- (Exam Topic 1)
When creating a Search workflow action, which field is required?
Correct Answer:
A
Reference: https://docs.splunk.com/Documentation/Splunk/8.0.3/Knowledge/Setupasearchworkflowaction
A workflow action is a link that appears when you click an event field value in your search results. A workflow action can open a web page or run another search based on the field value. There are two types of workflow actions: GET and POST. A GET workflow action appends the field value to the end of a URI and opens it in a web browser. A POST workflow action sends the field value as part of an HTTP request to a web server. When creating a Search workflow action, which is a type of GET workflow action that runs another search based on the field value, the only required field is the search string. The search string defines the search that will be run when the workflow action is clicked. Therefore, option A is correct, while options B, C and D are incorrect because they are not required fields for creating a Search workflow action.
- (Exam Topic 2)
How is an event type created from the search window? (select all that apply)
Correct Answer:
AC
In Splunk, you can create an event type from the search window by running a search that would make a good event type, then clicking Save As and selecting Event Type. This opens the Save as Event Type dialog, where you can provide the event type name and optionally apply tags to it.
You can also create an event type by editing the eventtypes.conf file and adding a new stanza. Each stanza in the eventtypes.conf file represents an event type. The stanza name is the name of the event type, and the search attribute specifies the search string that defines the event type.
It’s important to note that while you can use the eventtype command in a search to find events associated with a specific event type, adding | eventtype to the SPL and executing the search does not create a new event type. Similarly, clicking Event Actions > Build Event Type in an event’s detail dropdown does not create a new event type.
- (Exam Topic 1)
Which of the following statements describes this search? sourcetype=access_combined | transaction JSESSIONID | timechart avg(duration)
Correct Answer:
A
This search uses the transaction command to group events that share a common value for JSESSIONID into transactions. The transaction command assigns a duration field to each transaction, which is the difference between the latest and earliest timestamps of the events in the transaction. The search then uses the timechart command to create a time-series chart of the average duration of each transaction. Therefore, option A is correct because it describes the search accurately. Option B is incorrect because the search does not use the stats command or the pause field. Option C is incorrect because the transaction command does not require the startswith and endswith options, although they can be used to specify how to identify the beginning and end of a transaction. Option D is incorrect because the transaction command does not have to be the last command in the search pipeline, although it is often used near the end of a search.
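To make the two-stage pipeline concrete, the following Python model (an added example, not Splunk's code or part of the original question set) reproduces what transaction JSESSIONID followed by timechart avg(duration) does over a handful of constructed access_combined-style events: events are grouped by the JSESSIONID value, each group becomes one transaction whose _time is its earliest event and whose duration is latest minus earliest, and the transactions are then bucketed into time spans and averaged. The event tuples and the one-hour span are assumptions for the demonstration; the real command also honours options such as maxspan, maxpause, startswith and endswith, which this model leaves out.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, JSESSIONID). Not real log data.
SAMPLE_EVENTS = [
    ("2024-01-01T10:00:00", "S1"),
    ("2024-01-01T10:00:30", "S1"),
    ("2024-01-01T10:01:10", "S1"),  # S1 spans 70 seconds
    ("2024-01-01T10:02:00", "S2"),
    ("2024-01-01T10:02:20", "S2"),  # S2 spans 20 seconds
    ("2024-01-01T11:05:00", "S3"),  # lone event -> duration 0
]

EPOCH = datetime(1970, 1, 1)


def transaction(events):
    """Model of `| transaction JSESSIONID`.

    Groups events that share a JSESSIONID value. Each transaction gets
    _time = earliest event time and duration = latest - earliest (seconds),
    mirroring the fields the transaction command adds.
    """
    groups = defaultdict(list)
    for ts, session in events:
        groups[session].append(datetime.fromisoformat(ts))
    transactions = []
    for session, stamps in groups.items():
        earliest, latest = min(stamps), max(stamps)
        transactions.append({
            "JSESSIONID": session,
            "_time": earliest,
            "duration": (latest - earliest).total_seconds(),
        })
    return transactions


def bucket_start(ts, span):
    """Floor a timestamp to the start of its span-wide bucket."""
    return EPOCH + ((ts - EPOCH) // span) * span


def timechart_avg_duration(transactions, span=timedelta(hours=1)):
    """Model of `| timechart avg(duration)` with a fixed span.

    Returns {bucket_start_iso: average duration} in time order.
    """
    buckets = defaultdict(list)
    for t in transactions:
        buckets[bucket_start(t["_time"], span)].append(t["duration"])
    return {
        start.isoformat(): sum(vals) / len(vals)
        for start, vals in sorted(buckets.items())
    }


if __name__ == "__main__":
    for row in transaction(SAMPLE_EVENTS):
        print(row)
    print(timechart_avg_duration(transaction(SAMPLE_EVENTS)))
```

Running it shows why "pause" and "stats" play no part: the grouping happens entirely inside transaction, and timechart only averages the duration field that transaction produced, so the chart for the 10:00 bucket is the mean of the S1 and S2 durations and the 11:00 bucket holds the single zero-length S3 transaction.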
- (Exam Topic 2)
Highlighted search terms indicate ________ search results in Splunk.
Correct Answer:
D
Highlighted search terms indicate matching search results in Splunk, which means that they show which parts of your events match your search string. For example, if you search for error OR fail, Splunk will highlight error or fail in your events to show which events match your search string. Therefore, option D is correct, while options A, B and C are incorrect because they are not indicated by highlighted search terms.
- (Exam Topic 2)
How are event types different from saved reports?
Correct Answer:
D
The correct answer is D. Event types do not include a time range.
The explanation is as follows: Event types are a categorization system that helps you make sense of your data by matching events with the same search string. Event types are applied to events at search time and can be used as search terms or filters.
Saved reports are results saved from a search action that can show statistics and visualizations of events. Saved reports can be run anytime, and they fetch fresh results each time they are run. Saved reports can be shared with other users and added to dashboards. The main difference between event types and saved reports is that event types do not include a time range, while saved reports do. This means that event types can match events from any time period, while saved reports are limited by the time range specified when they are created or run.