© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Advanced Searching and Statistics

Practice SPLK-1003 Advanced Searching and Statistics questions with full explanations on every answer.

150 questions


All SPLK-1003 Advanced Searching and Statistics questions (150)


1. A security analyst needs to find all events where the field 'user' has a value that is either 'admin' or 'root', but the search is returning too many results from a noisy source. Which search best filters the events to only include those where the 'user' field exactly matches 'admin' or 'root'?
2. A Splunk administrator runs the following search and notices that the results include events where the 'status' field is 200 or 404, but also includes events where the 'status' field is missing. What is the most efficient way to modify the search to exclude events where the 'status' field does not exist?
3. An analyst wants to find the top 5 users who have the highest total bytes transferred. The data has fields 'user' and 'bytes'. Which search should be used?
4. A search returns events with a field 'response_time' in milliseconds. The analyst wants to categorize response times into three buckets: 'fast' (< 100), 'medium' (100-500), 'slow' (> 500). Which search correctly creates this categorization?
5. A search uses 'transaction' to group events by session, but the results show too many transactions with only one event. What is the best way to filter out single-event transactions?
6. Which TWO of the following statements about the 'stats' command are true?
7. Which THREE of the following are valid Splunk search commands for determining the number of distinct values of a field?
8. The search returns zero results, but the lookup file contains users with names like 'admin1', 'admin2'. What is the most likely reason?
9. The search returns unexpected results, including IP addresses that are not in the expected format (e.g., '127.0.0.1' appears as '27.0.0.1'). What is the most likely cause?
10. A security analyst needs to find all events where the field `status` has a value of either "error" or "critical" and the field `bytes` is greater than 1000. Which search correctly accomplishes this?
11. A Splunk admin wants to track the number of unique users who accessed a system each hour over the past 24 hours. Which search provides the correct result?
12. A search returns many events, and the analyst wants to see a summary table of the top 5 values of the field `src_ip` along with the count of events for each. Which command should be used?
13. An analyst needs to identify events where the field `response_time` is more than 2 standard deviations above the average response_time for the same `host`. Which approach should be used?
14. An analyst wants to create a timechart of the count of events per hour, but only for events where the field `status` contains the word "fail" (case-insensitive). Which search is correct?
15. Which TWO of the following statements about the `transaction` command are true? (Choose two.)
16. Which THREE of the following are valid ways to create a subsearch in SPL? (Choose three.)
17. A security analyst wants to find all events where the field 'src_ip' matches any IP address in a lookup table named 'malicious_ips.csv'. The lookup has fields 'ip' and 'threat'. Which search correctly enriches events with the threat info and filters to only malicious IPs?
18. A search returns events with fields 'user', 'action', and 'count'. The analyst wants to create a timechart showing the number of distinct users performing 'login' actions per hour. Which search is correct?
19. An analyst runs `index=web status=500 | top 10 uri` and gets results. Which statement is true about the 'top' command's behavior?
20. A search returns events with fields 'user', 'duration', and 'status'. The analyst wants to find users whose average duration exceeds 100 and who have more than 5 events. Which search is correct?
21. A search includes `... | eval day=strftime(_time, "%A") | stats count by day | sort count`. The results show Monday has the highest count. The analyst wants to confirm that the timezone is correctly applied. Which command should be added before the eval to ensure the day calculation uses the local timezone?
22. Which TWO of the following statements about the 'transaction' command are true? (Choose two.)
23. Which THREE of the following commands can produce a time-based chart (timechart or chart with time buckets)? (Choose three.)
24. The exhibit shows a search to find the top 5 URI-method combinations by count. However, the results show only 5 rows, but the analyst expected to see the top 5 URIs overall, not combinations. Which change to the search would achieve the desired result?
25. A security analyst needs to find all events where the field 'status' is either 'error' or 'critical', and then count the number of events per source IP. Which search is correct?
26. The search above is executed but returns unexpected results: the count for 'API' is much lower than expected. What is the most likely cause?
27. A Splunk administrator runs the following search to identify the top 5 users by total bytes transferred: `index=proxy sourcetype=webproxy | stats sum(bytes) as total_bytes by user | sort - total_bytes | head 5`. The search returns results, but the numbers seem inflated. On closer inspection, the 'bytes' field is a string type. What must be done to correct the search?
28. An analyst needs to calculate the average response time for each web server, but only for requests that returned status code 200. The field 'response_time' is numeric. Which search correctly achieves this?
29. A security analyst needs to find all login events where the user 'jsmith' attempted to authenticate from an IP address outside the corporate subnet (10.0.0.0/8) after business hours (after 18:00). Which search correctly filters for these events?
30. An analyst wants to calculate the average response time for each web server, but only for requests that returned status code 200. Which search accomplishes this?
31. A dashboard is slow to load because it runs a search that uses `transaction` to group events into sessions. The search is `index=main source=web | transaction clientip maxspan=30m maxpause=5m`. What is the most effective way to improve performance?
32. Arrange the steps to create a new index in Splunk in the correct order.
33. Arrange the steps to create a knowledge object of type 'Event Type' in Splunk.
34. Arrange the steps to configure role-based access control in Splunk.
35. Match each Splunk search command to its primary function.
36. Match each Splunk search operator to its behavior.
37. Match each Splunk report type to its description.
38. A security analyst needs to find the top 10 users with the most failed login attempts from the linux_secure sourcetype. Which SPL command is most efficient for this task?
39. A search returns 50,000 events. The analyst wants to sample 1% evenly across time. Which sampling command should be used?
40. Which of the following searches correctly computes the average response time per host?
41. Which command adds the overall average of a field to each event in the results?
42. A search uses `transaction maxspan=30s maxpause=5s`. Events are sorted by _time. If there is a gap of 10 seconds between two events, what happens?
43. Which command extracts a field named 'ip' from the raw event using a regex pattern?
44. Which command returns the list of all sourcetypes in a specific index?
45. A search produces a field 'count'. You need to find the event with the maximum count. Which approach is correct?
46. Which command creates a time-based chart showing a count of events over time?
47. Which TWO of the following are valid methods to join two sets of search results?
48. Which TWO of the following eval functions can be used to convert a string to a numeric value?
49. Which THREE of the following are valid Splunk search commands?
50. Refer to the exhibit. The search returns 50 results after the `where` command. What is the purpose of the `eval` command?
51. Refer to the exhibit. The search is intended to display users who logged in from IP addresses starting with 10.0, but returns no results. What is the most likely cause?
52. Refer to the exhibit. What is the result of this search?
53. A security analyst wants to calculate the average latency for each web server over the past hour, but only for requests where the status code is 200. The search result includes fields: server, latency, status. Which search correctly accomplishes this?
54. An analyst wants to create a time series chart showing the count of errors per hour over the last 24 hours. The errors are logged with sourcetype=error_log. Which search achieves this?
55. A Splunk administrator is troubleshooting a search that uses the transaction command to group login and logout events. The search runs but returns no results even though both types of events exist. The events are separated by at most 5 minutes. The current transaction command is: `index=auth (action=login OR action=logout) | transaction action maxspan=10m maxpause=2s`. What is the most likely cause?
56. An analyst wants to create a running total of sales per day over a week. The data has fields: date, sales. Which search would produce a cumulative sum for each day?
57. A search returns duplicate events for the same user. The analyst wants to keep only the first occurrence of each user based on timestamp. Which sequence of commands is best?
58. A search is used to calculate the 95th percentile of response times for each application, and then to find applications where the 95th percentile exceeds 5000 ms. The current search is: `index=perf sourcetype=app_response | stats perc95(response_time) by app | where perc95(response_time) > 5000`. This search fails with an error. What is the most likely reason?
59. A search uses eventstats to add the average response time per server to each event. Which of the following correctly describes the output?
60. An analyst wants to see the count of distinct users for each department over the last week. The data contains fields: user, department, date. Which search is correct?
61. A Splunk search uses a subsearch to find the top 10 client IPs and then retrieve all events from those IPs. The subsearch is: `index=web sourcetype=access | search [ top clientip | fields clientip ]`. What does this search return?
62. Which TWO of the following are valid uses of the stats command in Splunk? (Choose two.)
63. Which THREE of the following are benefits of using eventstats over stats when analyzing event logs? (Choose three.)
64. Which THREE of the following are correct characteristics of the transaction command? (Choose three.)
65. The exhibit shows a search that categorizes HTTP status codes and counts them. If the search returns only three categories, what is the most likely reason?
66. A security analyst notices that a timechart command is returning too many data points on the x-axis, making the chart unreadable. Which command modification should be used to reduce the number of data points?
67. A search returns raw events with a field 'response_time'. The analyst wants to calculate the average response time excluding any outliers that are more than 3 standard deviations from the mean. Which SPL approach is most efficient?
68. An administrator wants to correlate events from the same session, but the events span up to 30 minutes apart. The transaction command is being considered. Which transaction option is most appropriate to ensure sessions are correctly grouped without artificially high memory usage?
69. Which SPL command can be used to create a new field based on a conditional evaluation, such as setting a status field to 'critical' if a numeric threshold is exceeded?
70. A search is producing results that include both internal and external traffic. The analyst wants to approximate the number of distinct destination IPs for internal traffic only, where internal IPs fall within the 10.0.0.0/8 range. Which approach is most efficient?
71. A search uses a subsearch to retrieve a list of user IDs, and then the main search uses the IN operator to filter events. The subsearch is expected to return up to 10,000 values. What is a potential limitation and how can it be addressed?
72. An analyst wants to remove events that contain the string 'debug' from a log. Which command should be used?
73. When using the stats command with multiple BY fields, the results show many rows with null values. What is the most likely cause and how can it be reduced?
74. A search uses the map command to run a search for each value of a field. The search is taking a very long time. Which alternative approach is recommended for better performance?
75. Refer to the exhibit. What is the purpose of the eval command in this search?
76. Refer to the exhibit. Which statement about this search is true?
77. Refer to the exhibit. What does the final result represent?
78. A search is running slowly due to a large data volume. Which TWO modifications are likely to improve search performance? (Select two.)
79. An analyst wants to create a time-series comparison of the current week and the previous week. Which TWO commands are commonly used together to achieve this? (Select two.)
80. Which THREE of the following are valid uses of the stats command? (Select three.)
81. A security analyst wants to find IP addresses that have attempted to access a specific URL more than 5 times in the last hour and also have a user agent string containing "curl". They need to use a subsearch to pre-filter IPs. Which search is correct?
82. A team uses a large index with many sourcetypes. They want to find events where the field "status" contains either "error" or "failure" (case-insensitive), and also ensure that "response_time" > 1000. Which search best optimizes performance?
83. A user wants to create a chart showing the count of errors per hour for the last 24 hours, with time bucketed hourly. Which search is correct?
84. Which TWO of the following commands can be used to create a table of unique values for a field, along with their counts?
85. Which TWO search commands can be used to calculate a running total (cumulative sum) of a field over time?
86. Which THREE of the following are valid ways to extract a substring from a field named "full_name" that contains "Firstname Lastname" into separate fields?
87. Refer to the exhibit. What will this search return?
88. Refer to the exhibit. What is the purpose of this search?
89. Refer to the exhibit. The search is taking a very long time and returning few results. Which change would most improve performance?
90. A user wants to see the top 5 most common HTTP methods (field "method") from web access logs, along with their percentage of total. Which search is best?
91. A security analyst needs to correlate login events with subsequent actions from the same user within 30 minutes. They need to ensure that only one login per user session is considered, and actions after login are attached. Which command is most appropriate?
92. A search uses a subsearch to filter events, but the subsearch returns more than 50,000 results, causing the search to fail. Which approach can avoid this limit while still achieving the goal?
93. A user wants to calculate the average response time per user, but only for users who have more than 10 events. Which search approach is efficient?
94. A user wants to create a timechart showing the number of distinct users per hour over the past week. Which search is correct?
95. A search uses the transaction command with maxevents=1000 and maxspan=1h. The search is slow and memory-intensive. Which modification can reduce resource usage while still grouping related events?
96. A security analyst runs `index=network sourcetype=firewall | stats count by src_ip | sort - count | head 10` to find the top 10 source IPs by event count. The search returns only 5 results. Which of the following is the most likely reason?
97. A developer needs to calculate the 95th percentile of response times for each service over the past hour. The data has fields: service, response_time. Which search achieves this correctly and efficiently?
98. A user wants to add a field showing the average value of a numeric field `latency` for each host, without reducing the number of events. Which command should be used?
99. An analyst runs a search that includes a subsearch: `index=web [search index=web status=500 | fields url | dedup url | limit 5]`. The main search returns no results even though the subsearch returns 5 URLs. What is the most likely issue?
100. A search needs to find events where the same user logged in from more than 3 different IP addresses within a 5-minute window. Which combination of commands is most efficient?
101. A data scientist wants to extract the domain from email addresses in the `_raw` field. The emails follow the pattern user@domain.tld. Which eval expression should be used to create a new field called `domain` containing only the domain part?
102. A search using `tstats` to query a data model returns results but is slow. Which of the following is the most likely cause?
103. A search `index=main | eval weekday=strftime(_time,"%A") | stats count by weekday | sort - count` shows that Monday has the highest count. However, the user suspects that Monday data is double-counted due to timezone offset. What should be done to investigate?
104. A search returns 1000 results per second. The user wants to see a trend of counts over the past hour in 5-minute intervals. Which command should be used?
105. Which TWO of the following are valid aggregation functions in the `stats` command? (Choose 2)
106. Which THREE of the following are true about the `transaction` command? (Choose 3)
107. Which TWO of the following commands are useful for reducing the number of events before a `stats` command to improve performance? (Choose 2)
108. Refer to the exhibit. The search above returns no results for api_version. What is the most likely cause?
109. Refer to the exhibit. The search results show a large number of hosts, but the `limit=5` only shows the top 5. The eval statement fails with an error. Why?
110. Refer to the exhibit. The search returns results quickly but shows zero events for some src values. What does `summariesonly=t` imply?
111. A company uses a large Splunk environment with many users creating dashboards. They notice that some searches are slow and consume excessive resources. What is the best practice to optimize search performance?
112. A security analyst wants to find IP addresses that have been involved in both login failures and successful logins within a 5-minute window. Which approach is most efficient?
113. Which command is used to convert a multi-value field into individual events?
114. A user wants to create a report that shows the top 5 sources of errors, excluding a specific source 'host1'. Which SPL is correct?
115. An administrator notices that a search using the timechart command returns data for every 15-minute bucket even when no events exist, creating many null values. How can this behavior be suppressed?
116. Which command creates a new field that contains the string 'high' if a numeric field exceeds 100, otherwise 'low'?
117. A user runs a search that returns 1,000,000 results but only sees 5,000 in the Statistics tab. What is the most likely cause?
118. A search analyst wants to calculate the average transaction time for each user and then find users whose average transaction time exceeds the overall average. Which approach is most efficient?
119. Which of the following is true about the sort command?
120. A user needs to identify the top 3 error types by count, but only for the current month, and exclude results with fewer than 100 occurrences. Which TWO steps are necessary? (Select two.)
121. A search administrator wants to ensure that a scheduled search runs efficiently and does not impact other users. Which TWO practices should be implemented? (Select two.)
122. A user needs to find events where a user had a failed login followed by a successful login within 10 minutes, and then list the total number of such occurrences per user. Which THREE steps are necessary? (Select three.)
123. Refer to the exhibit. This search returns an error. What is the most likely cause?
124. Refer to the exhibit. This search is intended to find users with average duration above the overall average. However, it returns no results. Why?
125. A large e-commerce company runs Splunk Enterprise on a single indexer cluster with four indexers. They have been experiencing slow search performance during peak hours, especially for searches that cover the last 24 hours. The environment uses a default search time range of 'Last 30 days'. The team has noticed that searches often time out or return partial results. They have also observed high CPU usage on the search head during peak times. The company's data volume is approximately 500 GB per day across various sources. They have implemented some search acceleration for data models, but the issue persists. The security team needs to run ad-hoc searches for threat hunting that cover multiple sourcetypes over the last 7 days. Additionally, the search head has a memory limit that is sometimes reached. The security team's searches are complex and involve joins and subsearches. The existing acceleration only covers a few data models. The team is looking for a quick win that does not require significant infrastructure changes. Which course of action would most effectively improve search performance without compromising data completeness?
126. A user wants to find the top 5 sourcetypes by event count over the last 24 hours. Which search is correct?
127. A Splunk admin notices that a search using the transaction command takes too long. To debug, they want to see how events are grouped into transactions before the transaction command runs. Which command can be added to the search pipeline before transaction to inspect the grouping?
128. A web application log contains fields: user, timestamp, response_time. You need to compute the average response time per user, excluding outliers where response_time > 10000 ms. Which search produces the correct result?
129. To count events by host for the last hour, which search is most efficient?
130. You need to find the percentage of total events contributed by each sourcetype. Which command should follow `index=* | stats count by sourcetype`?
131. A search includes a subsearch that returns 100,000 results, causing performance issues. Which optimization is best?
132. To find users who logged in from more than 3 different IP addresses, which search is correct?
133. Which TWO of the following are valid ways to calculate the median of a numeric field?
134. Which THREE of the following are valid ways to count the number of events per minute for a given sourcetype?
135. Which TWO of the following commands can be used to find the most frequent value of a field within each group?
136. A security analyst is investigating a potential breach. They have a search that uses the transaction command to group events by session_id and calculates the total bytes transferred per session. However, the search takes over 30 minutes to complete on a 24-hour time range. The environment has 10 indexers with default settings. The analyst needs to reduce search time while preserving the ability to group by session_id. Which course of action should they take?
137. A Splunk admin is responsible for a search dashboard that displays real-time statistics of application errors. The search uses `index=app sourcetype=error | timechart count by severity span=5m`. Users report that the dashboard is slow and often times out. The environment has 4 indexers and the data volume is about 500 GB/day. The admin wants to improve performance without changing the dashboard's output. Which step should they take?
138. A large e-commerce platform uses Splunk to monitor user sessions. Each session is composed of multiple events with a common 'session_id' field. The current search to compute average session duration is: `index=web | transaction session_id maxspan=30m | eval duration=_time_last - _time | stats avg(duration)`. This search runs for over an hour on a 6-hour time window. The environment has 20 indexers and data volume is 2 TB/day. The admin suspects that the transaction command is the bottleneck. Which optimization should be applied?
139. A network operations team uses Splunk to analyze firewall logs. They need to identify top talkers (source IPs with the highest total bytes) over the last hour. The current search, `index=firewall | stats sum(bytes) as totalBytes by src_ip | sort -totalBytes | head 10`, takes 5 minutes to complete. They want to make it faster. The environment has 5 indexers with default configurations. The data volume is 100 GB/day. Which action will most improve search performance?
140. A developer wants to debug a slow Splunk search that uses multiple eval and where commands. The search returns correct results but takes 2 minutes. The developer wants to identify which parts of the search are slow. The environment is a single-instance Splunk with moderate data. What should the developer do?
141. Which TWO commands can be used to perform statistical aggregations on streaming events without creating a separate search results set?
142. A security team runs a search to count login failures per user over the last 24 hours: `index=security action=failure | stats count by user`. The results show counts, but some users have extremely high counts due to a brute force attack. The team wants to identify users with a count greater than 100. What should they do to get the desired list?
143. A Splunk environment ingests 10 TB per day. A user runs a search to count events per sourcetype over the last 7 days: `index=* earliest=-7d | timechart count by sourcetype`. The search returns partial results and eventually times out. The user needs to obtain the complete results efficiently. What is the best course of action?
144. A user runs a search on web access logs: `index=web | eventstats sum(bytes) as total_bytes by host`. The search returns the correct total bytes per host, but now the user needs to calculate the average bytes per host for each event. Which command should be added to the base search to achieve this?
145. A user needs a report showing the number of distinct source IPs per sourcetype over the last hour. They run: `index=* earliest=-1h | stats dc(src_ip) by sourcetype`. The search runs slowly (2 minutes) and they want to speed it up. Which optimization is most effective?
146. A security analyst wants to create a comparison report showing the count of login failures by user for today versus yesterday. They run: `index=security action=failure | timechart count by user`. This produces a chart of counts over time, but they want separate columns for today and yesterday. How can they achieve this comparison efficiently?
147. An analyst wants to identify the top 5 user agents that generated the most 404 errors in the last 24 hours. Which search accomplishes this correctly and efficiently?
148. Which TWO of the following searches are syntactically valid uses of the eventstats command? (Assume all referenced fields exist.)
149. Refer to the exhibit. What does the pct field represent?
150. A large e-commerce company uses Splunk to monitor their web application. They have a query that uses the transaction command to group related events into transactions based on session ID and a 30-minute max pause. The query runs slowly and often times out. The environment has 10 indexers with 4 CPU cores each. The search is run over the last 7 days. Which of the following is the best course of action to improve performance?


Frequently asked questions

What does the Advanced Searching and Statistics domain cover on the SPLK-1003 exam?

The Advanced Searching and Statistics domain covers the key concepts tested in this area of the SPLK-1003 exam blueprint published by Splunk. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all SPLK-1003 domains — no account required.

How many Advanced Searching and Statistics questions are in the SPLK-1003 question bank?

The Courseiva SPLK-1003 question bank contains 150 questions in the Advanced Searching and Statistics domain. Click any question to see the full explanation and answer breakdown.

What is the best way to practice Advanced Searching and Statistics for SPLK-1003?

Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.

Can I practice only Advanced Searching and Statistics questions for SPLK-1003?

Yes — the session launcher on this page draws questions exclusively from the Advanced Searching and Statistics domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.
