This is what Splunk uses to categorize the data that is being indexed.
A. source type
B. index
C. source
D. host
Correct Answer: A

What will you learn from the results of the following search? sourcetype=cisco_esa | transaction mid, dcid, icid | timechart avg(duration)
A. The average time elapsed during each transaction for all transactions
B. The average time for each event within each transaction
C. The average time between each transaction
Correct Answer: A

Which of the following statements describe the Common Information Model (CIM)? (select all that apply)
A. CIM is a methodology for normalizing data.
B. CIM can correlate data from different sources.
C. The Knowledge Manager uses the CIM to create knowledge objects.
D. CIM is an app that can coexist with other apps on a single Splunk deployment.
Correct Answer: AB
Reference: https://docs.splunk.com/Documentation/CIM/4.15.0/User/Overview

Which of the following describes the Splunk Common Information Model (CIM) add-on?
A. The CIM add-on uses machine learning to normalize data.
B. The CIM add-on contains dashboards that show how to map data.
C. The CIM add-on contains data models to help you normalize data.
D. The CIM add-on is automatically installed in a Splunk environment.
Correct Answer: C

To identify all of the contributing events within a transaction that contains at least one REJECT event, which syntax is
A. Index-main | REJECT trans session
B. Index-main | transaction sessionid | search REJECT
C. Index=main | transaction sessionid | whose transaction=reject
D. Index=main | transaction sessionid | where transaction=reject''
Correct Answer: B

Which of the following statements describes POST workflow actions?
A. Configuration of a POST workflow action includes choosing a source type.
B. POST workflow actions can be configured to send emails to the URI location.
C. By default, POST workflow actions are shown in both the event and field menus.
D. POST workflow actions can be configured to send POST arguments to the URI location.
Correct Answer: C
Reference: https://docs.splunk.com/Documentation/Splunk/8.0.3/Knowledge/SetupaPOSTworkflowaction

Which of the following file formats can be extracted using a delimiter field extraction?
Correct Answer: A

Which of these search strings is NOT valid:
A. index=web status=50* | chart count over the host, status
B. index=web status=50* | chart count over host by status
C. index=web status=50* | chart count by the host, status
Correct Answer: A

A report scheduled to run every 15 minutes but that takes 17 minutes to complete is in danger of being _____.
A. skipped or deferred
B. automatically accelerated
C. deleted
D. all of the above
Correct Answer: A

In most large Splunk environments, what is the most efficient command that can be used to group events by fields/
A. join
B. stats
C. streamstats
D. transaction
Correct Answer: B
Reference: https://docs.splunk.com/Documentation/Splunk/8.0.2/Search/Abouttransactions
"In other cases, it's usually better to use the stats command, which performs more efficiently, especially in a distributed environment. Often there is a unique ID in the events and stats can be used."

Which of the following statements describes field aliases?
A. Field alias names replace the original field name.
B. Field aliases can be used in lookup file definitions.
C. Field aliases only normalize data across sources and source types.
D. Field alias names are not case sensitive when used as part of a search.
Correct Answer: D

Which of the following searches will show the number of categories used by each host?
A. Sourcetype=access_* |sum bytes by host
B. Sourcetype=access_* |stats sum(categoryId) by host
C. Sourcetype=access_* |sum(bytes) by host
D. Sourcetype=access_* |stats sum by host
Correct Answer: B

When using | timechart by host, which field is represented on the x-axis?
A. date
B. host
C. time
D. _time
Correct Answer: C
Reference: https://docs.splunk.com/Documentation/Splunk/8.0.4/SearchReference/Timechart

