Splunk SPLK-1001 Splunk Core Certified User Exam Exam Practice Test

Page: 1 / 24
Total 244 questions

Splunk Core Certified User Exam Questions and Answers

Question 1

Select the answer that shows the correct placement of the pipe in the following search string:

index=security sourcetype=access_* status=200 stats count by price

Options:

A.

index=security sourcetype=access_* status=200 stats | count by price

B.

index=security sourcetype=access_* status=200 | stats count by price

C.

index=security sourcetype=access_* status=200 | stats count | by price

D.

index=security sourcetype=access_* | status=200 | stats count by price

Question 2

Splunk apps are used for the following (Choose three.):

Options:

A.

Designed to cater to numerous use cases and empower Splunk.

B.

We cannot install Splunk Apps.

C.

Allows multiple workspaces for different use cases/user roles.

D.

It is a collection of different Splunk config files such as data inputs, UI and Knowledge Objects.

Question 3

What is a primary function of a scheduled report?

Options:

A.

Auto-detect changes in performance

B.

Auto-generated PDF reports of overall data trends

C.

Regularly scheduled archiving to keep disk space use low

D.

Triggering an alert in your Splunk instance when certain conditions are met

Question 4

What user interface component allows for time selection?

Options:

A.

Time summary

B.

Time range picker

C.

Search time picker

D.

Data source time statistics

Question 5

Machine data can be in structured and unstructured format.

Options:

A.

False

B.

True

Question 6

The four types of Lookups that Splunk provides out-of-the-box are External, KV Store, Geospatial and which of the following?

Options:

A.

Correlated

B.

File-based

C.

Total

D.

Segmented

Question 7

By default, how long does Splunk retain a search job?

Options:

A.

10 Minutes

B.

15 Minutes

C.

1 Day

D.

7 Days

Question 8

In the Monitor option, you can select the following options in the GUI.

Options:

A.

Only HTTP Event Collector (HEC) and TCP/UDP

B.

None of the above

C.

Only TCP/UDP

D.

Only Scripts

E.

Files & Directories, HTTP Event Collector (HEC), TCP/UDP and Scripts

Question 9

Data sources being opened and read applies to:

Options:

A.

None of the above

B.

Indexing Phase

C.

Parsing Phase

D.

Input Phase

E.

License Metering

Question 10

Field names are case sensitive and field values are not.

Options:

A.

True

B.

False

Question 11

Uploading local files through the Upload option indexes the file only once.

Options:

A.

No

B.

Yes

Question 12

What are the three main Splunk components?

Options:

A.

Search head, GPU, streamer

B.

Search head, indexer, forwarder

C.

Search head, SQL database, forwarder

D.

Search head, SSD, heavy weight agent

Question 13

Which of the following searches would return only events that match the following criteria?

• Events are inside the main index

• The field status exists in the event

• The value in the status field does not equal 200

Options:

A.

index==main status!==200

B.

index=main NOT status=200

C.

index==main NOT status==200

D.

index-main status!=200

Question 14

Which of the following is a best practice when writing a search string?

Options:

A.

Include all formatting commands before any search terms

B.

Include at least one function as this is a search requirement

C.

Include the search terms at the beginning of the search string

D.

Avoid using formatting clauses as they add too much overhead

Question 15

What result will you get with the following search: index=test sourcetype="The_Questionnaire_P*" ?

Options:

A.

the_questionnaire _pedia

B.

the_questionnaire pedia

C.

the_questionnaire_pedia

D.

the_questionnaire Pedia

Question 16

The stats command will create a _____________ by default.

Options:

A.

Table

B.

Report

C.

Pie chart

Question 17

When viewing the results of a search, what is an Interesting Field?

Options:

A.

A field that appears in any event

B.

A field that appears in every event

C.

A field that appears in the top 10 events

D.

A field that appears in at least 20% of the events

Question 18

Where does license metering happen?

Options:

A.

Indexer

B.

Parsing

C.

Heavy Forwarder

D.

Input

Question 19

To put the query onto separate lines where pipes (|) are used, select one of the following options.

Options:

A.

CTRL + Enter

B.

Shift + Enter

C.

Space + Enter

D.

ALT + Enter

Question 20

What is one benefit of creating dashboard panels from reports?

Options:

A.

Any newly created dashboard will include that report.

B.

There are no benefits to creating dashboard panels from reports.

C.

It makes the dashboard more efficient because it only has to run one search string.

D.

Any change to the underlying report will affect every dashboard that utilizes that report.

Question 21

How does Splunk determine which fields to extract from data?

Options:

A.

Splunk only extracts the most interesting data from the last 24 hours.

B.

Splunk only extracts fields users have manually specified in their data.

C.

Splunk automatically extracts any fields that generate interesting visualizations.

D.

Splunk automatically discovers many fields based on sourcetype and key/value pairs found in the data.

Question 22

The opening parenthesis is automatically highlighted to guide you on the presence of the complementing (closing) parenthesis.

Options:

A.

No

B.

Yes

Question 23

Which of the following searches would return events with failure in index netfw or warn or critical in index netops?

Options:

A.

(index=netfw failure) AND index=netops warn OR critical

B.

(index=netfw failure) OR (index=netops (warn OR critical))

C.

(index=netfw failure) AND (index=netops (warn OR critical))

D.

(index=netfw failure) OR index=netops OR (warn OR critical)

Question 24

These users can create global knowledge objects. (Select all that apply.)

Options:

A.

users

B.

power users

C.

administrators

Question 25

Which Boolean operator is implied between search terms, unless otherwise specified?

Options:

A.

OR

B.

AND

C.

NOT

D.

NAND

Question 26

Which of the following are common constraints of the top command?

Options:

A.

limit, count

B.

limit, showpercent

C.

limits, countfield

D.

showperc, countfield

Question 27

It is not possible for a single instance of Splunk to manage the input, parsing and indexing of machine data.

Options:

A.

True

B.

False

Question 28

We should use a heavy forwarder for sending event-based data to indexers.

Options:

A.

False

B.

True

Question 29

What happens when a field is added to the Selected Fields list in the fields sidebar?

Options:

A.

Splunk will re-run the search job in Verbose Mode to prioritize the new Selected Field

B.

Splunk will highlight related fields as a suggestion to add them to the Selected Fields list.

C.

Custom selections will replace the Interesting Fields that Splunk populated into the list at search time

D.

The selected field and its corresponding values will appear underneath the events in the search results

Question 30

What does the stats command do?

Options:

A.

Automatically correlates related fields

B.

Converts field values into numerical values

C.

Calculates statistics on data that matches the search criteria

D.

Analyzes numerical fields for their ability to predict another discrete field

Question 31

Which of the following Splunk components typically resides on the machines where data originates?

Options:

A.

Indexer

B.

Forwarder

C.

Search head

D.

Deployment server

Question 32

Which is a primary function of the timeline located under the search bar?

Options:

A.

To differentiate between structured and unstructured events in the data

B.

To sort the events returned by the search command in chronological order

C.

To zoom in and zoom out, although this does not change the scale of the chart

D.

To show peaks and/or valleys in the timeline, which can indicate spikes in activity or downtime

Question 33

In automatic lookup definitions, the _____ fields are those that are not in the event data.

Options:

A.

input

B.

output

Question 34

When writing searches in Splunk, which of the following is true about Booleans?

Options:

A.

They must be lowercase.

B.

They must be uppercase.

C.

They must be in quotations.

D.

They must be in parentheses.

Question 35

Splunk internal fields contain general information about events and start with an underscore (_).

Options:

A.

True

B.

False

Question 36

Select the correct options that apply to index-time processing (Choose three.).

Options:

A.

Indexing

B.

Searching

C.

Parsing

D.

Settings

E.

Input

Question 37

When is an alert triggered?

Options:

A.

When Splunk encounters a syntax error in a search

B.

When a trigger action meets the predefined conditions

C.

When an event in a search matches up with a data model

D.

When results of a search meet a specifically defined condition

Question 38

Which command is used to validate a lookup file?

Options:

A.

| lookup products.csv

B.

inputlookup products.csv

C.

| inputlookup products.csv

D.

| lookup definition products.csv

Question 39

By default, which of the following is a Selected Field?

Options:

A.

action

B.

clientip

C.

categoryId

D.

sourcetype

Question 40

Which component of Splunk is primarily responsible for saving data?

Options:

A.

Search Head

B.

Heavy Forwarder

C.

Indexer

D.

Universal Forwarder

Question 41

Which of the following searches will show the number of categoryId used by each host?

Options:

A.

Sourcetype=access_* |sum bytes by host

B.

Sourcetype=access_* |stats sum(categoryId) by host

C.

Sourcetype=access_* |sum(bytes) by host

D.

Sourcetype=access_* |stats sum by host

Question 42

Documentation for Splunk can be found at docs.splunk.com.

Options:

A.

True

B.

False

Question 43

Prefix wildcards might cause performance issues.

Options:

A.

False

B.

True

Question 44

Which of the statements are correct? (Choose three.)

Options:

A.

Zoom to selection: Narrows the time range and re-executes the search.

B.

Zoom to selection: Narrows the time range and doesn't re-execute the search.

C.

Format Timeline: Hides or shows the timeline in different views.

D.

Zoom-Out: Expands the time focus and doesn't re-execute the search.

E.

Zoom-out: Expands the time focus and re-executes the search.

Question 45

Which is the default app for Splunk Enterprise?

Options:

A.

Splunk Enterprise Security Suite

B.

Searching and Reporting

C.

Reporting and Searching

D.

Splunk apps for Security

Question 46

How are events displayed after a search is executed?

Options:

A.

In chronological order.

B.

Randomly by default.

C.

In reverse chronological order.

D.

Alphabetically according to field name.

Question 47

This clause is used to group the output of a stats command by a specific name.

Options:

A.

Rex

B.

As

C.

List

D.

By

Question 48

Zoom Out and Zoom to Selection re-execute the search.

Options:

A.

No

B.

Yes

Question 49

!= and NOT are the same arguments.

Options:

A.

True

B.

False

Question 50

Which of the following is a metadata field assigned to every event in Splunk?

Options:

A.

host

B.

owner

C.

bytes

D.

action

Question 51

Which component of Splunk lets us write SPL queries to find the required data?

Options:

A.

Forwarders

B.

Indexer

C.

Heavy Forwarders

D.

Search head

Question 52

NOT status = 100:

Options:

A.

Will display results depending on the data.

B.

Will return events where the status field exists but its value is not 100.

C.

Will return events where the status field exists but its value is not 100, and all events where the status field doesn't exist.

Question 53

Which search string matches only events with the status_code of 404?

Options:

A.

status_code !=404

B.

status_code>=400

C.

status_code<=404

D.

status_code>403 status_code<405

Question 54

Which command will rename action to Customer Action?

Options:

A.

| rename action = CustomerAction

B.

| rename Action as “Customer Action”

C.

| rename Action to “Customer Action”

D.

| rename action as “Customer Action”

Question 55

Given the following SPL search, how many rows of results would you expect to be returned by default?

index=security sourcetype=linux_secure (fail* OR invalid) | top src_ip

Options:

A.

10

B.

50

C.

100

D.

20

Question 56

According to Splunk best practices, which placement of the wildcard results in the most efficient search?

Options:

A.

f*il

B.

*fail

C.

fail*

D.

*fail*

Question 57

How can another user gain access to a saved report?

Options:

A.

The owner of the report can edit permissions from the Edit dropdown

B.

Only users with an Admin or Power User role can access other users' reports

C.

Anyone can access any reports marked as public within a shared Splunk deployment

D.

The owner of the report must clone the original report and save it to their user account

Question 58

Which search string only returns events from host WWW3?

Options:

A.

host=WWW3

B.

host=WWW*

C.

Host=WWW3

Question 59

Lookups can be private for a user.

Options:

A.

True

B.

False

Question 60

Select the statements that are true for the timeline in Splunk (Choose four.):

Options:

A.

Timeline shows distribution of events specified in the time range in the form of bars.

B.

Single-click to see the results for a particular time period.

C.

You can click and drag across the bar for selecting the range.

D.

This is the default view and you can't make any changes to it.

E.

You can hover your mouse for details like total events, time and date.

Question 61

What is the proper SPL terminology for specifying a particular index in a search?

Options:

A.

indexer—index_name

B.

indexer name—index_name

C.

index=index_name

D.

index name=index_name

Question 62

How many main user roles do you have in Splunk?

Options:

A.

2

B.

4

C.

1

D.

3

Question 63

What is a suggested Splunk best practice for naming reports?

Options:

A.

Reports are best named using many numbers so they can be more easily sorted.

B.

Use a consistent naming convention so they are easily separated by characteristics such as group and object.

C.

Name reports as uniquely as possible with no overlap to differentiate them from one another.

D.

Any naming convention is fine as long as you keep an external spreadsheet to keep track.

Question 64

Which of the following file types is an option for exporting Splunk search results?

Options:

A.

PDF

B.

JSON

C.

XLS

D.

RTF

Question 65

Which statement is true about Splunk alerts?

Options:

A.

Alerts are based on searches that are either run on a scheduled interval or in real-time.

B.

Alerts are based on searches and when triggered will only send an email notification.

C.

Alerts are based on searches and require cron to run on scheduled interval.

D.

Alerts are based on searches that are run exclusively as real-time.

Question 66

Splunk Components:

Which of the following are responsible for reducing search results?

Options:

A.

search heads

B.

indexers

C.

forwarders

Question 67

At index time, in which field does Splunk store the timestamp value?

Options:

A.

time

B.

_time

C.

EventTime

D.

timestamp

Question 68

Can you stop or pause the searching?

Options:

A.

No

B.

Yes

Question 69

Which of the following are Splunk premium enhanced solutions? (Choose three.)

Options:

A.

Splunk User Behavior Analytics (UBA)

B.

Splunk IT Service Intelligence (ITSI)

C.

Splunk Enterprise Security (ES)

D.

Splunk Analytics Security (AS)

Question 70

Splunk Enterprise is used as a scalable service in Splunk Cloud.

Options:

A.

True

B.

False

Question 71

How do you add or remove fields from search results?

Options:

A.

Use field + to add and field - to remove.

B.

Use table + to add and table - to remove.

C.

Use fields + to add and fields - to remove.

D.

Use fields Plus to add and fields Minus to remove.

Question 72

You can view the search results in the following formats (Choose three.):

Options:

A.

Table

B.

Raw

C.

Pie Chart

D.

List

Question 73

Events in Splunk are automatically segregated using date and time.

Options:

A.

Yes

B.

No
