If there are fields in the data with values that are " " or empty but not null, which of the following would add a value?
Correct Answer: D
The answer key gives D. The eval if() function takes three arguments, if(condition, true_value, false_value): an option that drops the comma before the third argument (A) or omits the false_value altogether (B) is a syntax error. Option C uses nullfill, which is not an SPL command; the command is fillnull. Option D is quoted here as | eval notNULL = "" | fillnull value=0 notNULL. Note that fillnull replaces only null values, that is, fields that are absent from a result; a field whose value is an empty string or a space is present, isnull() returns false for it, and fillnull leaves it unchanged. To add a value to fields that are empty but not null, test the value in eval, for example if(len(trim(field))=0, "0", field), or convert the empty value to null first with if(len(trim(field))=0, null(), field) and then apply fillnull.
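The following search is an added example, not part of the original question or answer. It builds four constructed results with makeresults (the field name totalcost and its values are assumptions) so that one result has a real value, one an empty string, one a single space, and one no field at all, then shows which of them fillnull touches and which need an eval test:

```spl
| makeresults count=4
| streamstats count AS n
| eval totalcost=case(n=1, "12.50", n=2, "", n=3, " ")
| eval kind=case(isnull(totalcost), "null (field absent)",
                 len(trim(totalcost))=0, "empty or blank string",
                 true(), "has a value")
| fillnull value=0 totalcost
| eval after_fillnull=totalcost
| eval totalcost=if(len(trim(totalcost))=0, "0", totalcost)
| table n kind after_fillnull totalcost
```

Only the fourth result (the one with no totalcost field, where case() matched nothing and left the field null) receives a value from fillnull; the empty-string and space-only results still show their original value in after_fillnull. The final eval, which tests len(trim(...)), is what assigns "0" to those two. Swap the order of the last two commands and fillnull is still needed for the absent field, because len() of a null field is itself null and the if() test does not fire.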
Question 83
Which function should you use with the transaction command to set the maximum total time between the earliest and latest events returned?
Correct Answer: D
Explanation: maxspan is the argument of the transaction command that sets the maximum total time between the earliest and latest events in a transaction. It takes a time value such as 30s, 5m or 1h. If adding an event would make a transaction's span exceed the maxspan value, that event starts a new transaction, so a long run of related events is split into several transactions. maxspan limits the total span; the related maxpause argument limits the gap between consecutive events, and maxevents limits the number of events in one transaction.
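As an added example (not from the original page), the search below constructs six events in one session with makeresults: three a minute apart, then a 28-minute gap, then three more a minute apart. The JSESSIONID value and the action names are constructed sample data. transaction expects events in descending time order, hence the sort before it:

```spl
| makeresults count=6
| streamstats count AS n
| eval _time=now() - 3600 + case(n<=3, (n-1)*60, true(), 1800 + (n-4)*60)
| eval JSESSIONID="SD5SL7FF6ADFF4953"
| eval action=case(n=1 OR n=4, "login", n=2 OR n=5, "view", true(), "purchase")
| sort 0 - _time
| transaction JSESSIONID maxspan=10m
| table _time JSESSIONID eventcount duration action
```

With maxspan=10m the six events become two transactions of three events each, because the second group lies well outside a ten-minute window that starts at the first group. Remove maxspan and the same events collapse into a single transaction whose duration field covers the whole 32-minute run; replace maxspan=10m with maxpause=5m and you get the same two-transaction split, but because of the gap between events rather than the total span. duration and eventcount are fields that transaction adds to every transaction it emits.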
Question 84
Which are valid ways to create an event type? (select all that apply)
Correct Answer: C,D
Event types are custom categories of events that are based on search criteria. Event types can be used to label events with meaningful names, such as error, success, login, logout, etc. Event types can also be used as the basis for transactions, alerts, reports, dashboards, etc. Event types can be created in two ways in Splunk Web: By going to Settings > Event types and clicking New Event Type. This opens a form where you can enter the name, description, search string, app context and tags for the event type. By selecting an event in search results and clicking Event Actions > Build Event Type. This opens a dialog where you can choose the field values to include and enter a name for the event type; the search string is populated from the selected event. Event types cannot be created with a searchtypes command in the search bar, because no such command exists in Splunk. Event types are stored in eventtypes.conf, not in props.conf or transforms.conf; each event type is a stanza in that file with a search attribute, and tags attached to it live in tags.conf.
Question 85
Which of the following statements describes the command below? (select all that apply)
sourcetype=access_combined | transaction JSESSIONID