Splunk - Actualtests.splk 1001.v2019!09!10.by - Owen.43q

The document provides information about the Splunk Core Certified User exam SPLK-1001, including the passing score of 800, time limit of 120 minutes, and link to the exam website. It also includes 21 sample exam questions related to Splunk searches, dashboards, reports, alerts, and commands like stats. The questions cover topics like boolean operators, time range pickers, visualizations, and the purpose of lookups, alerts, and the stats by clause.

SPLK-1001.

43q

Number: SPLK-1001
Passing Score: 800
Time Limit: 120 min

SPLK-1001

https://www.gratisexam.com/

Splunk Core Certified User

Exam A

QUESTION 1
Which of the following searches would return events with failure in index netfw or warn or critical in index netops?

A. (index=netfw failure) AND index=netops warn OR critical
B. (index=netfw failure) OR (index=netops (warn OR critical))
C. (index=netfw failure) AND (index=netops (warn OR critical))
D. (index=netfw failure) OR index=netops OR (warn OR critical)

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Reference: https://docs.splunk.com/Documentation/Splunk/7.2.6/Search/Aboutsubsearches

QUESTION 2
Select the answer that displays the accurate placing of the pipe in the following search string:
index=security sourcetype=access_* status=200 stats count by price

A. index=security sourcetype=access_* status=200 stats | count by price
B. index=security sourcetype=access_* status=200 | stats count by price
C. index=security sourcetype=access_* status=200 | stats count | by price
D. index=security sourcetype=access_* | status=200 | stats count by price

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

Reference: https://docs.splunk.com/Documentation/Splunk/7.2.6/Search/Aboutsubsearches

QUESTION 3
When editing a dashboard, which of the following are possible options? (select all that apply)

A. Add an output.
B. Export a dashboard panel.
C. Modify the chart type displayed in a dashboard panel.
D. Drag a dashboard panel to a different location on the dashboard.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 4
When looking at a dashboard panel that is based on a report, which of the following is true?

A. You can modify the search string in the panel, and you can change and configure the visualization.
B. You can modify the search string in the panel, but you cannot change and configure the visualization.
C. You cannot modify the search string in the panel, but you can change and configure the visualization.
D. You cannot modify the search string in the panel, and you cannot change and configure the visualization.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Reference: https://docs.splunk.com/Documentation/Splunk/7.2.6/Viz/WorkingWithDashboardPanels

QUESTION 5
Which of the following are common constraints of the top command?

A. limit, count
B. limit, showpercent
C. limits, countfield

D. showperc, countfield

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 6
When displaying results of a search, which of the following is true about line charts?

A. Line charts are optimal for single and multiple series.
B. Line charts are optimal for single series when using Fast mode.
C. Line charts are optimal for multiple series with 3 or more columns.
D. Line charts are optimal for multiseries searches with at least 2 or more columns.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Reference: https://docs.splunk.com/Documentation/Splunk/7.2.6/Viz/LineAreaCharts

QUESTION 7
How are events displayed after a search is executed?

A. In chronological order.
B. Randomly by default.
C. In reverse chronological order.
D. Alphabetically according to field name.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 8
Which of the following is true about user account settings and preferences?

A. Search & Reporting is the only app that can be set as the default application.
B. Full names can only be changed by accounts with a Power User or Admin role.
C. Time zones are automatically updated based on the setting of the computer accessing Splunk.
D. Full name, time zone, and default app can be defined by clicking the login name in the Splunk bar.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 9
What is a primary function of a scheduled report?

A. Auto-detect changes in performance.
B. Auto-generated PDF reports of overall data trends.
C. Regularly scheduled archiving to keep disk space use low.
D. Triggering an alert in your Splunk instance when certain conditions are met.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Reference: https://docs.splunk.com/Documentation/Splunk/7.2.6/Report/Schedulereports

QUESTION 10
After running a search, what effect does clicking and dragging across the timeline have?

A. Executes a new search.
B. Filters current search results.
C. Moves to past or future events.
D. Expands the time range of the search.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Reference: https://docs.splunk.com/Documentation/Splunk/7.2.6/Search/Usethetimeline

QUESTION 11
Which command is used to review the contents of a specified static lookup file?

A. lookup
B. csvlookup
C. inputlookup
D. outputlookup

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 12
What must be done in order to use a lookup table in Splunk?

A. The lookup must be configured to run automatically.
B. The contents of the lookup file must be copied and pasted into the search bar.
C. The lookup file must be uploaded to Splunk and a lookup definition must be created.
D. The lookup file must be uploaded to the etc/apps/lookups folder for automatic ingestion.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 13
When sorting on multiple fields with the sort command, what delimiter can be used between the field names in the search?

A. |
B. $
C. !
D. ,

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Reference: https://docs.splunk.com/Documentation/Splunk/7.2.6/SearchReference/Sort

QUESTION 14
Which time range picker configuration would return real-time events for the past 30 seconds?

A. Preset - Relative: 30-seconds ago
B. Relative - Earliest: 30-seconds ago, Latest: Now
C. Real-time - Earliest: 30-seconds ago, Latest: Now
D. Advanced - Earliest: 30-seconds ago, Latest: Now

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Reference: https://docs.splunk.com/Documentation/Splunk/7.2.6/Search/Selecttimerangestoapply

QUESTION 15
What is the correct syntax to count the number of events containing a vendor_action field?

A. count stats vendor_action
B. count stats (vendor_action)
C. stats count (vendor_action)
D. stats vendor_action (count)

Correct Answer: C
Section: (none)

Explanation

Explanation/Reference:

QUESTION 16
Which Boolean operator is always implied between two search terms, unless otherwise specified?

A. OR
B. NOT
C. AND
D. XOR

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Reference: https://docs.splunk.com/Documentation/Splunk/7.2.6/Search/Booleanexpressions

QUESTION 17
What does the values function of the stats command do?

A. Lists all values of a given field.
B. Lists unique values of a given field.
C. Returns a count of unique values for a given field.
D. Returns the number of events that match the search.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 18
Which stats command function provides a count of how many unique values exist for a given field in the result set?

A. dc(field)
B. count(field)
C. count-by(field)
D. distinct-count(field)

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Reference: https://docs.splunk.com/Documentation/Splunk/7.2.6/Search/Usethestatscommandandfunctions

QUESTION 19
A collection of items containing things such as data inputs, UI elements, and knowledge objects is known as what?

A. An app
B. JSON
C. A role
D. An enhanced solution

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 20
Which statement is true about Splunk alerts?

A. Alerts are based on searches that are either run on a scheduled interval or in real-time.
B. Alerts are based on searches and when triggered will only send an email notification.
C. Alerts are based on searches and require cron to run on scheduled interval.
D. Alerts are based on searches that are run exclusively as real-time.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 21
What is the purpose of using a by clause with the stats command?

A. To group the results by one or more fields.
B. To compute numerical statistics on each field.
C. To specify how the values in a list are delimited.
D. To partition the input data based on the split-by fields.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Reference: https://docs.splunk.com/Documentation/Splunk/7.2.6/SearchReference/Stats#1._Compare_the_difference_between_using_the_stats_and_chart_commands

QUESTION 22
How do you add or remove fields from search results?

A. Use field + to add and field - to remove.
B. Use table + to add and table - to remove.
C. Use fields + to add and fields - to remove.
D. Use fields Plus to add and fields Minus to remove.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Reference: https://docs.splunk.com/Documentation/Splunk/7.2.6/SearchReference/Fields

QUESTION 23
A field exists in search results, but isn’t being displayed in the fields sidebar. How can it be added to the fields sidebar?

A. Click All Fields and select the field to add it to Selected Fields.
B. Click Interesting Fields and select the field to add it to Selected Fields.
C. Click Selected Fields and select the field to add it to Interesting Fields.
D. This scenario isn’t possible because all fields returned from a search always appear in the fields sidebar.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 24
In the fields sidebar, which character denotes alphanumeric field values?

A. #
B. %
C. a
D. a#

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 25
What is the main requirement for creating visualizations using the Splunk UI?

A. Your search must transform event data into Excel file format first.
B. Your search must transform event data into XML formatted data first.
C. Your search must transform event data into statistical data tables first.
D. Your search must transform event data into JSON formatted data first.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 26
Which of the following file types is an option for exporting Splunk search results?

A. PDF
B. JSON
C. XLS
D. RTF

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Reference: https://docs.splunk.com/Documentation/Splunk/7.2.6/Search/ExportdatausingSplunkWeb

QUESTION 27
What syntax is used to link key/value pairs in search strings?

A. Parentheses
B. @ or # symbols
C. Quotation marks
D. Relational operators such as =, <, or >

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 28
Which search string returns a field containing the number of matching events and names that field Event Count?

A. index=security failure | stats sum as “Event Count”
B. index=security failure | stats count as “Event Count”
C. index=security failure | stats count by “Event Count”
D. index=security failure | stats dc(count) as “Event Count”

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 29
Which search would return events from the access_combined sourcetype?

A. Sourcetype=access_combined
B. Sourcetype=Access_Combined
C. sourcetype=Access_Combined
D. SOURCETYPE=access_combined

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 30
Which of the following index searches would provide the most efficient search performance?

A. index=*
B. index=web OR index=s*
C. (index=web OR index=sales)
D. *index=sales AND index=web*

Correct Answer: A
Section: (none)

Explanation

Explanation/Reference:

QUESTION 31
What is a suggested Splunk best practice for naming reports?

A. Reports are best named using many numbers so they can be more easily sorted.
B. Use a consistent naming convention so they are easily separated by characteristics such as group and object.
C. Name reports as uniquely as possible with no overlap to differentiate them from one another.
D. Any naming convention is fine as long as you keep an external spreadsheet to keep track.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 32
In a deployment with multiple indexes, what will happen when a search is run and an index is not specified in the search string?

A. No events will be returned.
B. Splunk will prompt you to specify an index.
C. All non-indexed events to which the user has access will be returned.
D. Events from every index searched by default to which the user has access will be returned.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 33
Which of the following is a best practice when writing a search string?

A. Include all formatting commands before any search terms.
B. Include at least one function as this is a search requirement.
C. Include the search terms at the beginning of the search string.
D. Avoid using formatting clauses, as they add too much overhead.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 34
What type of search can be saved as a report?

A. Any search can be saved as a report.
B. Only searches that generate visualizations.
C. Only searches containing a transforming command.
D. Only searches that generate statistics or visualizations.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Reference: https://docs.splunk.com/Documentation/Splunk/7.3.1/SearchTutorial/Aboutsavingandsharingreports#Save_a_search_as_a_report

QUESTION 35
What can be included in the All Fields option in the sidebar?

A. Dashboards
B. Metadata only
C. Non-interesting fields
D. Field descriptions

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

Reference: https://docs.splunk.com/Documentation/Splunk/7.3.1/Knowledge/ExtractfieldsinteractivelywithIFX#Access_the_field_extractor_from_the_All_Fields_dialog_box

QUESTION 36
When viewing the results of a search, what is an Interesting Field?

A. A field that appears in any event.
B. A field that appears in every event.
C. A field that appears in the top 10 events.
D. A field that appears in at least 20% of the events.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Reference: https://docs.splunk.com/Documentation/Splunk/7.3.1/SearchTutorial/Usefieldstosearch

QUESTION 37
Which search matches the events containing the terms “error” and “fail”?

A. index=security Error Fail
B. index=security error OR fail
C. index=security “error failure”
D. index=security NOT error NOT fail

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Reference: https://docs.splunk.com/Documentation/Splunk/7.3.1/SearchReference/Search

QUESTION 38
Which of the following is an option after clicking an item in search results?

A. Saving the item to a report.
B. Adding the item to the search.
C. Adding the item to a dashboard.
D. Saving the Search to a JSON file.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Reference: https://docs.splunk.com/Documentation/Splunk/7.3.1/Search/Performsearchactions

QUESTION 39
Which is the primary function of the timeline located under the search bar?

A. To differentiate between structured and unstructured events in the data.
B. To sort the events returned by the search command in chronological order.
C. To zoom in and zoom out, although this does not change the scale of the chart.
D. To show peaks and/or valleys in the timeline, which can indicate spikes in activity or downtime.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Reference: https://docs.splunk.com/Documentation/Splunk/7.3.1/SearchTutorial/Startsearching

QUESTION 40
What can be configured using the Edit Job Settings menu?

A. Export the result to CSV format.
B. Add the Job results to a dashboard.
C. Schedule the Job to re-run in 10 minutes.
D. Change Job Lifetime from 10 minutes to 7 days.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 41
Which command is used to validate a lookup file?

A. | lookup products.csv
B. inputlookup products.csv
C. | inputlookup products.csv
D. | lookup_definition products.csv

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Reference: https://docs.splunk.com/Documentation/Splunk/7.3.1/SearchReference/Inputlookup

QUESTION 42
How can another user gain access to a saved report?

A. The owner of the report can edit permissions from the Edit dropdown.
B. Only users with an Admin or Power User role can access other users’ reports.
C. Anyone can access any reports marked as public within a shared Splunk deployment.
D. The owner of the report must clone the original report and save it to their user account.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Reference: https://docs.splunk.com/Documentation/Splunk/7.3.1/Report/Managereportpermissions

QUESTION 43
What is the primary use for the rare command?

A. To sort field values in descending order.
B. To return only fields containing five or fewer values.
C. To find the least common values of a field in a dataset.
D. To find the fields with the fewest number of values across a dataset.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Reference: https://docs.splunk.com/Documentation/Splunk/7.3.1/SearchReference/Rare
