Splunk QA Official

Splunk questions and answers

Uploaded by

Rithik Jaswal
SPLUNK CORE CERTIFIED POWER USER MCQ (from SPLUNK WEBSITE)

1. Which of the following searches will return results containing the words fail, failure, or failed?
a) fail
b) fail*
c) fail+
d) *fail

➔ B

2. What are the default roles in Splunk Enterprise?


a) Admin
b) User
c) Power
d) Manager

➔ a,b,c

3. What is the most efficient way to limit search results returned?


a) host
b) time
c) source
d) index

➔ b

4. When a search is run, in what order are events returned?


a) Alphanumeric order
b) Chronological order
c) Reverse alphanumeric order
d) Reverse chronological order

➔ D

5. By default, who is able to view a saved report?


a) any user with the viewreports capability
b) Any user with a power or admin role
c) The user who created it
d) Any user with a power or admin role

➔ C
6. Which search mode behaves differently depending on the type of search being run?
a) Verbose
b) Variable
c) Smart
d) Fast

➔ C

7. By default, how long does a search job remain active?


a) 10 minutes
b) 7 days
c) 30 minutes

➔ A

8. Which character is used in a search before a command?


a) A quotation mark (")
b) A tilde (~)
c) A backtick (`)
d) A pipe (|)

➔ D

9. What determines the timestamp shown on returned events in a search?


a) The time zone where the event originated.
b) Timestamps are displayed in epoch time.
c) The time zone defined in user settings.
d) Timestamps are displayed in Greenwich Mean Time

➔ C

10. Which of the following booleans can be used in a search?


a) NOT
b) AND
c) OR
d) ALSO

➔ A,b,c
11. Which of the following searches will return results containing the terms failed, password, or failed password?
a) failed password OR "failed password"
b) failed OR password
c) failed OR password OR "failed password"
d) fail*

➔ b,c

12. Which Splunk infrastructure component stores ingested data?


a) Data models
b) Index
c) Dashboards
d) Datasets

➔ B

13. Which command can be used to further filter results in a search?


a) subset
b) search
c) subsearch
d) filter

➔ b

14. By default, which of the following roles are required to share knowledge objects?
a) Admin
b) User
c) Power
d) Manager

➔ A,c

15. True or False: Fields are knowledge objects.


a) TRUE
b) FALSE

➔ True
16. At search time, if an event has an equal (=) sign, the data to the left is treated as a ______ and the data to the right is treated as a ______.
a) field name, sourcetype
b) lookup, value
c) field name, value
d) lookup, sourcetype

➔ c

17. The fields command allows you to do which of the following? Select all that apply.
a) Exclude fields (fields -)
b) Include fields (fields +)
c) Include fields (fields)

➔ A, b,c

18. At search time, _______ extracts fields from raw event data.
a) field extractor
b) fields command
c) field discovery

➔ c

19. In the Fields sidebar, Interesting Fields occur in at least ________ of resulting events.
a) 3%
b) 10%
c) 20%
d) 50%

➔ C

20. Which of the following fields are default selected fields?


a) sourcetype
b) source
c) host
d) index

➔ a,b,c
21. True or False: Once you rename a field, the new field name must be used in the rest of the search string.
a) FALSE
b) TRUE

➔ B

22. To remove fields from a search, you would use the _________ command.
a) fields+
b) -fields
c) +fields
d) fields-

➔ d

23. date_time always reflects your local time zone and not the time/date from raw events.
a) TRUE
b) FALSE

➔ B

24. What will the strftime function return when using the %H argument? Select all that apply.
a) time of raw event in UTC
b) convert the hour into your local time based on the time zone setting of your Splunk web sessions
c) hour of the event generated at index time.

➔ b

25. Choose the search that will sort events into one minute groups. Select all that apply.
a) | bin _time span=1mins
b) | bin span=1minutes _time
c) | bin _time span=1m

➔ a,b,c
26. Using earliest=-30d@d latest=@d is how to return results from 30 days ago up until the time the search was executed.
a) FALSE
b) TRUE

➔ A

27. When using the following search arguments, what will be returned? | timechart count span=1h
a) chart only events over a 1 hour period
b) chart events in 1 hour chunks
c) determine time range of events to scale
d) events in the last 24 hours

➔ b

28. _______ and _______ are the time modifiers that override the time range picker in a historical report.
a) last
b) first
c) earliest
d) latest

➔ c,d

29. Which of the following are default time fields? Select all that apply.
a) date_mday
b) date_hour
c) date_day
d) date_year

➔ a,b,d

30. @timeUnit will always round up and go forward through time.


a) FALSE
b) TRUE

➔ A
31. Which of these eval functions takes no arguments?
a) min
b) pow
c) max
d) random

➔ d

32. To round numerical values, use the ___ function of the eval command.

➔ round()

33. To display the least common values of a field, use the ___ command.
a) top
b) timechart with common=f option
c) rare
d) stats

➔ c

34. When renaming fields with spaces or special characters, use the rename command and include the new field name in ___.
a) None of the above
b) parenthesis
c) double quotes
d) single quotes

➔ c

35. When using the top command, add the BY clause to ___.
a) return a percentage of events
b) return results grouped by the field you specify in the BY clause
c) specify how many results to return
d) specify which search mode to return results by

➔ b
36. True or False: Using an OVER and a BY clause with the chart command will create a multiseries data series.
a) FALSE
b) TRUE

➔ B

37. The ___ command will always have _time as the X-axis.

➔ Timechart

38. Use ___=false with the chart command if you want to hide the OTHER column.

➔ Useother

39. True or False: You can use wildcards (*) with the rename command to rename multiple fields that match a pattern.
a) FALSE
b) TRUE

➔ B

40. Which of these functions lists ALL values of the field X?


a) list(X)
b) values(X)

➔ a

41. The ___(X,Y) eval function returns X to the power of Y.

➔ Pow
42. If you use the stats command with two functions and a BY clause, which function is the BY clause applied to?
a) the first function
b) both functions
c) both functions if they are both aggregate functions
d) the second function

➔ b

43. True or False: Only one field can be created when using the eval command.
a) TRUE
b) FALSE

➔ B

44. By default, the sort command lists results in ___ order.


a) descending
b) ascending

➔ b

45. When you use the stats command with a BY clause, what is returned?
a) numerical statistics on each field if and only if all of the values of that field are numerical
b) one row
c) a statistical output for each value of the named field
d) an error message because you did not include a statistical function

➔ c

46. True or False: eval cannot exist as an expression.


a) FALSE
b) TRUE

➔ A
47. The where command interprets unquoted or single-quoted strings as _____ and double-quoted strings as _____.
a) fields, field values
b) integers, field values
c) field values, fields
d) field values, integers

➔ a

48. Which are the Boolean operators that can be used by the eval command? Select all that apply.
a) NAND
b) AND
c) XOR
d) OR

➔ B,c,d

49. The where command only returns results that evaluate to TRUE.
a) TRUE
b) FALSE

➔ A

50. The eval command calculates an expression and puts the resulting ____ into a new or existing field.
a) command
b) value
c) argument

➔ b

51. True or False: When using the eval command, all field values are treated in a case-sensitive manner and must be double-quoted.
a) FALSE
b) TRUE

➔ B
52. What is the order of Boolean Expression of Evaluation for the where and eval commands?
a) Expressions with parenthesis, NOT, AND, OR
b) AND, OR, NOT, Expressions with parenthesis
c) AND, NOT, Expressions with parenthesis, OR
d) NOT, AND, OR, Expressions with parenthesis

➔ A

53. Which eval function is the best option for masking data?
a) validate
b) case
c) isnotnull
d) replace

➔ d

54. True or False: Specify a wildcard by using the * character with the where command.
a) True
b) False

➔ B

55. True or False: Temporary fields created by using eval can be referenced in the search pipeline following creation.
a) True
b) False

➔ A

56. True or False: The case function will return NULL if no expressions evaluate to TRUE.
a) True
b) False

➔ A
57. Which of these fillnull expressions will replace NULL data with the string "NOT FOUND"?
a) | fillnull NOTFOUND
b) | fillnull
c) | fillnull value="NOT FOUND"
d) | fillnull NOTFOUND=true

➔ C

58. Which of the following functions must be used with the in function? Select all that apply.
a) sum
b) case
c) validate
d) if

➔ b,d

59. Which of the following functions can be used to filter NULL values?
a) isnotnull
b) usenull=f
c) usenull=t
d) isnull

➔ a,d

60. The ___ command replaces NULL values in fields.


a) isnull
b) null
c) isnotnull
d) fillnull

➔ d

61. Which command uses a template subsearch to replace the values of specific fields?
a) none; commands only use functions to replace field values, not templates or subsearches
b) foreach
c) eval
d) replace

➔ b
62. ___ is the process of organizing data to appear similar across all records, making the information easier to search.
a) Normalization
b) Segmentation
c) Collating
d) Splunkification

➔ A

63. True or False: If there is an appendpipe in a search, its subpipeline will always be executed last.
a) True
b) False

➔ B

64. Which of these tostring expressions will format the PROFIT field in the USD currency format, $x,xxx?
a) | eval PROFIT = tostring(PROFIT,"$x,xxx")
b) | eval PROFIT = tostring(PROFIT,"$"."commas")
c) | eval PROFIT = tostring("$x,xxx",PROFIT)
d) | eval PROFIT = "$".tostring(PROFIT,"commas")

➔ D

65. True or False: eventstats and streamstats support multiple stats functions, just like stats.
a) True
b) False

➔ A

66. Which of these expressions will accurately normalize values from the OperatingSys and CompSys fields into a new field called OS?
a) | eval OS = case(OperatingSys=OperatingSys,"OS",CompSys=CompSys,"OS",true(),"OS")
b) | eval replace(OperatingSys OR CompSys,OS"
c) | eval OS = coalesce(OperatingSys,CompSys)

➔ C
67. Which statement(s) about appendpipe is false?
a) The subpipeline is executed only when Splunk reaches the appendpipe command
b) Only one appendpipe can exist in a search because the search head can only process two searches simultaneously
c) appendpipe transforms results and adds new lines to the bottom of the results set because appendpipe is always the last command to be executed
d) appendpipe transforms results and adds new lines to the bottom of the results set without overwriting original results

➔ b,c

68. True or False: The foreach command can be used without a subsearch.
a) True
b) False

➔ B

69. You would use the ___ function to convert a string to uppercase and the ___ function to convert a string to lowercase.
a) uppercase(), lowercase()
b) lower(), upper()
c) lowercase(), uppercase()
d) upper(), lower()

➔ d

70. Which two commands, when used together, are equivalent to chart <fieldA> over <fieldB> by <fieldC>? Select all that apply.
a) stats <fieldA> by <fieldB>,<fieldC> followed by untable <fieldB> <fieldC> <fieldA>
b) stats <fieldA> by <fieldB>,<fieldC> followed by xyseries <fieldB> <fieldC> <fieldA>
c) stats <fieldA> by <fieldB>,<fieldC> followed by additional commands and then untable <fieldB> <fieldC> <fieldA>
d) stats <fieldA> by <fieldB>,<fieldC> followed by additional commands and then xyseries <fieldB> <fieldC> <fieldA>

➔ b,d
71. When a user has left your organization, what happens to their knowledge objects?
a) An admin can reassign them to another user.
b) They are automatically reassigned to a power user.
c) They are automatically reassigned to an admin.
d) A power user can reassign them to another user.

➔ A

72. By default, what user role is required to make a knowledge object available to all apps?
a) Admin
b) User
c) Power User
d) Super User

➔ A

73. By default, when a knowledge object is created, who can access its contents?
a) Any user in the environment
b) Any power user in the environment
c) The user who created it or a user with an admin role
d) Any user of the app in which it was created

➔ C

74. Which two of the following knowledge object types can contain an eval expression?
a) Workflow actions
b) Macros
c) Calculated fields
d) Field aliases

➔ B,c

75. What are the three predefined sharing options for a knowledge object?
a) Private
b) Shared in all apps
c) Blocked in app
d) Shared in app

➔ A,b,d
76. Which knowledge object type can contain an eval expression?
a) Calculated fields
b) Field aliases
c) Tags
d) Event types

➔ A

77. Which knowledge object type can store entire search strings, including commands?
a) Tags
b) Calculated fields
c) Macros
d) Event types

➔ C

78. Which of the following user roles can create knowledge objects?
a) Admin
b) Super User
c) User
d) Power User

➔ A,c,d

79. Which knowledge object type can be searched in Pivot?


a) Event types
b) Dashboards
c) Data models
d) Data types

➔ C

80. Where can you find a list of all fields returned from events?
a) The fields posting list
b) The fields library
c) The fields sidebar
d) The fields dropdown

➔ C
81. Which knowledge objects can be scheduled to execute at specific times?
a) Reports
b) Macros
c) Workflow actions
d) Alerts

➔ A,d

82. Which of the following methods can be used to manually extract fields?
a) Delimiters
b) The Regular Expression Generator
c) The Event Type Builder
d) Regular Expressions, or RegEx

➔ A,d

83. What are the primary functions of a workflow action?


a) Communicating with an external source using the HTTP GET method
b) Passing information to external deployments to query additional indexes
c) Communicating with an external source using the HTTP POST method
d) Passing information back to Splunk to run a secondary search

➔ A,c,d

84. Which of the following file types can be uploaded to create a lookup?
a) XLS
b) PDF
c) XML
d) CSV

➔ D

85. Which knowledge object type can communicate with external sources using the HTTP GET and POST methods?
a) Lookups
b) Search actions
c) Workflow actions
d) Field extractions

➔ C
86. Which workflow actions require you to specify if the behavior should open in a new window or the current window? Select all that apply.
a) POST
b) PUT
c) Search
d) GET

➔ A,c,d

87. Field aliases are applied after _________ and before ________ . Select all that apply.
a) tags, field extractions
b) field extractions, tags
c) lookups, field extractions
d) field extractions, lookups

➔ b,d

88. When adding arguments to a macro, include the number of arguments in _____.
a) Parentheses after the macro name
b) Parentheses before the macro name
c) Using the pipe function
d) Dollar signs with the search definition

➔ A

89. Surround the macro name with the _____ when executing the macro in search.
a) Double quote character
b) Single quote character
c) Dollar sign
d) Backtick character

➔ D

90. To search for a tag associated with a value on a specific field, select the correct string.
a) tag=user::privileged
b) tag-user::privileged
c) tag::user=privileged
d) tag=user=privileged

➔ c
91. If you have a tag label called "homeoffice" associated with the field/value pair system_ip=<your ip address>, when you run a search using the tag=homeoffice constraint, what events will be returned?
a) events from _internal
b) events with the value of the system_ip field equal to your ip address
c) field lookup table

➔ b

92. Which statements best describe an Event Type? Select all that apply.
a) Allow users to interact with web resources
b) tags, field extractions
c) Categorizes events based on search constraints
d) Can be used to normalize field names, tags and field extractions

➔ C,d

93. Which of the following are ways you can create an event type? Select all that apply.
a) Run a search, then save as Event Type
b) From event details, select Event Actions > Build Event Type
c) Settings > Event types > "New Event Type"

➔ A,b,c

94. Which function is used to send field values externally in Workflow Actions?
a) POST
b) Search
c) GET
d) PUT

➔ A

95. Which statement best describes the function of a Workflow Action?


a) Retrieves information from an external source
b) Sends field values to an external source
c) Allows users to interact with web resources
d) Uses field values to perform a secondary search

➔ A,b,c,d
96. To perform a secondary search, use a _______ workflow action.
a) GET
b) POST
c) PUT
d) Search

➔ D

97. True or False: Splunk knowledge objects can only be used privately.
a) True
b) False

➔ B

98. Select all knowledge objects.


a) workflow actions
b) lookups
c) field aliases
d) users

➔ a,b,c

99. True or False: If you manually edit the regular expression in the Field Extractor Utility, then you will not be able to go back to validate the results.
a) True
b) False

➔ a

1. Which of the following statements are true about a Regex "capture"?


a) Defined with matching parentheses: ()
b) Can be referenced with a given name using: ?<name>
c) Allows the Regex to be case insensitive
d) Captures a matching pattern

➔ A,b,d
2. Use this field extraction method when fields are separated by spaces, commas, or characters.
a) delimited field extractions
b) rename field extractions
c) regex field extractions

➔ a

3. Which of the following strings match this Regular Expression: c.t


a) c99t
b) c#t
c) cat
d) c.t

➔ b,c,d

4. There are three ways to get to the Field Extractor (FX). Select all that apply.
a) Settings menu
b) Auto-Extract Fields Workflow
c) Event Actions menu
d) Fields sidebar

➔ A,c,d

5. Which of the following character delimiters are supported for a delimited field extraction?
a) tab
b) comma
c) space
d) pipe

➔ a,b,c,d

6. Which of the following Regex operators can most severely impact performance, and may be considered "greedy"?
a) . (period)
b) * (asterisk)
c) \ (backslash)
d) + (plus sign)

➔ B
7. True or False. Fields can be extracted only after indexing is complete.
a) TRUE
b) FALSE

➔ B

8. When using regex for field extraction, what's the first thing you have to do in the Field Extractor?
a) Provide a Field Name
b) Edit the regular expression
c) Select a value to extract
d) Set the Extractions Name and set permissions

➔ C

9. Which of the following do all event datasets contain? Select all that apply.
a) Fields
b) Purchases
c) Children
d) Constraints

➔ A,d

10. Data models contain the following. Select all that apply.
a) constraints
b) inherited and extracted fields
c) event object hierarchy

➔ a,b,c

11. What occurs when setting a field flag to Hidden?


a) Only events that contain the field are returned.
b) The field is not displayed to Pivot users when they select the dataset in Pivot.
c) The field doesn't have to appear in every event.
d) Constraints will ignore the use of this field.

➔ B
12. When adding fields to a dataset, which of the following creates a new field based on an expression that you define?
a) Auto-Extracted
b) Eval Expression
c) Lookup
d) Geo IP

➔ B

13. When creating a data model, which of the following is true? Select all that apply.
a) The process fails if you are not logged in as an admin user.
b) As the title is entered an ID is automatically generated.
c) Splunk highly recommends overriding the default ID to prevent confusion.
d) Only the Search & Reporting and Monitoring Console apps can be selected.

➔ B

14. What functionality is provided to allow collaboration with other Splunk users to create, modify or test data models?
a) The data model "clone" functionality
b) Creating data models in the Search & Reporting app
c) Downloading and uploading data models
d) Splunk user integration, such as LDAP

➔ C

15. Which of the following accurately describes data models? Select all that apply.
a) Must contain at least one of each dataset: Events, Searches, and Transactions
b) Can only be designed by users with the admin role
c) A knowledge object that applies information structure to raw data
d) Can be used by the Pivot interface to generate reports and dashboard panels

➔ C,d

16. Which of the following accurately describes pivots? Select all that apply.
a) Quick way to design visualizations of data using Splunk Web
b) Alternate method to access data without using search language
c) Requires the use of simplified search language
d) Requires use of datasets
➔ A,b,d
17. To add a Root Event Dataset, what field is required to be manually added?
a) Dataset Name
b) Dataset ID
c) Duration maxpause maxspan

➔ A

18. True or False: A constraint inherited by the children dataset from the parent dataset can be removed.
a) True
b) False

➔ B

19. What is required to configure persistent data model acceleration?


a) All 3 root dataset types: events, search, and transaction
b) A private data model
c) A user accessing a data model dataset in Pivot
d) A user role with the accelerate_datamodel capability

➔ D

20. By default, the sort command lists results in __________ order.


a) descending
b) ascending

➔ b

21. A data model can consist of the following three types of datasets. Select all that apply.
a) searches
b) events
c) Pivot reports
d) Transactions

➔ A,b,d
22. What do Pivots require to create visualizations in Splunk? Select all that apply.
a) spreadsheets
b) lookups
c) data models
d) web filters

➔ b,c

23. True or False: You can only split a pivot with a maximum of one row or column.
a) True
b) False

➔ B