ExamGecko

Splunk SPLK-1001 Practice Test - Questions Answers, Page 23


What is the default lifetime of every Splunk search job?

A. All search jobs are saved for 10 days
B. All search jobs are saved for 10 hours
C. All search jobs are saved for 10 weeks
D. All search jobs are saved for 10 minutes
Suggested answer: D

Explanation:

The artifacts of an ad-hoc search job are retained for 10 minutes (600 seconds, the ttl setting in the [search] stanza of limits.conf) after the search completes. The lifetime can be extended to 7 days from the job's settings, and scheduled searches have their own retention setting, so the question is about the default that applies to an ordinary ad-hoc job.

Reference:

https://docs.splunk.com/Documentation/Splunk/8.0.3/Search/Extendjoblifetimes

Which search will return the 15 least common field values for the dest_ip field?

A. sourcetype=firewall | rare num=15 dest_ip
B. sourcetype=firewall | rare last=15 dest_ip
C. sourcetype=firewall | rare count=15 dest_ip
D. sourcetype=firewall | rare limit=15 dest_ip
Suggested answer: D

Explanation:

The rare command accepts the same options as top, and the number of rows returned is set with limit=<int> (default 10). num=, last= and count= are not rare options, so "sourcetype=firewall | rare limit=15 dest_ip" is the only valid search among the choices and returns the 15 least common dest_ip values with their counts and percentages.

Reference:

https://answers.splunk.com/answers/41928/add-a-lookup-csv-colum-information-to-the-results-ofainputlookup-search.html

When is an alert triggered?

A. When Splunk encounters a syntax error in a search
B. When a trigger action meets the predefined conditions
C. When an event in a search matches up with a data model
D. When results of a search meet a specifically defined condition
Suggested answer: D

Explanation:

An alert is a saved search with a trigger condition attached (for example, number of results greater than zero). The alert fires when the results of the search meet that condition; the trigger actions (send an email, run a script, add to triggered alerts) are what happens after it fires, not what decides whether it fires.

Reference:

https://books.google.com.pk/books?id=sNwkBQAAQBAJ&pg=PT525&lpg=PT525&dq=splunk+alert+triggered+When+results+of+a+search+meet+a+specifically+defined+condition&source=bl&ots=avtEx5luxo&sig=ACfU3U1ZVob_j9nU243Te2vhqwxI3YvJuA&hl=en&sa=X&ved=2ahUKEwjm48rmkfXoAhUlMewKHb_FAbkQ6AEwB3oECBYQJg

What are the three main Splunk components?

A. Search head, GPU, streamer
B. Search head, indexer, forwarder
C. Search head, SQL database, forwarder
D. Search head, SSD, heavy weight agent
Suggested answer: B

Explanation:

Forwarders collect data on the source hosts and send it on, indexers parse and store it, and search heads run searches across the indexers and present results. GPUs, SQL databases and SSDs are hardware or external components, not Splunk processing tiers.

Reference:

https://www.edureka.co/blog/splunk-architecture/

Which statement describes field discovery at search time?

A. Splunk automatically discovers only numeric fields
B. Splunk automatically discovers only alphanumeric fields
C. Splunk automatically discovers only manually configured fields
D. Splunk automatically discovers only fields directly related to the search results
Suggested answer: D

Explanation:

Field discovery runs at search time on the events a search returns, so the fields Splunk extracts automatically are those found in the search results, whatever their type. Field discovery is on in Verbose mode (and in Smart mode for non-transforming searches) and off in Fast mode, which is why switching search mode changes the fields listed in the sidebar.

Reference:

https://docs.splunk.com/Documentation/Splunk/8.0.2/Search/Changethesearchmode

Which Field/Value pair will return only events found in the index named security?

A. Index=Security
B. index=Security
C. Index=security
D. index!=Security
Suggested answer: B

Explanation:

Field names in a search are case-sensitive, so the index field must be written as index; "Index=..." refers to a field that does not exist and returns nothing. Field values are matched case-insensitively, so index=Security matches the index named security. index!=Security returns every event except those in that index.

Reference:

https://answers.splunk.com/answers/712164/why-are-the-wineventlogssecurity-indexingindiffe.html

Which of the following searches would return only events that match the following criteria?

• Events are inside the main index

• The field status exists in the event

• The value in the status field does not equal 200

A. index==main status!==200
B. index=main NOT status=200
C. index==main NOT status==200
D. index-main status!=200
Suggested answer: D

Explanation:

In the search command, field comparisons use a single = (together with !=, <, >, <= and >=); == is an eval and where operator, so options A and C are not valid searches. Option B, "index=main NOT status=200", also returns events that have no status field at all, because NOT is the plain complement of the field=value match, which violates the second criterion. "status!=200" matches only events in which the status field exists and has a value other than 200, so "index=main status!=200" is the search that satisfies all three criteria. The hyphen in option D ("index-main") is taken here to be a transcription error for =.

Given the following SPL search, how many rows of results would you expect to be returned by default? index=security sourcetype=linux_secure (fail* OR invalid) | top src_ip

A. 10
B. 50
C. 100
D. 20
Suggested answer: A

Explanation:

The top command returns 10 rows by default (limit=10), so this search returns at most 10 rows: the most common src_ip values among events in the security index with sourcetype linux_secure that contain a term beginning with "fail" or the term "invalid", each with a count and a percentage. Fewer rows come back if there are fewer than 10 distinct src_ip values.
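Three of the searches on this page turn on small semantic points that matter when a search is used as a detection: rare and top take limit= and default to 10 rows, field!=value excludes events that lack the field while NOT field=value keeps them, and field names are case-sensitive while values are not. The following Python simulation is an added example, not Splunk code and not part of the exam material; it models those rules over constructed events (the indexes, status codes and IP addresses are made up).

```python
from collections import Counter

# Constructed sample events (not real logs). One event in `main` has no
# `status` field at all, which is the case that separates `!=` from `NOT`.
EVENTS = [
    {"index": "main", "status": "200", "src_ip": "10.0.0.1"},
    {"index": "main", "status": "404", "src_ip": "10.0.0.2"},
    {"index": "main", "status": "500", "src_ip": "10.0.0.3"},
    {"index": "main", "src_ip": "10.0.0.4"},
    {"index": "security", "status": "403", "src_ip": "10.0.0.5"},
]

# Constructed firewall events: 10.1.0.N appears N times (N = 1..12), so the
# dest_ip field has 12 distinct values across 78 events.
FIREWALL = [{"dest_ip": f"10.1.0.{n}"} for n in range(1, 13) for _ in range(n)]


def _eq(a, b):
    """Field values (including index names) match case-insensitively."""
    return str(a).lower() == str(b).lower()


def field_equals(events, field, value):
    """`field=value`: the field must exist and its value must match.
    Field names are case-sensitive, so `Index=main` finds nothing."""
    return [e for e in events if field in e and _eq(e[field], value)]


def field_not_equals(events, field, value):
    """`field!=value`: the field must exist AND differ from the value;
    events that lack the field are excluded."""
    return [e for e in events if field in e and not _eq(e[field], value)]


def not_field_equals(events, field, value):
    """`NOT field=value`: plain complement of `field=value`, so events
    that lack the field are kept as well."""
    return [e for e in events if not (field in e and _eq(e[field], value))]


def _ranked(events, field, limit, most_common):
    """Shared body of top/rare: (value, count, percent) rows, at most `limit`."""
    counts = Counter(e[field] for e in events if field in e)
    if not counts:
        return []
    total = sum(counts.values())
    rows = sorted(
        counts.items(),
        key=lambda kv: ((-kv[1] if most_common else kv[1]), kv[0]),
    )
    return [(v, c, round(100.0 * c / total, 2)) for v, c in rows[:limit]]


def top(events, field, limit=10):
    """`top`: most common values first; `limit=` defaults to 10 rows."""
    return _ranked(events, field, limit, most_common=True)


def rare(events, field, limit=10):
    """`rare`: least common values first; takes the same `limit=` option."""
    return _ranked(events, field, limit, most_common=False)


if __name__ == "__main__":
    main_events = field_equals(EVENTS, "index", "main")
    print("status!=200    ->", [e.get("status") for e in field_not_equals(main_events, "status", "200")])
    print("NOT status=200 ->", [e.get("status") for e in not_field_equals(main_events, "status", "200")])
    print("Index=main     ->", field_equals(EVENTS, "Index", "main"))
    print("top dest_ip rows by default:", len(top(FIREWALL, "dest_ip")))
    print("rare limit=15, first rows:", rare(FIREWALL, "dest_ip", limit=15)[:3])
```

Running it shows the two status filters diverging on the event that has no status field: in a real detection, NOT status=200 quietly admits events where extraction of status failed, which is rarely what the author intended. The limit= behaviour is why the top src_ip search above returns at most 10 rows without an explicit limit, and why rare needs limit=15 to return 15.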

Which Field/Value pair will return only events found in the index named security?

A. index!=Security
B. Index-security
C. Index=Security
D. index=Security
Suggested answer: D

Explanation:

Field names are case-sensitive, so the index field must be written as index; this rules out "Index=Security", and "Index-security" is not a field/value pair at all. "index!=Security" excludes the index instead of selecting it. Field values are matched case-insensitively, so "index=Security" matches the index named security and returns only its events.

How many minutes, by default, is the time to live (ttl) for an ad-hoc search job?

A. 5 minutes
B. 1 minute
C. 10 minutes
D. 60 minutes
Suggested answer: C

Explanation:

The default time to live (ttl) for an ad-hoc search job is 10 minutes: the ttl setting in the [search] stanza of limits.conf defaults to 600 seconds. Once that period has passed after the job completes, the job's artifacts (the results stored in its dispatch directory) are removed and the results are no longer available. The value can be changed in limits.conf, and an individual job can be kept longer (7 days) by saving it from the job settings.

Total 246 questions