
Free IT certification practice questions with explained answers for CCNA, CompTIA, AWS, Azure, Google Cloud, and more.



Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.


Splunk · Free Practice Questions · Last reviewed May 2026

SPLK-1003 Exam Questions and Answers

24 real exam-style questions organised by domain, each with the correct answer highlighted and a plain-English explanation of why it's right and why the others are wrong.

65 exam questions
60 min time limit
Pass mark: 700/1000
4 exam domains
Exam domains
1. Advanced Searching and Statistics
2. Macros, Saved Searches and CIM
3. Advanced Visualization and Lookups
4. Transactions and Event Correlation

Domain 1: Advanced Searching and Statistics

Q1 (medium)

A security analyst needs to find all events where the field 'user' has a value that is either 'admin' or 'root', but the search is returning too many results from a noisy source. Which search best filters the events to only include those where the 'user' field exactly matches 'admin' or 'root'?

A

user="admin" OR user="root"

B

user=*admin* OR user=*root*

C

user IN ("admin", "root")

The IN operator matches fields exactly against the listed values, avoiding substring issues.

D

user=admin OR user=root

Why: Option C is the keyed answer. `user IN ("admin", "root")` is SPL shorthand for `user="admin" OR user="root"`: it compares the whole field value against each listed value, so values such as `sysadmin` or `rootkit` never match. Options A and D perform the same exact match (quotes are optional when a value contains no spaces or special characters) and return the same events; `IN` is simply the more compact and readable form, especially as the list of values grows. Option B is what causes the noise: the surrounding wildcards turn the comparison into a substring match. One caveat: field-value comparisons in the search command are case-insensitive by default, so `user=Admin` also matches under A, C and D. If case matters, add `| where user="admin" OR user="root"` after the base search, because `where` compares strings case-sensitively.
Q2 (hard)

A Splunk administrator runs the following search and notices that the results include events where the 'status' field is 200 or 404, but also includes events where the 'status' field is missing. What is the most efficient way to modify the search to exclude events where the 'status' field does not exist?

A

status=200 OR status=404 | search status!=null

B

NOT ISNULL(status) (status=200 OR status=404)

C

status=200 OR status=404 | where isnotnull(status)

isnotnull() is an eval function, so it is valid inside where and keeps only events that carry a status field.

D

status=200 OR status=404

Why: Option C is the only option that is valid SPL for this purpose. ISNULL() and isnotnull() are eval functions: they work in eval, where and fieldformat, but the search command does not accept functions at all, so option B applies no null check. The search parser treats ISNULL and status as plain keywords to look for in the raw event text, and the result is at best the same as option D. Option A compares status with the literal string "null", not with a missing field. Two practical notes: a field-value filter such as status=200 OR status=404 cannot on its own match an event that has no status field, so if such events really appear the search must contain a broader clause as well; and when you need to require that a field exists in the base search, status=* is the idiomatic form, because it is applied on the indexers before events are returned and is cheaper than filtering with where afterwards.
Q3 (easy)

An analyst wants to find the top 5 users who have the highest total bytes transferred. The data has fields 'user' and 'bytes'. Which search should be used?

A

| stats max(bytes) as max_bytes by user | sort - max_bytes | head 5

B

| stats sum(bytes) as total_bytes by user | sort - total_bytes | head 5

This correctly sums bytes per user, sorts descending, and takes top 5.

C

| sort - bytes | head 5 | table user, bytes

D

| top limit=5 user

Why: Option B is correct because `stats sum(bytes) as total_bytes by user` aggregates the bytes transferred per user, `sort - total_bytes` orders the rows from largest to smallest, and `head 5` keeps the first five; `sort 5 - total_bytes` is an equivalent single-command form. Option A ranks users by their single largest transfer, not their total. Option C sorts individual events, so one user with several large transfers can fill all five rows. Option D counts events per user and ignores `bytes` altogether, because `top` ranks by frequency only.
Q4 (medium)

A search returns events with a field 'response_time' in milliseconds. The analyst wants to categorize response times into three buckets: 'fast' (< 100), 'medium' (100-500), 'slow' (> 500). Which search correctly creates this categorization?

A

| eval bucket=case(response_time<100,"fast", response_time>=100 AND response_time<=500,"medium", response_time>500,"slow")

case evaluates conditions in order and returns the first true match.

B

| eval bucket=if(response_time<100,"fast",response_time<500,"medium","slow")

C

| eval bucket=if(response_time<100,"fast",if(response_time<=500,"medium","slow"))

D

| where response_time<100 | eval bucket="fast" | append [search where response_time>=100 AND response_time<=500 | eval bucket="medium"]

Why: Option A is the keyed answer. `case()` evaluates its condition/value pairs in order and returns the value paired with the first condition that is true, which fits ordered, mutually exclusive buckets. Option C, a nested `if()`, produces exactly the same buckets and is also valid SPL; `case()` simply stays readable once there are more than two or three ranges. Option B is invalid because `if()` takes exactly three arguments (condition, value if true, value if false). Option D is a convoluted append whose subsearch begins with `search where`, so `where` is taken as a keyword to match rather than a filter, and it never assigns the slow bucket at all. Two caveats for a real search: `case()` returns null when no condition is true, so an event with a missing or non-numeric `response_time` gets no bucket unless a catch-all pair such as `true(), "unknown"` is added at the end; and when the buckets are all the same width, `bin` (`| bin response_time span=100`) is cheaper than an eval.
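The three techniques from Q1, Q3 and Q4 fit naturally into one search. The example below is added here and is not part of the original page or its question set; it assumes an index `web` and sourcetype `access_combined` with extracted fields `user`, `bytes` and `response_time` (all assumed names chosen for illustration), and its comments use the Search app's built-in `comment` macro.

```spl
index=web sourcetype=access_combined earliest=-24h
    user IN ("admin", "root")
    `comment("IN compares the whole field value against each listed value so no substring matches occur")`
| eval bucket=case(
      isnull(response_time),  "unknown",
      response_time<100,      "fast",
      response_time<=500,     "medium",
      true(),                 "slow")
    `comment("case returns the first true branch and the final catch-all branch stops events from getting a null bucket")`
| stats count AS requests
        sum(bytes) AS total_bytes
        count(eval(bucket="slow")) AS slow_requests
    BY user
| eval slow_pct=round(100 * slow_requests / requests, 1)
| sort 5 - total_bytes
```

`sort 5 - total_bytes` is the single-command equivalent of `sort - total_bytes | head 5`. The bucket distribution is folded into each user's row with `count(eval(...))`; adding `bucket` as a second BY field would instead turn the top five into user/bucket pairs rather than users.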
Q5 (hard)

A search uses 'transaction' to group events by session, but the results show too many transactions with only one event. What is the best way to filter out single-event transactions?

A

| transaction ... | where eventcount > 1

eventcount is a default field added by transaction; filtering >1 removes single-event transactions.

B

Add maxspan=5m to the transaction command

C

| transaction maxevents=2 ...

D

| transaction ... | where eventcount=2

Why: Option A is correct. `transaction` adds two fields to every transaction it builds, `eventcount` (the number of events it contains) and `duration` (seconds between the first and last event), so `| where eventcount > 1` after the command drops every transaction built from a single event; `| search eventcount>1` does the same. Option B, `maxspan`, limits how long a transaction may last and changes which events are grouped, but it does not remove single-event transactions. Option C, `maxevents=2`, caps each transaction at two events, which produces more small transactions rather than fewer. Option D keeps only transactions with exactly two events and discards the larger ones.
Q6 (medium)

Which TWO of the following statements about the 'stats' command are true?

A

It can be used with a BY clause to group results.

The BY clause allows grouping by one or more fields.

B

The count() function must always include a field argument.

C

It creates one event per input event by default.

D

It can be used to modify individual field values in raw events.

E

It can produce multiple output columns by using multiple stats functions.

Multiple functions can be used in a single stats command, e.g., stats count, avg(bytes).

Why: Options A and E are correct. `stats` supports a BY clause that groups results by one or more fields, much like a SQL GROUP BY, so the aggregate functions are computed for each distinct combination of the BY fields; and a single `stats` call can carry several functions, each producing its own output column, for example `stats count, avg(bytes) as avg_bytes, dc(user) as users by host`. Option B is wrong because `count` is valid with no argument (number of events) as well as `count(field)` (number of events in which that field exists). Option C is wrong because `stats` is a transforming command: it collapses its input into one row per group, not one row per event. Option D is wrong because `stats` produces a new results table and never alters the raw events; `eval`, `rex` and similar commands are what change field values.


Domain 2: Macros, Saved Searches and CIM

Q1 (easy)

A security analyst wants to create a macro that extracts IP addresses from a field named `src_ip` and returns a count of unique IPs per source. Which macro definition accomplishes this?

A

| stats count(src_ip) as unique_ips

B

| stats distinct_count(src_ip) as unique_ips

C

| stats unique(src_ip) as unique_ips

D

| stats dc(src_ip) as unique_ips

`dc` (distinct count) counts unique values.

Why: Option D is the keyed answer: `dc()` is the distinct-count function of `stats` and returns the number of unique values of `src_ip`. Option B is also valid SPL, because `distinct_count()` is the documented long-form name of the same function; `dc()` is simply the abbreviation you will see in practice. Option A is wrong because `count(src_ip)` counts every event that has the field, duplicates included, and option C is wrong because `unique()` is not a `stats` function. Two things to notice about the scenario: as written, the definition returns one number for the whole result set, so a count per source needs a BY clause appended (for example `by source` or `by sourcetype`); and because the definition begins with a pipe, the macro must be invoked after a base search, not on its own.
Q2 (medium)

A team regularly runs a saved search that joins two large indexes. Performance is poor. Which design change would MOST improve query performance?

A

Convert the saved search to a scheduled report.

B

Create a data model summary to pre-aggregate the data.

Summaries reduce the amount of data scanned.

C

Replace the join with a subsearch.

D

Use the `fields` command to remove unnecessary fields before the join.

Why: Option B is correct. Accelerating a data model builds summaries of the data in advance, on a schedule, and stores them next to the index buckets; a search written with `tstats` against the accelerated model reads those summaries instead of scanning raw events, which is where the speed comes from. Option A changes only when the search runs, not how much data it reads. Option C trades one expensive construct for another: a subsearch is capped at 10,000 results and 60 seconds by default, so on large data it silently truncates and the join becomes incomplete. Option D reduces the width of each event but still reads every raw event from both indexes. A broader caveat: `join` is rarely the right tool in SPL. The same correlation can usually be written as one search over both indexes followed by `stats ... by <common field>`, which streams through the indexers, needs no subsearch and is not subject to the subsearch limits.
Q3 (hard)

An admin created a macro `myfilter(host)` with definition: `host=$host$ | stats count`. When calling `myfilter(webserver)`, the search returns no results. What is the most likely cause?

A

The host field is case-sensitive.

B

The macro argument is not being treated as a literal string.

Without quotes, the value is interpreted as a field value literal, but the correct syntax is `host="$host$"`.

C

The host field is not indexed.

D

The macro is evaluated before the rest of the search.

Why: Option B is the keyed answer. Splunk substitutes macro arguments as raw text, so `myfilter(webserver)` expands to `host=webserver | stats count`. For a single simple token that happens to work, but the expansion breaks silently when the argument contains spaces or characters the search parser treats as operators: the value is split into separate terms or mis-parsed, and the search typically matches nothing. The robust definition is `host="$host$" | stats count`, which passes whatever was supplied as a quoted literal. Option A is wrong because field values in the search command are matched case-insensitively (field names are case-sensitive). Option C is wrong because `host` is a default indexed field. Option D describes normal behaviour rather than a fault: macros are always expanded before the search runs. When a macro misbehaves, expand it in place with Ctrl+Shift+E (Cmd+Shift+E on macOS) in the search bar, or open the Job Inspector, to see exactly what search was executed.
Q4 (easy)

Which TWO of the following are valid uses of the Common Information Model (CIM) in Splunk?

A

Defining user roles and permissions for data access.

B

Managing license usage across indexers.

C

Creating new indexes for faster search performance.

D

Defining tags and event types to categorize data.

CIM uses tags and event types to map data to models.

E

Normalizing data from different sources to a common field naming convention.

CIM provides data models with standardized field names.

Why: Options D and E are correct. The CIM add-on ships data models whose datasets are populated through tags and event types (for example, events tagged `authentication` feed the Authentication model), and it defines the standard field names those datasets expect (for the Authentication model: `action`, `user`, `src`, `dest`, `app`). A technology add-on makes a source CIM-compliant by supplying the tags, event types and field aliases or extractions that map the vendor's own field names onto the standard ones, so a single search or dashboard written against the model works across every compliant source. Options A, B and C describe role-based access control, licensing and index design, none of which the CIM touches. One practical caveat: CIM compliance only makes data searchable through the model; it is data model acceleration that makes those searches fast, and a `tstats` search with `summariesonly=true` ignores any data that has not yet been summarised.
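How CIM normalisation (Q4) and data model acceleration (Q2) pay off together. The search below is an added example, not from the original page; it assumes that the Splunk Common Information Model add-on's Authentication data model is installed, fed by add-ons that tag authentication events, and accelerated. The thresholds and time window are arbitrary choices, and the comment uses the Search app's built-in `comment` macro.

```spl
| tstats summariesonly=true
         count AS failures
         dc(Authentication.src) AS distinct_sources
    FROM datamodel=Authentication
    WHERE earliest=-24h Authentication.action="failure"
    BY Authentication.user
    `comment("summariesonly reads only the accelerated summaries and skips data not yet summarised")`
| rename Authentication.* AS *
| where failures > 50 AND distinct_sources > 5
| sort - failures
```

Because every compliant source populates `action`, `user` and `src`, the same search covers Windows logons, VPN and SSH logs without a sourcetype-specific clause. The `Authentication.user` style names are the model's dataset.field names, which `rename` strips once the summary has been read. With `summariesonly=false` (the default) Splunk fills gaps in the summaries by running the model's constraint search over raw events, which is complete but loses most of the speed advantage.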
Q5 (medium)

Which THREE of the following are best practices for creating saved searches?

A

Save the search without scheduling it to avoid resource usage.

B

Set an appropriate time range to limit the data scanned.

Limiting time range improves performance.

C

Use the `summary` indexing feature for searches that run frequently.

Summary indexing improves performance for repeated searches.

D

Avoid specifying a time range to use the default.

E

Use descriptive names that indicate the purpose of the search.

Descriptive names help with management.

Why: Options B, C and E are correct. Setting an appropriate time range (B) limits the volume of data scanned each time the search runs; without a bounded range the search may read every bucket it has access to, which is the usual cause of a scheduled search monopolising CPU, memory and disk on the indexers. Summary indexing (C) stores the aggregated result of a frequently run search in a summary index, so later searches read a small pre-computed result set instead of re-scanning the raw events. Descriptive names (E) matter because saved searches accumulate by the hundreds across apps and users; a name that states the purpose, data source and owner is what makes the list manageable during review and clean-up. Option A is not a best practice: an unscheduled saved search costs nothing, but it also produces nothing, so if the result is needed regularly the right answer is to schedule it sensibly, not to avoid scheduling. Option D is the opposite of B: when no dispatch time range is set the search runs over all time, and relying on that default is how unbounded scans happen.
Q6 (hard)

Which TWO of the following are valid ways to reference a macro in a search?

A

$macro_name(arg1, arg2)$

B

macro_name:arg1, arg2

C

`macro_name(arg1, arg2)`

Backticks with parentheses and comma-separated arguments.

D

`macro_name arg1 arg2`

Valid only for a macro defined without arguments: the bare name in backticks invokes it, and anything after it is ordinary search text.

E

| macro_name(arg1, arg2)

Why: Option C is the only form that passes arguments to a macro: the call is wrapped in backticks, the arguments sit in parentheses separated by commas, and the search processor substitutes them into the definition before the search runs. Option D is valid only for a macro defined with no arguments: the bare name in backticks invokes it, and `arg1 arg2` that follow are plain keywords outside the macro, not arguments to it; there is no space-separated argument syntax. Option A is not a macro call (`$...$` is the token syntax used inside macro definitions and dashboards). Option B is not valid SPL. Option E is parsed as a search command named `macro_name`, which does not exist, and fails with an unknown-command error.


Domain 3: Advanced Visualization and Lookups

Q1 (medium)

A security analyst creates a timechart of login failures by source IP. The chart shows expected spikes, but the top 5 IPs account for <10% of all failures. The analyst suspects a DDoS attack using spoofed IPs. Which visualization type would BEST highlight the distribution of failures across all IPs?

A

Pie chart

B

Treemap

Treemaps effectively show proportions of many categories.

C

Scatter plot

D

Stacked column chart

Why: A treemap is the keyed answer because it draws every category as a rectangle whose area is proportional to its value, so the viewer sees the whole distribution at once: a few large tiles means a handful of sources dominate, while a mosaic of similar small tiles is the signature of an attack spread thinly across many sources, which is exactly the case when the top five IPs account for under 10% of failures. A pie chart becomes unreadable beyond a dozen or so slices, a stacked column chart of the top N series hides the long tail, and a scatter plot needs two numeric axes. Two caveats: the treemap is not one of the built-in chart types in classic Splunk dashboards and is supplied as a custom visualization that must be installed before it appears in the visualization picker; and a chart is a poor substitute for the percentage itself, which `stats` followed by `eventstats` computes directly and which an alert can act on.
Q2 (hard)

An engineer runs `| inputlookup asset_lookup.csv | table asset_id asset_name` and gets no results despite the file existing in $SPLUNK_HOME/etc/apps/search/lookups/. The lookup definition is correctly configured. What is the MOST likely cause?

A

The engineer lacks permissions to read the lookup.

B

The lookup file is not in the correct directory.

C

The lookup file has a .csv extension but contains other data.

If the file's header row does not contain asset_id and asset_name, every row inputlookup returns lacks those fields and the table command has nothing to show.

D

The lookup definition name does not match the filename.

Why: Option C is the answer that fits the symptom. `inputlookup` accepts either a lookup table file name (ending in .csv or .csv.gz) or a lookup definition name, so `| inputlookup asset_lookup.csv` is a valid reference to the file and option D does not explain the result. Option B is ruled out by the scenario. A sharing or permission problem (option A) does not produce an empty table; it produces an error stating that the lookup table does not exist or is not available. That leaves the contents of the file: if it was exported with different column names, has no header row, or is not a well-formed CSV, the rows that come back carry neither `asset_id` nor `asset_name`, and `table` has nothing to display. Diagnose by dropping the `table` command (`| inputlookup asset_lookup.csv | head 5`) to see which fields the file really yields, and check the file object's sharing under Settings > Lookups > Lookup table files if the error message appears instead.
Q3 (easy)

A dashboard shows a single-value visualization of total sales. The underlying search uses `| stats sum(sales)`. The dashboard refreshes every 5 minutes, but the value only updates when the page is manually reloaded. Which setting is MOST likely missing?

A

The 'Token delay' is too high.

B

The search is not scheduled or set to 'Auto' for the panel.

The panel's search must be set to run automatically to refresh data.

C

The time range picker is set to 'All time'.

D

The dashboard's 'Auto-refresh' interval is not set.

Why: Option B is the keyed answer. A panel shows fresh data only when the search behind it is re-run, and in Simple XML that is configured per search, on the `<search>` element (for example `refresh="5m"` with `refreshType="delay"`), not for the dashboard as a whole; a panel without it runs once when the dashboard loads and keeps displaying that result. If the panel is backed by a scheduled report rather than an inline search, it shows the report's most recent scheduled result and only changes when the schedule fires, however often the page is reloaded. Option C affects how much data the search reads, not whether it is re-run. Option A is not a dashboard setting. Option D contradicts the scenario, which states the dashboard already refreshes every 5 minutes.
Q4 (medium)

A user creates a lookup definition for a CSV file containing user roles. The lookup is used in a search: `| lookup user_roles username OUTPUT role`. The search returns no additional field. The lookup file has columns: 'username', 'role', 'department'. What is the MOST likely issue?

A

The username field in the search is not extracted.

B

The lookup file is not in the lookups directory.

C

The lookup definition uses a different filename than the CSV.

If the definition points to a different file, no matches occur.

D

The 'role' field is misspelled in the search.

Why: Option C is the keyed answer: the definition must name the exact file that holds the data, and if it points at a different existing file the lookup runs but finds no row whose `username` matches, so no `role` is added (if the named file does not exist at all, the command raises an error instead). Note that `lookup` is silent on a non-match, which makes option A just as consistent with the symptom and the more common cause in practice: if `username` is not extracted from the events, or its values differ from the CSV in case (CSV lookups match case-sensitively by default), nothing is added and no error is shown. Option B would produce an error rather than silence, and option D would produce an error because the requested output field is not in the table. The quickest checks are `| inputlookup user_roles | head 5`, to confirm the definition resolves to the expected columns, and `stats count by username` over the events, to confirm the field exists and see how its values are cased; case-insensitive matching is enabled in the lookup definition's advanced options (`case_sensitive_match = false` in transforms.conf).
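Lookup enrichment as used in Q4, plus the distinct count from Domain 2 Q1, with the silent no-match behaviour of `lookup` handled explicitly. This is an added example and not from the original page; it assumes an index named `auth` with extracted fields `user`, `src_ip` and `action`, and a lookup definition named `user_roles` over the CSV from Q4 (columns `username`, `role`, `department`). The thresholds are arbitrary, and the comments use the Search app's built-in `comment` macro.

```spl
index=auth action=failure earliest=-24h
| lookup user_roles username AS user OUTPUT role department
    `comment("lookup adds nothing on a non-match and raises no error")`
| fillnull value="unmatched" role department
    `comment("make unmatched users visible instead of losing them in the grouping")`
| stats count AS failures
        dc(src_ip) AS unique_sources
        values(department) AS department
    BY user role
| where role="unmatched" OR unique_sources > 5
| sort - unique_sources
```

`username AS user` tells `lookup` to match the table's `username` column against the event field `user`. Because CSV lookups match case-sensitively by default, a user logged as `ALICE` does not match a table row `alice`; either enable case-insensitive matching in the lookup definition's advanced options or normalise with `| eval user=lower(user)` before the lookup. Rows with `role="unmatched"` are the accounts the lookup table does not know about, which is itself worth alerting on.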
Q5 (hard)

A dashboard uses a timechart to show CPU usage over 24 hours. The time range selector is set to 'Last 7 days'. The chart displays data only for the last 24 hours. Which visualization setting is MOST likely causing this?

A

The chart's 'Time range override' is set to 24 hours.

A time range override on the panel overrides the dashboard selector.

B

The 'Max rows' is set to 24.

C

The 'Span' is set to 1 hour.

D

The data source only retains 24 hours.

Why: A panel's search can carry its own time range in Simple XML (`<earliest>` and `<latest>` elements under the `<search>`), and when it does, that fixed range takes precedence over the dashboard's global time picker; in the dashboard editor this is the panel's Time range setting, which can be switched from an explicit selection back to the shared time picker. A panel pinned to the last 24 hours therefore plots 24 hours whatever the picker says. Option B would truncate rows, not the time axis. Option C sets the bucket width and would simply produce 168 hourly points across 7 days. Option D is a data-retention question, not a visualization setting, though it is worth ruling out with a quick check of the earliest `_time` in the source if the panel's time range is already bound to the picker.
Q6 (medium)

Which TWO are valid methods to join data from a CSV file in a Splunk search?

A

`| append myfile.csv`

B

`| join myfile.csv`

C

`| lookup myfile.csv`

`lookup` joins fields from a lookup file.

D

`| csvlookup myfile.csv`

E

`| inputlookup myfile.csv`

`inputlookup` reads lookup files.

Why: Options C and E are correct. `lookup` enriches each event with fields from a lookup table, matching on one or more input fields; the table can be referenced through a lookup definition (required when you want options such as case-insensitive matching or a limit on matches, and for automatic lookups via props.conf) or, for a CSV file in a lookups directory, by its file name directly. `inputlookup` reads the table itself as a result set, which is the building block for the other direction of the join: `| append [| inputlookup myfile.csv]` or `| join field [| inputlookup myfile.csv]`. That is also why A and B are wrong as written: `append` and `join` take a subsearch, not a file name. Option D, `csvlookup`, is not an SPL command.


Domain 4: Transactions and Event Correlation

Q1 (medium)

A security analyst needs to correlate login events from multiple authentication servers to track a single user session. The events share a common 'session_id' field but have different timestamps. Which transaction command option should be used to ensure the session is considered complete after 30 minutes of inactivity?

A

startswith=login endswith=logout

B

mvlist=session_id

C

maxspan=30m

D

maxpause=1800

maxpause=1800 seconds (30 minutes) closes the transaction after 30 minutes of inactivity.

Why: Option D is correct. `maxpause=1800` sets the maximum gap allowed between consecutive events of a transaction to 1800 seconds (30 minutes); when the next event with the same `session_id` arrives later than that, the transaction is closed and a new one starts. `maxpause=30m` is the same setting written more readably, since the time unit is optional and defaults to seconds. Option C, `maxspan`, bounds the total length of the transaction instead, which is the opposite of an inactivity timeout: a busy 40-minute session would be cut in two while a session idle for an hour would still be joined. Option A needs the events to contain the literal terms login and logout and says nothing about time. Option B, `mvlist`, only controls how multivalued fields are rendered in the output. The differing timestamps are what `transaction` expects; it orders the events by `_time` itself. On large volumes, remember that it holds every open session in memory, and that `stats min(_time) max(_time) count by session_id` is the cheap alternative when you need session boundaries rather than the combined raw events.
Q2 (hard)

A Splunk administrator notices that the 'transaction' command is consuming excessive memory when processing a large dataset. The dataset contains events with a common field 'user_id', and the goal is to group events per user within 1 hour. Which approach would best reduce memory usage while still achieving the desired correlation?

A

Use the 'kvform' command instead of transaction.

B

Use a subsearch to first filter events and then apply transaction on the smaller set.

A subsearch can pre-filter or aggregate events, reducing the input size for transaction and thus memory.

C

Add more fields to the transaction to make it more specific.

D

Increase the maxspan value to 2 hours to reduce the number of transactions.

Why: Option B is the keyed answer: `transaction` keeps every open transaction in memory until it closes, so the less data reaches it the less it holds, and a subsearch that narrows the base search (for example to the users of interest) shrinks the input before any grouping happens. Two caveats make this less of a silver bullet than it sounds. A subsearch returns at most 10,000 results and runs for at most 60 seconds by default, so it only works when the filter criterion is small; a narrower base search written directly (a tighter time range, index and sourcetype, `user_id=*`) achieves the same reduction without that limit. And the command's own memory-control options are the direct levers: `maxopentxn` and `maxopenevents` cap how many transactions and events may be held open at once, while a tight `maxspan`, `maxpause` or `maxevents` makes transactions close sooner and leave memory. Option D is backwards for that reason: a longer span keeps transactions open longer. Option A, `kvform`, extracts fields from key/value forms and has nothing to do with correlation. Option C adds grouping fields, which fragments the groups but does not change how many events are in flight. When the goal is per-user counts or durations rather than the stitched raw events, `stats ... by user_id` over the same data is cheaper than `transaction` by a wide margin.
Q3 (easy)

A Splunk user wants to group web server logs into transactions representing a single user visit, where a visit starts with a 'GET' request and ends with a 'POST' request. Which transaction command syntax correctly implements this logic?

A

transaction startswith="GET" endswith="POST" maxevents=2

B

transaction startswith="POST" endswith="GET"

C

transaction startswith="GET" endswith="POST"

Correctly sets start and end conditions.

D

transaction by src_ip startswith="GET" endswith="POST"

Why: Option C is correct. `startswith="GET"` and `endswith="POST"` define the boundary events: `transaction` opens a group at an event matching the start condition and closes it at one matching the end condition, which is what the stated visit logic asks for, and no further option is needed to express it. Option A's `maxevents=2` would discard every visit that has any request between the GET and the POST. Option B reverses the boundaries. Option D is not wrong so much as stricter than the question: adding `src_ip` keeps different clients from being stitched into one another's visits, and in a real web log that is almost always what you want, because without a grouping field interleaved requests from two clients can be joined into a single transaction. In practice you would also give the transaction a `maxpause`, so that a client that never sends a POST does not hold a transaction open across the whole search window.
Q4 (medium)

A Splunk administrator is troubleshooting a slow search that uses the transaction command. The search correlates events by 'user_uuid' with a maxspan of 1 hour. The administrator suspects that many orphan events (events that never complete a transaction) are causing performance issues. Which approach can help identify and possibly exclude orphan events from the transaction?

A

Increase maxspan to allow more events to complete.

B

Use the 'mvlist' option to list all user_uuid values.

C

Use the 'keepevicted=true' option and then filter out evicted events in a subsequent search.

keepevicted=true keeps transactions that were evicted before they could close and marks them with closed_txn=0, so they can be inspected or dropped.

D

Add 'closed_txn=1' to the transaction command to only output complete transactions.

Why: Option C is correct. By default `transaction` discards transactions that were evicted from memory or were still open when the search ended, so orphans never appear in the output. With `keepevicted=true` they are emitted alongside the others, and every transaction carries a `closed_txn` field: 1 for a transaction that was closed by `maxspan`, `maxpause`, `maxevents` or by reaching a `startswith` event (the command reads events newest-first, so meeting a start event is what closes a group), 0 for one that was evicted or never closed. `| where closed_txn=0` then isolates the orphans for analysis and `| where closed_txn=1` keeps only complete transactions; there is no `evicted` field. One subtlety: if none of those closing options is set, every transaction is reported with `closed_txn=0`, so a search that relies on the field must specify at least one of them, as this one does with its 1-hour `maxspan`. Option D misreads `closed_txn` as an argument; it is an output field, and omitting evicted transactions is already the default. Option A keeps transactions open longer and makes the memory pressure worse. Option B, `mvlist`, only changes how multivalued fields are rendered. If orphans are the real cost, the direct levers are the command's memory-control options, `maxopentxn` and `maxopenevents`, together with a tighter base search.
Q5 (hard)

A Splunk user needs to correlate events from different sourcetypes (web_access, auth_log, app_log) that share a common 'transaction_id' field. Each transaction_id may appear many times across sourcetypes. The user wants to group all events with the same transaction_id into one transaction, without any time constraints. Which transaction command is most appropriate?

A

transaction by transaction_id

Correctly groups by the common field without time limits.

B

transaction by sourcetype transaction_id

C

transaction maxspan=1d by transaction_id

D

transaction startswith=* endswith=* by transaction_id

Why: Option A is correct: grouping on `transaction_id` alone stitches every event that shares a value, whatever its sourcetype, into one transaction, and `transaction` applies no time limit unless `maxspan` or `maxpause` is given, so option C's `maxspan=1d` adds a constraint the requirement rules out. Option B also groups on `sourcetype`, which splits each transaction into one group per sourcetype, the opposite of what is wanted. Option D's `startswith=* endswith=*` makes every event both a start and an end and fragments the groups. Two notes for practice: the documented syntax lists the grouping fields directly after the command (`transaction transaction_id`), and an unbounded transaction over a large dataset is the most memory-hungry form of the command. When you only need to know which sourcetypes and what time span each `transaction_id` covers, `stats values(sourcetype) min(_time) max(_time) count by transaction_id` gives that without holding any raw events in memory.
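The transaction options from Q1, Q4 and Q5 of this domain, and the eventcount filter from Domain 1 Q5, combined into one session-reconstruction search. The example is added here and is not part of the original page; it assumes an index named `auth` whose events carry a `session_id` field and an `action` field with the values `login` and `logout` (assumed names), and its comment uses the Search app's built-in `comment` macro.

```spl
index=auth earliest=-7d session_id=*
| transaction session_id
      startswith="action=login" endswith="action=logout"
      maxpause=30m maxspan=12h
      keepevicted=true
    `comment("maxpause closes a session after 30 idle minutes while maxspan caps its total length and keepevicted keeps sessions that never closed")`
| where eventcount > 1
| eval state=if(closed_txn=1, "complete", "evicted_or_open"),
       duration_min=round(duration / 60, 1)
| stats count AS sessions
        avg(duration_min) AS avg_minutes
        max(eventcount) AS most_events
        dc(session_id) AS distinct_sessions
    BY state
```

`eventcount` and `duration` are the fields `transaction` adds to every group; `closed_txn` is present because `keepevicted=true` is set and is 1 only for sessions closed by `maxpause`, `maxspan`, `maxevents` or a `startswith` match, so the `evicted_or_open` row shows how many sessions lacked a clean boundary. A `dc(session_id)` that is lower than `sessions` reveals session identifiers that were split into several transactions by the 30-minute idle limit. When the stitched raw text is not needed, `stats min(_time) AS start max(_time) AS end count BY session_id` followed by `eval duration=end-start` produces session boundaries far more cheaply.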
Q6 (medium)

Which TWO statements about the 'transaction' command are correct? (Choose two.)

A

It requires all events to be from the same source.

B

It sums numeric field values across events in the transaction.

C

It can use the 'by' clause to group events based on common field values.

The 'by' clause is used to specify the field(s) that define a transaction group.

D

The 'maxevents' option limits the total number of transactions output.

E

It can combine multiple events into a single event.

The transaction command groups events into one event that contains all fields.

Why: Options C and E are correct. The grouping fields tell `transaction` which events belong together: events that share the values of the named fields are stitched into one transaction regardless of index, source or sourcetype, which is what makes cross-source correlation possible. The result of that stitching is a single event per transaction whose `_raw` is the concatenated raw text of its members and whose fields are the union of their fields (a field with differing values becomes multivalued), plus the added `duration` and `eventcount`. Option A is wrong for the reason just given. Option B is wrong because `transaction` does not aggregate numeric values; to sum a field across the events of a session, use `stats sum(field) by <grouping field>` instead. Option D is wrong because `maxevents` caps the number of events in each transaction, not the number of transactions produced.


Frequently asked questions

How many questions are on the SPLK-1003 exam?

The SPLK-1003 exam has 65 questions and must be completed in 60 minutes. The passing score is 700/1000.

What types of questions appear on the SPLK-1003 exam?

Scenario-based questions covering exam objectives with detailed answer explanations.

How are SPLK-1003 questions organised by domain?

The exam covers 4 domains: Advanced Searching and Statistics, Macros, Saved Searches and CIM, Advanced Visualization and Lookups, Transactions and Event Correlation. Questions are weighted by domain — higher-weight domains appear more on your actual exam.

Are these the actual SPLK-1003 exam questions?

No. These are original exam-style practice questions written against the official Splunk SPLK-1003 exam objectives. They are not copied from the real exam. Courseiva focuses on genuine understanding, not memorisation of braindumps.
