Splunk SPLK-1001 Splunk Core Certified User Exam Exam Practice Test Questions

• Question 1

  What is the purpose of using a by clause with the stats command?

  • To group the results by one or more fields.
  • To compute numerical statistics on each field.
  • To specify how the values in a list are delimited.
  • To partition the input data based on the split-by fields.

  Show Answer Answer: A Next

• Question 2

  In the Fields sidebar, what does the number directly to the right of the field name indicate?

  • The value of the field
  • The number of values for the field
  • The number of unique values for the field
  • The numeric non-unique values of the field

  Show Answer Answer: C Next

• Question 3

  By default, how long does Splunk retain a search job?

  • 10 Minutes
  • 15 Minutes
  • 1 Day
  • 7 Days

  Show Answer Answer: A Next

• Question 4

  When using the top command in the following search, which of the following will be true about the results?index='main' sourcetype='access_*' action='purchase' | top 3 statusCode by user showperc=f countfield=status_code_count

  • The search will fail. The proper top command format is top limit=3 instead of top 3.
  • The top three most common values in statusCode will be displayed for each user.
  • Only the top three overall most common values in statusCode will be displayed.
  • The percentage field will be displayed in the results.

  Show Answer Answer: B Next

• Question 5

  When is an alert triggered?

  • When Splunk encounters a syntax error in a search
  • When a trigger action meets the predefined conditions
  • When an event in a search matches up with a data model
  • When results of a search meet a specifically defined condition

  Show Answer Answer: D Next