QUESTION 26

- (Exam Topic 2)
When would a user select delimited field extractions using the Field Extractor (FX)?

Correct Answer: A
The correct answer is A: when a log file has values that are separated by the same character, for example, commas.
The Field Extractor (FX) is a utility in Splunk Web that allows you to create new fields from your events by using either regular expressions or delimiters. The FX provides a graphical interface that guides you through the steps of defining and testing your field extractions [1].
The FX supports two field extraction methods: regular expression and delimited. The regular expression method works best with unstructured event data, such as logs or messages, that do not have a consistent format or structure. You select a sample event and highlight one or more fields to extract from that event, and the FX generates a regular expression that matches similar events in your data set and extracts the fields from them [1].
The delimited method is designed for structured event data: data from files with headers, where all of the fields in the events are separated by a common delimiter, such as a comma, a tab, or a space. You select a sample event, identify the delimiter, and then rename the fields that the FX finds [1].
Therefore, you would select the delimited field extraction method when you have a log file that has values that are separated by the same character, for example, commas. This method will allow you to easily extract the fields based on the delimiter without writing complex regular expressions.
The other options are not correct because they are not suitable for the delimited field extraction method. These options are:
- B. When a log file contains empty lines or comments: This option does not indicate that the log file has a structured format or a common delimiter. The delimited method might not work well with this type of data, as it might miss some fields or include some unwanted values.
- C. With structured files such as JSON or XML: This option does not require the delimited method, as Splunk can automatically extract fields from JSON or XML files by using indexed extractions or search-time extractions [2]. The delimited method might not work well with this type of data, as it might not recognize the nested structure or the special characters.
- D. When the file has a header that might provide information about its structure or format: This option does not indicate that the file has a common delimiter between the fields. The delimited method might not work well with this type of data, as it might not be able to identify the fields based on the header information.
References:
- [1] Build field extractions with the field extractor
- [2] Configure indexed field extraction
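As an added illustration (not code from Splunk or from the exam material), the following is a simplified model of a delimited extraction: it names the pieces of each event after a header row, and it flags the lines the page says the delimited method handles badly (comment lines, empty lines, stray extra delimiters). The sample log is constructed for this example; the function name `extract_delimited` is an assumption.

```python
# Constructed sample: a header row plus events, with a comment line, an empty
# line and an event carrying one extra delimiter mixed in.
CONSTRUCTED_LOG = """\
timestamp,src_ip,user,action
2024-01-01T10:00:00Z,10.0.0.5,alice,login
# comment line written by the exporter
2024-01-01T10:00:05Z,10.0.0.7,bob,logout

2024-01-01T10:00:09Z,10.0.0.9,carol,login,extra_value
"""


def extract_delimited(text, delimiter=","):
    """Model of a delimited field extraction (hypothetical helper).

    The first line is the header; every following line is split on
    `delimiter` and its pieces are named after the header fields, which is
    what the FX's delimited method does with a delimiter and a header row.

    Returns (events, problems): `events` holds one dict per clean event,
    `problems` holds (line number, raw line, field count) for lines whose
    field count does not line up with the header. Those are the lines that
    a purely positional extraction would misread.
    """
    lines = text.splitlines()
    header = lines[0].split(delimiter)
    events, problems = [], []
    for lineno, line in enumerate(lines[1:], start=2):
        values = line.split(delimiter)
        if len(values) != len(header):
            # A comment line yields one piece, an empty line yields [''],
            # and an extra delimiter yields one piece too many.
            problems.append((lineno, line, len(values)))
            continue
        events.append(dict(zip(header, values)))
    return events, problems


if __name__ == "__main__":
    evts, probs = extract_delimited(CONSTRUCTED_LOG)
    for e in evts:
        print(e)
    for lineno, line, n in probs:
        print(f"line {lineno}: {n} field(s) does not match header: {line!r}")
```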

QUESTION 27

- (Exam Topic 2)
Which of the following statements about tags is true?

Correct Answer: B

- Tags are a knowledge object that allow you to assign an alias to one or more field values. Tags are applied to events at search time and can be used as search terms or filters.
- Tags can help you make your data more understandable by replacing cryptic or complex field values with meaningful names. For example, you can tag the value 200 in the status field as success, or the value 404 as not_found.

QUESTION 28

- (Exam Topic 2)
What other syntax will produce exactly the same results as | chart count over vendor_action by user?

Correct Answer: A
https://docs.splunk.com/Documentation/Splunk/8.1.2/SearchReference/Chart

QUESTION 29

- (Exam Topic 2)
Complete the search, …. | _______ failure>successes

Correct Answer: B
The where command can be used to complete the search below.
… | where failure>successes
The where command is a search command that allows you to filter events based on complex or custom criteria. The where command can use any boolean expression or function to evaluate each event and determine whether to keep it or discard it. The where command can also compare fields or perform calculations on fields using operators such as >, <, =, +, -, etc. The where command can be used after any transforming command that creates a table or a chart.
The search string below does the following:
- It uses … to represent any search criteria or commands before the where command.
- It uses the where command to filter events based on a comparison between two fields: failure and successes.
- It uses the greater than operator (>) to compare the values of the failure and successes fields for each event.
- It only keeps events where failure is greater than successes.

QUESTION 30

- (Exam Topic 2)
For choropleth maps, Splunk ships with the following KMZ files (select all that apply)

Correct Answer: AD
Splunk ships with two KMZ files for choropleth maps: States of the United States and Countries of the World. A KMZ file is a compressed file that contains a KML file and other resources; a KML file is an XML file that defines geographic features and their properties. A KMZ file can be used to create choropleth maps in Splunk with the geom command. A choropleth map is a type of map that shows geographic regions in different colors based on some metric. The two KMZ files that define the geographic regions are:
- States of the United States: This KMZ file defines the 50 states of the United States and their boundaries. The name of this KMZ file is us_states.kmz and it is located in the $SPLUNK_HOME/etc/apps/maps/appserver/static/geo directory.
- Countries of the World: This KMZ file defines the countries of the world and their boundaries. The name of this KMZ file is world_countries.kmz and it is located in the $SPLUNK_HOME/etc/apps/maps/appserver/static/geo directory.
Splunk does not ship with KMZ files for States and provinces of the United States and Canada or Countries of the European Union. However, you can create your own KMZ files or download them from external sources and use them in Splunk.
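To show what the KMZ files described above actually contain, here is an added example (not Splunk's code) that builds a small KMZ in memory, a zip archive holding a KML document, and reads the region names back out of it. The two-region KML document is constructed for this example, and `build_kmz` and `kmz_region_names` are assumed helper names; the size check is the kind of guard worth having when loading KMZ files downloaded from external sources, as the answer above suggests.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

KML_NS = "http://www.opengis.net/kml/2.2"

# Constructed KML with two polygon regions, the shape a choropleth map needs.
CONSTRUCTED_KML = f"""<?xml version="1.0" encoding="UTF-8"?>
<kml xmlns="{KML_NS}">
  <Document>
    <Placemark>
      <name>Example Region A</name>
      <Polygon><outerBoundaryIs><LinearRing>
        <coordinates>0,0,0 1,0,0 1,1,0 0,1,0 0,0,0</coordinates>
      </LinearRing></outerBoundaryIs></Polygon>
    </Placemark>
    <Placemark>
      <name>Example Region B</name>
      <Polygon><outerBoundaryIs><LinearRing>
        <coordinates>2,2,0 3,2,0 3,3,0 2,3,0 2,2,0</coordinates>
      </LinearRing></outerBoundaryIs></Polygon>
    </Placemark>
  </Document>
</kml>
"""


def build_kmz(kml_text):
    """A KMZ is a zip archive containing a KML file (plus optional resources)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("doc.kml", kml_text)
    return buf.getvalue()


def kmz_region_names(kmz_bytes, max_kml_bytes=50_000_000):
    """Return the Placemark names (the map regions) defined in a KMZ file."""
    with zipfile.ZipFile(io.BytesIO(kmz_bytes)) as zf:
        kml = [i for i in zf.infolist() if i.filename.lower().endswith(".kml")]
        if not kml:
            raise ValueError("KMZ contains no .kml entry")
        # Reject an oversized KML before decompressing it, not after.
        if kml[0].file_size > max_kml_bytes:
            raise ValueError("KML entry exceeds size limit")
        root = ET.fromstring(zf.read(kml[0]))
    placemarks = root.iter(f"{{{KML_NS}}}Placemark")
    return [pm.findtext(f"{{{KML_NS}}}name") for pm in placemarks]


if __name__ == "__main__":
    print(kmz_region_names(build_kmz(CONSTRUCTED_KML)))
```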