Which of the following searches would create a graph similar to the one below?
Correct Answer: C
The following search would create a graph similar to the one below:

index_internal sourcetype=Savesplunker | fields sourcetype, status | transaction status maxspan=1d | timechart count by status

The search does the following:
* It uses index_internal to specify the internal index that contains Splunk logs and metrics.
* It uses sourcetype=Savesplunker to filter events by the sourcetype that indicates the Splunk Enterprise Security app.
* It uses fields sourcetype, status to keep only the sourcetype and status fields in the events.
* It uses transaction status maxspan=1d to group events into transactions based on the status field, with a maximum time span of one day between the first and last events in a transaction.
* It uses timechart count by status to create a time-based chart that shows the count of transactions for each status value over time.

The graph shows the following:
* It is a line graph with two lines, one yellow and one blue.
* The x-axis is labeled with dates from Wed, Apr 4, 2018 to Tue, Apr 10, 2018.
* The y-axis is labeled with numbers from 0 to 15.
* The yellow line represents "shipped" and the blue line represents "success".
* The yellow line has a steady increase from 0 to 15, while the blue line has a sharp increase from 0 to 5, then a decrease to 0, and then a sharp increase to 10.
* The graph is titled "Type".

Therefore, option C is the correct answer.
SPLK-1002 Exam Question 102
When using timechart, how many fields can be listed after a by clause?
Correct Answer: B
Explanation: The timechart command is used to create a time-series chart of statistical values based on your search results. You can use the timechart command with a by clause to split the results by one or more fields and create multiple series in the chart. However, you can only list one field after the by clause when using the timechart command, because _time is already implied as the x-axis of the chart. Therefore, option B is correct, while options A, C and D are incorrect.
SPLK-1002 Exam Question 103
Calculated fields can be based on which of the following?
Correct Answer: B
"Calculated fields can reference all types of field extractions and field aliasing, but they cannot reference lookups, event types, or tags."
SPLK-1002 Exam Question 104
Which of the following searches show a valid use of a macro? (Choose all that apply.)
Correct Answer: A,C
Explanation: The searches A and C show a valid use of a macro. A macro is a reusable piece of SPL code that can be called by using single quotes (''). A macro can take arguments, which are passed inside parentheses after the macro name. For example, 'makeMyField(oldField)' calls a macro named makeMyField with an argument oldField. The searches B and D are not valid because they use double quotes ("") instead of single quotes ('').
SPLK-1002 Exam Question 105
How is an event type created from the search window? (select all that apply)
Correct Answer: A,C
In Splunk, you can create an event type from the search window by running a search that would make a good event type, then clicking Save As and selecting Event Type. This opens the Save as Event Type dialog, where you can provide the event type name and optionally apply tags to it. You can also create an event type by editing the eventtypes.conf file and adding a new stanza. Each stanza in the eventtypes.conf file represents an event type. The stanza name is the name of the event type, and the search attribute specifies the search string that defines the event type. It's important to note that while you can use the eventtype command in a search to find events associated with a specific event type, adding | eventtype to the SPL and executing the search does not create a new event type. Similarly, clicking Event Actions > Build Event Type in an event's detail dropdown does not create a new event type.