- (Exam Topic 2)
In most large Splunk environments, what is the most efficient command that can be used to group events by fields/

1. A. join
2. B. stats
3. C. streamstats
4. D. transaction

Correct Answer: B
https://docs.splunk.com/Documentation/Splunk/8.0.2/Search/Abouttransactions
In other cases, it's usually better to use the stats command, which performs more efficiently, especially in a distributed environment. Often there is a unique ID in the events and stats can be used.

- (Exam Topic 2)
What are the expected results for a search that contains the command | where A=B?

1. A. Events that contain the string value where A=B.
2. B. Events that contain the string value A=B.
3. C. Events where values of field are equal to values of field B.
4. D. Events where field A contains the string value B.

Correct Answer: C
The correct answer is C. Events where values of field A are equal to values of field B.
The where command is used to filter the search results based on an expression that evaluates to true or false. The where command can compare two fields, two values, or a field and a value. The where command can also use functions, operators, and wildcards to create complex expressions1.
The syntax for the where command is:
| where <expression>
The expression can be a comparison, a calculation, a logical operation, or a combination of these. The expression must evaluate to true or false for each event.
To compare two fields with the where command, you need to use the field names without any quotation marks. For example, if you want to find events where the values for the field A match the values for the field
B, you can use the following syntax:
| where A=B
This will return only the events where the two fields have the same value.
The other options are not correct because they use different syntax or fields that are not related to the where command. These options are:
A. Events that contain the string value where A=B: This option uses the string value where A=B as a search term, which is not valid syntax for the where command. This option will return events that have the literal text “where A=B” in them.
B. Events that contain the string value A=B: This option uses the string value A=B as a search term, which is not valid syntax for the where command. This option will return events that have the literal text “A=B” in them.
D. Events where field A contains the string value B: This option uses quotation marks around the value B, which is not valid syntax for comparing fields with the where command. Quotation marks are used to enclose phrases or exact matches in a search2. This option will return events where the field A contains the string value “B”.
References:
where command usage
Search command cheatsheet

- (Exam Topic 2)
which of the following are valid options with the chart command

1. A. useother
2. B. usenull
3. C. fillfield
4. D. usefiled

Correct Answer: AB

- (Exam Topic 2)
Which of the following statements describes calculated fields?

1. A. Calculated fields are only used on fields added by lookups.
2. B. Calculated fields are a shortcut for repetitive and complex eval commands.
3. C. Calculated fields are a shortcut for repetitive and complex calc commands.
4. D. Calculated fields automatically calculate the simple moving average for indexed fields.

Correct Answer: B

- (Exam Topic 2)
When is a GET workflow action needed?

1. A. To send field values to an external resource.
2. B. To retrieve information from an external resource.
3. C. To use field values to perform a secondary search.
4. D. To define how events flow from forwarders to indexes.

Correct Answer: B