
QUESTION 41

- (Exam Topic 2)
Which of the following examples would use a POST workflow action?

Correct Answer: B
The correct answer is B. Use the field values in an HTTP error event to create a new ticket in an external system.
A workflow action is a knowledge object that enables a variety of interactions between fields in events and other web resources. Workflow actions can create HTML links, generate HTTP POST requests, or launch secondary searches based on field values [1].
There are three types of workflow actions that can be set up using Splunk Web: GET, POST, and Search [2].
- GET workflow actions create typical HTML links to do things like perform Google searches on specific values or run domain name queries against external WHOIS databases [2].
- POST workflow actions generate an HTTP POST request to a specified URI. This action type enables you to do things like creating entries in external issue management systems using a set of relevant field values [2].
- Search workflow actions launch secondary searches that use specific field values from an event, such as a search that looks for the occurrence of specific combinations of ipaddress and http_status field values in your index over a specific time range [2].
Therefore, the example that would use a POST workflow action is B. Use the field values in an HTTP error event to create a new ticket in an external system. This example requires sending an HTTP POST request to the URI of the external system with the field values from the event as arguments.
The other examples would use different types of workflow actions. These examples are:
- A. Perform an external IP lookup based on a domain value found in events: This example would use a GET workflow action to create a link to an external IP lookup service with the domain value as a parameter.
- C. Launch secondary Splunk searches that use one or more field values from selected events: This example would use a Search workflow action to run another Splunk search with the field values from the event as search terms.
- D. Open a web browser to look up an HTTP status code: This example would also use a GET workflow action to create a link to a web page that explains the meaning of the HTTP status code.
References:
[1] Splexicon:Workflowaction
[2] About workflow actions in Splunk Web

QUESTION 42

- (Exam Topic 2)
Use this command to use lookup fields in a search and see the lookup fields in the field sidebar.

Correct Answer: B

QUESTION 43

- (Exam Topic 1)
Which of the following eval command functions is valid?

Correct Answer: D
The eval command supports a number of functions that you can use in your expressions to perform calculations, conversions, string manipulations and more [2]. One of the eval command functions is tostring(), which converts a numeric value to a string value [2]. Therefore, option D is correct, while options A, B and C are incorrect because they are not valid eval command functions.

QUESTION 44

- (Exam Topic 2)
Which of the following eval command functions is valid?

Correct Answer: D
https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/CommonEvalFunctions
The eval command function tostring() is valid. The tostring() function converts a numeric value to a string value. For example, tostring(3.14) returns “3.14”. The other functions are not valid eval command functions.

QUESTION 45

- (Exam Topic 2)
Which of the following statements describes the use of the Field Extractor (FX)?

Correct Answer: C
The statement that fields extracted using the Field Extractor persist as knowledge objects is true. The Field Extractor (FX) is a graphical tool that allows you to extract fields from raw events using regular expressions or delimiters. The fields extracted by the FX are saved as knowledge objects that can be used in future searches or shared with other users.