CCNA Macros, Saved Searches and CIM Questions

23 of 98 questions · Page 2/2 · Macros, Saved Searches and CIM · Answers revealed

76
Drag & Drop · medium

Order the steps to create a data model in Splunk in the correct order.

Why this order

Data models are created by defining hierarchical objects with constraints and fields.

77
MCQ · medium

A systems engineer creates a summary index using a saved search that runs every 30 minutes. The summary index aggregates data from multiple sourcetypes. After a week, the engineer notices that the summary index contains duplicate events for certain time ranges. What is the most likely cause?

A. The macro used in the saved search includes a time zone conversion that shifts events.
B. The saved search schedule is set to run at the wrong time.
C. The summary index acceleration is enabled, causing automatic re-summarization.
D. The summary index time range extends beyond the schedule interval, causing overlapping windows.
Answer: D

For example, if the search runs every 30 minutes but covers a 1-hour window, each event is summarized twice.

Why this answer

Option D is correct: if the summary index time range overlaps with previous runs, duplicates occur. Option B would cause missing data, not duplicates. Option C: acceleration does not cause duplicates.

Option A: a time zone conversion would shift events but would not create duplicates within the same time range.

78
Multi-Select · hard

Which TWO of the following are valid reasons to use the Common Information Model (CIM) in a Splunk environment?

Select 2 answers
A. It improves the ability to correlate events from different technologies.
B. It enables searching across different data sources with common field names.
C. It improves search performance by pre-aggregating data.
D. It provides built-in security monitoring use cases.
E. It eliminates the need for custom field extractions.
Answers: A, B

By standardizing field names, CIM makes it easier to correlate events across different data sources.

Why this answer

Option A is correct because the Common Information Model (CIM) provides a standardized set of field names and event tags across different data sources, enabling correlation of events from disparate technologies (e.g., firewalls, IDS, endpoints) using common fields like 'dest_ip', 'src_ip', 'user', and 'action'. This normalization allows Splunk to join or relate events that share the same CIM-compliant fields, making it possible to build coherent security or operational stories across heterogeneous data.

Exam trap

The trap here is that candidates confuse the CIM's normalization role with performance optimization or built-in security content, leading them to select options about pre-aggregation or pre-built use cases, which are actually features of other Splunk components like data model acceleration or Splunk Security Essentials.

79
Multi-Select · medium

When designing a macro for use across multiple dashboards, which two considerations are important? (Choose TWO.)

Select 2 answers
A. Use token arguments to parameterize the macro.
B. Include absolute time ranges in the macro definition.
C. Use global permissions to allow all roles to use the macro.
D. Define the macro with a description for documentation.
E. Avoid using macros with subsearches.
Answers: A, C

Correct: Token arguments allow the macro to be customized for different contexts.

Why this answer

Options A and C are correct. Permissions must be set to allow cross-app usage. Token arguments (like $index$) enable flexibility.

Absolute time ranges reduce reusability. Subsearches are allowed but not a primary consideration. Descriptions are helpful but not essential.

80
MCQ · medium

A team regularly runs a saved search that joins two large indexes. Performance is poor. Which design change would MOST improve query performance?

A. Convert the saved search to a scheduled report.
B. Create a data model summary to pre-aggregate the data.
C. Replace the join with a subsearch.
D. Use the `fields` command to remove unnecessary fields before the join.
Answer: B

Summaries reduce the amount of data scanned.

Why this answer

Option B is correct because a data model summary pre-aggregates data at search time, reducing the volume of data that the join operation must process. This is the most effective way to improve performance when joining two large indexes, as it avoids scanning and joining raw events repeatedly.

Exam trap

Splunk often tests the misconception that subsearches are always faster than joins, but in reality, subsearches can be equally or more resource-intensive when dealing with large datasets, and the correct optimization is to pre-aggregate data using data model summaries.

How to eliminate wrong answers

Option A is wrong because converting a saved search to a scheduled report does not change the underlying query logic or data volume; it only changes when the search runs, not how efficiently it executes. Option C is wrong because replacing a join with a subsearch does not inherently improve performance — subsearches can still be resource-intensive and may even degrade performance if they return large result sets. Option D is wrong because while using the `fields` command to remove unnecessary fields before the join can reduce memory usage, it does not address the fundamental issue of joining two large indexes; the join still processes all matching events, and the performance gain is minimal compared to pre-aggregation.

81
MCQ · easy

An alert saved search runs every 5 minutes and is set to trigger when count > 0. The alert keeps triggering repeatedly for the same events. What is the recommended solution?

A. Set the alert to trigger once per hour.
B. Disable the alert and re-enable.
C. Increase the alert throttle period.
D. Change the condition to count > 1.
Answer: C

Correct: Throttling sets a quiet period after a trigger to avoid duplicate alerts.

Why this answer

Option C is correct: throttling suppresses alerts for a specified time window, preventing repeated alerts for the same events. Changing the condition may miss legitimate events. Disabling and re-enabling does not help.

Reducing trigger frequency is a workaround but not the best practice.

82
Multi-Select · hard

Which TWO of the following are valid ways to reference a macro in a search?

Select 2 answers
A. $macro_name(arg1, arg2)$
B. macro_name:arg1, arg2
C. `macro_name(arg1, arg2)`
D. `macro_name arg1 arg2`
E. | macro_name(arg1, arg2)
Answers: C, D

Backticks with parentheses and comma-separated arguments.

Why this answer

Option C is correct because in Splunk, a macro is invoked using backticks with parentheses around its arguments, as in `macro_name(arg1, arg2)`. This syntax tells the search processor to expand the macro definition with the provided arguments before executing the search.

Exam trap

The trap here is that candidates confuse the backtick macro syntax with the dollar-sign token syntax used in dashboards or the pipe command syntax, leading them to select invalid options like A or E.

83
MCQ · medium

Refer to the exhibit. An admin configures acceleration for the Network_Traffic data model as shown. A user runs a search using the data model over the last 60 days. Why might the search be slower for data older than 7 days?

A. The data model is not compatible with acceleration
B. The summary_range is set to 30d, so only data within 30 days is accelerated
C. The earliest_time is set to -7d@d, so the acceleration index only covers the last 7 days
D. The search must use the `| datamodel` command to benefit from acceleration
Answer: C

Correct: Only data after -7d@d is accelerated.

Why this answer

Option C is correct: the `earliest_time` parameter determines the time range for which acceleration is built. Here it is -7d@d, so only the last 7 days of data are precomputed. Data older than 7 days will not be accelerated, causing slower searches.

Option B confuses summary_range (how long to keep accelerated data) with the time range. Option A is false. Option D is true but does not explain slowness for older data.

84
MCQ · easy

When creating a saved search that runs every hour and sends an email alert when the count of errors exceeds 10, which action must be configured in addition to the search logic?

A. Add an email alert action in the saved search settings.
B. Include '| alert' command in the search string.
C. Create a lookup table to store error counts.
D. Enable summary indexing for the search.
Answer: A

Alert actions such as email must be configured to trigger notifications.

Why this answer

Option A is correct because saved searches that trigger alerts require at least one alert action (e.g., email) to be defined. Logging is a separate concern and is not required. Option B is incorrect because the search string does not include alert logic. Option C is incorrect because no lookup table is needed to send the notification.

Option D is unrelated.

85
Multi-Select · hard

An admin is troubleshooting a saved search that uses the `| `my_macro` command. The macro definition is `stats count by $1$`. The saved search is scheduled to run hourly. Which of the following issues could cause the saved search to fail? (Choose three.)

Select 3 answers
A. The macro argument passed in the saved search contains a space without quotes
B. The macro definition includes a pipe at the start but the invocation also includes a pipe
C. The saved search's time range is set to 'All time'
D. The macro is not shared to the app where the saved search is stored
E. The saved search has a cron schedule that overlaps with another saved search
Answers: A, B, D

Correct: Spaces in arguments require quoting.

Why this answer

Options A, B, and D are correct. A: If the macro argument contains a space without quotes, it will be parsed incorrectly. B: If the macro definition includes a pipe at the start but the invocation also includes a pipe, the double pipe causes a syntax error.

D: If the macro is not shared to the app where the saved search is stored, the saved search cannot access it. C: 'All time' time range is not a direct cause of failure. E: Overlap might cause skip but not necessarily failure.

86
MCQ · medium

An organization uses the Splunk Common Information Model (CIM) to normalize data from various sourcetypes. After onboarding a new firewall vendor, the data is not populating the Network Traffic data model. Which of the following is the most likely cause?

A. The sourcetype is not included in the 'Network Traffic' data model acceleration.
B. The appropriate CIM tags have not been assigned to the new sourcetype.
C. The data is being indexed into a custom index that is not monitored by the data model.
D. The fields in the firewall data do not match the data model field names exactly.
Answer: B

CIM uses tags like 'network' or 'traffic' to map events to data models.

Why this answer

Option B is correct because CIM data models require tagging to map sourcetypes to the appropriate data model. Without proper tags, the data will not appear in the data model acceleration. Option D is incorrect because data models are designed to handle different fields.

Option A is possible but less likely, as CIM tags are more fundamental. Option C is incorrect because custom indexes do not affect CIM mapping.

87
Multi-Select · medium

Which THREE of the following are best practices for creating saved searches?

Select 3 answers
A. Save the search without scheduling it to avoid resource usage.
B. Set an appropriate time range to limit the data scanned.
C. Use the `summary` indexing feature for searches that run frequently.
D. Avoid specifying a time range to use the default.
E. Use descriptive names that indicate the purpose of the search.
Answers: B, C, E

Limiting time range improves performance.

Why this answer

Option B is correct because setting an appropriate time range in a saved search limits the volume of data that Splunk must scan, reducing resource consumption and improving search performance. Without a bounded time range, the search may scan all available data, which can lead to excessive CPU and memory usage, especially in large deployments.

Exam trap

Splunk often tests the misconception that omitting a time range is acceptable because Splunk will use a 'reasonable default,' but in reality the default is often 'All time,' which is the most resource-intensive option.

88
Multi-Select · easy

Which THREE are components of the Common Information Model (CIM) in Splunk?

Select 3 answers
A. Tags
B. Data models
C. Lookup tables
D. Field extractions
E. Dashboards
Answers: A, B, D

Tags are used to categorize events so that they map to the appropriate CIM data model.

Why this answer

Correct answers: A, B, D. Tags (A), data models (B), and field extractions (D) are core CIM components. Option C (lookup tables) is not part of CIM, though lookups may be used alongside it.

Option E (dashboards) is not part of CIM.

89
MCQ · medium

An organization is implementing the Splunk Common Information Model (CIM) to normalize data. They have a source that provides event data with field names `src_ip` and `dst_ip`. To map these to CIM fields, which knowledge object should be created?

A. A tag to tag events with `src_ip` and `dst_ip` as network traffic
B. A field extraction to rename `src_ip` to `src` and `dst_ip` to `dest`
C. A field alias to create `src` from `src_ip` and `dest` from `dst_ip`
D. A calculated field to set `src=src_ip` and `dest=dst_ip`
Answer: C

Correct: Field aliases are designed for this purpose.

Why this answer

Option C is correct: field aliases allow mapping source-specific field names to CIM field names without modifying the raw data. Option B would require an extraction, which is not standard for renaming. Option D: calculated fields compute new fields but are not meant for simple renaming.

Option A: tags are for categorization, not field mapping.

90
MCQ · hard

A security analyst is trying to normalize authentication data from multiple sources using CIM. After mapping sourcetypes to the Authentication data model, the CIM acceleration dashboard shows no data. The data model acceleration is enabled and has completed building. What is the most likely cause?

A. The data model acceleration is not enabled.
B. The tags for the sourcetypes are not correctly assigned to the data model.
C. The field extractions for the sourcetypes do not align with CIM field names.
D. The permissions on the data model are incorrect.
Answer: C

Correct: CIM requires exact field name matches; mismatched extractions cause no data in the data model.

Why this answer

Option C is correct because CIM requires that field extractions produce exactly the CIM field names; if extractions are missing or named differently, the data model will not populate. Permissions (Option D) affect visibility, not data content. Tags are optional if sourcetypes are mapped via props.

Index change would affect raw data searches as well.

91
Multi-Select · easy

Which TWO benefits does the Splunk Common Information Model (CIM) provide? (Choose two.)

Select 2 answers
A. Provides a consistent field naming convention across different data sources.
B. Enables real-time correlation of events across multiple data sources.
C. Reduces indexing volume by summarizing data into CIM-compliant indexes.
D. Defines the sourcetypes for common technologies (e.g., firewall, IDS).
E. Accelerates searches using data model acceleration and tstats.
Answers: A, E

CIM standardizes fields like 'user', 'src', 'dest' for similar events.

Why this answer

Options A and E are correct. CIM normalizes data to common fields (making it easier to search across sourcetypes) and provides acceleration through data models. Option D is wrong because CIM does not define sourcetypes; sourcetypes are input-level.

Option B is wrong because CIM does not provide real-time correlation directly; it standardizes fields. Option C is wrong because CIM applies to all indexes, not just summary indexes.

92
MCQ · easy

In the CIM, which field is commonly used to identify the user responsible for an authentication event?

A. dest
B. user
C. src_user
D. src
Answer: B

The user field is standard in CIM Authentication data model.

Why this answer

In the Authentication data model, the 'user' field (or 'target' or 'dest_user') is used. The standard field is 'user'. Option B is correct.

Option C (src_user) is not standard in CIM. Option D (src) is for the source IP. Option A (dest) is for the destination.

93
MCQ · medium

A search includes the macro `mysearch(field1, field2)`. The macro definition is `stats count by $1$, $2$`. If the search is `index=main | `mysearch(user, action)`, what is the expanded search?

A. `index=main | stats count by $1$, $2$`
B. `index=main | | stats count by user, action`
C. `index=main | mysearch(user, action)`
D. `index=main | stats count by user, action`
Answer: D

Why this answer

Option D is correct: the macro invocation `| `mysearch(user, action)` expands by replacing `$1$` with `user` and `$2$` with `action` in the definition, resulting in `| stats count by user, action`. Option B includes an extra pipe, Option C leaves the macro unexpanded, and Option A keeps the literal `$1$`, `$2$`.

94
MCQ · hard

An organization has implemented the Splunk Common Information Model (CIM) for their security data. They have mapped several sourcetypes to the Authentication data model and enabled data model acceleration. However, the CIM dashboard shows no data even though searches against the raw data return results. The admin checks the data model acceleration settings and sees that the acceleration is enabled and has completed building. What is the most likely issue?

A. The field extractions for the sourcetypes do not align with CIM field names.
B. The index where the data is stored is not included in the data model acceleration.
C. The data model has not been assigned the correct permissions.
D. The tags for the sourcetypes are not correctly assigned to the data model.
Answer: A

Correct: Mismatched field names cause the data model to remain empty.

Why this answer

Option A is correct because CIM requires exact field name matches; if extractions are not aligned, the data model will not populate. Permissions (Option C) affect visibility, not data. Tags (Option D) are optional when sourcetypes are mapped via props.

The index is searched by acceleration unless explicitly excluded.

95
MCQ · hard

A macro is defined as `mysearch` with definition `index=main | stats count by $source_type$`. The macro is invoked as `| `mysearch(access_combined)` but the search never finishes. What is the likely issue?

A. The macro definition contains a syntax error
B. The macro argument should not be in quotes
C. The macro definition uses a named argument but the invocation passes an unnamed argument
D. The macro definition requires a filter before the stats command
Answer: C

Correct: Named arguments require name=value syntax.

Why this answer

Option C is correct: the definition uses `$source_type$`, which is a named argument. In the invocation, the argument is passed positionally. For named arguments, the invocation must specify the argument name, like `source_type=access_combined`.

The positional argument `$1$` would work if it were defined. As written, the macro tries to use the literal `$source_type$` instead of the passed value. A and B are not likely; D is possible but less specific.

96
Multi-Select · medium

Which TWO best practices should be followed when creating saved searches that use macros? (Select exactly 2.)

Select 2 answers
A. Define macros globally so they are accessible by all saved searches.
B. Use static time ranges in macros to avoid unexpected time shifts.
C. Escape special characters in macro arguments to ensure correct parsing.
D. Include inline comments in macro definitions to document the logic.
E. Avoid using subsearches inside macros to prevent performance issues.
Answers: C, E

Unescaped special characters can alter the search syntax unexpectedly.

Why this answer

Options C and E are correct. Option D is not a best practice; comments inside macros can break if not properly escaped. Option A is not always necessary; scoping macros to an app can be appropriate.

Option B is not a best practice; it is better to pass the time range as an argument.

97
Multi-Select · hard

Which TWO are correct about saved search permissions and scheduling? (Choose two.)

Select 2 answers
A. A saved search's permissions can be set to 'global' so that any user can run it.
B. Any user can schedule a saved search regardless of role.
C. A saved search that is a report automatically inherits the app's default permissions.
D. When a saved search is scheduled, it runs with the permissions of the owner, not the user who views it.
E. All saved searches are visible to everyone in the app by default.
Answers: A, D

Global permission grants read access to all users.

Why this answer

Options A and D are correct. Scheduled saved searches run with the owner's permissions, and scheduling requires the 'schedule_search' capability. Option E is wrong because the default sharing is 'private' to the owner.

Option B is wrong because only users with the schedule capability can set schedules. Option C is wrong because a saved report inherits the user's permissions, not app-wide defaults.

98
MCQ · hard

Refer to the exhibit. A search uses the macro as `| `fillnull(field=user)`. However, the search fails with a syntax error. What is the most likely issue?

A. The macro argument should be passed without the `field=` prefix
B. The macro definition contains unescaped commas
C. The macro definition should use positional arguments instead of named
D. The macro definition should include a pipe before `eval`
Answer: B

Correct: Commas in the `if` function must be escaped.

Why this answer

Option B is correct: in macro definitions, commas that are part of the code need to be escaped with a backslash because commas are used to separate macro arguments. The `if` function uses commas, and they are not escaped, so the macro expansion is broken. Option C is not the issue; named arguments are valid.

Option A is incorrect; the invocation with `field=` is correct. Option D is incorrect; a leading pipe is not needed, as the macro invocation already provides one.
