SPLK-1002 Exam - Question 18

ABD is the ans

ABD . A is also correct

Might just be AD B says it CAN be based on extracted field - which suggests other alternatives. pg 187 of F2: "Must be based on an extracted field"

ABD is correct

ABD, 188-190 of the PDF

"MUST be based on extracted field", not CAN be based on extracted field.

ABD is correct

To answer this question you must pay attention at the search time operations sequence: 1. Extractions 2. Aliases 3. Calculated 4. Lookups 5. Event types 6. Tags A. That's correct B. Yes, since calculated fields are evaluate after field extractions D. That's correct since this is the definition of calculated fields

A. Calculated fields can be used in the search bar. True. Calculated fields can be referenced in the search bar like any other extracted field1. B. Calculated fields can be based on an extracted field. True. Calculated fields can use extracted fields in their calculations1. C. Calculated fields can only be applied to host and sourcetype. False. While you can select a host, source, or source type to apply to the calculated field2, it’s not limited to only these options. D. Calculated fields are shortcuts for performing calculations using the eval command. True. Calculated fields are indeed used as shortcuts for performing repetitive, long, or complex transformations using the eval command1.

F2, P188 + P189

I know that F2 says it MUST be based on extracted field, not CAN be based. But in reality it doesn't need to be. "| eval newField = 1" works just fine, no extracted field. So ABD is correct.

The documentation say: "Select host, source or sourcetype to apply to the calculated field and specifi the related name", not only host and source, I have my doubts!

Answer: ABD