches

Leaders in it certification 67 of 68
Practice Exam Splunk - SPLK-1001

B. Lookups contain static data available in the index

C. Lookups add more fields to results returned by a search

D. Lookups pull data at index time and add them to search results

Answer: B

Question #:229

What is the default lifetime of every Splunk search job?

A. All search jobs are saved for 10 days

B. All search jobs are saved for 10 hours

C. All search jobs are saved for 10 weeks

D. All search jobs are saved for 10 minutes

Answer: D

Explanation
Explanation/Reference:

Leaders in it certification 68 of 68
About [Link]
[Link] was founded in 2007. We provide latest & high quality IT / Business Certification Training Exam
Questions, Study Guides, Practice Tests.

We help you pass any IT / Business Certification Exams with 100% Pass Guaranteed or Full Refund. Especially
Cisco, CompTIA, Citrix, EMC, HP, Oracle, VMware, Juniper, Check Point, LPI, Nortel, EXIN and so on.

View list of all certification exams: All vendors

We prepare state-of-the art practice tests for certification exams. You can reach us at any of the email addresses listed
below.

Sales: sales@[Link]
Feedback: feedback@[Link]
Support: support@[Link]

Any problems about IT certification or our products, You can write us back and we will get back to you within 24
hours.