Splunk · Free Practice Questions · Last reviewed May 2026
24 real exam-style questions organised by domain, each with the correct answer highlighted and a plain-English explanation of why it's right — and why the others are wrong.
Domain 1: Advanced Searching and Statistics

1. A security analyst needs to find all events where the field 'user' has a value that is either 'admin' or 'root', but the search is returning too many results from a noisy source. Which search best filters the events to only include those where the 'user' field exactly matches 'admin' or 'root'?
   - user="admin" OR user="root"
   - user=*admin* OR user=*root*
   - user IN ("admin", "root")  [correct]
     Explanation: The IN operator matches fields exactly against the listed values, avoiding substring issues.
   - user=admin OR user=root
2. A Splunk administrator runs the following search and notices that the results include events where the 'status' field is 200 or 404, but also includes events where the 'status' field is missing. What is the most efficient way to modify the search to exclude events where the 'status' field does not exist?
   - status=200 OR status=404 | search status!=null
   - NOT ISNULL(status) (status=200 OR status=404)  [correct]
     Explanation: ISNULL(status) returns true if the field does not exist; NOT ISNULL ensures only events with a status field are considered.
   - status=200 OR status=404 | where isnotnull(status)
   - status=200 OR status=404
3. An analyst wants to find the top 5 users who have the highest total bytes transferred. The data has fields 'user' and 'bytes'. Which search should be used?
   - | stats max(bytes) as max_bytes by user | sort - max_bytes | head 5
   - | stats sum(bytes) as total_bytes by user | sort - total_bytes | head 5  [correct]
     Explanation: This correctly sums bytes per user, sorts descending, and takes the top 5.
   - | sort - bytes | head 5 | table user, bytes
   - | top limit=5 user
4. A search returns events with a field 'response_time' in milliseconds. The analyst wants to categorize response times into three buckets: 'fast' (< 100), 'medium' (100-500), 'slow' (> 500). Which search correctly creates this categorization?
   - | eval bucket=case(response_time<100,"fast", response_time>=100 AND response_time<=500,"medium", response_time>500,"slow")  [correct]
     Explanation: case evaluates conditions in order and returns the first true match.
   - | eval bucket=if(response_time<100,"fast",response_time<500,"medium","slow")
   - | eval bucket=if(response_time<100,"fast",if(response_time<=500,"medium","slow"))
   - | where response_time<100 | eval bucket="fast" | append [search where response_time>=100 AND response_time<=500 | eval bucket="medium"]
5. A search uses 'transaction' to group events by session, but the results show too many transactions with only one event. What is the best way to filter out single-event transactions?
   - | transaction ... | where eventcount > 1  [correct]
     Explanation: eventcount is a default field added by transaction; filtering for >1 removes single-event transactions.
   - Add maxspan=5m to the transaction command
   - | transaction maxevents=2 ...
   - | transaction ... | where eventcount=2
6. Which TWO of the following statements about the 'stats' command are true?
   - It can be used with a BY clause to group results.  [correct]
     Explanation: The BY clause allows grouping by one or more fields.
   - The count() function must always include a field argument.
   - It creates one event per input event by default.
   - It can be used to modify individual field values in raw events.
   - It can produce multiple output columns by using multiple stats functions.  [correct]
     Explanation: Multiple functions can be used in a single stats command, e.g., stats count, avg(bytes).
Domain 2: Macros, Saved Searches and CIM

7. A security analyst wants to create a macro that extracts IP addresses from a field named `src_ip` and returns a count of unique IPs per source. Which macro definition accomplishes this?
   - | stats count(src_ip) as unique_ips
   - | stats distinct_count(src_ip) as unique_ips
   - | stats unique(src_ip) as unique_ips
   - | stats dc(src_ip) as unique_ips  [correct]
     Explanation: `dc` (distinct count) counts unique values.
8. A team regularly runs a saved search that joins two large indexes. Performance is poor. Which design change would MOST improve query performance?
   - Convert the saved search to a scheduled report.
   - Create a data model summary to pre-aggregate the data.  [correct]
     Explanation: Summaries reduce the amount of data scanned.
   - Replace the join with a subsearch.
   - Use the `fields` command to remove unnecessary fields before the join.
9. An admin created a macro `myfilter(host)` with definition: `host=$host$ | stats count`. When calling `myfilter(webserver)`, the search returns no results. What is the most likely cause?
   - The host field is case-sensitive.
   - The macro argument is not being treated as a literal string.  [correct]
     Explanation: Without quotes, the value is interpreted as a field value literal, but the correct syntax is `host="$host$"`.
   - The host field is not indexed.
   - The macro is evaluated before the rest of the search.
10. Which TWO of the following are valid uses of the Common Information Model (CIM) in Splunk?
   - Defining user roles and permissions for data access.
   - Managing license usage across indexers.
   - Creating new indexes for faster search performance.
   - Defining tags and event types to categorize data.  [correct]
     Explanation: CIM uses tags and event types to map data to models.
   - Normalizing data from different sources to a common field naming convention.  [correct]
     Explanation: CIM provides data models with standardized field names.
11. Which THREE of the following are best practices for creating saved searches?
   - Save the search without scheduling it to avoid resource usage.
   - Set an appropriate time range to limit the data scanned.  [correct]
     Explanation: Limiting the time range improves performance.
   - Use the `summary` indexing feature for searches that run frequently.  [correct]
     Explanation: Summary indexing improves performance for repeated searches.
   - Avoid specifying a time range to use the default.
   - Use descriptive names that indicate the purpose of the search.  [correct]
     Explanation: Descriptive names help with management.
12. Which TWO of the following are valid ways to reference a macro in a search?
   - $macro_name(arg1, arg2)$
   - macro_name:arg1, arg2
   - `macro_name(arg1, arg2)`  [correct]
     Explanation: Backticks with parentheses and comma-separated arguments.
   - `macro_name arg1 arg2`  [correct]
     Explanation: Backticks with space-separated arguments (if the macro is defined that way).
   - | macro_name(arg1, arg2)
Domain 3: Advanced Visualization and Lookups

13. A security analyst creates a timechart of login failures by source IP. The chart shows expected spikes, but the top 5 IPs account for <10% of all failures. The analyst suspects a DDoS attack using spoofed IPs. Which visualization type would BEST highlight the distribution of failures across all IPs?
   - Pie chart
   - Treemap  [correct]
     Explanation: Treemaps effectively show proportions of many categories.
   - Scatter plot
   - Stacked column chart
14. An engineer runs `| inputlookup asset_lookup.csv | table asset_id asset_name` and gets no results despite the file existing in $SPLUNK_HOME/etc/apps/search/lookups/. The lookup definition is correctly configured. What is the MOST likely cause?
   - The engineer lacks permissions to read the lookup.
   - The lookup file is not in the correct directory.
   - The lookup file has a .csv extension but contains other data.
   - The lookup definition name does not match the filename.  [correct]
     Explanation: The engineer used the filename, but `inputlookup` expects the lookup definition name.
15. A dashboard shows a single-value visualization of total sales. The underlying search uses `| stats sum(sales)`. The dashboard refreshes every 5 minutes, but the value only updates when the page is manually reloaded. Which setting is MOST likely missing?
   - The 'Token delay' is too high.
   - The search is not scheduled or set to 'Auto' for the panel.  [correct]
     Explanation: The panel's search must be set to run automatically to refresh data.
   - The time range picker is set to 'All time'.
   - The dashboard's 'Auto-refresh' interval is not set.
16. A user creates a lookup definition for a CSV file containing user roles. The lookup is used in a search: `| lookup user_roles username OUTPUT role`. The search returns no additional field. The lookup file has columns: 'username', 'role', 'department'. What is the MOST likely issue?
   - The username field in the search is not extracted.
   - The lookup file is not in the lookups directory.
   - The lookup definition uses a different filename than the CSV.  [correct]
     Explanation: If the definition points to a different file, no matches occur.
   - The 'role' field is misspelled in the search.
17. A dashboard uses a timechart to show CPU usage over 24 hours. The time range selector is set to 'Last 7 days'. The chart displays data only for the last 24 hours. Which visualization setting is MOST likely causing this?
   - The chart's 'Time range override' is set to 24 hours.  [correct]
     Explanation: A time range override on the panel overrides the dashboard selector.
   - The 'Max rows' is set to 24.
   - The 'Span' is set to 1 hour.
   - The data source only retains 24 hours.
18. Which TWO are valid methods to join data from a CSV file in a Splunk search?
   - `| append myfile.csv`
   - `| join myfile.csv`
   - `| lookup myfile.csv`  [correct]
     Explanation: `lookup` joins fields from a lookup file.
   - `| csvlookup myfile.csv`
   - `| inputlookup myfile.csv`  [correct]
     Explanation: `inputlookup` reads lookup files.
Domain 4: Transactions and Event Correlation

19. A security analyst needs to correlate login events from multiple authentication servers to track a single user session. The events share a common 'session_id' field but have different timestamps. Which transaction command option should be used to ensure the session is considered complete after 30 minutes of inactivity?
   - startswith=login endswith=logout
   - mvlist=session_id
   - maxspan=30m
   - maxpause=1800  [correct]
     Explanation: maxpause=1800 (1800 seconds, i.e. 30 minutes) closes the transaction after 30 minutes of inactivity.
20. A Splunk administrator notices that the 'transaction' command is consuming excessive memory when processing a large dataset. The dataset contains events with a common field 'user_id', and the goal is to group events per user within 1 hour. Which approach would best reduce memory usage while still achieving the desired correlation?
   - Use the 'kvform' command instead of transaction.
   - Use a subsearch to first filter events and then apply transaction on the smaller set.  [correct]
     Explanation: A subsearch can pre-filter or aggregate events, reducing the input size for transaction and thus its memory usage.
   - Add more fields to the transaction to make it more specific.
   - Increase the maxspan value to 2 hours to reduce the number of transactions.
21. A Splunk user wants to group web server logs into transactions representing a single user visit, where a visit starts with a 'GET' request and ends with a 'POST' request. Which transaction command syntax correctly implements this logic?
   - transaction startswith="GET" endswith="POST" maxevents=2
   - transaction startswith="POST" endswith="GET"
   - transaction startswith="GET" endswith="POST"  [correct]
     Explanation: Correctly sets the start and end conditions.
   - transaction by src_ip startswith="GET" endswith="POST"
22. A Splunk administrator is troubleshooting a slow search that uses the transaction command. The search correlates events by 'user_uuid' with a maxspan of 1 hour. The administrator suspects that many orphan events (events that never complete a transaction) are causing performance issues. Which approach can help identify and possibly exclude orphan events from the transaction?
   - Increase maxspan to allow more events to complete.
   - Use the 'mvlist' option to list all user_uuid values.
   - Use the 'keepevicted=true' option and then filter out evicted events in a subsequent search.  [correct]
     Explanation: keepevicted=true preserves events that were not included in any transaction, allowing you to analyze or exclude them.
   - Add 'closed_txn=1' to the transaction command to only output complete transactions.
23. A Splunk user needs to correlate events from different sourcetypes (web_access, auth_log, app_log) that share a common 'transaction_id' field. Each transaction_id may appear many times across sourcetypes. The user wants to group all events with the same transaction_id into one transaction, without any time constraints. Which transaction command is most appropriate?
   - transaction by transaction_id  [correct]
     Explanation: Correctly groups by the common field without time limits.
   - transaction by sourcetype transaction_id
   - transaction maxspan=1d by transaction_id
   - transaction startswith=* endswith=* by transaction_id
24. Which TWO statements about the 'transaction' command are correct? (Choose two.)
   - It requires all events to be from the same source.
   - It sums numeric field values across events in the transaction.
   - It can use the 'by' clause to group events based on common field values.  [correct]
     Explanation: The 'by' clause is used to specify the field(s) that define a transaction group.
   - The 'maxevents' option limits the total number of transactions output.
   - It can combine multiple events into a single event.  [correct]
     Explanation: The transaction command groups events into one event that contains all fields.
About the exam

The SPLK-1003 exam has 65 questions and must be completed in 60 minutes. The passing score is 700/1000.
Scenario-based questions covering exam objectives with detailed answer explanations.
The exam covers 4 domains: Advanced Searching and Statistics, Macros, Saved Searches and CIM, Advanced Visualization and Lookups, Transactions and Event Correlation. Questions are weighted by domain — higher-weight domains appear more on your actual exam.
No. These are original exam-style practice questions written against the official Splunk SPLK-1003 exam objectives. They are not copied from the real exam. Courseiva focuses on genuine understanding, not memorisation of braindumps.
Courseiva tracks your accuracy per domain and routes you toward weak areas automatically. Free, no account required.