Pass the Splunk Core Certified User SPLK-1001 Questions and answers with ExamsMirror

Practice at least 50% of the questions to maximize your chances of passing.

Exam SPLK-1001 Premium Access

View all detail and faqs for the SPLK-1001 exam

Go to Exam

704 Students Passed

92% Average Score

96% Same Questions

Viewing page 2 out of 8 pages

Viewing questions 11-20 out of questions

Questions # 11:

When using the top command in the following search, which of the following will be true about the results?

index="main" sourcetype="access_*" action="purchase" | top 3 statusCode by user showperc=f countfield=status_code_count

Options:

The search will fail. The proper top command format is top limit=3 instead of top 3.

The top three most common values in statusCode will be displayed for each user.

Only the top three overall most common values in statusCode will be displayed.

The percentage field will be displayed in the results.

Answer

Explanation

The top command returns the most common values of a field and their count. By using the by clause, you can group the results by another field. In this case, the top command will return the top three most common values in statusCode for each user. The showperc=f option will suppress the percentage column in the output. The countfield option will rename the count column to status_code_count2.

Questions # 12:

Universal forwarder is recommended for forwarding the logs to indexers.

Options:

False

True

Answer

Questions # 13:

What is the result of the following search?

index=myindex source=c: \mydata. txt NOT error=*

Options:

Only data where the error field is present and does not contain a value will be displayed.

Only data with a value in the field error will be displayed.

Only data that does not contain the error field will be displayed.

Only data where the value of the field error does not equal an asterisk (*) will be displayed.

Answer

Explanation

The search query index=myindex source=c: \mydata. txt NOT error=* specifies three criteria for the events to be returned:

The index must be myindex, which is a user-defined index that contains the data from a specific source or sources.

The source must be c: \mydata. txt, which is the name of the file or directory where the data came from.

The error field must not exist in the events, which is indicated by the NOT operator and the wildcard character (*).

The NOT operator negates the following expression, which means that it returns the events that do not match the expression. The wildcard character () matches any value, including an empty value or a null value. Therefore, the expression NOT error= means that the events must not have an error field at all, regardless of its value.

The search query does not use quotation marks around the source value, which means that it is case-sensitive and exact. If there are any variations in the source name, such as capitalization or spacing, they will not match the query.

References

Search command syntax details

Search command examples

Basic searches and search results

Questions # 14:

You can view the search result in following format (Choose three.):