Which of the following describes the transaction command?
Correct Answer: C
The transaction command is a Splunk command that finds transactions based on events that meet various constraints. Transactions are made up of the raw text (the _raw field) of each member, the time and date fields of the earliest member, and the union of all other fields of each member; the command also adds the duration and eventcount fields to each transaction. The transaction command groups events together by matching one or more fields that have the same value across the events, optionally bounded by constraints such as maxspan (the total length of a transaction) and maxpause (the longest gap allowed between consecutive events). For example, | transaction clientip will group events that have the same value in the clientip field.
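The grouping semantics described above, modelled in Python as an added example. This is not Splunk's implementation and not code from the page; the sample web-access events, their epoch _time values and the field names uri and status are constructed here so the example runs offline. It shows how the grouping field, maxspan and maxpause decide where one transaction ends and the next begins, and how _raw, _time, duration, eventcount and the union of the member fields are assembled.

```python
# Constructed sample events (not from the page). Each event is a dict of
# Splunk-style fields; _time is an epoch timestamp in seconds.
EVENTS = [
    {"_time": 1000, "_raw": "10.0.0.5 GET /login 200", "clientip": "10.0.0.5", "uri": "/login", "status": "200"},
    {"_time": 1010, "_raw": "10.0.0.5 POST /login 302", "clientip": "10.0.0.5", "uri": "/login", "status": "302"},
    {"_time": 1020, "_raw": "10.0.0.5 GET /admin 403", "clientip": "10.0.0.5", "uri": "/admin", "status": "403"},
    {"_time": 1005, "_raw": "10.0.0.9 GET / 200", "clientip": "10.0.0.9", "uri": "/", "status": "200"},
    # same client much later: a long pause, so it should not join the first session
    {"_time": 5000, "_raw": "10.0.0.5 GET / 200", "clientip": "10.0.0.5", "uri": "/", "status": "200"},
]


def transaction(events, by, maxspan=None, maxpause=None):
    """Model of `| transaction <by> [maxspan=N] [maxpause=N]`.

    by       : list of field names whose values must match across members
    maxspan  : maximum seconds between the first and last member (None = unlimited)
    maxpause : maximum seconds between consecutive members (None = unlimited)
    Returns one dict per transaction, ordered by the earliest member's _time.
    """
    groups = {}  # grouping-key -> list of transactions, each a list of member events
    for ev in sorted(events, key=lambda e: e["_time"]):
        key = tuple(ev.get(f) for f in by)
        if any(v is None for v in key):
            continue  # simplification: events lacking a grouping field are dropped
        bucket = groups.setdefault(key, [])
        cur = bucket[-1] if bucket else None
        if cur is not None:
            pause = ev["_time"] - cur[-1]["_time"]
            span = ev["_time"] - cur[0]["_time"]
            if (maxpause is not None and pause > maxpause) or \
               (maxspan is not None and span > maxspan):
                cur = None  # constraint violated: start a new transaction
        if cur is None:
            bucket.append([ev])
        else:
            cur.append(ev)

    out = []
    for members in (txn for bucket in groups.values() for txn in bucket):
        txn = {
            "_time": members[0]["_time"],                       # earliest member
            "_raw": "\n".join(m["_raw"] for m in members),      # raw text of every member
            "duration": members[-1]["_time"] - members[0]["_time"],
            "eventcount": len(members),
        }
        # union of all other fields; differing values become a multivalue list
        for m in members:
            for k, v in m.items():
                if k in ("_time", "_raw"):
                    continue
                vals = txn.setdefault(k, [])
                if v not in vals:
                    vals.append(v)
        for k, v in list(txn.items()):
            if isinstance(v, list) and len(v) == 1:
                txn[k] = v[0]  # single-valued fields collapse to a plain value
        out.append(txn)
    return sorted(out, key=lambda t: t["_time"])


if __name__ == "__main__":
    for t in transaction(EVENTS, ["clientip"], maxpause=60):
        print(t["clientip"], t["eventcount"], t["duration"], t.get("status"))
```

With maxpause=60 the three 10.0.0.5 requests at 1000..1020 form one transaction (duration 20, eventcount 3, status becomes the multivalue list 200/302/403), the 5000 request becomes a separate one, and the 10.0.0.9 event is a transaction of its own. Drop maxpause and the 5000 event joins the first transaction, which is usually not what a session-reconstruction search wants.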
SPLK-1002 Exam Question 163
A data model consists of which three types of datasets?
Correct Answer: B
A data model dataset is the building block of a data model. Each data model is composed of one or more data model datasets. Each dataset within a data model defines a subset of the dataset represented by the data model as a whole. Data model datasets have a hierarchical relationship with each other, meaning they have parent-child relationships, and a data model can contain multiple dataset hierarchies. There are three types of data model dataset: event, search, and transaction. https://docs.splunk.com/Splexicon:Datamodeldataset
SPLK-1002 Exam Question 164
These users can create global knowledge objects. (Select all that apply.)
Correct Answer: A,C
SPLK-1002 Exam Question 165
Which of the following statements describe the Common Information Model (CIM)? (select all that apply)
Correct Answer: A,B,C
Reference: https://docs.splunk.com/Documentation/CIM/4.15.0/User/Overview The Common Information Model (CIM) is a methodology for normalizing data from different sources so that it is easier to analyze and report on. The CIM defines a common set of fields and tags for domains such as Alerts, Email, Database, Network Traffic and Web. One statement that describes the CIM is that it is a methodology for normalizing data: it provides a standard way to name and structure data from different sources so that they can be compared and correlated. Therefore, option A is correct. Another statement that describes the CIM is that it can correlate data from different sources: it enables you to run searches and reports across data from different sources that share common fields and tags. Therefore, option B is correct. Another statement that describes the CIM is that the Knowledge Manager uses the CIM to create knowledge objects: the person responsible for creating and managing knowledge objects such as data models, field aliases, tags and event types can use the CIM as a guide to make those objects consistent and compatible with other apps and add-ons. Therefore, option C is correct. Option D is incorrect because it does not describe the CIM but rather one of its components.
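The normalization-then-correlation idea above, as an added Python example rather than anything from the page or from Splunk's own add-ons. Two constructed firewall log lines use vendor-specific field names; per-sourcetype extractions and alias maps (playing the role of the props.conf/transforms.conf knowledge objects a Knowledge Manager would write) map them onto the CIM Network_Traffic names src, dest, dest_port, transport and action, and a single query then runs across both sources. The sourcetype names, regexes and sample lines are assumptions made for the example.

```python
import re

# Constructed sample events (not from the page): (sourcetype, raw text).
RAW_EVENTS = [
    ("cisco:asa",   "Deny tcp src outside:203.0.113.7/4431 dst inside:10.1.2.3/22"),
    ("pan:traffic", "action=deny src_ip=198.51.100.4 dst_ip=10.1.2.3 dport=22"),
    ("pan:traffic", "action=allow src_ip=10.1.9.9 dst_ip=10.1.2.3 dport=443"),
]

# Per-sourcetype field extraction (assumed formats, stand-in for EXTRACT-* in props.conf).
EXTRACTIONS = {
    "cisco:asa": re.compile(
        r"^(?P<fw_action>\w+) (?P<proto>\w+) src \w+:(?P<srcip>[\d.]+)/\d+ "
        r"dst \w+:(?P<dstip>[\d.]+)/(?P<dstport>\d+)"),
    "pan:traffic": re.compile(
        r"action=(?P<action>\w+) src_ip=(?P<src_ip>[\d.]+) "
        r"dst_ip=(?P<dst_ip>[\d.]+) dport=(?P<dport>\d+)"),
}

# Native field name -> CIM Network_Traffic field name (stand-in for FIELDALIAS-*).
FIELD_ALIASES = {
    "cisco:asa":   {"srcip": "src", "dstip": "dest", "dstport": "dest_port",
                    "proto": "transport", "fw_action": "action"},
    "pan:traffic": {"src_ip": "src", "dst_ip": "dest", "dport": "dest_port"},
}

# CIM prescribes the values of action, not just its name (stand-in for an EVAL-action).
ACTION_MAP = {"deny": "blocked", "allow": "allowed"}


def normalize(sourcetype, raw):
    """Return the event as a dict of CIM-named fields, or None if it does not parse."""
    m = EXTRACTIONS[sourcetype].match(raw)
    if not m:
        return None
    fields = dict(m.groupdict())
    for native, cim in FIELD_ALIASES[sourcetype].items():
        if native in fields:
            fields[cim] = fields.pop(native)
    fields["action"] = ACTION_MAP.get(fields["action"].lower(), fields["action"])
    fields["tag"] = ["network", "communicate"]  # tags the Network_Traffic data model selects on
    fields["sourcetype"] = sourcetype
    return fields


def blocked_to_port(events, port):
    """Equivalent of: tag=network tag=communicate action=blocked dest_port=<port>
    | stats count by src   -- one search over every sourcetype that is CIM-compliant."""
    counts = {}
    for sourcetype, raw in events:
        ev = normalize(sourcetype, raw)
        if ev and "network" in ev["tag"] and ev["action"] == "blocked" \
                and ev["dest_port"] == port:
            counts[ev["src"]] = counts.get(ev["src"], 0) + 1
    return counts


if __name__ == "__main__":
    print(blocked_to_port(RAW_EVENTS, "22"))
```

Without the aliases, the same question needs one clause per vendor (srcip for the ASA, src_ip for the PAN, and two spellings of "deny"); with them the query names only CIM fields, and adding a third firewall means adding a third mapping, not rewriting every search.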