Splunk SPLK-1002 Practice Test - Questions Answers, Page 13
These allow you to categorize events based on search terms.

A. Groups
B. Event Types
C. Macros
D. Tags
Suggested answer: B

In the Field Extractor Utility, this button will display events that do not contain extracted fields.

A. Selected-Fields
B. Non-Matches
C. Non-Extractions
D. Matches
Suggested answer: B

Explanation:

The Field Extractor Utility (FX) is a tool that helps you extract fields from your events using a graphical interface or by manually editing the regular expression. The FX has a button that displays events that do not contain extracted fields, which is the Non-Matches button. The Non-Matches button shows you the events that do not match the regular expression that you have defined for your field extraction. This way, you can check whether your field extraction is accurate and complete. Therefore, option B is correct, while options A, C and D are incorrect because they are not buttons that display events that do not contain extracted fields.

During the validation step of the Field Extractor workflow:

A. You can remove values that aren't a match for the field you want to define
B. You can validate where the data originated from
C. You cannot modify the field extraction
Suggested answer: A

Explanation:

During the validation step of the Field Extractor workflow, you can remove values that aren't a match for the field you want to define. The validation step allows you to review and edit the values that have been extracted by the FX and make sure they are correct and consistent. You can remove values that aren't a match by clicking on them and selecting Remove Value from the menu. This will exclude them from your field extraction and update the regular expression accordingly. Therefore, option A is correct, while options B and C are incorrect because they are not actions that you can perform during the validation step of the Field Extractor workflow.

Which of the following search modes automatically returns all extracted fields in the fields sidebar?

A. Fast
B. Smart
C. Verbose
Suggested answer: C

Explanation:

The search modes determine how Splunk processes your search and displays your results. There are three search modes: Fast, Smart and Verbose. The search mode that automatically returns all extracted fields in the fields sidebar is Verbose. The Verbose mode shows all the fields that are extracted from your events, including default fields, indexed fields and search-time extracted fields. The fields sidebar is a panel that shows the fields that are present in your search results. Therefore, option C is correct, while options A and B are incorrect because they are not search modes that automatically return all extracted fields in the fields sidebar.

Where are the results of eval commands stored?

A. In a field.
B. In an index.
C. In a KV Store.
D. In a database.
Suggested answer: A

Explanation:

https://docs.splunk.com/Documentation/Splunk/8.0.2/SearchReference/Eval

The eval command calculates an expression and puts the resulting value into a search results field.

If the field name that you specify does not match a field in the output, a new field is added to the search results.

If the field name that you specify matches a field name that already exists in the search results, the results of the eval expression overwrite the values in that field.

What other syntax will produce exactly the same results as | chart count over vendor_action by user?

A. | chart count by vendor_action, user
B. | chart count over vendor_action, user
C. | chart count by vendor_action over user
D. | chart count over user by vendor_action
Suggested answer: A

Explanation:

https://docs.splunk.com/Documentation/Splunk/8.1.2/SearchReference/Chart

There are several ways to access the field extractor. Which option automatically identifies data type, source type, and sample event?

A. Event Actions > Extract Fields
B. Fields sidebar > Extract New Field
C. Settings > Field Extractions > New Field Extraction
D. Settings > Field Extractions > Open Field Extraction
Suggested answer: B

Explanation:

There are several ways to access the field extractor. The option that automatically identifies data type, source type, and sample event is Fields sidebar > Extract New Field. The field extractor is a tool that helps you extract fields from your data using delimiters or regular expressions. The field extractor can generate a regex for you based on your selection of sample values or you can enter your own regex in the field extractor. The field extractor can be accessed by using various methods, such as:

Fields sidebar > Extract New Field: This is the easiest way to access the field extractor. The fields sidebar is a panel that shows all available fields for your data and their values. When you click on Extract New Field in the fields sidebar, Splunk will automatically identify the data type, source type, and sample event for your data based on your current search criteria. You can then use the field extractor to select sample values and generate a regex for your new field.

Event Actions > Extract Fields: This is another way to access the field extractor. Event actions are actions that you can perform on individual events in your search results, such as viewing event details, adding to report, adding to dashboard, etc. When you click on Extract Fields in the event actions menu, Splunk will use the current event as the sample event for your data and ask you to select the source type and data type for your data. You can then use the field extractor to select sample values and generate a regex for your new field.

Settings > Field Extractions > New Field Extraction: This is a more advanced way to access the field extractor. Settings is a menu that allows you to configure various aspects of Splunk, such as indexes, inputs, outputs, users, roles, apps, etc. When you click on New Field Extraction in the Settings menu, Splunk will ask you to enter all the details for your new field extraction manually, such as app context, name, source type, data type, sample event, regex, etc. You can then use the field extractor to verify or modify your regex for your new field.

Which statement is true?

A. Pivot is used for creating datasets.
B. Data models are randomly structured datasets.
C. Pivot is used for creating reports and dashboards.
D. In most cases, each Splunk user will create their own data model.
Suggested answer: C

Explanation:

Pivot is used for creating reports and dashboards. Pivot is a tool that allows you to create reports and dashboards from your data models without writing any SPL commands. Pivot can help you visualize and analyze your data using various options, such as filters, rows, columns, cells, charts, tables, maps, etc. Pivot can also help you accelerate your reports and dashboards by using summary data from your accelerated data models.

Pivot is not used for creating datasets or data models. Datasets are collections of events that represent your data in a structured and hierarchical way. Data models are predefined datasets for various domains, such as network traffic, web activity, authentication, etc. Datasets and data models can be created by using commands such as datamodel or pivot.

When should transaction be used?

A. Only in a large distributed Splunk environment.
B. When calculating results from one or more fields.
C. When event grouping is based on start/end values.
D. When grouping events results in over 1000 events in each group.
Suggested answer: C

When using | timechart by host, which field is represented on the x-axis?

A. date
B. host
C. time
D. _time
Suggested answer: A
Total 291 questions