If there are fields in the data with values that are " " or empty but not null, which of the following would add a value?
Correct Answer: D
Explanation The correct answer is D. | eval notNULL = "" fillnull value=0 notNULL Option A is incorrect because it is missing a comma between the "0" and the notNULL in the if function. The correct syntax for the if function is if (condition, true_value, false_value). Option B is incorrect because it is missing the false_value argument in the if function. The correct syntax for the if function is if (condition, true_value, false_value). Option C is incorrect because it uses the nullfill command, which only replaces null values, not empty strings. The nullfill command is equivalent to fillnull value=null. Option D is correct because it uses the eval command to assign an empty string to the notNULL field, and then uses the fillnull command to replace the empty string with a zero. The fillnull command can replace any value with a specified replacement, not just null values.
Question 67
Calculated fields can be based on which of the following?
Correct Answer: B
Explanation "Calculated fields can reference all types of field extractions and field aliasing, but they cannot reference lookups, event types, or tags."
Question 68
Data models are composed of one or more of which of the following datasets? (select all that apply)
Correct Answer: A,B,C
Data model datasets have a hierarchical relationship with each other, meaning they have parent-child relationships. Data models can contain multiple dataset hierarchies. There are three types of dataset hierarchies: event, search, and transaction. https://docs.splunk.com/Splexicon:Datamodeldataset
Question 69
Given the macro definition below, what should be entered into the Name and Arguments fileds to correctly configured the macro?
Correct Answer: B
Reference: The macro definition below shows a macro that tracks user sessions based on two arguments: action and JSESSIONID. sessiontracker(2) The macro definition does the following: It specifies the name of the macro as sessiontracker. This is the name that will be used to execute the macro in a search string. It specifies the number of arguments for the macro as 2. This indicates that the macro takes two arguments when it is executed. It specifies the code for the macro as index=main sourcetype=access_combined_wcookie action=$action$ JSESSIONID=$JSESSIONID$ | stats count by JSESSIONID. This is the search string that will be run when the macro is executed. The search string can contain any part of a search, such as search terms, commands, arguments, etc. The search string can also include variables for the arguments using dollar signs around them. In this case, action and JSESSIONID are variables for the arguments that will be replaced by their values when the macro is executed. Therefore, to correctly configure the macro, you should enter sessiontracker as the name and action, JSESSIONID as the arguments. Alternatively, you can use sessiontracker(2) as the name and leave the arguments blank.
Question 70
Using the export function, you can export search results as __________.( Select all that apply)
