What is a limitation of searches generated by workflow actions?
A. Searches generated by workflow actions cannot use macros.
B. Searches generated by workflow actions must be less than 256 characters long.
C. Searches generated by workflow actions must run in the same app as the workflow action.
D. Searches generated by workflow actions run with the same permissions as the user running them.
Correct Answer: D

Select this in the fields sidebar to automatically pipe your search results to the rare command.
A. events with this field
B. rare values
C. top values by time
D. top values
Correct Answer: B

Which of the following searches show a valid use of a macro? (Select all that apply)
A. index=main source=mySource oldField=* | `makeMyField(oldField)` | table _time newField
B. index=main source=mySource oldField=* | stats if(`makeMyField(oldField)`) | table _time newField
C. index=main source=mySource oldField=* | eval newField=`makeMyField(oldField)` | table _time newField
D. index=main source=mySource oldField=* | "`newField(`makeMyField(oldField)`)`" | table _time newField
Correct Answer: AB
Reference: https://answers.splunk.com/answers/574643/field-showing-an-additional-and-not-visible-value-1.html

A data model can consist of what three types of datasets?
A. Pivot, searches, and events.
B. Pivot, events, and transactions.
C. Searches, transactions, and pivot.
D. Events, searches, and transactions.
Correct Answer: D
Reference: https://docs.splunk.com/Splexicon:Datamodeldataset

Which of the following about reports is/are true?
A. Reports are knowledge objects.
B. Reports can be scheduled.
C. Reports can run a script.
D. All of the above.
Correct Answer: D

Which search would limit an "alert" tag to the "host" field?
A. tag=alert
B. host::tag::alert
C. tag==alert
D. tag::host=alert
Correct Answer: D

These allow you to categorize events based on search terms. Select your answer:
A. Groups
B. Event Types
C. Macros
D. Tags
Correct Answer: B

Selected fields are displayed ______ each event in the search results.
A. below
B. interesting fields
C. other fields
D. above
Correct Answer: A

In the following eval statement, what is the value of description if the status is 503?
index=main | eval description=case(status==200, "OK", status==404, "Not found", status==500, "Internal Server Error")
A. The description field would contain no value.
B. The description field would contain the value 0.
C. The description field would contain the value "Internal Server Error".
D. This statement would produce an error in Splunk because it is incomplete.
Correct Answer: C
Reference: https://docs.splunk.com/Documentation/Splunk/8.1.1/SearchReference/ConditionalFunctions

When extracting fields, we may choose to use our own regular expressions.
A. True
B. False
Correct Answer: A

Which of the following are valid options with the chart command? (Select all that apply)
A. useother
B. usenull
C. fillfield
D. usefiled
Correct Answer: AB

The time range specified for a historical search defines the ____________. (Note: the given answer is questionable.)
A. Amount of data shown on the timeline as data streams in
B. Amount of data fetched from index matching that time range
C. Time range for the static results
Correct Answer: B

Data models are composed of one or more of which of the following datasets? (Select all that apply)
A. Events datasets
B. Search datasets
C. Transaction datasets
D. Any child of event, transaction, and search datasets
Correct Answer: ABC
Reference: https://docs.splunk.com/Documentation/Splunk/8.0.3/Knowledge/Aboutdatamodels