Question 1

What commands can be used to group events from one or more data sources?

Options :

A : eval, coalesce

B : transaction, stats

C : stats, format

D : top, rare

Answer: B

Question 2

Which knowledge object is used to normalize field names to comply with the Splunk Common Information Model (CIM)?

Options :

A : Field alias

B : Event types

C : Search workflow action

D : Tags

Answer: A

Question 3

Which of the following statements best describes a macro?

Options :

A : A macro is a method of categorizing events based on a search.

B : A macro is a way to associate an additional (new) name with an existing field name.

C : A macro is a portion of a search that can be reused in multiple place

D : A macro is a knowledge object that enables you to schedule searches for specific events.

Answer: C

Question 4

The limit attribute will___________.

Options :

A : override default of 10

B : only work with top command

C : override default of 20

D : override default of 15

Answer: A

Question 5

When defining a macro, what are the required elements?

Options :

A : Name and arguments.

B : Name and a validation error message.

C : Name and definition.

D : Definition and arguments.

Answer: C