Using Fields

Question 1

The fields command allows you to do which of the following? Select all that apply.

• Include fields (fields)
• Exclude fields (fields -)
• Include fields (fields +)

Answer 1

Include fields (fields)
Exclude fields (fields -)
Include fields (fields +)

Question 2

At search time, if an event has an equal(=) sign, the data to the left is treated as a ______ and the data to the right is treated as a ______.

• lookup, sourcetype
• field name, sourcetype
• field name, value
• lookup, value

Answer 2

field name, value

Question 3

Which of the following fields are default selected fields?

• source
• index
• sourcetype
• host

Answer 3

source
sourcetype
host

Question 4

True or False: Fields are knowledge objects.

TRUE
FALSE

Answer 4

True

Question 5

In the Fields sidebar, Interesting Fields occur in at least ________ of resulting events.

• 20%
• 50%
• 10%
• 3%

Answer 5

20%

Question 6

To remove fields from a search, you would use the _________ command.

• fields-
• +fields
• fields+
• -fields

Answer 6

fields-

Question 7

True or False: Once you rename a field, the new field name must be used in the rest of the search string.

FALSE
TRUE

Answer 7

True

Question 8

At search time, _______ extracts fields from raw event data.

• fields command
• field discovery
• field extractor

Answer 8

field discovery