- (Exam Topic 1)
What functionality does the Splunk Common Information Model (CIM) rely on to normalize fields with different names?

1. A. Macros.
2. B. Field aliases.
3. C. The rename command.
4. D. CIM does not work with different names for the same field.

Correct Answer: B
The Splunk Common Information Model (CIM) add-on helps you normalize your data from different sources and make it easier to analyze and report on it3. One of the functionalities that the CIM add-on relies on to normalize fields with different names is field aliases3. Field aliases allow you to assign an alternative name to an existing field without changing the original field name or value2. By using field aliases, you can map different field names from different sources or sourcetypes to a common field name that conforms to the CIM standard3. Therefore, option B is correct, while options A, C and D are incorrect.

- (Exam Topic 2)
In the Field Extractor, when would the regular expression method be used?

1. A. When events contain JSON data.
2. B. When events contain comma-separated data.
3. C. When events contain unstructured data.
4. D. When events contain table-based data.

Correct Answer: C
The correct answer is C. When events contain unstructured data.
The regular expression method works best with unstructured event data, such as log files or text messages, where the fields are not separated by a common delimiter, such as a comma or space1. You select a sample event and highlight one or more fields to extract from that event, and the field extractor generates a regular expression that matches similar events in your dataset and extracts the fields from them1. The regular expression method provides several tools for testing and refining the accuracy of the regular expression. It also allows you to manually edit the regular expression1.
The delimiters method is designed for structured event data: data from files with headers, where all of the fields in the events are separated by a common delimiter, such as a comma or space1. You select a sample event, identify the delimiter, and then rename the fields that the field extractor finds1. This method is simpler and faster than the regular expression method, but it may not work well with complex or irregular data formats1.
Reference:
1: Build field extractions with the field extractor - Splunk Documentation

- (Exam Topic 2)
_________ datasets can be added to root dataset to narrow down the search

1. A. parent
2. B. extracted
3. C. event
4. D. child

Correct Answer: D
Child datasets can be added to root datasets to narrow down the search. Datasets are collections of events that represent your data in a structured and hierarchical way. Datasets can be created by using commands such as datamodel or pivot. Datasets can have different types, such as events, search, transaction, etc. Datasets can also have different levels, such as root or child. Root datasets are base datasets that contain all events from a data model or an index. Child datasets are derived datasets that contain a subset of events from a parent dataset based on some constraints, such as search terms, fields, time range, etc. Child datasets can be added to root datasets to narrow down the search and filter out irrelevant events.

- (Exam Topic 1)
What is the correct syntax to search for a tag associated with a value on a specific fields?

1. A. Tag-<field?
2. B. Tag<filed(tagname.)
3. C. Tag=<filed>::<tagname>
4. D. Tag::<filed>=<tagname>

Correct Answer: D
Reference: https://docs.splunk.com/Documentation/Splunk/8.0.3/Knowledge/TagandaliasfieldvaluesinSplunkWeb
A tag is a descriptive label that you can apply to one or more fields or field values in your events2. You can use tags to simplify your searches by replacing long or complex field names or values with short and simple tags2. To search for a tag associated with a value on a specific field, you can use the following
syntax: tag::<field>=<tagname>2. For example, tag::status=error will search for events where the status fie
has a tag named error. Therefore, option D is correct, while options A, B and C are incorrect because they do not follow the correct syntax for searching tags.

- (Exam Topic 2)
When using the transaction command, how are evicted transactions identified?

1. A. Closed_txn field is set to o, or false.
2. B. Max_txn field is set to O, or false.
3. C. Txn_field is set to 1, or true.
4. D. open_txn field is set to 1, or true.

Correct Answer: A
The transaction command is a Splunk command that finds transactions based on events that meet various constraints1.
Transactions are made up of the raw text (the _raw field) of each member, the time and date fields of the earliest member, as well as the union of all other fields of each member1.
The transaction command adds some fields to the raw events that are part of the transaction12. These fields are:
duration: The difference, in seconds, between the timestamps for the first and last events in the transaction12.
eventcount: The number of events in the transaction12.
closed_txn: A Boolean field that indicates whether the transaction is closed or evicted2. A transaction is closed if it meets one of the following conditions: maxevents, maxpause, maxsp or startswith2. A transaction is evicted if it does not meet any of these conditions and exceeds th memory limit specified by maxopentxn or maxopenevents23.
Therefore, evicted transactions can be distinguished from non-evicted transactions by checking the value of the closed_txn field. The closed_txn field is set to 0, or false, for evicted transactions and 1 for non-evicted, or closed, transactions23.