Which is the better way to write a search that covers two indexes?
A. index=a index=b
B. (index=a OR index=b)
C. index=(a and b)
D. index = a, b
Creating Data Models:
Fields associated with a data set are known as ______.
A. Attributes
B. Constraints
Splunk internal fields contain general information about events, and their names start with an underscore (_).
A. True
B. False
Splunk automatically determines the source type for major data types.
A. False
B. True
What is the default lifetime of every Splunk search job?
A. All search jobs are saved for 10 days
B. All search jobs are saved for 10 hours
C. All search jobs are saved for 10 weeks
D. All search jobs are saved for 10 minutes
Assuming a user has the capability to edit reports, which of the following are editable?
A. Acceleration, schedule, permissions
B. The report's name, schedule, permissions
C. The report's name, acceleration, schedule
D. The report's name, acceleration, permissions
Which of the following is an accurate definition of fields within Splunk?
A. Inherent entities that exist in event data.
B. A searchable key/value pair in event data.
C. Values pulled exclusively from lookup tables.
D. A non-searchable name/value pair used while indexing data.
Which of the following is the most efficient search?
A. index=* "failed password"
B. "failed password" index=*
C. (index=* OR index=security) "failed password"
D. index=security "failed password"
Which command will rename action to Customer Action?
A. | rename action = CustomerAction
B. | rename Action as "Customer Action"
C. | rename Action to "Customer Action"
D. | rename action as "Customer Action"
Which of the following is a correct way to limit search results to display the 5 most common values of a field?
A. | rare top=5
B. | top rare=5
C. | top limit=5
D. | rare limit=5
Selected fields are a set of configurable fields displayed for each event.
A. True
B. False
Opening and reading data sources takes place in which phase?
A. None of the above
B. Indexing Phase
C. Parsing Phase
D. Input Phase
E. License Metering
Which of the following is the best way to create a report that shows the last 24 hours of events?
A. Use earliest=-1d@d latest=@d
B. Set a real-time search over a 24-hour window
C. Use the time range picker to select "Yesterday"
D. Use the time range picker to select "Last 24 hours"
When an alert action is configured to run a script, Splunk must be able to locate the script. Which is one of the directories Splunk will look in to find the script?
A. $SPLUNK_HOME/bin/scripts
B. $SPLUNK_HOME/etc/scripts
C. $SPLUNK_HOME/bin/etc/scripts
D. $SPLUNK_HOME/etc/scripts/bin
Which search string matches only events with a status_code of 404?
A. status_code!=404
B. status_code>=400
C. status_code<=404
D. status_code>403 status_code<405
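As an added worked example (constructed for this page, not part of the original quiz), the following SPL search puts several of the points tested above into one runnable query: it restricts the search to a single index up front instead of index=*, uses an explicit last-24-hours window equivalent to the time range picker's "Last 24 hours", applies a numeric range that matches only status_code 404, keeps the 5 most common values with top limit=5, and renames a field to a multi-word name with rename ... as "...". The index name security, the sourcetype access_combined, and the field names status_code and uri_path are assumptions; substitute the ones in your environment.

```spl
index=security sourcetype=access_combined earliest=-24h latest=now
    status_code>403 status_code<405
| top limit=5 uri_path
| rename uri_path as "Requested Path", count as "Hits"
```

The first line is the part of the search that the indexers can use to prune work, so the index and sourcetype restrictions belong there rather than after the first pipe. The range status_code>403 status_code<405 is the form the last question asks about; for an integer-valued field it is equivalent to status_code=404, which is the plainer way to write it in practice. top adds count and percent columns, so the rename of count to "Hits" shows that multi-word target names must be quoted while single-word ones need not be.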