Practice SPLK-1003 Advanced Visualization and Lookups questions with full explanations on every answer.
1. A security analyst creates a timechart of login failures by source IP. The chart shows expected spikes, but the top 5 IPs account for <10% of all failures. The analyst suspects a DDoS attack using spoofed IPs. Which visualization type would BEST highlight the distribution of failures across all IPs?
2. An engineer runs `| inputlookup asset_lookup.csv | table asset_id asset_name` and gets no results despite the file existing in $SPLUNK_HOME/etc/apps/search/lookups/. The lookup definition is correctly configured. What is the MOST likely cause?
3. A dashboard shows a single-value visualization of total sales. The underlying search uses `| stats sum(sales)`. The dashboard refreshes every 5 minutes, but the value only updates when the page is manually reloaded. Which setting is MOST likely missing?
4. A user creates a lookup definition for a CSV file containing user roles. The lookup is used in a search: `| lookup user_roles username OUTPUT role`. The search returns no additional field. The lookup file has columns: 'username', 'role', 'department'. What is the MOST likely issue?
5. A dashboard uses a timechart to show CPU usage over 24 hours. The time range selector is set to 'Last 7 days'. The chart displays data only for the last 24 hours. Which visualization setting is MOST likely causing this?
6. Which TWO are valid methods to join data from a CSV file in a Splunk search?
7. Which THREE are best practices for creating lookups in Splunk?
8. What is the MOST likely reason the search returns no results?
9. What is the MOST likely cause of this error?
10. A security analyst needs to correlate IP addresses from firewall logs with a lookup table containing known malicious IPs. The lookup table is updated hourly and contains 10,000 entries. Which lookup type should be used to ensure the fastest search performance?
11. A Splunk admin notices that a scheduled search using inputlookup is returning inconsistent results. The lookup file is stored on the search head and is updated via a script every 15 minutes. What is the most likely cause of the inconsistency?
12. A dashboard developer wants to create a single-value visualization that shows the current server status from a lookup table. Which Splunk command should be used to retrieve the lookup data in a real-time context?
13. An organization uses Splunk to monitor network traffic. They have a CIDR lookup file that maps IP ranges to departments. When they run a search using `| lookup cidr_lookup IP OUTPUT department`, some IP addresses do not return a department even though the IPs are within the defined ranges. What is the most likely issue?
14. A team wants to visualize sales data on a map. They have a lookup table containing city names and their latitude/longitude coordinates. Which visualization type should they use in Splunk to plot the sales amounts on a map?
15. Which TWO of the following are valid methods to create a lookup table in Splunk?
16. Which THREE of the following are best practices when using lookups in Splunk?
17. The exhibit shows a search that reads a lookup file. Which of the following must be true for this search to work correctly?
18. The exhibit shows an error when using a lookup. What is the most likely missing configuration?
19. A security analyst wants to visualize the count of login failures by source IP over the last 24 hours, but only for IPs with more than 10 failures. Which visualization type and SPL command combination is most appropriate?
20. A team uses a lookup table to map employee IDs to department names. The lookup is defined in transforms.conf with max_matches=1. Some events have multiple employee IDs in the emp_id field (comma-separated). The analyst wants to see the department for each ID. Which approach should be used?
21. A Splunk admin notices that a time-based lookup (defined in transforms.conf with time_range=TRUE) is not returning correct results for events outside the lookup's time boundaries. The lookup file contains rows with a valid time range. What is the most likely cause?
22. Which TWO statements about lookups in Splunk are correct? (Choose two.)
23. Refer to the exhibit. An analyst runs a search over access_combined events and notices that some events are not getting the region_name and region_code fields. Which TWO changes could resolve this issue? (Choose two.)
24. A large e-commerce company has a Splunk environment ingesting web server logs from multiple data centers. The security team needs to visualize failed login attempts over time, grouped by geographic region. They have a lookup file geo_region.csv that maps IP addresses to regions. The lookup is defined in transforms.conf with max_matches=0 (all matches) and is used as an automatic lookup in props.conf for the sourcetype 'web_access'. The search returns events with multiple region values per IP (because max_matches=0). The team wants a single region per event for accurate counting. They also need to reduce the number of events processed by filtering only login failures (status=401). Which approach should be taken?
25. A Splunk admin is tasked with creating a dashboard that shows the average response time per server over the last hour, updated every 60 seconds. The data comes from a sourcetype 'app_log' with fields: server, response_time. The admin wants to use a single search with a timechart and set the dashboard's time range picker to 'Last 60 minutes'. However, the chart shows only one data point (the average for the entire hour) instead of per-minute intervals. What is the most likely cause and solution?
26. A security analyst needs to correlate authentication events from multiple Windows domain controllers to identify failed logon attempts from a specific user account, and then enrich the results with the user's department and manager from an HR database. Which TWO Splunk features should the analyst use?
27. A large e-commerce company uses Splunk to monitor its web application performance. The operations team has created a dashboard with a timechart showing the 95th percentile of page load times over the last 24 hours. Recently, the dashboard stopped showing data for the last hour. The Splunk administrator confirms that the index is receiving data and the sourcetype is correctly configured. The search string is: `index=web_app sourcetype=access_combined earliest=-24h@h latest=@h | timechart perc95(page_load_time) by host` The dashboard panel uses a base search and a post-process search. The base search is: `index=web_app sourcetype=access_combined earliest=-7d@d latest=@h` What is the most likely cause of the missing last hour of data?
28. Arrange the steps to create a scheduled report in Splunk in the correct order.
29. Arrange the steps to configure a lookup table file in Splunk.
30. Match each Splunk role to its typical permission level.
31. Match each Splunk index time field to its meaning.
32. An analyst needs to add a field called 'Region' to events based on a lookup table that maps 'StoreID' to 'Region'. The lookup table is defined in transforms.conf as a CSV lookup. Which command should be used in the search to perform this enrichment?
33. A company has a lookup table that contains product prices that change over time. The lookup has a 'valid_from' and 'valid_to' field. Which lookup type should be defined in transforms.conf to automatically match events to the correct price based on the event timestamp?
34. A dashboard developer wants to display the count of errors over the last 24 hours with a line chart. Which search command should be the final command before the visualization?
35. A search includes a lookup that is used for every event. The lookup file has 500,000 rows. The search is running slowly. Which change could improve performance?
36. A SOC manager wants to plot locations of security incidents on a map using latitude and longitude fields. Which visualization type should be used in a Splunk dashboard?
37. A lookup table maps combinations of 'source_ip' and 'dest_port' to a 'policy' field. The lookup is defined in transforms.conf with a max_match of 1. Which lookup command syntax will correctly perform the lookup?
38. A team wants to create a custom visualization that requires JavaScript and CSS modifications. Which Splunk feature should be used?
39. A lookup is not returning any results even though the search events contain the matching field. The lookup definition in transforms.conf includes 'default_match = false'. What is the most likely issue?
40. During peak hours, a search that uses a KV Store lookup frequently times out. The search runs on daily data but the KV Store collection has millions of records. Which approach is most effective to reduce lookup time while maintaining data freshness?
41. Which two lookup types in Splunk support automatic time-based matching? (Choose 2)
42. Which three considerations are important when creating a visualization for a dashboard that will be displayed on a large monitor? (Choose 3)
43. Which two methods can reduce the resource consumption of a large CSV lookup in Splunk? (Choose 2)
44. An analyst runs a search with the command 'lookup region_lookup region_code OUTPUT region_name'. The events have a region_code field with values like 'us-east' and 'eu-west'. The lookup file contains 'US-EAST' and 'EU-WEST'. The lookup returns no results. What is the most likely cause?
45. The search returns a timechart with multiple series but the series colors are all the same. What is the most likely reason?
46. What action can the administrator take to resolve this warning?
47. A security analyst needs to enrich authentication logs with employee department information stored in a CSV file called 'employees.csv'. The CSV has fields: 'emp_id', 'name', 'department'. The authentication logs contain a field 'user_id' that matches 'emp_id'. Which search correctly enriches the events with the department field?
48. A Splunk administrator wants to create a static lookup table from a search result. Which approach is recommended?
49. A lookup definition is correctly configured, but when used in a search, no results are returned. The lookup file exists and contains data. What is the most likely cause?
50. An analyst uses the following search: `... | timechart span=1h count by status`. What is the purpose of the span argument?
51. Which of the following is a recommended practice when creating a lookup table file?
52. A team uses a lookup to enrich web logs with customer region. The lookup is file-based and updated daily. Some events are not being enriched even though the lookup file has matching keys. What could be the issue?
53. An analyst wants to create a visualization showing the average response time by hour over the past day, with each server in a separate line. Which command should they use?
54. What is the purpose of an automatic lookup?
55. An analyst uses the following search: `index=web status=500 | timechart count by method`. What does the timechart command do?
56. Which TWO of the following are best practices when creating lookup table files?
57. Which THREE of the following are features of the `timechart` command?
58. Which THREE steps are necessary to create a file-based lookup?
59. Which statement best describes the search result?
60. Where must the file 'departments.csv' be placed for this lookup definition to work?
61. What is the type of visualization produced?
62. A company needs to enrich events with lookup data that changes over time, such as daily exchange rates. Which lookup method is most appropriate?
63. A security analyst wants to visualize the count of login failures per hour, grouped by source IP. Which SPL command should they use?
64. A large CSV lookup file (over 10 million rows) is causing search performance degradation. Which solution best improves performance without sacrificing accuracy?
65. In a dashboard, a bar chart shows sales by region. The user wants to click on a bar and have a table filter to show only that region's details. Which drilldown technique should be used?
66. An analyst needs to create a time-series chart showing the percentage of total HTTP status codes per day. Which approach is most efficient?
67. A network engineer wants to add geographic location (city, country) to firewall logs based on source IP. Which lookup type is most appropriate?
68. An automatic lookup is configured in props.conf and transforms.conf, but the expected fields are not appearing in search results. Which is the first thing to verify?
69. A lookup table must be updated multiple times per minute from an external API. Which lookup method provides the best performance for search-time enrichment?
70. A dashboard developer wants to color-code the bars in a column chart based on a severity field (critical=red, high=orange, medium=yellow, low=green). How can this be achieved?
71. Which TWO settings are required in a transforms.conf stanza for a file-based lookup to work? (Select two.)
72. Which THREE practices improve lookup performance in Splunk? (Select three.)
73. Which TWO SPL commands can be used to create a time-based chart showing event counts over time? (Select two.)
74. Refer to the exhibit. When a source IP does not match any entry in geo.csv, what values will be added to the event?
75. Refer to the exhibit. What happens when a user clicks on a status value in the table?
76. Refer to the exhibit. What is the most likely cause of this error?
77. A company needs to enrich search results with additional fields from a CSV file. Which method should they use to define the lookup table so that it is available in all searches?
78. An analyst creates a timechart to display the average CPU usage over time for multiple hosts. The chart shows a single line representing the overall average instead of separate lines per host. What is the most likely cause?
79. A lookup table file contains 10GB of data. When performing a lookup using the lookup command, search performance is extremely slow. Which approach will most effectively improve performance without losing functionality?
80. A search produces a table with many rows. Which visualization type is best suited to show the distribution of a single field's values?
81. A lookup configured with WILDCARD match_type for pattern '10.*.25' is not matching some events. Which of the following event values would NOT be matched by this lookup?
82. An admin wants to create a dashboard that shows the count of errors by sourcetype over the last 7 days, with the ability to click on a sourcetype to drill down to a detailed search. Which visualization and configuration supports this?
83. An analyst notices that a timechart command with 'by host' shows only 10 hosts even though there are 50 distinct hosts. What could be the reason?
84. An analyst observes that a lookup command with a large lookup file is causing the search to timeout. The lookup is used to extract additional fields based on a field value. What is the most effective immediate solution?
85. An admin creates a dashboard with a timechart panel that drills down to a search for that time range. The drilldown search works but does not include the time range. What is the likely cause?
86. Which TWO configurations are required to create a geospatial visualization of server locations?
87. Which TWO components must be configured to enable an automatic lookup that populates fields at index time?
88. Which THREE of the following are valid methods to create a lookup table in Splunk?
89. An analyst runs this search and gets no results. The lookup file server_list.csv exists and contains data. What is the most likely issue?
90. An admin configured an automatic lookup but events for mysourcetype are not being enriched. What is the most likely problem?
91. An analyst runs this search and gets a chart with only the top 5 hosts per time bucket, but the total count per bucket is much higher than the displayed counts. What is the issue?
92. A security analyst wants to create a visualization that shows the count of failed login attempts per user over the last 7 days. Which visualization type is most appropriate?
93. An IT administrator notices that a lookup table used to enrich firewall logs is not updating correctly. The lookup file is stored in $SPLUNK_HOME/etc/apps/search/lookups/. What is the most likely cause if the lookup is defined as a 'file-based lookup' with automatic lookup?
94. A team is designing a dashboard to monitor real-time server CPU utilization. They want to update every 10 seconds and use a gauge visualization. What is the best search mode to use for real-time performance?
95. A user wants to join data from two datasets in a search. Which command is used to combine results based on a common field, but only returns matching results?
96. A Splunk administrator is troubleshooting a slow dashboard that uses a timechart with a large dataset. Which of the following is a best practice to improve performance?
97. An analyst needs to create a visualization that shows the relationship between source IP and destination port in network traffic. Which visualization type is most appropriate?
98. Which of the following is required to create a dynamic lookup that automatically updates from a CSV file?
99. A user wants to create a trellis chart with multiple panels, each showing data for a different department. What attribute should be used to split the visualization?
100. A dashboard uses a drop-down input to select a server. The drop-down is populated by a search that returns server names. Which setting ensures that the drop-down updates automatically when the underlying data changes?
101. A Splunk user wants to create a stacked bar chart showing the count of events by status (success, failure) over time. Which TWO configuration steps are necessary?
102. A security analyst is using a lookup table to enrich IP addresses with threat intelligence. Which THREE statements about lookups are true?
103. An administrator is designing a dashboard with multiple panels that share a common time picker. Which THREE dashboard features can be used to synchronize time across panels?
104. Refer to the exhibit. An administrator is configuring a CIDR match lookup for geo-IP. The lookup is not working. What is most likely the issue?
105. Refer to the exhibit. A user runs this search expecting to see the top 5 departments by count, but the results show all departments. What is the error?
106. A company has a Splunk environment with multiple indexers and a search head. They have a large CSV lookup file for user permissions that is used in many dashboards. Recently, users have reported that dashboards are timing out or slow. The lookup file is about 500 MB and is stored in $SPLUNK_HOME/etc/apps/app_name/lookups/. The lookup is defined as an automatic lookup in props.conf for the source type 'user_activity'. The dashboards use the lookup to enrich events and then perform aggregations. The administrator checks the search logs and sees that searches using the lookup are taking a long time, and some are failing with 'Search head timeout'. The lookup file is updated daily by a script that replaces the file. Which course of action would best improve performance without sacrificing data enrichment?
107. A security analyst wants to map IP addresses to hostnames using a CSV lookup file. Which command is correct to define a lookup that maps the IP field to hostname field, with the file named 'ip_host.csv'?
108. A dashboard panel uses a timechart to show error counts over time. Users report that the time range picker does not affect the panel. What is the most likely cause?
109. A large lookup file with 10 million rows is used in a search that joins with main index data. The search is slow. Which optimization should be applied first?
110. Which visualization type is best for comparing the proportion of each error type to the total errors over time?
111. A lookup definition includes the option 'batch_index_query=True'. What is the effect?
112. In a dashboard panel, a table shows event counts by source. The user wants to click on a sourcetype to drill down to a new search showing all events from that source. Which token-based drilldown approach is correct?
113. Which TWO statements about lookup tables are true?
114. Which THREE factors should be considered when deciding between using a lookup table and a KV store for enriching data?
115. Which TWO features are available for customizing dashboards in Splunk's Simple XML?
116. You are a Splunk administrator at a large e-commerce company with over 5,000 employees and millions of customers. The development team has created a dashboard that displays sales data by region, using a lookup table to map customer IDs to region names. The lookup file, 'customer_region.csv', is stored on the search head. Recently, the lookup table was updated with new customer IDs, but the dashboard continues to show old region names for new customers. You have verified that the lookup file contains the new mappings and that the file is correctly formatted. The dashboard uses the 'lookup' command in its base search. You have also confirmed that the lookup definition in transforms.conf points to the correct file. The lookup file is approximately 100 MB and is updated weekly. The dashboard is accessed by multiple users across the organization. The issue only affects new customers added in the latest update. Old customers still show correct regions. You have checked the file size and timestamp, and the new file is present. The Splunk version is 8.2. The search head is not clustered. No errors are appearing in the splunkd.log related to lookups. The dashboard uses a simple XML with a timechart and a lookup. The search string is: index=sales sourcetype=transactions | lookup customer_region.csv customer_id OUTPUT region | timechart count by region. You have also tried restarting the search head, but the issue persists. What is the most likely cause?
117. You are a Splunk power user working for a healthcare organization. You have created a visualization that shows patient wait times by department over the last 30 days. The chart uses a timechart command with a 'stacked' option. Recently, the chart started showing negative values for some departments, which is impossible because wait times cannot be negative. You have verified that the raw data is correct and contains only positive wait times. The search is: index=healthcare sourcetype=patient_wait | timechart span=1d avg(wait_time) by department. The chart is displayed as a stacked area chart. The negative values appear only for a few departments sporadically. You suspect the issue is related to how null values are handled. What could be causing the negative values?
118. You are a Splunk consultant for a financial services firm. They have a large lookup table containing customer account numbers and risk scores. This lookup is used in a critical compliance search that runs every hour. The search is failing with a memory error 'The search coordinator stopped the search due to memory usage'. You have already tried increasing the memory limit for the search via limits.conf, but the error persists. The lookup file is a CSV file of 2GB, with approximately 20 million rows. The search is: index=compliance sourcetype=transactions | lookup risk_scores.csv account_id OUTPUT risk_score | stats avg(risk_score) by transaction_type. The search runs on a single search head with 16GB RAM. The lookup is defined as static. What is the most effective optimization to resolve the memory error?
119. A user has created a dashboard panel using a 'chart' command with 'datacount by host'. The chart shows counts per host, but the hosts appear in alphabetical order. The user wants to sort the chart by count descending, so that the host with the most events appears first. The search is: index=main sourcetype=access | chart count by host. The dashboard is built using Simple XML. Which approach should be used to achieve the desired sorting?
120. You are a Splunk power user at a manufacturing company. You have created a timechart that shows machine temperature readings over time. The data is indexed with timestamps every minute, but the timechart shows gaps where no data exists because some machines may not report at all times. You want to fill the gaps with 0 values to avoid misleading visualizations. The current search is: index=manufacturing sourcetype=temperature | timechart span=1h avg(temp) by machine. Which modification to the timechart command will fill the gaps with 0?
121. You are a Splunk administrator for a multi-site deployment with two data centers: primary and remote. Users on the remote site report that a lookup used in a dashboard returns no results for data from their site, but the same lookup works perfectly on the primary site. The lookup is defined with 'local=true' in the transforms.conf. The lookup file is stored on the primary search head. The remote site has its own search head that queries data from both sites. The dashboard search is: index=main | lookup site_mapping.csv site_id OUTPUT location | stats count by location. Users on the remote site see rows with location=null for their data. What is the most likely cause?
122. Which TWO of the following statements about lookup tables in Splunk are true?
123. The security operations center (SOC) team at a medium-sized enterprise uses Splunk to investigate potential threats. They maintain a CSV lookup file named 'threat_intel.csv' that contains a list of known malicious IP addresses along with a threat score. The lookup is configured in transforms.conf as: [threat_intel] filename = threat_intel.csv match_type = WILDCARD(ip) They frequently run the following search to enrich firewall events with threat scores: index=firewall sourcetype=firewall_logs | lookup threat_intel src_ip OUTPUT threat_score | where threat_score > 5 Recently, analysts noticed that some IP addresses known to be present in the lookup file are not being matched in search results. They have verified that the lookup file is correctly formatted and contains those IPs, and the transforms.conf has not been altered. They also confirmed that the events contain the field src_ip with the correct IP addresses. Which of the following is the most likely cause of the missing matches?
124. A large e-commerce company uses Splunk to monitor transactions. They have a CSV lookup file named 'customer_lookup.csv' containing 5 million rows of customer data (customer_id, name, address, tier). The lookup is used in a search that runs every hour to generate a report of sales by customer tier: index=transactions sourcetype=transaction_logs | lookup customer_lookup customer_id OUTPUT name, address, tier | timechart count by tier The search often times out or takes too long to complete, impacting operational dashboards. The team is considering optimization strategies. The lookup file is updated daily and stored in a custom app directory. The Splunk environment is distributed with a single search head and multiple indexers. Which of the following recommendations would most effectively improve the search performance?
125. A Splunk administrator is creating a dashboard to visualize real-time network traffic data. The dashboard must include a lookup to enrich source IPs with location data. The lookup file contains 500,000 entries and is updated hourly. Which TWO optimization techniques should the administrator apply to ensure dashboard performance?
126. Refer to the exhibit. The lookup 'lookup_user_info' is used in a search: `| lookup lookup_user_info user_id OUTPUT department`. Users report that many events show 'UNKNOWN' as department even though the user_id exists in the CSV. What is the most likely cause?
127. A company's security team uses Splunk to monitor firewall logs. They have a lookup file named 'threat_intel.csv' containing 10,000 IP addresses classified by threat level. The lookup is used in a dashboard that shows the number of blocked connections from high-threat IPs over the past 24 hours. Recently, the dashboard has become slow, taking over 30 seconds to load. The lookup file is updated every 15 minutes via a script that replaces the entire file. The search currently uses: `index=firewall | lookup threat_intel.csv src_ip OUTPUT threat_level | where threat_level="high" | stats count`. Which of the following is the MOST efficient way to improve dashboard performance?
The Advanced Visualization and Lookups domain covers the key concepts tested in this area of the SPLK-1003 exam blueprint published by Splunk. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all SPLK-1003 domains — no account required.
The Courseiva SPLK-1003 question bank contains 127 questions in the Advanced Visualization and Lookups domain. Click any question to see the full explanation and answer breakdown.
Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.
Yes — the session launcher on this page draws questions exclusively from the Advanced Visualization and Lookups domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.