Which of the following workflow actions can be executed from search results? (select all that apply)
Correct Answer: A,B,D
As mentioned before, Splunk supports three types of workflow actions: GET, POST and Search [1]. A GET or POST action is launched from search results by clicking an event field value for which the action is configured; it sends that value to an external web server in the request URI or body. A Search action is launched the same way, but runs another Splunk search with the clicked field value substituted in. Therefore options A, B and D are correct, while option C is incorrect because LOOKUP is not a workflow action type.
SPLK-1002 Exam Question 77
Which of the following are required to create a POST workflow action?
Correct Answer: C
Explanation: POST workflow actions are custom actions that send an HTTP POST request to a web server when you click a field value in your search results. A POST workflow action is configured with a label, the base URI to post to, optional URI parameters, post arguments, the app context in which it appears, and similar settings. One of the settings required to create a POST workflow action is the post arguments. Post arguments are key-value pairs sent in the body of the POST request to pass information to the web server; their values can include field values from the clicked event by enclosing the field name in dollar signs, for example $src_ip$.
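As an added illustration (not part of the exam explanation or of Splunk's documentation), here are the three workflow action types from questions 76 and 77 written as workflow_actions.conf stanzas. The stanza names, the src_ip field, the firewall index and the host ti.example.internal are assumptions chosen for the example.

```ini
# Added example: the three workflow action types in workflow_actions.conf.
# Stanza names, the src_ip field, the firewall index and the host
# ti.example.internal are illustrative assumptions, not values from the page.

# GET: open a URL in a new tab with the clicked value substituted into the URI.
[ti_lookup_get]
type = link
link.method = get
link.uri = https://ti.example.internal/ip/$src_ip$
link.target = blank
fields = src_ip
display_location = both
label = Look up $src_ip$ (GET)

# POST: send the clicked value in the request body as post arguments.
[ti_lookup_post]
type = link
link.method = post
link.uri = https://ti.example.internal/lookup
link.target = blank
link.postargs.1.key = ip
link.postargs.1.value = $src_ip$
link.postargs.2.key = source_search
link.postargs.2.value = $@sid$
fields = src_ip
display_location = both
label = Look up $src_ip$ (POST)

# Search: run another Splunk search with the clicked value substituted in.
[ti_pivot_search]
type = search
search.search_string = index=firewall src_ip=$src_ip$ | stats count by dest_ip, dest_port
search.target = blank
search.earliest = -24h
search.latest = now
fields = src_ip
display_location = both
label = Pivot on $src_ip$
```

Two points a practitioner should check before deploying such actions: the $field$ tokens are substituted verbatim from event data, so the receiving endpoint must treat the ip value as untrusted input, and a GET action places that value in a URL that will appear in proxy and web-server logs, so a POST action is the better choice for values you would rather not have logged. Restricting each stanza with fields keeps the action from appearing on every field in the event.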
SPLK-1002 Exam Question 78
Which of the following searches would create a graph similar to the one below?
Correct Answer: C
The following search would create a graph similar to the one shown:

index=_internal sourcetype=Savesplunker | fields sourcetype, status | transaction status maxspan=1d | timechart count by status

The search does the following:
* index=_internal restricts the search to the _internal index, which holds Splunk's own logs and metrics (written as the bare term index_internal it would be a keyword search, not an index filter).
* sourcetype=Savesplunker filters those internal events to a single sourcetype.
* fields sourcetype, status keeps only the sourcetype and status fields in the events.
* transaction status maxspan=1d groups events that share a status value into transactions, with at most one day between the first and last event of each transaction.
* timechart count by status creates a time-based chart of the number of transactions per status value over time.

The graph shows the following:
* It is a line graph with two lines, one yellow and one blue.
* The x-axis is labeled with dates from Wed, Apr 4, 2018 to Tue, Apr 10, 2018.
* The y-axis is labeled with numbers from 0 to 15.
* The yellow line represents "shipped" and the blue line represents "success".
* The yellow line rises steadily from 0 to 15, while the blue line rises sharply from 0 to 5, falls back to 0, and then rises sharply to 10.
* The graph is titled "Type".

Therefore, option C is the correct answer.
SPLK-1002 Exam Question 79
A user wants to convert numeric field values to strings and also to sort on those values. Which command should be used first, the eval or the sort?
Correct Answer: B
SPLK-1002 Exam Question 80
What are the expected results for a search that contains the command | where A=B?
Correct Answer: C
The correct answer is C: events where the value of field A equals the value of field B. The where command filters search results using an expression that evaluates to true or false for each event. The expression can compare two fields, a field and a literal value, or the results of arithmetic and eval functions, and it can use functions such as like() for pattern matching, so complex conditions can be built [1]. The syntax is:

| where <expression>

To compare two fields, use the bare field names; a value in double quotes is a string literal, not a field name. For example, to find events where the value of field A matches the value of field B:

| where A=B

This returns only the events in which the two fields hold the same value.

The other options describe behaviour the where command does not have:
* A. Events that contain the string value where A=B: where is a command, not a search term; it does not look for the literal text "where A=B" in the raw event.
* B. Events that contain the string value A=B: likewise, the unquoted A=B inside a where clause is a field comparison, not a search for the literal text "A=B".
* D. Events where field A contains the string value B: that is what | where A="B" returns, because quotation marks make B a literal string rather than a field name [2]; without the quotes, B is the name of a field.

References:
* where command usage
* Search command cheatsheet