Practice SPLK-1003 Macros, Saved Searches and CIM questions with full explanations on every answer.
1. A security analyst wants to create a macro that extracts IP addresses from a field named `src_ip` and returns a count of unique IPs per source. Which macro definition accomplishes this?
2. A team regularly runs a saved search that joins two large indexes. Performance is poor. Which design change would MOST improve query performance?
3. An admin created a macro `myfilter(host)` with definition: `host=$host$ | stats count`. When calling `myfilter(webserver)`, the search returns no results. What is the most likely cause?
4. Which TWO of the following are valid uses of the Common Information Model (CIM) in Splunk?
5. Which THREE of the following are best practices for creating saved searches?
6. Which TWO of the following are valid ways to reference a macro in a search?
7. A Splunk administrator notices that a scheduled saved search `Daily Summary` fails every day at 2:00 AM with the error "Search job expired due to inactivity." The search runs against a large index and takes about 30 minutes to complete. What is the most likely cause?
8. A security analyst wants to create a saved search that triggers an alert when more than 100 failed login attempts occur within a 5-minute window from the same source IP. The search should run every 5 minutes and alert only once per window. Which setting should be configured?
9. A Splunk admin wants to create a macro that extracts the username from a log line that always starts with 'User: <username>'. The macro should be reusable across searches. Which definition is correct?
10. An organization uses Splunk CIM to normalize data from multiple sources. They have a custom data source that logs firewall events with a field 'action' containing values 'accept', 'deny', 'drop'. They want to map this to the CIM field 'action'. Which configuration is required?
11. A Splunk admin notices that a saved search scheduled to run every 10 minutes is consistently taking 15 minutes to complete, causing overlapping runs. The search aggregates data across multiple indexes and uses a large time window. What is the best way to prevent overlap and ensure the search completes?
12. Which TWO of the following are valid ways to create a macro in Splunk? (choose two)
13. Which THREE of the following are components of the Splunk Common Information Model (CIM)? (choose three)
14. A user wants to create a macro that calculates the average response time for web requests. The macro should accept a field name as an argument and return the average. Which syntax is correct for defining the macro?
15. What is the most likely cause of the error?
16. A security analyst needs to monitor failed login attempts across multiple Windows domain controllers. The environment has a custom sourcetype 'WinEventLog:Security' and the data is indexed under 'windows_security'. The analyst wants to create a saved search that runs every 10 minutes, searches for EventCode 4625 (failed logon), and triggers an alert if more than 10 failures occur from the same source IP within the last 10 minutes. The saved search should use the Common Information Model (CIM) to ensure compatibility with other security apps. Which of the following saved search definitions best meets these requirements?
17. A Splunk administrator notices that a scheduled saved search titled 'Nightly_Threat_Report' is not completing on time. The search runs at 2:00 AM daily and typically takes 15 minutes, but recently it has been timing out after 30 minutes. The search query is complex, joining data from multiple indexes. The administrator checks the 'savedsearch.log' and sees entries like 'Search job terminated due to dispatch time limit' and 'Search job exceeded max time'. The administrator wants to resolve the issue without changing the search logic or increasing system resource limits. Which action should the administrator take first?
18. Which TWO of the following are valid reasons to use the Common Information Model (CIM) in a Splunk environment?
19. A Splunk admin has created several macros to simplify complex search commands. One macro, named `time_filter`, is defined as `earliest=-7d@d latest=@d`. The admin also has a saved search that uses this macro. Recently, users have complained that the saved search reports data from the wrong time range: it appears to be showing data from the last 24 hours instead of the last 7 days. The admin inspects the saved search and finds that the search string is: `index=main | eval days=now() | where days > relative_time(now(), "-7d@d") | `time_filter`` The admin suspects the macro is not being expanded correctly. Which of the following is the most likely cause of the issue?
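Reference configuration for the settings the macro and scheduled-alert questions above turn on: argument substitution, a cron schedule, a dispatch window that matches the schedule interval, a trigger condition, per-source throttling, and a schedule window that lets the scheduler defer a run rather than skip it. This is an added editor's example, not part of the question bank or its answer explanations; the app, index, sourcetype, field names, threshold and e-mail address are assumptions.

```ini
# macros.conf (assumed app: search_admin_examples). Added example, not from the question bank.

# No-argument macro: the base search for Windows failed logons.
# Index and sourcetype are assumptions.
[auth_failures]
definition = index=windows_security sourcetype="WinEventLog:Security" EventCode=4625
iseval = 0

# One-argument macro. The stanza name carries the argument count, the argument
# is named in "args" and referenced as $threshold$ inside the definition.
# It calls the no-argument macro, so the base search lives in one place.
[auth_failures_by_src(1)]
args = threshold
definition = `auth_failures` | stats count AS failures BY src_ip | where failures > $threshold$
iseval = 0

# savedsearches.conf (same app)
[Failed Logins per Source]
search = `auth_failures_by_src(10)`

# Run every 5 minutes. The dispatch window is exactly one schedule interval,
# so consecutive runs cover adjacent, non-overlapping windows.
enableSched = 1
cron_schedule = */5 * * * *
dispatch.earliest_time = -5m@m
dispatch.latest_time = @m

# Under scheduler load the run may be delayed up to 5 minutes instead of being skipped.
schedule_window = 5

# Trigger when the search returns at least one row (one row per src_ip over the threshold).
counttype = number of events
relation = greater than
quantity = 0

# Throttle per source: once an alert fires for a given src_ip, further alerts
# for that same src_ip are suppressed for 5 minutes (one alert per window per source).
alert.suppress = 1
alert.suppress.fields = src_ip
alert.suppress.period = 5m

# Alert actions: e-mail (recipient is an assumption) and the Triggered Alerts list.
action.email = 1
action.email.to = soc@example.com
action.email.subject = Failed logins over threshold
alert.track = 1
```

Without `alert.suppress.fields` the throttle is global and a second source that crosses the threshold inside the suppression period produces no alert at all. macros.conf also accepts `validation` and `errormsg` keys, holding an eval expression over the arguments and the message returned when it fails, which is how bad argument values are rejected before expansion. When a macro search returns nothing, compare the expanded search string shown in the Job Inspector's search job properties against what you intended: an unquoted argument containing spaces, commas or other special characters is the usual culprit.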
20. Order the steps to configure a field extraction using the Field Extractor (FX) in Splunk.
21. Order the steps to create a data model in Splunk in the correct order.
22. Order the steps to create a dashboard panel using the XML source editor in Splunk.
23. Match each Splunk knowledge object to its purpose.
24. Match each Splunk macro to its definition.
25. Match each Splunk license violation type to its consequence.
26. A Splunk user wants to create a macro named `nunique` that takes a field name as an argument and returns the count of distinct values for that field. Which macro definition should be used?
27. A Splunk admin needs to schedule a search to run every day at 2 AM and send an email alert if more than 100 events are found. Which saved search configuration achieves this?
28. An organization is implementing the Splunk Common Information Model (CIM) to normalize data. They have a source that provides event data with field names `src_ip` and `dst_ip`. To map these to CIM fields, which knowledge object should be created?
29. A search includes the macro `mysearch(field1, field2)`. The macro definition is `stats count by $1$, $2$`. If the search is `index=main | `mysearch(user, action)`, what is the expanded search?
30. A saved search is configured to run every hour and generate a summary index. The original search returns data that is then summarized. Which of the following best describes the purpose of summary indexing?
31. A Splunk admin creates a macro named `lookup_user` that is defined as `| lookup user_lookup user AS $1$ OUTPUT full_name as user_name`. The macro is used in a search like `index=main | `lookup_user(user_id)`. However, the results show no matches even though valid user_id values exist. What is the most likely cause?
32. A Splunk admin is accelerating a CIM data model for the "Network_Traffic" dataset. After acceleration, some searches that use the data model are slower than expected. What is the most likely reason?
33. A macro is defined as `mysearch` with definition `index=main | stats count by $source_type$`. The macro is invoked as `| `mysearch(access_combined)` but the search never finishes. What is the likely issue?
34. A saved search is configured with a schedule but is not triggering at the expected time. The admin checks the "Job Inspector" and sees that the scheduled search is "skipped". What is a common reason for a scheduled search to be skipped?
35. Which of the following are valid ways to define a macro in Splunk? (Choose two.)
36. Which of the following are characteristics of the Splunk Common Information Model (CIM)? (Choose three.)
37. An admin is troubleshooting a saved search that uses the `| `my_macro` command. The macro definition is `stats count by $1$`. The saved search is scheduled to run hourly. Which of the following issues could cause the saved search to fail? (Choose three.)
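A worked summary-indexing saved search, for the questions above about what summary indexing is for and how a summary-producing schedule is configured. This is an added editor's example, not from the question bank; the index, sourcetype, field names and summary index name are assumptions.

```ini
# savedsearches.conf. Added example, not from the question bank.
[Hourly Web Status Summary]

# The si- form of stats writes partial aggregates into the summary so a later
# "stats" over the summary can finish the calculation correctly, including
# across several summary runs. Index and sourcetype are assumptions.
search = index=web sourcetype=access_combined | sistats count BY status, host

# Run at five past every hour and summarize the previous whole hour, so the run
# at 01:05 covers 00:00 to 01:00 exactly once.
enableSched = 1
cron_schedule = 5 * * * *
dispatch.earliest_time = -1h@h
dispatch.latest_time = @h

# Continuous scheduling: windows that were missed (scheduler busy, search head
# down) are run later instead of dropped, which keeps the summary free of holes.
realtime_schedule = 0

# Only one instance of this search may run at a time, so a slow run cannot
# overlap the next one.
max_concurrent = 1

# Write the results to the summary index instead of e-mailing them, and stamp
# every summary event with a field the reading search can filter on.
action.summary_index = 1
action.summary_index._name = web_summary
action.summary_index.report = web_status_hourly

# A dashboard or report then reads the summary with the matching non-si command:
# index=web_summary report=web_status_hourly | stats count BY status, host
```

The reading search is cheap because it runs over one summarized row per status/host/hour instead of the raw access events. Two things go wrong in practice: a dispatch window wider than the schedule interval, or a backfill run a second time over the same window without its dedup option, writes the same hour twice and the reading search double counts; and a window that was never summarized (a skipped run under ad-hoc scheduling) shows up as a gap, which is why continuous scheduling is used for summary generation.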
38. Refer to the exhibit. The macro `count_by_host` is defined as shown. The macro is invoked as `| `count_by_host`. What will the expanded search look like?
39. Refer to the exhibit. An admin configures acceleration for the Network_Traffic data model as shown. A user runs a search using the data model over the last 60 days. Why might the search be slower for data older than 7 days?
40. Refer to the exhibit. A search uses the macro as `| `fillnull(field=user)`. However, the search fails with a syntax error. What is the most likely issue?
41. A Splunk admin wants to create a reusable macro that accepts a time range parameter and searches all indexes for events within that range. The macro will be used in dashboards and reports. Which macro definition is correct?
42. When creating a saved search that runs every hour and sends an email alert when the count of errors exceeds 10, which action must be configured in addition to the search logic?
43. An organization uses the Splunk Common Information Model (CIM) to normalize data from various sourcetypes. After onboarding a new firewall vendor, the data is not populating the Network Traffic data model. Which of the following is the most likely cause?
44. A Splunk administrator is asked to create a dashboard that shows the top 10 source IPs by count of failed logins over the past week. The data is already CIM-compliant and uses the Authentication data model. Which search is most appropriate?
45. A security team has a saved search that runs every 5 minutes and looks for 'FAILED' events in Windows Security logs. The search uses a macro 'failed_logins' defined as: `define failed_logins() [search index=windows sourcetype=WinEventLog:Security EventCode=4625]`. Recently, the team noticed that the search is returning no results even though there are failed login events. What is the most likely issue?
46. A large enterprise uses multiple Splunk search heads. An admin wants to create a saved search that automatically runs on all search heads and sends a single alert email per triggered result, not per search head. Which saved search setting should be configured?
47. A team needs to create a saved search that runs automatically every Monday at 8 AM and emails a CSV file of the results. Besides configuring the search string, which steps are required?
48. An admin notices that a saved search with a scheduled alert is not triggering as expected even though the search returns results. The search uses a macro with arguments. Which troubleshooting step should the admin take first?
49. A Splunk admin wants to create a saved search that triggers an alert when the average CPU usage across all servers exceeds 80% over a 5-minute window. The data is in a 'perfmon' sourcetype. Which search best fits this requirement?
50. Which TWO benefits does the Splunk Common Information Model (CIM) provide? (Choose two.)
51. Which THREE are valid uses of macros in Splunk? (Choose three.)
52. Which TWO are correct about saved search permissions and scheduling? (Choose two.)
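The knowledge objects that make a new firewall sourcetype populate the CIM Network_Traffic data model, for the questions above about mapping vendor fields and action values to CIM and about onboarded data that fails to appear in the model. This is an added editor's example, not from the question bank or from any vendor add-on; the sourcetype name, the vendor's raw field names and its action vocabulary are assumptions.

```ini
# props.conf. Added example, not from the question bank.
# Sourcetype and raw field names (src_ip, dst_ip, dst_port, bytes_sent, bytes_received,
# action) are assumptions about the vendor's logs.
[acme:firewall]

# Field aliases give the vendor fields the names the Network_Traffic model expects.
FIELDALIAS-cim_endpoints = src_ip AS src dst_ip AS dest
FIELDALIAS-cim_ports = dst_port AS dest_port
FIELDALIAS-cim_bytes = bytes_received AS bytes_in bytes_sent AS bytes_out

# The model's action field expects allowed / blocked / teardown. A calculated
# field rewrites the vendor vocabulary (accept / deny / drop) onto those values
# and leaves anything unexpected untouched so it is visible in searches.
EVAL-action = case(action="accept", "allowed", action="deny" OR action="drop", "blocked", true(), action)

# eventtypes.conf
# The eventtype selects the events; tagging is applied to the eventtype, not the sourcetype.
[acme_firewall_traffic]
search = sourcetype=acme:firewall

# tags.conf
# Network_Traffic's root constraint is tag=network tag=communicate; events lacking
# either tag never enter the model even when every field is mapped.
[eventtype=acme_firewall_traffic]
network = enabled
communicate = enabled

# Checks, run from the Search app once the objects are shared to the app or globally:
#   sourcetype=acme:firewall | table src dest dest_port action bytes_in bytes_out
#   | datamodel Network_Traffic All_Traffic search | search sourcetype=acme:firewall | head 5
```

Search-time operations run in a fixed order: field extractions, then field aliases, then calculated fields, then lookups, then eventtypes and tags. So a calculated field may use an aliased name, but an alias cannot refer to a calculated field, and a lookup's output cannot feed either. When the data model stays empty after mapping, check in that order: the fields exist at search time, the eventtype matches, both tags are enabled, and the objects are visible from the app where the model is used.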
53. The admin calls the macro as shown. What will be the expanded search string?
54. What is the most likely reason for this behavior?
55. What is the most likely cause of this error?
56. A Splunk administrator wants to create a reusable search component that accepts a sourcetype and a time range. What is the correct method to define this in Splunk?
57. A user reports that a macro named `my_macro` is not expanding in a search. The macro is defined in a private app called 'App_A'. The user is running the search in a different app called 'App_B'. What is the most likely cause of the issue?
58. A user defined a macro that includes a lookup command. The macro works correctly in ad-hoc searches. However, when the macro is used in a scheduled saved search, the macro fails to expand. Administration confirms the macro is shared globally. What is the most likely cause of this failure?
59. Which Common Information Model (CIM) data model is appropriate for standardizing authentication events?
60. A Splunk administrator needs to schedule a saved search to run every second Friday at 10:00 AM. Which cron expression should be used?
61. An administrator defines a macro that calls another macro. Both macros are defined in the same app. The first macro works correctly, but when executed, it triggers an error: 'Recursive macro call detected'. What is the most likely cause?
62. In the CIM, which field is commonly used to identify the user responsible for an authentication event?
63. A saved search is configured to run every 5 minutes and send an alert when the count of failures exceeds 10. After several days, users report they are not receiving alerts even though failures are occurring. The saved search runs successfully and produces results. What is the most likely cause?
64. A Splunk administrator uses a macro to normalize firewall logs into the CIM Network Traffic data model. The macro includes a field alias that maps `bytes_sent` to `bytes_out`. The mapping works in ad-hoc searches, but when the macro is used in a summary index search, the field is not populated. What is the most likely reason?
65. Which TWO of the following are valid considerations when defining macros in Splunk?
66. Which THREE of the following are required steps to properly schedule a saved search for summary indexing that runs a macro?
67. Which THREE are components of the Common Information Model (CIM) in Splunk?
68. A Splunk admin wants to create a macro named `filter_by_app` that accepts an application name as an argument and returns a search string filtering by that application. The application name may contain spaces. Which of the following correctly defines the macro's arguments and usage?
69. An administrator configures a saved search that uses a macro to generate a summary index every hour. The macro includes a time range argument with default value `earliest=-1h@h latest=@h`. The saved search does not pass any time range argument, so the default is used. After a few days, the summary index is missing data for the last hour of each day. What is the most likely cause?
70. A security team uses the CIM 'Authentication' data model to investigate failed logins. They have enabled acceleration on the data model and set a summary range of '1d'. After one week, searches against the data model are still slow and use the `search` command instead of `tstats`. What should they check first?
71. A Splunk administrator wants to reduce maintenance effort when the same search logic is used in multiple saved searches. Which approach is most effective?
72. A security analyst sets up a saved search alert to trigger when more than 100 failed logins occur in 5 minutes. To avoid alert fatigue, they want to suppress the alert if the number of failed logins is the same as the previous evaluation. Which alert action setting should they configure?
73. A data engineer has defined a CIM data model for 'Network_Traffic'. They have also created field aliases using `| fieldaliases` to map custom fields like `src_ip` and `dest_ip` to the CIM fields. When running searches against the data model, some events do not appear. The engineer verified that the tags are correctly applied. What is the most likely remaining issue?
74. An analyst creates a macro that uses `| inputlookup` to validate a macro argument. Which statement about macro validation is true?
75. A systems engineer creates a summary index using a saved search that runs every 30 minutes. The summary index aggregates data from multiple sourcetypes. After a week, the engineer notices that the summary index contains duplicate events for certain time ranges. What is the most likely cause?
76. A performance analyst notices that a saved search running a macro with multiple `| eval` statements takes significantly longer than expected. The macro includes conditions like `| eval status=if(success=="true", "OK", "Fail")`. Which change would most likely improve performance?
77. Which TWO of the following are valid ways to define macro arguments in Splunk? (Select exactly 2.)
78. Which THREE of the following are true considerations when using CIM data model acceleration? (Select exactly 3.)
79. Which TWO best practices should be followed when creating saved searches that use macros? (Select exactly 2.)
80. A large organization uses Splunk to monitor its network infrastructure. They have a single saved search that runs every hour to create a summary index for each of the 50 network device sourcetypes. The saved search uses a macro named `build_network_summary` that accepts two arguments: `sourcetype` and `time_range`. The macro definition is:

```
[build_network_summary]
definition = index=network sourcetype=$sourcetype$ earliest=$time_range$ latest=now | stats count by src_ip, dest_ip, protocol | collect index=network_summary
args = sourcetype, time_range
iseval = 0
```

The saved search iterates over the 50 sourcetypes using a separate lookup or list. Recently, the security team noticed that the network_summary index is missing data for certain sourcetypes, specifically those with hyphens in their names (e.g., `cisco-asa`, `juniper-srx`). For other sourcetypes, the summary is complete. The saved search runs without errors in Splunk's job inspector. Which course of action should the administrator take to resolve the issue?
81. A user reports that a macro named `my_macro` is not working in a search. The macro is defined with no arguments and uses a simple search string. What is the most likely issue?
82. An engineer wants to create a saved search that runs every hour and searches against 90 days of data. To optimize performance, they should...
83. A security analyst is trying to normalize authentication data from multiple sources using CIM. After mapping sourcetypes to the Authentication data model, the CIM acceleration dashboard shows no data. The data model acceleration is enabled and has completed building. What is the most likely cause?
84. A team develops multiple dashboards that share common search logic. What is the best practice for managing these searches?
85. An alert saved search runs every 5 minutes and is set to trigger when count > 0. The alert keeps triggering repeatedly for the same events. What is the recommended solution?
86. When designing a macro for use across multiple dashboards, which two considerations are important? (Choose TWO.)
87. A saved search that runs every hour is showing 'No results' in its history, but the same search when run manually returns results. Which two of the following are likely causes? (Choose TWO.)
88. Which three of the following are benefits of using the Common Information Model (CIM)? (Choose THREE.)
89. A company has over 2000 saved searches that are used across multiple teams. Each team has its own app, and many searches share common logic, such as filtering by a specific index or time range. The system is experiencing slow search performance and difficulty in managing changes. The administrator wants to improve maintainability and performance. Which action would best address these issues?
90. An organization has implemented the Splunk Common Information Model (CIM) for their security data. They have mapped several sourcetypes to the Authentication data model and enabled data model acceleration. However, the CIM dashboard shows no data even though searches against the raw data return results. The admin checks the data model acceleration settings and sees that the acceleration is enabled and has completed building. What is the most likely issue?
91. A Splunk admin created a macro named `filter_by_region` that takes one argument: the region code. The macro definition is: `index=main sourcetype=web region=$region$`. When a user runs the search `| `filter_by_region US`` they get no results, but when they replace the macro with the actual string `index=main sourcetype=web region=US`, they get results. What is the problem?
92. A saved search alert is configured to run every 10 minutes and trigger when the count of error events exceeds 5. The search returns results when run manually, but the alert never triggers. The admin checks the alert history and sees entries for the previous runs but all show 'Trigger: False'. They also confirm that the search returns count > 5 for those periods. What is the likely cause?
93. After upgrading Splunk to a new version, the Security team notices that the CIM Authentication dashboard is showing a much lower number of events than before. They verify that the data is still being indexed and that the sourcetype mappings to the Authentication data model are unchanged. The admin runs a search against the data model and sees some fields are missing. What is the most likely cause of the issue?
94. A Splunk admin is tasked with creating a set of macros that will be used by multiple app developers to standardize searches across the organization. The macros need to accept parameters such as index, sourcetype, and time range. Some macros will be complex and include subsearches. Which approach should the admin take to ensure maximum reusability and maintainability?
95. A team wants to create a dashboard that displays daily user activity over the past 30 days. The underlying data is voluminous (hundreds of millions of events per day). They need the dashboard to load quickly. The admin considers two options: using a summary index with a scheduled search to pre-compute the daily counts, or using data model acceleration on a CIM data model. Which approach is most appropriate for this specific requirement?
96. Which TWO of the following are valid ways to define arguments in a Splunk macro?
97. Refer to the exhibit. An analyst executes the following search: `| filter_status(status_code=500)`. What will be the result?
98. GlobalTech runs Splunk Enterprise Security with CIM compliance. Their security operations center uses a scheduled saved search named 'Brute Force Detection' that runs every 30 minutes. The search definition is: `| tstats count from datamodel=Authentication where Authentication.action=failure by Authentication.user, Authentication.src | where count > 5 | join type=outer user [search index=* sourcetype=linux_secure | stats count by user | where count > 5]`. This search has been working for months. Recently, after an upgrade to the Splunk environment, the saved search started returning no results. The administrator checks the search log and sees that the tstats portion runs fine but the secondary search (the subsearch) returns no events even though there are matching events in the index. The subsearch uses a macro named 'get_failed_users' defined as `search index=* sourcetype=linux_secure "Failed password" | stats count by user | where count>5` with no arguments. The administrator confirms that the macro's search works when run manually in the same time range. What is the most likely reason the subsearch returns no results?
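Data model acceleration settings and an accelerated search over the Authentication model, for the questions in this domain about summary ranges, searches that fall back to raw events, and the top-N-failed-logins dashboard search. This is an added editor's example, not from the question bank or from Splunk Enterprise Security; the summary range, schedule and saved-search name are assumptions.

```ini
# datamodels.conf. Added example, not from the question bank.
[Authentication]
acceleration = true

# Summary range (an assumption): only the last 7 days are kept in the summary.
# A search over a wider range than this cannot be answered entirely from the
# summary; the part outside the range is either served from raw events
# (summariesonly=false, the default) or simply missing (summariesonly=true).
acceleration.earliest_time = -7d

# How often the summary is updated with newly indexed events.
acceleration.cron_schedule = */5 * * * *

# savedsearches.conf: dashboard search for the top 10 sources by failed logins
# over the past week. The dispatch window matches the summary range, so with
# summariesonly=true every result comes from the accelerated summary.
[Top Failed Login Sources]
search = | tstats summariesonly=true count FROM datamodel=Authentication.Authentication WHERE Authentication.action="failure" BY Authentication.src | sort - count | head 10 | rename Authentication.src AS src
dispatch.earliest_time = -7d@d
dispatch.latest_time = now

# Checks:
#   Which sourcetypes actually made it into the summary (empty rows mean the mapping
#   or tagging is wrong, not the acceleration):
#   | tstats summariesonly=true count FROM datamodel=Authentication.Authentication BY sourcetype
#   Whether raw events map into the model at all, independent of acceleration:
#   | datamodel Authentication Authentication search | search sourcetype=linux_secure | head 5
#   Acceleration status (build percentage, summary size, last run) is on
#   Settings > Data models, or via the REST endpoint /services/datamodel/model.
```

A slow search that still shows `search` rather than `tstats` in the Job Inspector is not using the summary at all: either it is written against raw events, or its time range exceeds the summary range and the default `summariesonly=false` made tstats fall back to raw events for the excess. Conversely, a dashboard that returns fewer events after an upgrade or a mapping change is often reading a summary built from the old field set; data model summaries are rebuilt only when the model's definition changes or the rebuild is triggered, so check the summary's contents before suspecting the indexed data.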
The Macros, Saved Searches and CIM domain covers the key concepts tested in this area of the SPLK-1003 exam blueprint published by Splunk. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all SPLK-1003 domains — no account required.
The Courseiva SPLK-1003 question bank contains 98 questions in the Macros, Saved Searches and CIM domain. Click any question to see the full explanation and answer breakdown.
Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.