Free Splunk SPLK-1002 Actual Exam Questions - Question 15 Discussion
A calculated field may be based on which of the following?
D, since calculated fields usually use fields extracted during indexing or processing.
Maybe D here too. Calculated fields usually work off fields already available, and extracted fields fit that since they’re specifically pulled out during processing. A sounds tricky because fields generated within a search string might just be temporary or part of the expression itself, not really a base for calculation. B and C seem off since lookup tables and regex are more about data manipulation or extraction, not building new calculated values directly. So D feels like the safest bet based on how calculated fields typically function.
A imo, since fields generated within a search string can be used as a base for calculations, not just extracted fields. That makes A a solid candidate alongside D.
Makes sense to exclude B and C since they’re more about data enrichment, so I’m with D here.
Hey, does the question mean fields created during the search or ones that are already extracted? Feels like it could affect which option fits best.