SPLK-1002 Practice Test

A calculated field maybe based on which of the following?

A.

Lookup tables

B.

Extracted fields

C.

Regular expressions

D.

Fields generated within a search string

Which are valid ways to create an event type? (select all that apply)

A.

By using the searchtypes command in the search bar.

B.

By editing the event_type stanza in the props.conf file.

C.

By going to the Settings menu and clicking Event Types > New.

D.

By selecting an event in search results and clicking Event Actions > Build Event Type

Which of the following statements describe the search string below?
dacamodel Application_State All_Application_State search

A.

Events will be returned from dataset named Application_state.

B.

Events will be returned from the data model named Application_State.

C.

Events will be returned from the data model named All_Application_state.

D.

No events will be returned because the pipe should occur after the datamodel command

What is required for a macro to accept three arguments?

A.

The macro's name ends with (3).

B.

The macro's name starts with (3).

C.

The macro's argument count setting is 3 or more.

D.

Nothing, all macros can accept any number of arguments

Which of the following actions can the aval command perform?

A.

Remove fields from results.

B.

Create or replace an existing field.

C.

Group transactions by one or more fields.

D.

Save SPL commands to be reused in other searches.