Explanation: The transaction command is used to group events that are related by some common fields or conditions, such as start/end values, time span, or pauses. The stats command is used to calculate statistics on a group of events by a common field value.

Explanation:
In Splunk, you can create an event type from the search window by running a search that would make a good event type, then clicking Save As and selecting Event Type1. This opens the Save as Event Type dialog, where you can provide the event type name and optionally apply tags to it1.
You can also create an event type by editing the eventtypes.conf file and adding a new stanza1. Each stanza in the eventtypes.conf file represents an event type1. The stanza name isthe name of the event type, and the search attribute specifies the search string that defines the event type1.

Explanation: The rex command allows you to extract fields from events using regular expressions. You can use the rex command to specify a named group that matches the port number in the event. For example:
rex "\+\+\+\+port (?\d+)"
This will create a field called port with the value 54 for the event.
The delimiter method is not suitable for this event because there is no consistent delimiter between the fields. The regular expression method is not a valid option for the Field Extractor tool. The Field Extractor tool can extract regular expressions, but it is not a method by itself.

Explanation: The correct answer is B. A field added by an automatic lookup.
A calculated field is a field that is added to events at search time by using an eval expression. A calculated field can use the values of two or more fields that are already present in the events to perform calculations.A calculated field can use any field as a source, as long as the field is extracted before the calculated field is defined1. An automatic lookup is a way to enrich events with additional fields from an external source, such as a CSV file or a database.An automatic lookup can add fields to eventsbased on the values ofexisting fields, such as host, source, sourcetype, or any other extracted field2.An automatic lookup is performed before the calculated fields are defined, so the fields added by the lookup can be used as sources for the calculated fields3. Therefore, a calculated field can use a field added by an automatic lookup as a source.

Explanation: The correct answer is B. Event category tags. This is because the CIM addon contains a collection of preconfigured data models that you can apply to your data at search time. Each data model in the CIM consists of a set of field names and tags that define the least common denominator of a domain of interest. Event category tags are used to classify events into high-level categories, such as authentication, network traffic, or web activity. You can use these tags to filter and analyze events based on their category. You can learn more about event category tags from the Splunk documentation12. The other options are incorrect because they are not included with the CIM add-on. Search macros are reusable pieces of search syntax that you can invoke from other searches. They are not specific to the CIM add-on, although some Splunk apps may provide their own search macros. Workflow actions are custom links or scripts that you can run on specific fields or events. They are also not specific to the CIM add-on, although some Splunk apps may provide their own workflow actions. tsidx files are index files that store the terms and pointers to the raw data in Splunk buckets. They are part of the Splunk indexing process and have nothing to do with the CIM add-on.

Explanation: The following search would create a graph similar to the one below:
index_internal sourcetype=Savesplunker | fields sourcetype, status | transaction status maxspan=1d | timechart count by status The search does the following:
It uses index_internal to specify the internal index that contains Splunk logs and metrics.
It uses sourcetype=Savesplunker to filter events by the sourcetype that indicates the Splunk Enterprise Security app.
It uses fields sourcetype, status to keep only the sourcetype and status fields in the events.
It uses transaction status maxspan=1d to group events into transactions based on the status field with a maximum time span of one day between the first and last events in a transaction.
It uses timechart count by status to create a time-based chart that shows the count of transactions for each status value over time.

The graph shows the following:
It is a line graph with two lines, one yellow and one blue.
The x-axis is labeled with dates from Wed, Apr 4, 2018 to Tue, Apr 10, 2018.
The y-axis is labeled with numbers from 0 to 15.
The yellow line represents “shipped” and the blue line represents “success”.
The yellow line has a steady increase from 0 to 15, while the blue line has a sharp increase from 0 to 5, then a decrease to 0, and then a sharp increase to 10.
The graph is titled “Type”.