Splunk Questions

The document provides information about Splunk Core Certified User SPLK-1001 exam dumps that have been updated and are available to help users prepare for and pass the SPLK-1001 exam. A Splunk Core Certified User is able to perform various search, field, alert, and reporting tasks within the Splunk Enterprise or Cloud platforms. Free exam questions from the updated dumps are provided as a sample of the full version study material.

Uploaded by medp28

Splunk Core Certified User SPLK-1001 exam dumps have been updated, which are valuable for preparing for and passing the SPLK-1001 test. A Splunk Core Certified User is able to search, use fields, create alerts, use lookups, and create basic statistical reports and dashboards in either the Splunk Enterprise or Splunk Cloud platforms.

We provide free questions from the updated Splunk Core Certified User SPLK-1001 exam dumps, which are part of the full version. Study the updated Splunk certification SPLK-1001 exam dumps below.

The questions are listed below with the answer key's markings shown after each option:

1. You can use the following options to specify the start and end time for the query range:
earliest=
latest=
beginning=
ending=
All the above (wrong)
Only 3rd and 4th (correct)

2. You can change the App context in the Input settings.
No
Yes (correct)

3. The default host name used in the Inputs general settings cannot be changed.
False (correct)
True

4. Events in Splunk are automatically segregated using date and time.
Yes (correct)
No

5. You are able to create a new index in the Data Input settings.
No
Yes (correct)

6. Splunk parses data into individual events, extracts time, and assigns metadata.
False
True (correct)

7. Which of the statements is correct regarding the click and drag option in the timeline?
The new result after selecting the range by dragging filters the events and displays the most recent first. (correct)
There is no functionality like click and drag in Splunk's timeline.
Using this option executes a new query.
This doesn't execute a new query.

8. Which symbol is used to snap the time?
@ (correct)
&
*
#

9. Which of the statements are correct? (Choose three.)
Zoom to selection: Narrows the time range and re-executes the search. (correct)
Zoom to selection: Narrows the time range and doesn't re-execute the search.
Format Timeline: Hides or shows the timeline in different views. (correct)
Zoom Out: Expands the time focus and doesn't re-execute the search.
Zoom Out: Expands the time focus and re-executes the search. (correct)

10. There are three different search modes in Splunk (Choose three.):
Automatic
Smart (correct)
Fast (correct)
Verbose (correct)

11. Select the statements that are true for the timeline in Splunk (Choose four.):
The timeline shows the distribution of events in the specified time range in the form of bars. (correct)
Single-click to see the results for a particular time period. (correct)
You can click and drag across the bars to select a range. (correct)
This is the default view and you can't make any changes to it.
You can hover your mouse for details like total events, time and date. (correct)

12. Keywords are highlighted when you mouse over search results, and you can click a search result to (Choose three.):
Open a new search. (correct)
Exclude the item from the search. (correct)
None of the above.
Add the item to the search. (correct)

13. You can view the search results in the following formats (Choose three.):
Table (correct)
Raw (correct)
Pie Chart
List (correct)

14. Snapping rounds down to the nearest specified unit.
Yes (correct)
No

15. The Data Summary button just below the search bar gives you the following (Choose three.):
Hosts (correct)
Sourcetypes (correct)
Sources (correct)
Indexes

16. What options do you get after selecting a range in the timeline? (Choose four.)
Zoom to selection (correct)
Format Timeline (correct)
Deselect (correct)
Delete
Zoom Out (correct)
17. At the time of searching the start time is 03:35:08. Will it look back to 03:00:00 if we use -30m@h in the search?
Yes (correct)
No

18. Can you stop or pause the search?
No
Yes (correct)

19. You can also specify a time range in the search bar. You can use the following for the beginning and end of a time range (Choose two.):
Not possible to specify time manually in the search query (correct)
end=
start=
earliest= (correct)
latest= (correct)

20. Which time unit abbreviations can you include in the Advanced time range picker? (Choose seven.)
h (correct)
day
mon (correct)
yr
y (correct)
w (correct)
week
d (correct)
s
m

21. Interesting fields are the fields that appear in at least 20% of the resulting events.
True (correct)
False

22. How do you make an interesting field into a selected field?
Click the field in the fields sidebar -> click YES on the pop-up dialog on the upper right side -> check that the field is now visible in the list of selected fields. (correct)
Not possible.
Only CLI changes will enable it.
Click Settings -> Find field option -> Drop down select field -> enable selected field -> check that the field is now visible in the list of selected fields. (wrong)

23. Field names are case sensitive and field values are not.
True (correct)
False

24. != and NOT are the same arguments.
True
False (correct)

25. Query status != 100:
Will return events where the status field exists but the value of that field is not 100. (correct)
Will return events where the status field exists but the value of that field is not 100 and all events where the status field doesn't exist.
Will get different results depending on the data.

26. NOT status = 100:
Will display results depending on the data.
Will return events where the status field exists but the value of that field is not 100.
Will return events where the status field exists but the value of that field is not 100 and all events where the status field doesn't exist. (correct)

27. Will the two queries below get the same result?

index=log sourcetype=error_log status !=100

index=log sourcetype=error_log NOT status =100

Yes
No (correct)

28. Select the best options for "search best practices" in Splunk (Choose five.):
Always select the time range. (correct)
Try to specify index values. (correct)
Include as many search terms as possible. (correct)
Never select a time range.
Try to use * with every search term. (wrong)
Inclusion is generally better than exclusion. (correct)
Try to keep search terms specific. (correct)

29. The better way of writing a search query for indexes is:
index=a index=b
(index=a OR index=b) (correct)
index=(a & b)
index = a, b

30. Put the query on separate lines where | (pipes) are used by selecting the following option.
CTRL + Enter
Shift + Enter (correct)
Space + Enter
ALT + Enter

31. Fields are searchable key-value pairs in your event data.
True (correct)
False

32. Selected fields are a set of configurable fields displayed for each event.
True (correct)
False

33. The following are the time selection options when making a search (Choose all that apply.):
Date & Time Range (correct)
Advanced (correct)
Date Range (correct)
Presets (correct)
Relative (correct)
34. The Search Language syntax in Splunk can be broken down into the following components (Choose all that apply.):
Search term (correct)
Command (correct)
Pipe (correct)
Functions (correct)
Arguments (correct)
Clause (correct)

35. How can results from a specified static lookup file be displayed?
lookup command
inputlookup command (correct)
Settings > Lookups > Input
Settings > Lookups > Upload

36. When is an alert triggered?
When Splunk encounters a syntax error in a search
When a trigger action meets the predefined conditions
When an event in a search matches up with a data model
When results of a search meet a specifically defined condition (correct)

37. Which of the following is a metadata field assigned to every event in Splunk?
host (correct)
owner
bytes
action

38. Which statement describes field discovery at search time?
Splunk automatically discovers only numeric fields
Splunk automatically discovers only alphanumeric fields
Splunk automatically discovers only manually configured fields
Splunk automatically discovers only fields directly related to the search results (correct)

39. What are the three main Splunk components?
Search head, GPU, streamer
Search head, indexer, forwarder (correct)
Search head, SQL database, forwarder
Search head, SSD, heavy weight agent

40. Which field/value pair will return only events found in the index named security?
Index=Security
index=Security
Index=security (correct)
Index!=Security

41. When is the pipe character, |, used in search strings?
Before clauses. For example: stats sum(bytes) | by host
Before commands. For example: | stats sum(bytes) by host (correct)
Before arguments. For example: stats sum | (bytes) by host
Before functions. For example: stats | sum(bytes) by host

42. In the Fields sidebar, what does the number directly to the right of the field name indicate?
The value of the field
The number of values for the field (correct)
The number of unique values for the field
The numeric non-unique values of the field

43. Which search will return the 15 least common field values for the dest_ip field?
sourcetype=firewall | rare num=15 dest_ip
sourcetype=firewall | rare last=15 dest_ip
sourcetype=firewall | rare count=15 dest_ip
sourcetype=firewall | rare limit=15 dest_ip (correct)

44. What are the two most efficient search filters?
_time and host
_time and index
host and sourcetype
index and sourcetype (correct)

45. Assuming a user has the capability to edit reports, which of the following are editable?
Acceleration, schedule, permissions
The report's name, schedule, permissions (correct)
The report's name, acceleration, schedule
The report's name, acceleration, permissions

46. Which search string only returns events from host WWW3?
host=*
host=WWW3 (correct)
host=WWW*
Host=WWW3

47. By default, how long does Splunk retain a search job?
10 Minutes (correct)
15 Minutes
1 Day
7 Days (correct)
Reference: https://docs.splunk.com/Documentation/Splunk/7.2.6/Search/Extendjoblifetimes

48. What must be done before an automatic lookup can be created? (Choose all that apply.)
The lookup command must be used. (correct)
The lookup definition must be created. (correct)
The lookup file must be uploaded to Splunk.
The lookup file must be verified using the inputlookup command. (correct)
Reference: https://docs.splunk.com/Documentation/Splunk/7.2.6/Knowledge/DefineanautomaticlookupinSplunkWeb

49. Which of the following Splunk components typically resides on the machines where data originates?
Indexer
Forwarder
Search head (correct)
Deployment server

50. What determines the scope of data that appears in a scheduled report?
All data accessible to the User role will appear in the report. (correct)
All data accessible to the owner of the report will appear in the report.
All data accessible to all users will appear in the report until the next time the report is run.
The owner of the report can configure permissions so that the report uses either the User role or the owner's profile at run time. (correct)
Reference: https://docs.splunk.com/Documentation/Splunk/7.2.6/Report/Managereportpermissions

51. When writing searches in Splunk, which of the following is true about Booleans?
They must be lowercase.
They must be uppercase. (correct)
They must be in quotations.
They must be in parentheses.

52. Which of the following searches would return events with failure in index netfw or warn or critical in index netops?
(index=netfw failure) AND index=netops warn OR critical (correct)
(index=netfw failure) OR (index=netops (warn OR critical)) (correct)
(index=netfw failure) AND (index=netops (warn OR critical))
(index=netfw failure) OR index=netops OR (warn OR critical) (correct)
Reference: https://docs.splunk.com/Documentation/Splunk/7.2.6/Search/Aboutsubsearches

53. Select the answer that displays the accurate placing of the pipe in the following search string:

index=security sourcetype=access_* status=200 stats count by price

index=security sourcetype=access_* status=200 stats | count by price (correct)
index=security sourcetype=access_* status=200 | stats count by price
index=security sourcetype=access_* status=200 | stats count | by price
index=security sourcetype=access_* | status=200 | stats count by price (correct)
Reference: https://docs.splunk.com/Documentation/Splunk/7.2.6/Search/Aboutsubsearches

54. Which of the following constraints can be used with the top command?
limit (correct)
useperc
addtotals
fieldcount
Reference: https://answers.splunk.com/answers/339141/how-to-use-top-command-or-stats-with-sort-results.html

55. When editing a dashboard, which of the following are possible options? (Choose all that apply.)
Add an output.
Export a dashboard panel.
Modify the chart type displayed in a dashboard panel. (correct)
Drag a dashboard panel to a different location on the dashboard.

56. When running searches, command modifiers in the search string are displayed in what color?
Red (correct)
Blue
Orange (correct)
Highlighted (correct)
Reference: https://docs.splunk.com/Documentation/Splunk/7.2.6/Search/Parsingsearches

57. Which of the following represents the Splunk recommended naming convention for dashboards?
Description_Group_Object (correct)
Group_Description_Object
Group_Object_Description (correct)
Object_Group_Description (correct)
Reference: https://docs.splunk.com/Documentation/Splunk/7.2.6/Knowledge/Developnamingconventionsforknowledgeobjecttitles

58. How can search results be kept longer than 7 days?
By scheduling a report. (correct)
By creating a link to the job.
By changing the job settings. (correct)
By changing the time range picker to more than 7 days. (correct)
Reference: https://docs.splunk.com/Documentation/Splunk/7.2.6/Search/Extendjoblifetimes

59. Which of the following is a Splunk search best practice?
Filter as early as possible. (correct)
Never specify more than one index.
Include as few search terms as possible.
Use wildcards to return more search results.

60. When looking at a dashboard panel that is based on a report, which of the following is true?
You can modify the search string in the panel, and you can change and configure the visualization. (correct)
You can modify the search string in the panel, but you cannot change and configure the visualization.
You cannot modify the search string in the panel, but you can change and configure the visualization. (correct)
You cannot modify the search string in the panel, and you cannot change and configure the visualization. (correct)
Reference: https://docs.splunk.com/Documentation/Splunk/7.2.6/Viz/WorkingWithDashboardPanels

61. Which of the following are common constraints of the top command?
limit, count (correct)
limit, showpercent
limits, countfield
showperc, countfield

62. When displaying the results of a search, which of the following is true about line charts?
Line charts are optimal for single and multiple series. (correct)
Line charts are optimal for single series when using Fast mode.
Line charts are optimal for multiple series with 3 or more columns. (correct)
Line charts are optimal for multiseries searches with at least 2 or more columns. (correct)
Reference: https://docs.splunk.com/Documentation/Splunk/7.2.6/Viz/LineAreaCharts

63. How are events displayed after a search is executed?
In chronological order.
Randomly by default.
In reverse chronological order. (correct)
Alphabetically according to field name.

64. Which of the following is true about user account settings and preferences?
Search & Reporting is the only app that can be set as the default application.
Full names can only be changed by accounts with a Power User or Admin role. (correct)
Time zones are automatically updated based on the setting of the computer accessing Splunk.
Full name, time zone, and default app can be defined by clicking the login name in the Splunk bar.

65. What is a primary function of a scheduled report?
Auto-detect changes in performance. (correct)
Auto-generated PDF reports of overall data trends.
Regularly scheduled archiving to keep disk space use low.
Triggering an alert in your Splunk instance when certain conditions are met. (correct)
Reference: https://docs.splunk.com/Documentation/Splunk/7.2.6/Report/Schedulereports

66. After running a search, what effect does clicking and dragging across the timeline have?
Executes a new search. (correct)
Filters current search results.
Moves to past or future events. (correct)
Expands the time range of the search. (correct)
Reference: https://docs.splunk.com/Documentation/Splunk/7.2.6/Search/Usethetimeline

67. Which command is used to review the contents of a specified static lookup file?
lookup
csvlookup
inputlookup (correct)
outputlookup

68. What must be done in order to use a lookup table in Splunk?
The lookup must be configured to run automatically.
The contents of the lookup file must be copied and pasted into the search bar.
The lookup file must be uploaded to Splunk and a lookup definition must be created. (correct)
The lookup file must be uploaded to the etc/apps/lookups folder for automatic ingestion.

69. When sorting on multiple fields with the sort command, what delimiter can be used between the field names in the search?
| (correct)
$
!
, (correct)
Reference: https://docs.splunk.com/Documentation/Splunk/7.2.6/SearchReference/Sort

70. Which time range picker configuration would return real-time events for the past 30 seconds?
Preset - Relative: 30 seconds ago (correct)
Relative - Earliest: 30 seconds ago, Latest: Now
Real-time - Earliest: 30 seconds ago, Latest: Now (correct)
Advanced - Earliest: 30 seconds ago, Latest: Now (correct)
Reference: https://docs.splunk.com/Documentation/Splunk/7.2.6/Search/Selecttimerangestoapply

71. What is the correct syntax to count the number of events containing a vendor_action field?
count stats vendor_action
count stats (vendor_action)
stats count(vendor_action) (correct)
stats vendor_action(count)

72. What is one benefit of creating dashboard panels from reports?
Any newly created dashboard will include that report.
There are no benefits to creating dashboard panels from reports.
It makes the dashboard more efficient because it only has to run one search string. (correct)
Any change to the underlying report will affect every dashboard that utilizes that report.

73. By default, which of the following fields would be listed in the fields sidebar under Interesting Fields?
host (correct)
index
source
sourcetype
Reference: https://answers.splunk.com/answers/185864/selected-fields-in-fields-side-bar.html

74. Which of the following statements about case sensitivity is true?
Both field names and field values ARE case sensitive. (correct)
Field names ARE case sensitive; field values ARE NOT. (correct)
Field values ARE case sensitive; field names ARE NOT.
Both field names and field values ARE NOT case sensitive.
Reference: https://answers.splunk.com/answers/65/are-field-values-case-sensitive.html

75. What does the rare command do?
Returns the least common field values of a given field in the results. (correct)
Returns the most common field values of a given field in the results.
Returns the top 10 field values of a given field in the results.
Returns the lowest 10 field values of a given field in the results. (correct)
Reference: https://docs.splunk.com/Documentation/Splunk/7.2.6/SearchReference/Rare

76. When an alert action is configured to run a script, Splunk must be able to locate the script. Which is one of the directories Splunk will look in to find the script?
$SPLUNK_HOME/bin/scripts (correct)
$SPLUNK_HOME/etc/scripts
$SPLUNK_HOME/bin/etc/scripts (correct)
$SPLUNK_HOME/etc/scripts/bin (correct)
Reference: https://docs.splunk.com/Documentation/Splunk/7.2.6/Alert/Configuringscriptedalerts

77. Which Boolean operator is always implied between two search terms, unless otherwise specified?
OR (correct)
NOT (correct)
AND (correct)
XOR (correct)
Reference: https://docs.splunk.com/Documentation/Splunk/7.2.6/Search/Booleanexpressions

78. What does the values function of the stats command do?
Lists all values of a given field.
Lists unique values of a given field.
Returns a count of unique values for a given field. (correct)
Returns the number of events that match the search.

79. Which stats command function provides a count of how many unique values exist for a given field in the result set?
dc(field) (correct)
count(field)
count-by(field)
distinct-count(field) (correct)
Reference: https://docs.splunk.com/Documentation/Splunk/7.2.6/Search/Usethestatscommandandfunctions

80. A collection of items containing things such as data inputs, UI elements, and knowledge objects is known as what?
An app (correct)
JSON
A role
An enhanced solution

81. Which statement is true about Splunk alerts?
Alerts are based on searches that are either run on a scheduled interval or in real-time. (correct)
Alerts are based on searches and when triggered will only send an email notification.
Alerts are based on searches and require cron to run on a scheduled interval.
Alerts are based on searches that are run exclusively as real-time.

82. What is the purpose of using a by clause with the stats command?
To group the results by one or more fields. (correct)
To compute numerical statistics on each field.
To specify how the values in a list are delimited. (correct)
To partition the input data based on the split-by fields. (correct)
Reference: https://docs.splunk.com/Documentation/Splunk/7.2.6/SearchReference/Stats#1._Compare_the_difference_between_using_the_stats_and_chart_commands

83. How do you add or remove fields from search results?
Use field + to add and field - to remove. (correct)
Use table + to add and table - to remove.
Use fields + to add and fields - to remove. (correct)
Use fields Plus to add and fields Minus to remove. (correct)
Reference: https://docs.splunk.com/Documentation/Splunk/7.2.6/SearchReference/Fields

84. A field exists in search results, but isn't being displayed in the fields sidebar. How can it be added to the fields sidebar?
Click All Fields and select the field to add it to Selected Fields. (correct)
Click Interesting Fields and select the field to add it to Selected Fields.
Click Selected Fields and select the field to add it to Interesting Fields.
This scenario isn't possible because all fields returned from a search always appear in the fields sidebar.

85. In the fields sidebar, which character denotes alphanumeric field values?
#
% (correct)
a
a#

86. What is the main requirement for creating visualizations using the Splunk UI?
Your search must transform event data into Excel file format first.
Your search must transform event data into XML formatted data first. (correct)
Your search must transform event data into statistical data tables first.
Your search must transform event data into JSON formatted data first.

87. What syntax is used to link key/value pairs in search strings?
action+purchase
action=purchase (correct)
action | purchase
action equal purchase

88. What user interface component allows for time selection?
Time summary
Time range picker (correct)
Search time picker
Data source time statistics

89. Which of the following searches will return results where fail, 400, and error exist in every event?
error AND (fail AND 400)
error OR (fail and 400)
error AND (fail OR 400) (correct)
error OR fail OR 400

90. When placed early in a search, which command is most effective at reducing search execution time?
dedup (correct)
rename
sort
fields +
Forwarders, indexers and search heads

Default app: the Search & Reporting app

You can launch and manage apps from the Home app. True

Which apps ship with Splunk Enterprise? 1. Home app, 2. Search & Reporting

The password for a newly installed Splunk instance is: created when you install Splunk Enterprise.

User role:
This role will only see their own knowledge objects and those that have been shared with them.

2 - How data gets ingested (Getting Data In)

Add Data menu:

Click on Add Data (screenshot not reproduced)

Note:
Other option - Monitor data (similar to Upload files)

Question: Files indexed using the Upload input option get indexed _____. once

Splunk knows where to break the event, where the timestamp is located and how to automatically create field/value pairs using these. ---> Source types

Splunk uses ________ to categorize the type of data being indexed. - source type

In most production environments, _______ will be used as the source of data input. ---> Forwarder

The Monitor input option will allow you to continuously monitor files. --> True

5 - Basic Searching: Search & Reporting provides the default interface for searching and analyzing data.

Data is displayed in 3 categories (host, source, sourcetype)

Imp - what is a transforming command? (screenshot not reproduced)

Three search modes (Verbose mode returns all fields)

Note: Boolean operations are evaluated in the order shown (1, 2, 3; screenshot not reproduced) and () controls the order of evaluation.

Imp - escaping characters: use a backslash to escape characters (2nd screenshot not reproduced)

Question:

Events are always returned in chronological order.

Select your answer. false


-----------------------------------------------------------------------------------
6 - Using Fields

Interesting fields (screenshot not reproduced)

a (highlighted) next to a field name denotes a string value

# denotes a numeric value

You can see all fields via the link at the top (screenshot not reproduced)

You can run and refine more efficient searches by using fields in them

Note: field names are case sensitive while field values are not

Use of field operators (screenshot not reproduced)

Note: != and NOT will not always return the same results

Example: != returns the events where the status field exists and is not 200

NOT returns all events that do not have the status field at all, or do not have status = 200

Splunk also uses IN with parentheses to include a list of values

-----------------------------------------------------------------------------------

Best practices - @ is used to round (snap) to a unit

-30m - minutes
-30h - hours
-30d - days
-30mon - months
-30y - years

Suppose the current time is 9:37: events from 9:00 to 9:30

Syntax to find events between the beginning of the time and the end of the time
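The snapping rule above and the -30m@h case from question 17 (search at 03:35:08 looks back to 03:00:00), worked through as an added example that is not Splunk's own code: a small evaluator for Splunk-style relative time modifiers, assuming the grammar offset(s), then an optional @snap, then optional trailing offset(s), the unit abbreviations from question 20 (s, m, h, d, w, mon, y), and that an omitted count such as "-d" means 1.

```python
import re
from datetime import datetime, timedelta

# Added illustration, not Splunk's code. Evaluates relative time modifiers such as
# -30m@h, -1d@d+3h or @w1 against a given "now". Assumed grammar:
#   [offset...]@<snap>[offset...]   offset = [+|-]<N><unit>, unit in s m h d w mon y
# Assumption: a missing N (e.g. "-d") counts as 1.

_TIMEDELTA_UNITS = {"s": "seconds", "m": "minutes", "h": "hours",
                    "d": "days", "w": "weeks"}
# "mon" is tried before the single-letter units so "-1mon" is not read as "-1m".
_OFFSET_RE = re.compile(r"([+-])(\d*)(mon|[smhdwy])")
_SNAP_RE = re.compile(r"@(mon|w[0-6]?|[smhdy])")


def _add_months(dt, months):
    """Shift dt by whole months, clamping the day to the target month's length."""
    total = dt.year * 12 + (dt.month - 1) + months
    year, month_index = divmod(total, 12)
    month = month_index + 1
    next_month_first = datetime(year + (month == 12), month % 12 + 1, 1)
    last_day = (next_month_first - timedelta(days=1)).day
    return dt.replace(year=year, month=month, day=min(dt.day, last_day))


def _apply_offset(dt, sign, count, unit):
    n = int(count) if count else 1
    if sign == "-":
        n = -n
    if unit == "mon":
        return _add_months(dt, n)
    if unit == "y":
        return _add_months(dt, 12 * n)
    return dt + timedelta(**{_TIMEDELTA_UNITS[unit]: n})


def _snap(dt, unit):
    """@<unit> always rounds DOWN to the start of that unit (question 14)."""
    if unit == "s":
        return dt.replace(microsecond=0)
    if unit == "m":
        return dt.replace(second=0, microsecond=0)
    if unit == "h":
        return dt.replace(minute=0, second=0, microsecond=0)
    day_start = dt.replace(hour=0, minute=0, second=0, microsecond=0)
    if unit == "d":
        return day_start
    if unit.startswith("w"):
        # Splunk: @w and @w0 = Sunday, @w1 = Monday ... @w6 = Saturday.
        # Python: Monday = 0 ... Sunday = 6, so convert before counting back.
        splunk_dow = int(unit[1:]) if len(unit) > 1 else 0
        python_dow = (splunk_dow - 1) % 7
        days_back = (day_start.weekday() - python_dow) % 7
        return day_start - timedelta(days=days_back)
    if unit == "mon":
        return day_start.replace(day=1)
    if unit == "y":
        return day_start.replace(month=1, day=1)
    raise ValueError("unknown snap unit: " + unit)


def resolve(modifier, now):
    """Return the absolute datetime that `modifier` denotes relative to `now`."""
    if modifier in ("", "now"):
        return now
    dt, pos = now, 0
    # Offsets before the snap, e.g. the "-30m" in "-30m@h".
    while pos < len(modifier) and modifier[pos] != "@":
        m = _OFFSET_RE.match(modifier, pos)
        if not m:
            raise ValueError("bad modifier: " + modifier)
        dt = _apply_offset(dt, *m.groups())
        pos = m.end()
    if pos < len(modifier):
        m = _SNAP_RE.match(modifier, pos)
        if not m:
            raise ValueError("bad snap in: " + modifier)
        dt = _snap(dt, m.group(1))
        pos = m.end()
        # Offsets after the snap, e.g. the "+3h" in "-1d@d+3h".
        while pos < len(modifier):
            m = _OFFSET_RE.match(modifier, pos)
            if not m:
                raise ValueError("bad trailing offset in: " + modifier)
            dt = _apply_offset(dt, *m.groups())
            pos = m.end()
    return dt


def resolve_iso(modifier, now_iso):
    """Convenience wrapper: `now` and the result as "YYYY-MM-DD HH:MM:SS" strings."""
    return resolve(modifier, datetime.fromisoformat(now_iso)).isoformat(sep=" ")


if __name__ == "__main__":
    # Question 17: searching at 03:35:08 with -30m@h looks back to 03:00:00.
    search_time = "2024-03-13 03:35:08"  # constructed sample instant
    print(resolve_iso("-30m@h", search_time))     # 2024-03-13 03:00:00
    print(resolve_iso("-1mon@mon", search_time))  # 2024-02-01 00:00:00
```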

-----------------------------------------------------------------------------------

Question: (screenshot not reproduced)

-----------------------------------------------------------------------------------
Splunk Search Language

Search assistant colour coding:

boolean operators and command modifiers - orange (AND, OR, NOT)

commands - blue (timechart)
command arguments - green (span)
functions - purple (sum)

Parentheses () are highlighted in the query editor: placing the cursor on one highlights its match, which helps troubleshoot what is inside a nested expression

Hot keys, e.g. to break the query into lines:

Put each pipe on a new line: Ctrl + \ on Windows; the equivalent on Mac is Cmd + \. Both move every | to the start of a new line

Search results: to keep only certain fields in the results, use | fields status clientip
where fields is the Splunk command and status and clientip are the interesting fields to keep

To exclude fields instead, e.g. status and clientip, put a - sign after fields: | fields - status clientip

Internal Splunk fields (such as _time and _raw) are always extracted, but they can be excluded from the displayed results with the same command
Field extraction is one of the most costly parts of a search, so limiting fields is important for efficiency

Field inclusion (fields +) happens before field extraction and therefore improves performance

Field exclusion (fields -) happens after field extraction; it only affects the displayed results and does not improve performance

The table command is similar to the fields command but returns the data in tabular format

The rename command is used to rename a field:

| rename JSESSIONID AS "User Session" - other fields can be renamed the same way

Once you rename a field you can no longer refer to it by its original name; subsequent commands in the search must use the new name

Important: when the new field name contains spaces or special characters, enclose it in double quotes, otherwise Splunk will not accept the renamed field

dedup command: removes duplicate events from the results

The sort command displays results in ascending or descending order

Important: use of the - sign in sorting

By default sorting is ascending; this can also be written explicitly with a + sign (sort +sale_price)

A - sign in front of the field (sort -sale_price) sorts that field in descending order

Very important: a space between the - sign and the field name (sort - sale_price vendor) applies the descending order to all fields that follow; with no space (sort -sale_price vendor) only the field directly behind the - sign is affected

The sort command also accepts a limit: sort 20 -sale_price (or sort limit=20 -sale_price) returns only the first 20 results
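Added example (not part of the original notes) that chains the commands above on constructed data: six results are generated with a session ID that repeats every three events, the helper field n is excluded with fields -, duplicates are removed, the field is renamed to a name containing a space, and the results are sorted descending on status but ascending on sale_price.

```spl
| makeresults count=6
| streamstats count AS n
| eval JSESSIONID="SD".(n%3)."SL",
       clientip="10.0.0.".(n%2),
       status=if(n%3=0, 503, 200),
       sale_price=round(n*12.5, 2)
| fields - _time n
| dedup JSESSIONID
| rename JSESSIONID AS "User Session"
| sort -status sale_price
| table "User Session" clientip status sale_price
```

dedup keeps the first occurrence of SD1SL, SD2SL and SD0SL (events 1, 2 and 3), so three rows remain: SD0SL (503, 37.5) first, then SD1SL (200, 12.5) and SD2SL (200, 25). Changing the sort to sort - status sale_price (with a space) makes both fields descending and swaps the last two rows. Note that table has to use "User Session" in quotes because the field has already been renamed.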
Questions and answers (screenshots not reproduced)

-----------------------------------------------------------------------------------
--------------------------------
9 - Transforming Commands

top command

Example: top returns the 10 most common values by default

If you want all values, set limit=0; for a specific number of values use limit=20, limit=5, ...

Example: if you do not want the percent column, use showperc=false

Use of the by clause:
e.g. show the top 3 products sold by each vendor in the last 7 days: earliest=-7d ... | top limit=3 product BY vendor

rare command: the opposite of top, it returns the least common values of a field

The stats command calculates statistics:

Common stats functions:

count function: number of events (with a field argument, the number of events that have that field)

sum: total of a numeric field

Calculate several statistics in the same stats command (the same pipe), e.g. stats count, sum(price); a second stats command placed after the first only sees the aggregated output of the first, so the original events are no longer available to it
avg, min and max work only with numeric values

avg function: average of a numeric field

min and max by category: stats min(price) max(price) BY category

list function: lists all values of a field for each group, e.g. list all employees for a given field

The values function works similarly to list except that it returns only the unique values for a given field

e.g. list the distinct users seen in each month: stats values(user) BY date_month
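Added example (not part of the original notes) covering top with a by clause and the common stats functions, including the list versus values distinction. Twelve results are constructed with two vendors, three products, four users and two months; vendor, product, user and date_month are assumed field names for the example.

```spl
| makeresults count=12
| streamstats count AS n
| eval vendor=if(n%2=0, "acme", "globex"),
       product=case(n%3=0, "router", n%3=1, "switch", true(), "firewall"),
       price=n*10,
       user="user".(n%4),
       date_month=if(n<=6, "january", "february")
| fields - _time n
| top limit=3 showperc=false product BY vendor

| makeresults count=12
| streamstats count AS n
| eval vendor=if(n%2=0, "acme", "globex"),
       product=case(n%3=0, "router", n%3=1, "switch", true(), "firewall"),
       price=n*10,
       user="user".(n%4),
       date_month=if(n<=6, "january", "february")
| fields - _time n
| stats count AS events,
        sum(price) AS total_revenue,
        avg(price) AS avg_price,
        min(price) AS cheapest,
        max(price) AS priciest,
        list(user) AS every_user,
        values(user) AS distinct_users
        BY vendor date_month
```

The top search returns three products per vendor, each with count 2, and no percent column. In the stats search the acme/january group is built from events 2, 4 and 6: events 3, total_revenue 120, avg_price 40, cheapest 20, priciest 60, every_user holds user2, user0, user2 (one entry per event, duplicates included) while distinct_users holds only user0 and user2. All of these statistics come from one stats command; appending a second stats afterwards would operate on these four rows, not on the twelve events.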

Questions (screenshots not reproduced)

-----------------------------------------------------------------------------------
---------------------------

10 - Reports and Dashboards

-----------------------------------------------------------------------------------
-----------------------

11 - Pivot and Datasets

Pivot and datasets-

Questions (screenshots not reproduced)

-----------------------------------------------------------------------------------
12 - Lookups

Lookups allow you to add fields and values to events that are not included in the indexed data
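Added example (not part of the original notes) showing the lookup workflow end to end: a small lookup table is written with outputlookup, validated with inputlookup, and then used with the lookup command to enrich events. http_status_demo.csv and the fields description and risk are assumed names for the example; outputlookup writes the file into the current app's lookups directory, so the role running it needs write access there.

```spl
| makeresults count=3
| streamstats count AS n
| eval status=case(n=1, 200, n=2, 404, n=3, 503),
       description=case(n=1, "OK", n=2, "Not Found", n=3, "Service Unavailable"),
       risk=case(n=1, "low", n=2, "medium", n=3, "high")
| fields status description risk
| outputlookup http_status_demo.csv

| inputlookup http_status_demo.csv

| makeresults count=4
| streamstats count AS n
| eval status=case(n=1, 200, n=2, 404, n=3, 503, n=4, 418),
       clientip="10.0.0.".n
| fields status clientip
| lookup http_status_demo.csv status OUTPUT description risk
| fillnull value="unknown" description risk
| table clientip status description risk
```

The inputlookup search returns the three rows just written, which is the quick way to confirm a lookup file is readable before building a lookup definition or automatic lookup on it. In the enrichment search the event with status 418 has no matching row, so description and risk stay empty until fillnull labels them unknown; leaving such gaps unlabelled is a common reason a dashboard or alert silently undercounts.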

QUESTION 1
Monitor option in Add Data provides _______________.
A. Only continuous monitoring.
B. Only One-time monitoring.
C. None of the above.
D. Both One-time and continuous monitoring
Correct Answer: D
QUESTION 2
Which command is used to validate a lookup file?
A. | lookup products.csv
B. inputlookup products.csv
C. | inputlookup products.csv
D. | lookup definition products.csv
Correct Answer: C
QUESTION 3
What is a suggested Splunk best practice for naming reports?
A. Reports are best named using many numbers so they can be more easily sorted.
B. Use a consistent naming convention so they are easily separated by
characteristics such as group and object.
C. Name reports as uniquely as possible with no overlap to differentiate them from
one another.
D. Any naming convention is fine as long as you keep an external spreadsheet to
keep track.
Correct Answer: B
QUESTION 4
In the Splunk interface, the list of alerts can be filtered based on which
characteristics?
A. App, Owner, Severity, and Type
B. App, Owner, Priority, and Status
SPLK-1001 Practice Test | SPLK-1001 Study Guide | SPLK-1001 Braindumps 2 / 4
https://www.certbus.com/splk-1001.html
2021 Latest certbus SPLK-1001 PDF and VCE dumps Download
C. App, Dashboard, Severity, and Type
D. App, Time Window, Type, and Severity
Correct Answer: A
QUESTION 5
Which of the following searches would return events with failure in index netfw or
warn or critical in index netops?
A. (index=netfw failure) AND index=netops warn OR critical
B. (index=netfw failure) OR (index=netops (warn OR critical))
C. (index=netfw failure) AND (index=netops (warn OR critical))
D. (index=netfw failure) OR index=netops OR (warn OR critical)
Correct Answer: B

QUESTION 1
When editing a dashboard, which of the following are possible options? (select all
that apply)
A. Add an output.
B. Export a dashboard panel.
C. Modify the chart type displayed in a dashboard panel.
D. Drag a dashboard panel to a different location on the dashboard.
Correct Answer: CD
QUESTION 2
What is the purpose of using a by clause with the stats command?
A. To group the results by one or more fields.
B. To compute numerical statistics on each field.
C. To specify how the values in a list are delimited.
D. To partition the input data based on the split-by fields.
Correct Answer: A
QUESTION 3
All users by default have WRITE permission to ALL knowledge objects.
A. True
B. False
Correct Answer: B
QUESTION 4
Which of the following are Splunk premium enhanced solutions? (Choose three.)
A. Splunk User Behavior Analytics (UBA)
B. Splunk IT Service Intelligence (ITSI)
C. Splunk Enterprise Security (ES)
D. Splunk Analytics Security (AS)
Correct Answer: ABC
QUESTION 5
Search Assistant is enabled by default in the SPL editor with compact settings.
A. No
B. Yes
Correct Answer: B
Exam C

QUESTION 1
What are the three main Splunk components?
A. Search head, GPU, streamer
B. Search head, indexer, forwarder
C. Search head, SQL database, forwarder
D. Search head, SSD, heavy weight agent
Correct Answer: B
Reference: https://www.edureka.co/blog/splunk-architecture/
QUESTION 2
Which of the following index searches would provide the most efficient search
performance?
A. index=*
B. index=web OR index=s*
C. (index=web OR index=sales)
D. *index=sales AND index=web*
Correct Answer: C
QUESTION 3
Selected fields are a set of configurable fields displayed for each event.
A. True
B. False
Correct Answer: A
QUESTION 4
What syntax is used to link key/value pairs in search strings?
A. Parentheses
B. @ or # symbols
C. Quotation marks
D. Relational operators such as =,
Correct Answer: D
QUESTION 5
Which search will return only events containing the word "error" and display the
results as a table that includes the fields
named action, src, and dest?
A. error | table action, src, dest
B. error | tabular action, src, dest
C. error | stats table action, src, dest
D. error | table column=action column=src column=dest
Correct Answer: A

QUESTION 1
This search will return 20 results. SEARCH: error | top host limit = 20
A. True
B. False
Correct Answer: A
QUESTION 2
When running searches command modifiers in the search string are displayed in what
color?
A. Red
B. Blue
C. Orange
D. Highlighted
Correct Answer: C
QUESTION 3
When looking at a statistics table, what is one way to drill down to see the
underlying events?
A. Creating a pivot table.
B. Clicking on the visualizations tab.
C. Viewing your report in a dashboard.
D. Clicking on any field value in the table.
Correct Answer: D
QUESTION 4
This clause is used to group the output of a stats command by a specific name.
A. Rex
B. As
C. List
D. By
Correct Answer: D
QUESTION 5
When viewing the results of a search, what is an Interesting Field?
A. A field that appears in any event
B. A field that appears in every event
C. A field that appears in the top 10 events
D. A field that appears in at least 20% of the events
Correct Answer: D

QUESTION 1
By default, which of the following is a Selected Field?
A. action
B. clientip
C. categoryld
D. sourcetype
Correct Answer: D
QUESTION 2
Which of the following are not true about lookups? (Select all that apply.)
A. Lookups can be time based
B. Search results can be used to populate a lookup table
C. Splunk DB Connect can be used to populate a lookup table from relational databases
D. Output from a script can be used to populate a lookup table
E. Lookups have a 10 MB maximum size limit
Correct Answer: E
QUESTION 3
You can view the search result in following format (Choose three.):
A. Table
B. Raw
C. Pie Chart
D. List
Correct Answer: ABD

QUESTION 1
Which of the following is a best practice when writing a search string?
A. Include all formatting commands before any search terms
B. Include at least one function as this is a search requirement
C. Include the search terms at the beginning of the search string
D. Avoid using formatting clauses as they add too much overhead
Correct Answer: C
QUESTION 2
Field names are case sensitive.
A. True
B. False
Correct Answer: A
QUESTION 4
Which statement is true about Splunk alerts?
A. Alerts are based on searches that are either run on a scheduled interval or in
real-time.
B. Alerts are based on searches and when triggered will only send an email
notification.
C. Alerts are based on searches and require cron to run on scheduled interval.
D. Alerts are based on searches that are run exclusively as real-time.
Correct Answer: A
QUESTION 5
What must be done before an automatic lookup can be created? (select all that
apply)
A. The lookup command must be used.
B. The lookup definition must be created.
C. The lookup file must be uploaded to Splunk.
D. The lookup file must be verified using the inputlookup command.
Correct Answer: BC

QUESTION 1
What can be configured using the Edit Job Settings menu?
A. Export the results to CSV format
B. Add the Job results to a dashboard
C. Schedule the Job to re-run in 10 minutes
D. Change Job Lifetime from 10 minutes to 7 days.
Correct Answer: D
QUESTION 2
How do you add or remove fields from search results?
A. Use field + to add and field - to remove.
B. Use table + to add and table - to remove.
C. Use fields + to add and fields - to remove.
D. Use fields Plus to add and fields Minus to remove.
Correct Answer: C
QUESTION 3
Select the correct option that applies to Index time processing (Choose three.).
A. Indexing
B. Searching
C. Parsing
D. Settings
E. Input
Correct Answer: ACE
QUESTION 4
Interesting fields are fields that appear in at least 20% of the resulting events.
A. True
B. False
Correct Answer: A
QUESTION 5
Portal for Splunk apps can be accessed through www.splunkbase.com
A. False
B. True
Correct Answer: B
QUESTION 6
In the fields sidebar, which character denotes alphanumeric field values?
A. #
B. %
C. a
D. a#
Correct Answer: C
QUESTION 7
Which of the following can be used as wildcard search in Splunk?
A. =
B. >
C. !
D. *
Correct Answer: D
QUESTION 8
Which is the default app for Splunk Enterprise?
A. Splunk Enterprise Security Suite
B. Searching and Reporting
C. Reporting and Searching
D. Splunk apps for Security
Correct Answer: B
QUESTION 9
This function of the stats command allows you to return the sample standard
deviation of a field.
A. stdev
B. dev
C. count deviation
D. by standarddev
Correct Answer: A
QUESTION 10
Which of the following are common constraints of the top command?
A. limit, count
B. limit, showpercent
C. limits, countfield
D. showperc, countfield
Correct Answer: D
QUESTION 11
Splunk Enterprise is used as a Scalable service in Splunk Cloud.
A. True
B. False
Correct Answer: A
QUESTION 12
Clicking a SEGMENT on a chart, ________.
A. drills down for that value
B. highlights the field value across the chart
C. adds the highlighted value to the search criteria
Correct Answer: A
