SPLK-1002 Basic Searching and Transforming Commands • Complete Question Bank
Complete SPLK-1002 Basic Searching and Transforming Commands question bank — all 0 questions with answers and detailed explanations.
Refer to the exhibit.
| makeresults count=5
| eval user = mvappend("alice","bob","charlie")
| mvexpand user
| stats count by user
Refer to the exhibit. index=web sourcetype=access_combined | stats count by status | sort - count | head 5
A large e-commerce company uses Splunk to monitor their web application. The operations team has noticed that the search for tracking user sessions is taking too long and consuming excessive resources. The current search is:
index=web sourcetype=access_combined | stats count by clientip, sessionid, productid | sort - count
The index contains over 10 billion events per day. The team wants to reduce the search time while still being able to identify the top 10 most active sessions (combinations of clientip and sessionid) that involve more than 5 product views. They also need to exclude any sessions that originated from internal IPs (10.0.0.0/8). Which approach would achieve this most efficiently?
Refer to the exhibit. Search: `index=web sourcetype=access_combined | top limit=5 uri_path`
Result table:
uri_path   count   percent
/          4523    23.45
/login     2341    12.14
/products  1890    9.80
/about     1234    6.40
/contact   987     5.12
Match each concept with its description:
Full system access including settings and users
Create and share knowledge objects and run searches
Run searches and create personal knowledge objects
Ability to delete events from indexes
Match each concept with its description:
Full-featured license for production use
Limited to 500 MB/day, no authentication or distributed search
Free license for forwarders only
Full features for a limited time period
Refer to the exhibit. index=main | eval severity = case(error=1, "Error", warning=1, "Warning", 1=1, "Info") | stats count by severity
Refer to the exhibit. index=main | stats count by host | sort - count | head 10
Refer to the exhibit. index=main | eval user=lowercase(user)
index=weblogic sourcetype=accesslog | rex "status=(?<status_code>\d+)" | stats count by status_code | where count > 100
index=network sourcetype=firewall | eval threat_level = if(threat_score > 90, "high", "low") | stats count by threat_level
index=web sourcetype=access_combined | top limit=10 uri_path
index=web sourcetype=access status=200 | stats count by productId | sort - count | head 10
index=web sourcetype=access_combined | stats count by status | where status >= 400 | sort - count
index=security sourcetype=linux_secure | regex _raw="Failed password for .* from (?<src_ip>\d+\.\d+\.\d+\.\d+)" | top 5 src_ip
index=main sourcetype=apache | timechart count by host span=1h | where count > 100
index=app sourcetype=json_logs | spath input=raw_data path=response.status | search response.status=200 | stats count by response.status
index=network sourcetype=cisco:asa | eval src_zone=case(src_ip="10.0.0.0/8","internal", 1=1,"external") | search src_zone=internal | stats count by src_zone