When using the transaction command, what does the argument maxspan do?
Correct Answer: D
SPLK-1002 Exam Question 87
Which of the following knowledge objects can reference field aliases?
Correct Answer: A
Field aliases in Splunk are alternate names assigned to fields. These can be particularly useful for normalizing data from different sources or simply for making field names more intuitive. Once an alias is created for a field, it can be used across various Splunk knowledge objects, enhancing their flexibility and utility.
A: Calculated fields, lookups, event types, and tags: This is the correct answer. Field aliases can indeed be referenced in calculated fields, lookups, event types, and tags within Splunk. When you create an alias for a field, that alias can then be used in these knowledge objects just like any standard field name.
* Calculated fields: These are expressions that can create new field values based on existing data. You can use an alias in a calculated field expression to refer to the original field.
* Lookups: These are used to enrich your event data by referencing external data sources. If you've created an alias for a field that matches a field in your lookup table, you can use that alias in your lookup configurations.
* Event types: These are classifications for events that meet certain search criteria. You can use field aliases in the search criteria for defining an event type.
* Tags: These allow you to assign meaningful labels to data, making it easier to search and report on. You can use field aliases in the search criteria that you tag.
SPLK-1002 Exam Question 88
These kinds of charts represent a series in a single bar with multiple sections
Correct Answer: B
SPLK-1002 Exam Question 89
Lookups allow you to overwrite your raw event.
Correct Answer: B
SPLK-1002 Exam Question 90
Which of the following statements about calculated fields in Splunk is true?
Correct Answer: B
The correct answer is B. Calculated fields can be chained together to create more complex fields.
Calculated fields are fields that are added to events at search time by using eval expressions. They can be used to perform calculations with the values of two or more fields already present in those events. Calculated fields can be defined with Splunk Web or in the props.conf file. They can be used in searches, reports, dashboards, and data models like any other extracted field [1].
Calculated fields can also be chained together to create more complex fields. This means that you can use a calculated field as an input for another calculated field. For example, if you have a calculated field named total that sums up the values of two fields named price and tax, you can use the total field to create another calculated field named discount that applies a percentage discount to the total field. To do this, you need to define the discount field with an eval expression that references the total field, such as:
    discount = total * 0.9
This will create a new field named discount that is equal to 90% of the total field value for each event [2].
References:
[1] About calculated fields
[2] Chaining calculated fields