- (Exam Topic 2)
When defining a macro, what are the required elements?

1. A. Name and arguments.
2. B. Name and a validation error message.
3. C. Name and definition.
4. D. Definition and arguments.

Correct Answer: C
When defining a search macro, the required elements are the name and the definition of the macro. The name is a unique identifier for the macro that can be used to invoke it in other searches. The definition is the search string that the macro expands to when referenced. The arguments, validation expression, and validation error message are optional elements that can be used to customize the macro behavior and input validation2
1: Splunk Core Certified Power User Track, page 9. 2: Splunk Documentation, Define search macros in Settings.

- (Exam Topic 1)
When using the Field Extractor (FX), which of the following delimiters will work? (select all that apply)

1. A. Tabs
2. B. Pipes
3. C. Colons
4. D. Spaces

Correct Answer: ABD
Reference: https://docs.splunk.com/Documentation/Splunk/8.0.3/Knowledge/FXSelectMethodstep https://community.splunk.com/t5/Splunk-Search/Field-Extraction-Separate-on-Colon/m-p/29751
The Field Extractor (FX) is a tool that helps you extract fields from your data using delimiters or regular expressions. Delimiters are characters or strings that separate fields in your data. Some of the delimiters that will work with FX are:
Tabs: horizontal spaces that align text in columns.
Pipes: vertical bars that often indicate logical OR operations. Spaces: blank characters that separate words or symbols. Therefore, the delimiters A, B, and D will work with FX.

- (Exam Topic 2)
In this search, ________ will appear on the y-axis. SEARCH: sourcetype=access_combined status!=200 | chart count over host

1. A. status
2. B. host
3. C. count

Correct Answer: C
In this search, count will appear on the y-axis2. This search uses the chart command to create a chart of the count of events over host for events that have status not equal to 2002. The chart command creates a table with one column for each value of the field after the over clause and one row for each value of the field after the by clause (if any)2. The values in the table are calculated by applying the function before the over clause to the events in each group2. In this case, the chart command creates a table with one column for each host and one row for the count of events for each host. The y-axis of the chart shows the values of the count function applied to each host. Therefore, option C is correct, while options A and B are incorrect because they appear on the x-axis or as labels of the chart.

- (Exam Topic 2)
Clicking a SEGMENT on a chart, _______.

1. A. drills down for that value
2. B. highlights the field value across the chart
3. C. adds the highlighted value to the search criteria

Correct Answer: C

- (Exam Topic 2)
Which of the following statements are true for this search? (Select all that apply.)
SEARCH: sourcetype=access* |fields action productld status

1. A. is looking for all events that include the search terms: fields AND action AND productld AND status
2. B. users the table command to improve performance
3. C. limits the fields are extracted
4. D. returns a table with 3 columns

Correct Answer: C