- (Exam Topic 2)
Which is not a comparison operator in Splunk
Correct Answer:
E
A comparison operator is a symbol that compares two values and returns a Boolean result (true or
false)2. Splunk supports various comparison operators such as <, >, =, !=, <=, >=, IN and LIKE2. However,
?= is not a valid comparison operator in Splunk and will cause a syntax error if used in a search string2. Therefore, option E is correct, while options A, B, C and D are incorrect because they are valid comparison operators in Splunk
- (Exam Topic 1)
Which of the following statements describe GET workflow actions?
Correct Answer:
D
GET workflow actions are custom actions that open a URL link when you click on a field value in your search results. GET workflow actions can be configured with various options, such as label name, base URL, URI parameters, app context, etc. One of the options is to choose whether to open the URL link in the current window or in a new window. GET workflow actions do not have to be configured with POST arguments, as they use GET method to send requests to web servers. Configuration of GET workflow actions does not include choosing a sourcetype, as they do not generate any data in Splunk. Label names for GET workflow actions must include a field name surrounded by dollar signs, as this indicates the field value that will be used to replace the variable in the URL link.
- (Exam Topic 2)
A field alias is created where field1—fieid2 and the Overwrite Field Values checkbox is selected. What happens if an event only contains values for fieid1?
Correct Answer:
D
The correct answer is D. field2 values are replaced with the value of the field1.
A field alias is a way to associate an additional (new) name with an existing field name. A field alias can be used to normalize fields from different sources that have different names but represent the same data. Field aliases can also be used to rename fields for clarity or convenience1.
When you create a field alias in Splunk Web, you can select the Overwrite Field Values option to change the behavior of the field alias. This option affects how the Splunk software handles situations where the original field has no value or does not exist, as well as situations where the alias field already exists as a field in your events, alongside the original field2.
If you select the Overwrite Field Values option, the following rules apply:
If the original field does not exist or has no value in an event, the alias field is removed from that event. If the original field and the alias field both exist in an event, the value of the alias field is replaced with the value of the original field.
If you do not select the Overwrite Field Values option, the following rules apply: If the original field does not exist or has no value in an event, the alias field is unchanged in that event. If the original field and the alias field both exist in an event, both fields are retained with their respective values.
Therefore, if you create a field alias where field1—field2 and select the Overwrite Field Values option, and an event only contains values for field1, then the value of field2 will be replaced with the value of field1. References: About calculated fields About field aliases Create field aliases in Splunk Web
- (Exam Topic 2)
Why are tags useful in Splunk?
Correct Answer:
C
Tags are a type of knowledge object that enable you to assign descriptive keywords to events based on the values of their fields. Tags can help you to search more efficiently for groups of event data that share common characteristics, such as functionality, location, priority, etc. For example, you can tag all the IP addresses of your routers as router, and then search for tag=router to find all the events related to your routers. Tags can also help you to normalize data from different sources by using the same tag name for equivalent field values. For example, you can tag the field values error, fail, and critical as severity=high, and then search for severity=high to find all the events with high severity level2
1: Splunk Core Certified Power User Track, page 10. 2: Splunk Documentation, About tags and aliases.
- (Exam Topic 2)
What are the expected results for a search that contains the command | where A=B?
Correct Answer:
C
The correct answer is C. Events where values of field A are equal to values of field B.
The where command is used to filter the search results based on an expression that evaluates to true or false. The where command can compare two fields, two values, or a field and a value. The where command can also use functions, operators, and wildcards to create complex expressions1.
The syntax for the where command is:
| where <expression>
The expression can be a comparison, a calculation, a logical operation, or a combination of these. The expression must evaluate to true or false for each event.
To compare two fields with the where command, you need to use the field names without any quotation marks. For example, if you want to find events where the values for the field A match the values for the field
B, you can use the following syntax:
| where A=B
This will return only the events where the two fields have the same value.
The other options are not correct because they use different syntax or fields that are not related to the where command. These options are: A. Events that contain the string value where A=B: This option uses the string value where A=B as a search term, which is not valid syntax for the where command. This option will return events that have the literal text “where A=B” in them. B. Events that contain the string value A=B: This option uses the string value A=B as a search term, which is not valid syntax for the where command. This option will return events that have the literal text “A=B” in them. D. Events where field A contains the string value B: This option uses quotation marks around the value B, which is not valid syntax for comparing fields with the where command. Quotation marks are used to enclose phrases or exact matches in a search2. This option will return events where the field A contains the string value “B”.
References:
where command usage Search command cheatsheet
