SPLK-1002 Creating Reports, Dashboards and Visualizations • Complete Question Bank
index=main sourcetype=access_combined status=503 | timechart count by host
index=web sourcetype=access_combined | chart count over host by status
| inputlookup app_errors.csv | where severity > 3 | stats count by app, error_type | sort -count | head 10
Refer to the exhibit.
```
index=web sourcetype=access_combined | stats count by status | eval status_category = case(status>=200 AND status<300, "2xx", status>=300 AND status<400, "3xx", status>=400 AND status<500, "4xx", status>=500, "5xx") | stats count by status_category
```
You are a Splunk administrator for a large e-commerce company. The marketing team has a dashboard that displays daily sales metrics, including revenue, number of transactions, and average order value. The dashboard is built using a single search that runs a 'timechart' command across all events. Recently, the dashboard has been timing out and failing to load during peak hours (10 AM - 2 PM) when traffic is highest. The team needs the dashboard to be available with minimal latency. You have the following options:
A. Reduce the time range on the dashboard to the last hour instead of the default last 24 hours.
B. Create a summary index that pre-aggregates the sales metrics every hour and modify the dashboard to search this summary index.
C. Increase the search time limit in the Splunk settings to allow the search to run longer.
D. Split the single search into multiple smaller searches, each for a different metric, and run them concurrently on separate panels.
Which option best addresses the performance issue while maintaining data accuracy?
Drag a concept onto its matching description — or click a concept then click the description.
Processes incoming data and stores it in indexes
Handles search requests and distributes to indexers
Sends data to indexers or other forwarders
Manages configuration of forwarders
Manages license usage across the deployment
Drag a concept onto its matching description — or click a concept then click the description.
Stores lookup data in a CSV file
Stores lookup data in a key-value store collection
Runs an external script to perform lookup
Matches coordinates to geographic regions
| inputlookup user_activity.csv | search error=* | stats count by user | sort - count | head 10
<dashboard>
<label>Network Dashboard</label>
<search id="base">
<query>index=network sourcetype=traffic | eval dest=if(dest=="unknown", "other", dest) | stats count by dest</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
</search>
<row>
<panel>
<chart>
<search base="base">
<query>| top limit=10 dest</query>
</search>
<option name="charting.chart">pie</option>
</chart>
</panel>
</row>
</dashboard>
| tstats summariesonly=t count where index=main by _time, sourcetype span=1h | timechart count by sourcetype
<form>
<label>Example Dashboard</label>
<fieldset submitButton="false">
<input type="dropdown" token="source" searchWhenChanged="true">
<label>Source</label>
<choice value="access_combined">Web Access</choice>
<choice value="secure">Secure</choice>
</input>
</fieldset>
<row>
<panel>
<chart>
<search>
<query>index=main sourcetype=$token$ | timechart count by host</query>
</search>
</chart>
</panel>
</row>
</form>
index=web status=* | stats count by status | sort -count | head 5
index=apache | timechart count by source | rename count as "MyCount"
index=security sourcetype=linux_secure | stats count by action | sort -count
index=web | timechart count by status useother=f limit=5
<dashboard>
<label>Network Dashboard</label>
<row>
<panel>
<title>Traffic by Protocol</title>
<chart>
<search>
<query>index=network sourcetype=traffic | stats sum(bytes) by protocol</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
</search>
<option name="charting.chart">column</option>
</chart>
</panel>
</row>
</dashboard>
[saved_search_name]
search = index=main sourcetype=access | stats count by status
cron_schedule = * * * *
index=web sourcetype=access_combined | timechart span=1h count by status | eval status=if(status>=400, "error", "success") | stats sum(count) as total by _time, status | eval color=if(status="error", "red", "green") | table _time, status, total, color
| inputlookup app_errors.csv | search error_code=* AND severity="high" | table app_name, error_code, count | sort - count | head 10
dashboard.xml:
<dashboard>
<label>Web Performance</label>
<row>
<panel>
<title>Error Rate</title>
<chart>
<search>index=web sourcetype=access_combined status>=400 | timechart count by status</search>
<option name="charting.chart">column</option>
</chart>
</panel>
<panel>
<title>Response Time</title>
<chart>
<search>index=web sourcetype=access_combined | stats avg(response_time) by host</search>
<option name="charting.chart">bar</option>
</chart>
</panel>
</row>
</dashboard>
| rest /services/saved/searches
| search title="Daily Error Summary"
| table title, actions, is_scheduled, schedule
| spath input=actions
| table title, {}.type, is_scheduled, schedule
index=security sourcetype=windows_security | eval account_type=if(match(user, "^Admin"), "admin", "user") | stats count by account_type, action | where account_type="admin" AND action="Failed" | sort - count | head 5