
SPLK-1002 · Question #175

SPLK-1002 Question #175: Real Exam Question with Answer & Explanation

The correct answer is B: A field added by an automatic lookup.

Creating Field Aliases and Calculated Fields

Question

Which of the following objects can a calculated field use as a source?

Options

  • A. An alias of a field.
  • B. A field added by an automatic lookup.
  • C. The tag field.
  • D. The eventtype field.

Explanation

A field added by an automatic lookup. A calculated field is a field that is added to events at search time by using an eval expression. A calculated field can use the values of two or more fields that are already present in the events to perform calculations. A calculated field can use any field as a source, as long as the field is extracted before the calculated field is defined. An automatic lookup is a way to enrich events with additional fields from an external source, such as a CSV file or a database. An automatic lookup can add fields to events based on the values of existing fields, such as host, source, sourcetype, or any other extracted field. An automatic lookup is performed before the calculated fields are defined, so the fields added by the lookup can be used as sources for the calculated fields. Therefore, a calculated field can use a field added by an automatic lookup as a source.

Topics

#Calculated Fields #Field Sources #Lookups #Knowledge Objects
