- (Exam Topic 1)
Which of the following statements describe data model acceleration? (select all that apply)

1. A. Root events cannot be accelerated.
2. B. Accelerated data models cannot be edited.
3. C. Private data models cannot be accelerated.
4. D. You must have administrative permissions or the accelerate_dacamodel capability to accelerate a data model.

Correct Answer: BCD
Data model acceleration is a feature that speeds up searches on data models by creating and storing summaries of the data model datasets1. To enable data model acceleration, you must have administrative permissions or the accelerate_datamodel capability1. Therefore, option D is correct. Accelerated data models cannot be edited unless you disable the acceleration first1. Therefore, option B is correct. Private data models cannot be accelerated because they are not visible to other users1. Therefore, option C is correct. Root events can be accelerated as long as they are not based on a search string1. Therefore, option A is incorrect.

- (Exam Topic 1)
What does the following search do?

1. A. Creates a table of the total count of users and split by corndogs.
2. B. Creates a table of the total count of mysterymeat corndogs split by user.
3. C. Creates a table with the count of all types of corndogs eaten split by user.
4. D. Creates a table that groups the total number of users by vegetarian corndogs.

Correct Answer: B
The search string below creates a table of the total count of mysterymeat corndogs split by user.
| stats count by user | where corndog=mysterymeat The search string does the following:
It uses the stats command to calculate the count of events for each value of the user field. The stats command creates a table with two columns: user and count.
It uses the where command to filter the results by the value of the corndog field. The where command only keeps the rows where corndog equals mysterymeat.
Therefore, the search string creates a table of the total count of mysterymeat corndogs split by user.

- (Exam Topic 2)
which of the following commands are used when creating visualizations(select all that apply.)

1. A. Geom
2. B. Choropleth
3. C. Geostats
4. D. iplocation

Correct Answer: ACD
The following commands are used when creating visualizations: geom, geostats, and iplocation. Visualizations are graphical representations of data that show trends, patterns, or comparisons. Visualizations can have different types, such as charts, tables, maps, etc. Visualizations can be created by using various commands that transform the data into a suitable format for the visualization type. Some of the commands that are used when creating visualizations are:
geom: This command is used to create choropleth maps that show geographic regions with different colors based on some metric. The geom command takes a KMZ file as an argument that defines the geographic regions and their boundaries. The geom command also takes a field name as an argument that specifies the metric to use for coloring the regions.
geostats: This command is used to create cluster maps that show groups of events with different sizes and colors based on some metric. The geostats command takes a latitude and longitude field as arguments that specify the location of the events. The geostats command also takes a statistical function as an argument that specifies the metric to use for sizing and coloring the clusters.
iplocation: This command is used to create location-based visualizations that show events with different attributes based on their IP addresses. The iplocation command takes an IP address field as an argument and adds some additional fields to the events, such as Country, City, Latitude, Longitude, etc. The iplocation command can be used with other commands such as geom or geostats to create maps based on IP addresses.

- (Exam Topic 2)
The macro weekly sales (2) contains the search string: index=games | eval ProductSales = $Price$ * $AmountSold$
Which of the following will return results?

1. A. ‘weekly sales (3)’
2. B. ‘weekly_sales($3.995, $108)’
3. C. 'weekly_sales (3.99, 10)’
4. D. ‘weekly sales (3.99, 10)’

Correct Answer: C
To use a search macro in a search string, you need to place a back tick character (`) before and after the macro name1. You also need to use the same number of arguments as defined in the macro2. The macro weekly sales (2) has two arguments: Price and AmountSold. Therefore, you need to provide two values for these arguments when you call the macro.
The option A is incorrect because it uses parentheses instead of back ticks around the macro name. The option B is incorrect because it uses underscores instead of spaces in the macro name. The option D is incorrect because it uses spaces instead of commas to separate the argument values.
Reference: 1 Use search macros in searches - Splunk Documentation 2 Define search macros in Settings - Splunk Documentation

- (Exam Topic 1)
What does the fillnull command replace null values with, it the value argument is not specified?

1. A. N/A
2. B. NaN
3. C. NULL

Correct Answer: A
Reference: https://answers.splunk.com/answers/653427/fillnull-doesnt-work-without-specfying-a-field.html The fillnull command is a search command that replaces null values with a specified value or 0 if no value is
specified. Null values are values that are missing, empty, or undefined in Splunk. The fillnull command can replace null values for all fields or for specific fields. The fillnull command can take an optional argument called value that specifies the value to replace null values with. If no value argument is specified, the fillnull command will replace null values with 0 by default.