Reinforce SPLK-1003 concepts with active-recall study cards covering all 4 blueprint domains. Each card shows the question on the front and the correct answer with a full explanation on the back.
Flashcards work through active recall — the process of retrieving information from memory rather than passively re-reading it. Research consistently shows that active recall produces stronger, longer-lasting memory than re-reading study guides. For SPLK-1003 preparation, this means flashcards are one of the highest-return study tools available.
Attempt recall first
Read the SPLK-1003 question on each card, pause, and attempt to formulate the answer in your own words before revealing. This retrieval attempt — even if wrong — dramatically strengthens memory compared to immediately reading the answer.
Review wrong cards again
When you get a card wrong, note it and add it back to your review pile. Spaced repetition — seeing difficult cards more frequently — is the mechanism that makes flashcard study far more efficient than linear reading.
Study by domain
Group your SPLK-1003 flashcard sessions by domain for the first 3–4 weeks. Master one domain before moving to the next. In the final week, shuffle all cards together to test cross-domain recall — which is what the real SPLK-1003 exam requires.
Short sessions beat marathon reviews
20–30 flashcard cards per session, done daily, produces better retention than a single 200-card marathon session. Five short daily sessions per week over 4 weeks gives you over 400 total card reviews — enough to reliably pass SPLK-1003.
Sample cards from the SPLK-1003 flashcard bank. Read the question, think of the answer, then read the explanation below.
A security analyst needs to find all events where the field 'user' has a value that is either 'admin' or 'root', but the search is returning too many results from a noisy source. Which search best filters the events to only include those where the 'user' field exactly matches 'admin' or 'root'?
user=admin OR user=root
Option D is correct because using unquoted field comparisons with the OR operator performs an exact match for simple values like 'admin' and 'root'. In Splunk, when field values do not contain spaces or special characters, unquoted values are treated as exact match tokens. Therefore, `user=admin OR user=root` will retrieve events where the user field is exactly 'admin' or 'root'. Option A is also valid but less concise. Option B uses wildcards, matching any occurrence, not exact. Option C uses the IN operator, which is another exact match method, but option D is equally correct and often considered more straightforward for this simple case.
A security analyst wants to create a macro that extracts IP addresses from a field named `src_ip` and returns a count of unique IPs per source. Which macro definition accomplishes this?
| stats dc(src_ip) as unique_ips
Option D is correct because `dc(src_ip)` is the Splunk command for distinct count, which returns the number of unique IP addresses in the `src_ip` field. This macro definition directly fulfills the requirement to count unique IPs per source, as `dc` is the standard abbreviation for distinct count in Splunk's `stats` command.
A security analyst creates a timechart of login failures by source IP. The chart shows expected spikes, but the top 5 IPs account for <10% of all failures. The analyst suspects a DDoS attack using spoofed IPs. Which visualization type would BEST highlight the distribution of failures across all IPs?
Treemap
A treemap is the best choice because it uses nested rectangles to represent the proportional contribution of each source IP to the total login failures, making it easy to visually identify the distribution across all IPs, even when no single IP dominates. Unlike other chart types, a treemap can efficiently display hundreds of IPs without cluttering the view, which is critical when the top 5 IPs account for less than 10% of failures, indicating a highly distributed attack pattern.
A security analyst needs to correlate login events from multiple authentication servers to track a single user session. The events share a common 'session_id' field but have different timestamps. Which transaction command option should be used to ensure the session is considered complete after 30 minutes of inactivity?
maxpause=1800
Option D (maxpause=1800) is correct because it sets a maximum inactivity period of 1800 seconds (30 minutes) between events in a transaction. When no new events with the same session_id arrive within that window, the transaction is considered complete. This directly addresses the requirement to end a session after 30 minutes of inactivity, regardless of the total duration of the session.
A telecom company monitors call detail records (CDR). Each call has a unique call_id, and events are generated at each network node (setup, ringing, answer, hangup) with timestamps. The events are from different sourcetypes (cdr_setup, cdr_ring, etc.) and are indexed in near real-time. The analyst needs to correlate all events for the same call_id to calculate call duration. The current search is: `index=telecom sourcetype=cdr_* | transaction call_id maxspan=2h`. This search works but sometimes produces huge transactions (100+ events) due to noisy data, causing memory errors. The analyst has identified that each call should have exactly 4 events: setup, ringing, answer, hangup. Which approach would best correlation with minimal resource usage?
Use `transaction call_id maxevents=4 maxspan=2h` to limit to exactly 4 events.
Option A is correct because `maxevents=4` directly limits the transaction to exactly four events per call_id, preventing memory errors from noisy data while ensuring each transaction contains the expected setup, ringing, answer, and hangup events. This constraint is applied during the transaction command itself, reducing resource usage by discarding oversized groups immediately rather than post-processing.
A Splunk admin wants to track the number of unique users who accessed a system each hour over the past 24 hours. Which search provides the correct result?
index=main earliest=-24h | timechart span=1h dc(user) as unique_users
Option A is correct because it uses `timechart span=1h dc(user)` to count distinct users per hour over the last 24 hours. The `dc()` function calculates distinct counts, and `span=1h` sets the time bucket to one hour, exactly matching the requirement.
A search returns many events, and the analyst wants to see a summary table of the top 5 values of the field `src_ip` along with the count of events for each. Which command should be used?
top
The `top` command in Splunk is specifically designed to find the most common values of a field and display them in a summary table with counts and percentages. By default, `top` returns the top 10 values, but you can use the `limit=5` parameter to restrict the output to the top 5 values of `src_ip` along with their event counts. This directly meets the analyst's requirement.
An analyst wants to find the top 5 users who have the highest total bytes transferred. The data has fields 'user' and 'bytes'. Which search should be used?
| stats sum(bytes) as total_bytes by user | sort - total_bytes | head 5
Option B is correct because it uses `stats sum(bytes) as total_bytes by user` to aggregate the total bytes transferred per user, then sorts the results in descending order with `sort - total_bytes`, and finally limits the output to the top 5 users with `head 5`. This directly answers the requirement for the highest total bytes transferred.
A team regularly runs a saved search that joins two large indexes. Performance is poor. Which design change would MOST improve query performance?
Create a data model summary to pre-aggregate the data.
Option B is correct because a data model summary pre-aggregates data at search time, reducing the volume of data that the join operation must process. This is the most effective way to improve performance when joining two large indexes, as it avoids scanning and joining raw events repeatedly.
An engineer runs `| inputlookup asset_lookup.csv | table asset_id asset_name` and gets no results despite the file existing in $SPLUNK_HOME/etc/apps/search/lookups/. The lookup definition is correctly configured. What is the MOST likely cause?
The lookup definition name does not match the filename.
The `inputlookup` command references a lookup by its definition name, not the filename. Even if the file exists in the correct directory, the command will fail if the lookup definition name in the configuration does not match the filename. Option D is correct because the engineer likely used the filename in the command instead of the lookup definition name.
A dashboard uses a timechart to show CPU usage over 24 hours. The time range selector is set to 'Last 7 days'. The chart displays data only for the last 24 hours. Which visualization setting is MOST likely causing this?
The chart's 'Time range override' is set to 24 hours.
The 'Time range override' setting on a visualization explicitly overrides the dashboard's global time picker. When set to a fixed duration like 24 hours, the chart ignores the 'Last 7 days' selection and only displays data for that specific window. This explains why the chart shows only the last 24 hours despite the dashboard time range being 7 days.
A dashboard developer wants to create a single-value visualization that shows the current server status from a lookup table. Which Splunk command should be used to retrieve the lookup data in a real-time context?
lookup
Option C is correct because the `lookup` command retrieves field values from a lookup table and can be used in a real-time context to enrich events or display current status. Unlike `inputlookup`, which loads the entire lookup table as events, `lookup` works within the search pipeline, allowing it to match against live data and return the most recent lookup values for a single-value visualization.
A Splunk admin notices that a time-based lookup (defined in transforms.conf with time_range=TRUE) is not returning correct results for events outside the lookup's time boundaries. The lookup file contains rows with a valid time range. What is the most likely cause?
The event time is outside the time range defined in the lookup
When a time-based lookup is configured with time_range=TRUE in transforms.conf, Splunk restricts lookup matches to events whose timestamps fall within the time range specified in the lookup file. If an event's timestamp is outside that range, the lookup will not return any results, even if other fields match. This is the most likely cause because the question explicitly states that events are outside the lookup's time boundaries.
A security analyst wants to visualize the count of login failures by source IP over the last 24 hours, but only for IPs with more than 10 failures. Which visualization type and SPL command combination is most appropriate?
Column chart with | stats count by src_ip | where count > 10
Option B is correct because it uses `stats count by src_ip` to aggregate login failures per source IP, then `where count > 10` to filter only IPs exceeding 10 failures, and a column chart is ideal for comparing discrete counts across categories (IP addresses). This combination directly answers the requirement: visualize count of failures by IP, with a threshold filter applied after aggregation.
A Splunk administrator is troubleshooting a slow search that uses the transaction command. The search correlates events by 'user_uuid' with a maxspan of 1 hour. The administrator suspects that many orphan events (events that never complete a transaction) are causing performance issues. Which approach can help identify and possibly exclude orphan events from the transaction?
Use the 'keepevicted=true' option and then filter out evicted events in a subsequent search.
Option C is correct because the `keepevicted=true` parameter causes the `transaction` command to output events that were evicted from the transaction window (orphans) with an `evicted` field set to 1. You can then filter out these evicted events in a subsequent search using `where evicted=0`, which isolates only complete transactions and removes the performance overhead of orphan events.
A Splunk administrator notices that the 'transaction' command is consuming excessive memory when processing a large dataset. The dataset contains events with a common field 'user_id', and the goal is to group events per user within 1 hour. Which approach would best reduce memory usage while still achieving the desired correlation?
Use a subsearch to first filter events and then apply transaction on the smaller set.
Option B is correct because using a subsearch first reduces the dataset size before the 'transaction' command processes it, directly addressing the memory issue. The 'transaction' command groups events into memory until they are finalized, so a smaller input set means fewer events held simultaneously, lowering memory consumption while still allowing the 1-hour maxspan correlation per user_id.
A security team wants to detect a multi-step attack pattern: a user logs in from a new IP address, then within 10 minutes performs a privilege escalation, and finally accesses a sensitive file. They have events with fields: user, ip, action, and timestamp. Which SPL transaction statement should they use to group these three events into one transaction, ensuring all three actions occur in order?
`transaction user maxspan=10m`
Option B is correct because `transaction user maxspan=10m` groups all events from the same user that occur within a 10-minute window. The events are inherently ordered by timestamp, so the three actions (login, privilege escalation, sensitive file access) will appear in chronological order within the transaction, satisfying the requirement. Including `action` or `ip` in the transaction fields would split the three different actions or IP addresses into separate transactions, preventing detection of the complete pattern.
An analyst needs to correlate events from a web server log and an application log to identify failed login attempts followed within 5 seconds by an error event. The events share a common session ID field. Which approach should the analyst use?
Use `transaction sessionID maxspan=5s` to group events by session ID within 5 seconds
The `transaction` command is designed to group related events based on shared field values (sessionID) within a specified time boundary (maxspan=5s). This allows the analyst to correlate web server and application log events that share the same session ID and occur within 5 seconds, making it straightforward to identify failed login attempts followed by an error event.
A Splunk administrator notices that a transaction command is consuming excessive memory and taking too long to complete. The transaction is defined on a field with high cardinality. Which of the following would most effectively reduce memory usage and improve performance?
Use a different field with lower cardinality for grouping
Option D is correct because the transaction command groups events based on field values, and high cardinality fields create many unique groups, each requiring memory for state tracking. Using a lower-cardinality field reduces the number of concurrent groups, directly lowering memory consumption and processing time. This addresses the root cause rather than adjusting timeouts or eviction policies.
An organization has a transaction that groups firewall events by source IP to detect port scans. The transaction uses `maxpause=1m`. Some valid scans are being missed because events occasionally have gaps longer than 1 minute due to network latency. Which change would best capture these scans without introducing too many false positives?
Increase maxpause to 2 minutes
Increasing maxpause to 2 minutes allows the transaction to tolerate longer gaps between events caused by network latency, ensuring that valid port scans are still captured. This change directly addresses the issue without altering the grouping logic or removing the timeout guard, which would otherwise risk false positives or incorrect grouping.
Refer to the exhibit. The search aims to detect brute-force attacks where there are at least 2 failed logins followed by a successful login from the same source IP within 5 minutes. However, the search returns no results even though such attacks exist. What is the most likely error in the search logic?
The `search stage="*"` command is filtering out all transactions because stage is a multivalue field.
The `search stage="*"` command filters out all transactions because `stage` is a multivalue field created by the `transaction` command. In Splunk, a multivalue field cannot be matched with a simple wildcard search like `stage="*"`; this search only returns events where `stage` is a single literal asterisk. To search for any value in a multivalue field, you must use `mvcount(stage)>0` or `search stage=*` (without quotes).
A financial services company uses Splunk to detect fraudulent transactions. Each transaction event has fields: `user_id`, `amount`, `merchant`, `timestamp`. The fraud detection team wants to identify users who make multiple small transactions (under $50) totaling over $200 within a 1-hour window, which may indicate testing stolen credit cards. They write the following search: `index=transactions sourcetype=payment amount<50 | transaction user_id maxspan=1h | where sum(amount) > 200` This search runs but returns no results, even though manual inspection shows users with such patterns. What is the primary reason the search fails?
The `where sum(amount) > 200` does not work as expected because `sum()` is not an aggregation function in that context; you need to use `stats sum(amount)` or `eval total=mvsum(amount)` first.
Option D is correct because the `transaction` command creates a single multivalue field `amount` containing all amounts from the grouped events. The `where` clause cannot directly aggregate multivalue fields with `sum()`; it requires an explicit `eval` to compute the sum (e.g., `eval total=mvsum(amount)`) or a `stats` command. Without this, the `where` clause evaluates `sum(amount)` as a string operation or fails silently, returning no results.
The SPLK-1003 flashcard bank covers all 4 official blueprint domains published by Splunk. Cards are distributed proportionally, so domains with higher exam weight have more cards.
Domain Coverage
Advanced Searching and Statistics
Macros, Saved Searches and CIM
Advanced Visualization and Lookups
Transactions and Event Correlation
Both flashcards and practice questions are evidence-based study tools. The difference is in what they train:
Flashcards — concept retention
Best for memorising definitions, acronyms, protocol behaviours, command syntax, and conceptual distinctions. Use flashcards to build the foundational vocabulary that SPLK-1003 questions assume you know.
Best in: weeks 1–3
Practice tests — application
Best for applying concepts to realistic scenarios, eliminating distractors, and building exam stamina.SPLK-1003 questions test scenario reasoning — not just recall — so practice tests are essential.
Best in: weeks 3–6
The most effective SPLK-1003 study plan combines both: use flashcards for the first 2–3 weeks to build conceptual foundations, then shift to practice tests and mock exams in the final 2–3 weeks to apply and benchmark that knowledge. Most candidates who pass on their first attempt use both tools.
Yes. Courseiva provides free SPLK-1003 flashcards across all official exam domains. Every card includes the correct answer and a full explanation of why it is right and why the distractors are wrong. The platform also includes topic-based practice, mock exams, and readiness tracking — no account required.
Courseiva has 500+ original SPLK-1003 flashcards across all 4 exam blueprint domains. New cards are added regularly as the question bank grows. All cards are written by certified engineers against the official Splunk exam objectives.
Courseiva flashcards are purpose-built for IT certification exams. Unlike generic flashcard platforms where content quality varies, every Courseiva card is mapped to the official SPLK-1003 exam blueprint, written by engineers who hold the certification, and includes a full explanation of the correct answer and why the distractors are wrong. This explanation quality is what separates genuine learning from rote memorisation.
Courseiva is a web platform — an internet connection is required. For offline study, we recommend creating free Courseiva account, using the platform in your browser, and using your device's offline capabilities if your browser supports offline web apps.
Save your results, see which domains need more work, and get spaced repetition recommendations — all free.
Sign Up FreeFree forever · Every certification included