During the validation step of the Field Extractor workflow: Select your answer.
Correct Answer: A
During the validation step of the Field Extractor workflow, you can remove values that aren't a match for the field you want to define. The validation step allows you to review and edit the values that have been extracted by the FX and make sure they are correct and consistent. You can remove values that aren't a match by clicking on them and selecting Remove Value from the menu. This will exclude them from your field extraction and update the regular expression accordingly. Therefore, option A is correct, while options B and C are incorrect because they are not actions that you can perform during the validation step of the Field Extractor workflow.
Question 87
Which Knowledge Object does the Splunk Common Information Model (CIM) use to normalize data, in addition to field aliases, event types, and tags?
Which of the following statements describe calculated fields? (select all that apply)
Correct Answer: A,B,D
Reference: https://docs.splunk.com/Documentation/Splunk/8.0.3/Knowledge/definecalcfields
Calculated fields are fields that are created by performing calculations on existing fields using the eval command. Calculated fields can be used in the search bar to filter and transform events based on the calculated values. Calculated fields can also be based on an extracted field, which is a field that is extracted from raw data using various methods, such as regex, delimiters, lookups, etc. Calculated fields are not shortcuts for performing calculations using the eval command, but rather results of performing calculations using the eval command. Calculated fields can be applied to any field in Splunk, not only host and sourcetype. Therefore, statements A, B, and D are true about calculated fields.