What is the correct syntax to count the number of events containing a vendor_action field?
C
Explanation:
The stats command calculates statistics based on fields in the events. The count function counts the
number of events that match the criteria. The syntax is stats count (field_name), where field_name is
the name of the field that contains the value to be counted. In this case, vendor_action is the field
name, so stats count (vendor_action) is the correct syntax. Reference:
Splunk Core User Certification
Exam Study Guide
, page 23.
By default, which of the following fields would be listed in the fields sidebar under interesting Fields?
D
Explanation:
The fields sidebar in Splunk shows the default fields and the interesting fields for the events that
match your search. The default fields are host, source, and sourcetype, which are extracted for every
event at index time. The interesting fields are fields that appear in at least 20% of the events in your
search results.
You can also select additional fields to display in the fields sidebar1
.
By default, the index field is not listed in the fields sidebar, because it is not a default field nor an
interesting field. The index field is a metadata field that indicates which index the event belongs to.
Metadata fields are not extracted from the event data, but are added by the indexer as part of the
indexing process.
Metadata fields are not shown in the fields sidebar, but you can use them in your
search queries2
.
Therefore, among the four options, only sourcetype would be listed in the fields sidebar under
interesting fields by default.
Reference
Use fields to search
About default fields
When looking at a dashboard panel that is based on a report, which of the following is true?
C
Explanation:
When looking at a dashboard panel that is based on a report, you cannot modify the search string in
the panel, but you can change and configure the visualization. This is because the dashboard panel
inherits the search string from the report, and any changes to the search string will affect the report
as well. However, you can customize the visualization settings for the dashboard panel without
affecting the report. Reference:
Splunk Core User Certification Exam Study Guide
, page 37.
Which of the following is a best practice when writing a search string?
C
Explanation:
A best practice when writing a search string is to include the search terms at the beginning of the
search string. This helps Splunk narrow down the events that match your search criteria and improve
the search performance. Formatting commands and functions can be added later in the search
pipeline to manipulate and display the results. Reference:
Splunk Core User Certification Exam Study
Guide
, page 13.
What type of search can be saved as a report?
D
Explanation:
Only searches that generate statistics or visualizations can be saved as a report. These are searches
that contain a transforming command, such as stats, chart, timechart, top, rare, etc. Transforming
commands create a data table from the events and enable various types of visualizations. Searches
that do not contain a transforming command can only be saved as an alert or a dashboard panel.
Reference:
Splunk Core User Certification Exam Study Guide
, page 35.
What can be included in the All Fields option in the sidebar?
C
What syntax is used to link key/value pairs in search strings?
B
When viewing the results of a search, what is an Interesting Field?
D
What syntax is used to link key/value pairs in search strings?
D
When a Splunk search generates calculated data that appears in the Statistics tab. in what formats
can the results be exported?
D
Which of the following are functions of the stats command?
C
In a deployment with multiple indexes, what will happen when a search is run and an index is not
specified in the search string?
D
Which search matches the events containing the terms "error" and "fail"?
A
Explanation:
Reference: https://docs.splunk.com/Documentation/Splunk/7.3.1/SearchReference/Search
Which of the following is an option after clicking an item in search results?
A
When placed early in a search, which command is most effective at reducing search execution time?
A