SPLK-1002 Exam Questions

Total 128 Questions

Last Updated: 16-Dec-2024

Topic 1 : Main Questions

A calculated field may be based on which of the following?

A. Lookup tables
B. Extracted fields
C. Regular expressions
D. Fields generated within a search string

Answer: B. Extracted fields



Which are valid ways to create an event type? (select all that apply)

A. By using the searchtypes command in the search bar.
B. By editing the event_type stanza in the props.conf file.
C. By going to the Settings menu and clicking Event Types > New.
D. By selecting an event in search results and clicking Event Actions > Build Event Type.

Answer: C. By going to the Settings menu and clicking Event Types > New.
Answer: D. By selecting an event in search results and clicking Event Actions > Build Event Type.



Which of the following statements describes the search string below?

| datamodel Application_State All_Application_State search

A. Events will be returned from the dataset named Application_state.
B. Events will be returned from the data model named Application_State.
C. Events will be returned from the data model named All_Application_state.
D. No events will be returned because the pipe should occur after the datamodel command.

Answer: C. Events will be returned from the data model named All_Application_state.



What is required for a macro to accept three arguments?

A. The macro's name ends with (3).
B. The macro's name starts with (3).
C. The macro's argument count setting is 3 or more.
D. Nothing, all macros can accept any number of arguments.

Answer: A. The macro's name ends with (3).



Which of the following actions can the eval command perform?

A. Remove fields from results.
B. Create or replace an existing field.
C. Group transactions by one or more fields.
D. Save SPL commands to be reused in other searches.

Answer: B. Create or replace an existing field.



The Field Extractor (FX) is used to extract a custom field. A report can be created using this custom field. The created report can then be shared with other people in the organization. If another person in the organization runs the shared report and no results are returned, why might this be? (select all that apply)

A. Fast mode is enabled.
B. The dashboard is private.
C. The extraction is private.
D. The person in the organization running the report does not have access to the index.

Answer: C. The extraction is private.
Answer: D. The person in the organization running the report does not have access to the index.



Which of the following statements describes this search?

sourcetype=access_combined | transaction JSESSIONID | timechart avg(duration)

A. This is a valid search and will display a timechart of the average duration of each transaction event.
B. This is a valid search and will display a stats table showing the maximum pause among transactions.
C. No results will be returned because the transaction command must include the startswith and endswith options.
D. No results will be returned because the transaction command must be the last command used in the search pipeline.

Answer: A. This is a valid search and will display a timechart of the average duration of each transaction event.



Which of the following statements describes POST workflow actions?

A. POST workflow actions are always encrypted.
B. POST workflow actions cannot use field values in their URI.
C. POST workflow actions cannot be created on custom sourcetypes.
D. POST workflow actions can open a web page in either the same window or a new window.

Answer: D. POST workflow actions can open a web page in either the same window or a new window.



What do events in a transaction have in common?

A. All events in a transaction must have the same timestamp.
B. All events in a transaction must have the same sourcetype.
C. All events in a transaction must have the exact same set of fields.
D. All events in a transaction must be related by one or more fields.

Answer: B. All events in a transaction must have the same sourcetype.



What does the following search do?

index=corndog type=mysterymeat action=eaten | stats count as corndog_count by user

A. Creates a table of the total count of users and split by corndogs.
B. Creates a table of the total count of mysterymeat corndogs split by user.
C. Creates a table with the count of all types of corndogs eaten split by user.
D. Creates a table that groups the total number of users by vegetarian corndogs.

Answer: A. Creates a table of the total count of users and split by corndogs.





Splunk SPLK-1002 Exam Details


Exam Code: SPLK-1002
Exam Name: Splunk Core Certified Power User Exam
Certification Name: Splunk Core Certified Power User Certification
Certification Provider: Splunk
Exam Questions: 65
Type of Questions: MCQs
Exam Time: 60 minutes
Passing Score: 70%
Exam Price: $130
Prerequisites: None