Question 1

What functionality does the Splunk Common Information Model (CIM) rely on to normalize fields with different names?

Options :

A : Macros.

B : Field aliases.

C : The rename command.

D : CIM does not work with different names for the same field.

Answer: B

Question 2

Which search retrieves events with the event type web_errors?

Options :

A : tag=web_errors

B : eventtype=web_errors

C : eventtype "web errors"

D : eventtype (web_errors)

Answer: B

Question 3

When defining a macro, what are the required elements?

Options :

A : Name and arguments.

B : Name and a validation error message.

C : Name and definition.

D : Definition and arguments.

Answer: C

Question 4

Where are the results of eval commands stored?

Options :

A : In a field.

B : In an index.

C : In a KV Store.

D : In a database.

Answer: A

Question 5

Which of the following statements describe calculated fields? (select all that apply)

Options :

A : Calculated fields can be used in the search bar.

B : Calculated fields can be based on an extracted field.

C : Calculated fields can only be applied to host and sourcetype.

D : Calculated fields are shortcuts for performing calculations using the eval command.

Answer: A,B,D