SPLK-1002 Free Practice Test

- (Exam Topic 2)
Data models are composed of one or more of which of the following datasets? (select all that apply)

1. A. Transaction datasets
2. B. Events datasets
3. C. Search datasets
4. D. Any child of event, transaction, and search datasets

Correct Answer: ABC
Data model datasets have a hierarchical relationship with each other, meaning they have parent-child relationships. Data models can contain multiple dataset hierarchies. There are three types of dataset hierarchies: event, search, and transaction.
https://docs.splunk.com/Splexicon:Datamodeldataset

- (Exam Topic 2)
What information must be included when using the datamodel command?

1. A. status field
2. B. Multiple indexes
3. C. Data model field name.
4. D. Data model dataset name.

Correct Answer: D

- (Exam Topic 1)
Which of the following Statements about macros is true? (select all that apply)

1. A. Arguments are defined at execution time.
2. B. Arguments are defined when the macro is created.
3. C. Argument values are used to resolve the search string at execution time.
4. D. Argument values are used to resolve the search string when the macro is created.

Correct Answer: BC
A macro is a way to save a commonly used search string as a variable that you can reuse in other searches1. When you create a macro, you can define arguments that are placeholders for values that you specify at execution time1. The argument values are used to resolve the search string when the macro is
invoked, not when it is created1. Therefore, statements B and C are true, while statements A and D are false.

- (Exam Topic 2)
Where are the results of eval commands stored?

1. A. In a field.
2. B. In an index.
3. C. In a KV Store.
4. D. In a database.

Correct Answer: A
https://docs.splunk.com/Documentation/Splunk/8.0.2/SearchReference/Eval
The eval command calculates an expression and puts the resulting value into a search results field.
If the field name that you specify does not match a field in the output, a new field is added to the search results.
If the field name that you specify matches a field name that already exists in the search results, the results of the eval expression overwrite the values in that field.

- (Exam Topic 2)
Which of the following about reports is/are true?

1. A. Reports are knowledge objects.
2. B. Reports can be scheduled.
3. C. Reports can run a script.
4. D. All of the above.

Correct Answer: D
A report is a way to save a search and its results in a format that you can reuse and share with others2. A report is also a type of knowledge object, which is an entity that you create to add knowledge to your data and make it easier to search and analyze2. Therefore, option A is correct. A report can be scheduled, which means that you can configure it to run at regular intervals and send the results to yourself or others via email or other methods2. Therefore, option B is correct. A report can run a script, which means that you can specify a script file to execute when the report runs and use it to perform custom actions or integrations2. Therefore, option C is correct. Therefore, option D is correct because all of the above statements are true for reports.