SPLK-1002 Free Practice Test

- (Exam Topic 2)
A data model can consist of what three types of datasets?

1. A. Pivot, searches, and events.
2. B. Pivot, events, and transactions.
3. C. Searches, transactions, and pivot.
4. D. Events, searches, and transactions.

Correct Answer: D

- (Exam Topic 1)
Which are valid ways to create an event type? (select all that apply)

1. A. By using the searchtypes command in the search bar.
2. B. By editing the event_type stanza in the props.conf file.
3. C. By going to the Settings menu and clicking Event Types > New.
4. D. By selecting an event in search results and clicking Event Actions > Build Event Type.

Correct Answer: CD
Event types are custom categories of events that are based on search criteria. Event types can be used to label events with meaningful names, such as error, success, login, logout, etc. Event types can also be used to create transactions, alerts, reports, dashboards, etc. Event types can be created in two ways:
By going to the Settings menu and clicking Event Types > New. This will open a form where you can enter the name, description, search string, app context, and tags for the event type.
By selecting an event in search results and clicking Event Actions > Build Event Type. This will open a dialog box where you can enter the name and description for the event type. The search string will be automatically populated based on the selected event.
Event types cannot be created by using the searchtypes command in the search bar, as this command does not exist in Splunk. Event types can also be created by editing the event_type stanza in the transforms.conf file, not the props.conf file.

- (Exam Topic 2)
What is the correct format for naming a macro with multiple arguments?

1. A. monthly_sales(argument 1, argument 2, argument 3)
2. B. monthly_sales(3)
3. C. monthly_sales[3]
4. D. monthly_sales[argument 1, argument 2, argument 3)

Correct Answer: C
The correct format for naming a macro with multiple arguments is monthly_sales3. The square brackets indicate that the macro has arguments, and the number indicates how many arguments it has. The arguments are separated by commas when calling the macro, such as monthly_sales[region,salesperson,date].

- (Exam Topic 2)
Which of the following options will define the first event in a transaction?

1. A. startswith
2. B. with
3. C. startingwith
4. D. firstevent

Correct Answer: A
The correct answer is A. startswith. The Explanation: is as follows:
The transaction command is used to find transactions based on events that meet various constraints12.
Transactions are made up of the raw text (the _raw field) of each member, the time and date fields of the earliest member, as well as the union of all other fields of each member1.
The startswith option is used to define the first event in a transaction by specifying a search term or an expression that matches the event13.
For example, | transaction clientip JSESSIONID startswith="view" will create transactions based on the clientip and JSESSIONID fields, and the first event in each transaction will contain the term “view” in the _raw field2.

- (Exam Topic 2)
Which search would limit an "alert" tag to the "host" field?

1. A. tag=alert
2. B. host::tag::alert
3. C. tag==alert
4. D. tag::host=alert

Correct Answer: D
The search below would limit an “alert” tag to the “host” field. tag::host=alert
The search does the following:
It uses tag syntax to filter events by tags. Tags are custom labels that can be applied to fields or field values to provide additional context or meaning for your data.
It specifies tag::host=alert as the tag filter. This means that it will only return events that have an “alert” tag applied to their host field or host field value.
It uses an equal sign (=) to indicate an exact match between the tag and the field or field value.