SPLK-1002 Free Practice Test

- (Exam Topic 2)
When is a GET workflow action needed?

1. A. To send field values to an external resource.
2. B. To retrieve information from an external resource.
3. C. To use field values to perform a secondary search.
4. D. To define how events flow from forwarders to indexes.

Correct Answer: B

- (Exam Topic 1)
Which of the following statements describes the command below (select all that apply) Sourcetype=access_combined | transaction JSESSIONID

1. A. An additional filed named maxspan is created.
2. B. An additional field named duration is created.
3. C. An additional field named eventcount is created.
4. D. Events with the same JSESSIONID will be grouped together into a single event.

Correct Answer: BCD
The command sourcetype=access_combined | transaction JSESSIONID does three things:
It filters the events by the sourcetype access_combined, which is a predefined sourcetype for Apache web server logs.
It groups the events by the field JSESSIONID, which is a unique identifier for each user session.
It creates a single event from each group of events that share the same JSESSIONID value. This single event will have some additional fields created by the transaction command, such
as duration, eventcount, and startime.
Therefore, the statements B, C, and D are true.

- (Exam Topic 2)
Which of the following searches show a valid use of a macro? (Choose all that apply.)

1. A. index=main source=mySource oldField=* |’makeMyField(oldField)’| table _time newField
2. B. index=main source=mySource oldField=* | stats if(‘makeMyField(oldField)’) | table _time newField
3. C. index=main source=mySource oldField=* | eval newField=’makeMyField(oldField)’| table _time newField
4. D. index=main source=mySource oldField=* | "’newField(‘makeMyField(oldField)’)’" | table _time newField

Correct Answer: AC
The searches A and C show a valid use of a macro. A macro is a reusable piece of SPL code that can be called by using single quotes (‘’). A macro can take arguments, which are passed inside parentheses after the macro name. For example, ‘makeMyField(oldField)’ calls a macro named makeMyField with an argument oldField. The searches B and D are not valid because they use double quotes (“”) instead of single quotes (‘’).

- (Exam Topic 2)
Which of the following statements describes the use of the Field Extractor (FX)?

1. A. The Field Extractor automatically extracts all fields at search time.
2. B. The Field Extractor uses PERL to extract fields from the raw events.
3. C. Fields extracted using the Field Extractor persist as knowledge objects.
4. D. Fields extracted using the Field Extractor do not persist and must be defined for each search.

Correct Answer: C
The statement that fields extracted using the Field Extractor persist as knowledge objects is true. The Field Extractor (FX) is a graphical tool that allows you to extract fields from raw events using regular expressions or delimiters. The fields extracted by the FX are saved as knowledge objects that can be used in future searches or shared with other users.

- (Exam Topic 1)
Which of the following workflow actions can be executed from search results? (select all that apply)

1. A. GET
2. B. POST
3. C. LOOKUP
4. D. Search

Correct Answer: ABD
As mentioned before, there are two types of workflow actions: GET and POST1. Both types of workflow actions can be executed from search results by clicking on an event field value that has a workflow action configured for it1. Another type of workflow action is Search, which runs another search based on the field value1. Therefore, options A, B and D are correct, while option C is incorrect because LOOKUP is not a type of workflow action.