Lookup correct: https://docs.splunk.com/Documentation/CIM/4.6.0/User/UsetheCIMtonormalizedataatsearchtime
This one clearly states Lookups and field extractions.
Seems like the answer is BD here, from the above link from some_thing, 5. Make your fields CIM-compliant. Normalize your data via the three methods, Lookup, Field Aliases and Field Extraction.
Reference: Fund 2 - P.268: Leverage CIM when creating field extractions, field aliases, event types and tags ... D is the best-fit in the answer set here.
"Normalize your data for each of these fields using a combination of field aliases, field extractions, and lookups." from https://docs.splunk.com/Documentation/CIM/4.6.0/User/UsetheCIMtonormalizedataatsearchtime
Answer is D
pg 267 F2
Leverage the CIM when creating Field Extractions, Field Aliases, Event Types and Tags.
There is no reason for any answers here to be wrong. There's documentation lol, and the actual PDF that can be found on the internet.
Does this question ask for multiple options? It doesn't say "Choose all that apply" as in the others. If it needs only one, I'd definitely go for D. Field Extraction. If I can choose more than one, I'd go with B and D.
The answer is D. It cannot be B because -
Sure. Lookups are used to map values from one field to another. They cannot be used to normalize data by extracting the same data from different events and storing it in the same field.
For example, a lookup could be used to map the value "John Doe" from the user_name field to the full_name field. This would not normalize the data, as the user_name and full_name fields would still contain different data.
Lookups can be used to normalize data in some cases, but they are not the only knowledge object that can be used for this purpose. Field extractions are a more powerful tool for normalizing data, as they can be used to extract data from events and store it in fields.
If a user wants to convert numeric field values to strings and then sort on those values, they should use the eval command first and then the sort command.
The eval command is used to add a new field to the search results that contains the string representation of the numeric field. For example, the following eval command converts the count field to a string: | eval count_str=tostring(count)
B and D.
https://docs.splunk.com/Documentation/CIM/4.15.0/User/UsetheCIMtonormalizedataatsearchtime
In the above link, under point 5a.
Normalize your data for each of these fields using a combination of field aliases, field extractions, and lookups.