SPLK-1003 Advanced Searching and Statistics • Complete Question Bank

SPLK-1003 Advanced Searching and Statistics — All Questions With Answers

Complete SPLK-1003 Advanced Searching and Statistics question bank — all 0 questions with answers and detailed explanations.
Question 1 (medium, multiple choice)

A security analyst needs to find all events where the field 'user' has a value that is either 'admin' or 'root', but the search is returning too many results from a noisy source. Which search best filters the events to only include those where the 'user' field exactly matches 'admin' or 'root'?

Question 2 (hard, multiple choice)

A Splunk administrator runs the following search and notices that the results include events where the 'status' field is 200 or 404, but also includes events where the 'status' field is missing. What is the most efficient way to modify the search to exclude events where the 'status' field does not exist?

Question 3 (easy, multiple choice)

An analyst wants to find the top 5 users who have the highest total bytes transferred. The data has fields 'user' and 'bytes'. Which search should be used?

Question 4 (medium, multiple choice)

A search returns events with a field 'response_time' in milliseconds. The analyst wants to categorize response times into three buckets: 'fast' (< 100), 'medium' (100-500), 'slow' (> 500). Which search correctly creates this categorization?

Question 5 (hard, multiple choice)

A search uses 'transaction' to group events by session, but the results show too many transactions with only one event. What is the best way to filter out single-event transactions?

Question 6 (medium, multi select)

Which TWO of the following statements about the 'stats' command are true?

Question 7 (easy, multi select)

Which THREE of the following are valid Splunk search commands for determining the number of distinct values of a field?

Question 8 (hard, multiple choice)

The search returns zero results, but the lookup file contains users with names like 'admin1', 'admin2'. What is the most likely reason?

Exhibit

Refer to the exhibit.

```
| inputlookup user_roles.csv
| eval role=if(like(user, "admin%"), "admin", "user")
| search role=admin
| stats count by role
```

Question 9 (medium, multiple choice)

The search returns unexpected results, including IP addresses that are not in the expected format (e.g., '127.0.0.1' appears as '27.0.0.1'). What is the most likely cause?

Exhibit

Refer to the exhibit.

```
index=web sourcetype=access_combined
| rex field=_raw "(?<ip>\d+\.\d+\.\d+\.\d+)"
| top ip
```

Question 10 (medium, multiple choice)

A security analyst needs to find all events where the field `status` has a value of either "error" or "critical" and the field `bytes` is greater than 1000. Which search correctly accomplishes this?

Question 11 (hard, multiple choice)

A Splunk admin wants to track the number of unique users who accessed a system each hour over the past 24 hours. Which search provides the correct result?

Question 12 (easy, multiple choice)

A search returns many events, and the analyst wants to see a summary table of the top 5 values of the field `src_ip` along with the count of events for each. Which command should be used?

Question 13 (hard, multiple choice)

An analyst needs to identify events where the field `response_time` is more than 2 standard deviations above the average response_time for the same `host`. Which approach should be used?

Question 14 (medium, multiple choice)

An analyst wants to create a timechart of the count of events per hour, but only for events where the field `status` contains the word "fail" (case-insensitive). Which search is correct?

Question 15 (hard, multi select)

Which TWO of the following statements about the `transaction` command are true? (Choose two.)

Question 16 (medium, multi select)

Which THREE of the following are valid ways to create a subsearch in SPL? (Choose three.)

Question 17 (medium, multiple choice)

A security analyst wants to find all events where the field 'src_ip' matches any IP address in a lookup table named 'malicious_ips.csv'. The lookup has fields 'ip' and 'threat'. Which search correctly enriches events with the threat info and filters to only malicious IPs?

Question 18 (hard, multiple choice)

A search returns events with fields 'user', 'action', and 'count'. The analyst wants to create a timechart showing the number of distinct users performing 'login' actions per hour. Which search is correct?

Question 19 (easy, multiple choice)

An analyst runs `index=web status=500 | top 10 uri` and gets results. Which statement is true about the 'top' command's behavior?

Question 20 (hard, multiple choice)

A search returns events with fields 'user', 'duration', and 'status'. The analyst wants to find users whose average duration exceeds 100 and who have more than 5 events. Which search is correct?

Question 21 (medium, multiple choice)

A search includes `... | eval day=strftime(_time, "%A") | stats count by day | sort count`. The results show Monday has the highest count. The analyst wants to confirm that the timezone is correctly applied. Which command should be added before the eval to ensure the day calculation uses the local timezone?

Question 22 (medium, multi select)

Which TWO of the following statements about the 'transaction' command are true? (Choose two.)

Question 23 (hard, multi select)

Which THREE of the following commands can produce a time-based chart (timechart or chart with time buckets)? (Choose three.)

Question 24 (medium, multiple choice)

The exhibit shows a search to find the top 5 URI-method combinations by count. However, the results show only 5 rows, but the analyst expected to see the top 5 URIs overall, not combinations. Which change to the search would achieve the desired result?

Exhibit

Refer to the exhibit.
```
index=web sourcetype=access_combined
| rex "(?<ip>\d+\.\d+\.\d+\.\d+) (?<method>\w+) (?<uri>[^ ]+)"
| stats count by uri, method
| sort - count
| head 5
```
Question 25 (easy, multiple choice)

A security analyst needs to find all events where the field 'status' is either 'error' or 'critical', and then count the number of events per source IP. Which search is correct?

Question 26 (medium, multiple choice)

The search shown in the exhibit is executed but returns unexpected results: the count for 'API' is much lower than expected. What is the most likely cause?

Exhibit

Refer to the exhibit.

```
index=web sourcetype=access_combined
| rex field=_raw "(?<method>GET|POST|PUT|DELETE) (?<url>\S+)"
| eval category = case(
    match(url, "^/api/"), "API",
    match(url, "^/images/"), "Images",
    1==1, "Other"
  )
| stats count by category
```
Question 27 (hard, multiple choice)

A Splunk administrator runs the following search to identify the top 5 users by total bytes transferred:

```
index=proxy sourcetype=webproxy | stats sum(bytes) as total_bytes by user | sort - total_bytes | head 5
```

The search returns results, but the numbers seem inflated. On closer inspection, the 'bytes' field is a string type. What must be done to correct the search?

Question 28 (medium, multiple choice)

An analyst needs to calculate the average response time for each web server, but only for requests that returned status code 200. The field 'response_time' is numeric. Which search correctly achieves this?

Question 29 (hard, multiple choice)

A security analyst needs to find all login events where the user 'jsmith' attempted to authenticate from an IP address outside the corporate subnet (10.0.0.0/8) after business hours (after 18:00). Which search correctly filters for these events?

Question 30 (easy, multiple choice)

An analyst wants to calculate the average response time for each web server, but only for requests that returned status code 200. Which search accomplishes this?

Question 31 (medium, multiple choice)

A dashboard is slow to load because it runs a search that uses `transaction` to group events into sessions. The search is `index=main source=web | transaction clientip maxspan=30m maxpause=5m`. What is the most effective way to improve performance?

Question 32 (medium, drag order)

Arrange the steps to create a new index in Splunk in the correct order.

Question 33 (medium, drag order)

Arrange the steps to create a knowledge object of type 'Event Type' in Splunk.

Question 34 (medium, drag order)

Arrange the steps to configure role-based access control in Splunk.

Question 35 (medium, matching)

Match each Splunk search command to its primary function.

Matches:

- Calculates aggregate statistics on search results
- Extracts fields using regular expressions
- Creates or modifies fields using expressions
- Groups events into transactions based on common fields
- Enriches events with external data from a lookup table

Question 36 (medium, matching)

Match each Splunk search operator to its behavior.

Matches:

- Pipes output of one command to the next
- Excludes events that match the following term
- Matches events that contain either term
- Matches events that contain both terms (default)
- Groups terms to control evaluation order

Question 37 (medium, matching)

Match each Splunk report type to its description.

Matches:

- Displays results in a tabular format
- Visualizes data as a chart (e.g., bar, line, pie)
- Shows statistical summaries like count, avg, sum
- A collection of panels with visualizations
- Triggers actions based on search results

Question 38 (medium, multiple choice)

A security analyst needs to find the top 10 users with the most failed login attempts from the linux_secure sourcetype. Which SPL command is most efficient for this task?

Question 39 (hard, multiple choice)

A search returns 50,000 events. The analyst wants to sample 1% evenly across time. Which sampling command should be used?

Question 40 (medium, multiple choice)

Which of the following searches correctly computes the average response time per host?

Question 41 (easy, multiple choice)

Which command adds the overall average of a field to each event in the results?

Question 42 (hard, multiple choice)

A search uses `transaction maxspan=30s maxpause=5s`. Events are sorted by _time. If there is a gap of 10 seconds between two events, what happens?

Question 43 (easy, multiple choice)

Which command extracts a field named 'ip' from the raw event using a regex pattern?

Question 44 (medium, multiple choice)

Which command returns the list of all sourcetypes in a specific index?

Question 45 (hard, multiple choice)

A search produces a field 'count'. You need to find the event with the maximum count. Which approach is correct?

Question 46 (easy, multiple choice)

Which command creates a time-based chart showing a count of events over time?

Question 47 (medium, multi select)

Which TWO of the following are valid methods to join two sets of search results?

Question 48 (hard, multi select)

Which TWO of the following eval functions can be used to convert a string to a numeric value?

Question 49 (easy, multi select)

Which THREE of the following are valid Splunk search commands?

Question 50 (hard, multiple choice)

Refer to the exhibit. The search returns 50 results after the `where` command. What is the purpose of the `eval` command?

Exhibit

```
index=web sourcetype=access_combined status=500
| stats count by clientip
| where count > 10
| eval severity = if(count > 100, "high", "low")
```

Question 51 (medium, multiple choice)

Refer to the exhibit. The search is intended to display users who logged in from IP addresses starting with 10.0, but returns no results. What is the most likely cause?

Exhibit

```
index=main sourcetype=syslog
| rex field=_raw "User (?<user>\w+) logged in from (?<ip>\d+\.\d+\.\d+\.\d+)"
| search ip="10.0.*"
| table user, ip
```

Question 52 (easy, multiple choice)

Refer to the exhibit. What is the result of this search?

Exhibit

```
index=main sourcetype=linux_secure "Failed password"
| stats count by user
| sort -count
| head 5
```

Question 53 (medium, multiple choice)

A security analyst wants to calculate the average latency for each web server over the past hour, but only for requests where the status code is 200. The search result includes fields: server, latency, status. Which search correctly accomplishes this?

Question 54 (easy, multiple choice)

An analyst wants to create a time series chart showing the count of errors per hour over the last 24 hours. The errors are logged with sourcetype=error_log. Which search achieves this?

Question 55 (hard, multiple choice)

A Splunk administrator is troubleshooting a search that uses the transaction command to group login and logout events. The search runs but returns no results even though both types of events exist. The events are separated by at most 5 minutes. The current transaction command is:

`index=auth (action=login OR action=logout) | transaction action maxspan=10m maxpause=2s`

What is the most likely cause?

Question 56 (medium, multiple choice)

An analyst wants to create a running total of sales per day over a week. The data has fields: date, sales. Which search would produce a cumulative sum for each day?

Question 57 (easy, multiple choice)

A search returns duplicate events for the same user. The analyst wants to keep only the first occurrence of each user based on timestamp. Which sequence of commands is best?

Question 58 (hard, multiple choice)

A search is used to calculate the 95th percentile of response times for each application, and then to find applications where the 95th percentile exceeds 5000 ms. The current search is:

`index=perf sourcetype=app_response | stats perc95(response_time) by app | where perc95(response_time) > 5000`

This search fails with an error. What is the most likely reason?

Question 59 (medium, multiple choice)

A search uses eventstats to add the average response time per server to each event. Which of the following correctly describes the output?

Question 60 (easy, multiple choice)

An analyst wants to see the count of distinct users for each department over the last week. The data contains fields: user, department, date. Which search is correct?

Question 61 (hard, multiple choice)

A Splunk search uses a subsearch to find the top 10 client IPs and then retrieve all events from those IPs. The subsearch is:

`index=web sourcetype=access | search [ top clientip | fields clientip ]`

What does this search return?

Question 62 (medium, multi select)

Which TWO of the following are valid uses of the stats command in Splunk? (Choose two.)

Question 63 (medium, multi select)

Which THREE of the following are benefits of using eventstats over stats when analyzing event logs? (Choose three.)

Question 64 (hard, multi select)

Which THREE of the following are correct characteristics of the transaction command? (Choose three.)

Question 65 (medium, multiple choice)

The exhibit shows a search that categorizes HTTP status codes and counts them. If the search returns only three categories, what is the most likely reason?

Exhibit

Refer to the exhibit.

```
index=web sourcetype=access | eval category=case(status<300, "success", status<400, "redirect", status<500, "client_error", status<600, "server_error") | stats count by category | sort - count
```

Question 66 (easy, multiple choice)

A security analyst notices that a timechart command is returning too many data points on the x-axis, making the chart unreadable. Which command modification should be used to reduce the number of data points?

Question 67 (medium, multiple choice)

A search returns raw events with a field 'response_time'. The analyst wants to calculate the average response time excluding any outliers that are more than 3 standard deviations from the mean. Which SPL approach is most efficient?

Question 68 (hard, multiple choice)

An administrator wants to correlate events from the same session but the events span up to 30 minutes apart. The transaction command is being considered. Which transaction option is most appropriate to ensure sessions are correctly grouped without artificially high memory usage?

Question 69 (easy, multiple choice)

Which SPL command can be used to create a new field based on a conditional evaluation, such as setting a status field to 'critical' if a numeric threshold is exceeded?

Question 70 (medium, multiple choice)

A search is producing results that include both internal and external traffic. The analyst wants to approximate the number of distinct destination IPs for internal traffic only, where internal IPs fall within the 10.0.0.0/8 range. Which approach is most efficient?

Question 71 (hard, multiple choice)

A search uses a subsearch to retrieve a list of user IDs, and then the main search uses IN operator to filter events. The subsearch is expected to return up to 10,000 values. What is a potential limitation and how can it be addressed?

Question 72 (easy, multiple choice)

An analyst wants to remove events that contain the string 'debug' from a log. Which command should be used?

Question 73 (medium, multiple choice)

When using the stats command with multiple BY fields, the results show many rows with null values. What is the most likely cause and how can it be reduced?

Question 74 (hard, multiple choice)

A search uses the map command to run a search for each value of a field. The search is taking a very long time. Which alternative approach is recommended for better performance?

Question 75 (easy, multiple choice)

Refer to the exhibit. What is the purpose of the eval command in this search?

Exhibit

```
index=web | eval status_category=case(status>=500, "Server Error", status>=400, "Client Error", 1=1, "Other") | stats count by status_category
```

Question 76 (medium, multiple choice)

Refer to the exhibit. Which statement about this search is true?

Exhibit

```
index=network sourcetype=firewall | fields src_ip, dest_ip, action, bytes | iplocation src_ip | stats sum(bytes) as total_bytes by dest_ip, Country | sort - total_bytes | head 10
```

Question 77 (hard, multiple choice)

Refer to the exhibit. What does the final result represent?

Exhibit

```
index=security sourcetype=windows_logon | eval logon_hour=strftime(_time, "%H") | stats count by logon_hour, user | eventstats avg(count) as avg_count by logon_hour | where count > avg_count * 2
```

Question 78 (easy, multi select)

A search is running slowly due to a large data volume. Which TWO modifications are likely to improve search performance? (Select two.)

Question 79 (medium, multi select)

An analyst wants to create a time-series comparison of the current week and the previous week. Which TWO commands are commonly used together to achieve this? (Select two.)

Question 80 (hard, multi select)

Which THREE of the following are valid uses of the stats command? (Select three.)

Question 81 (medium, multiple choice)

A security analyst wants to find IP addresses that have attempted to access a specific URL more than 5 times in the last hour and also have a user agent string containing "curl". They need to use a subsearch to pre-filter IPs. Which search is correct?

Question 82 (hard, multiple choice)

A team uses a large index with many sourcetypes. They want to find events where the field "status" contains either "error" or "failure" (case-insensitive), and also ensure that "response_time" > 1000. Which search best optimizes performance?

Question 83 (easy, multiple choice)

A user wants to create a chart showing the count of errors per hour for the last 24 hours, with time bucketed hourly. Which search is correct?

Question 84 (medium, multi select)

Which TWO of the following commands can be used to create a table of unique values for a field, along with their counts?

Question 85 (medium, multi select)

Which TWO search commands can be used to calculate a running total (cumulative sum) of a field over time?

Question 86 (hard, multi select)

Which THREE of the following are valid ways to extract a substring from a field named "full_name" that contains "Firstname Lastname" into separate fields?

Question 87 (easy, multiple choice)

Refer to the exhibit. What will this search return?

Exhibit

```
index=web sourcetype=access | search status=404 | timechart count by host
```

Question 88 (medium, multiple choice)

Refer to the exhibit. What is the purpose of this search?

Exhibit

```
| inputlookup server_list.csv | fields server_name, location | join type=left server_name [search index=main sourcetype=status | stats latest(status) as current_status by server_name ] | table server_name, location, current_status
```

Question 89 (hard, multiple choice)

Refer to the exhibit. The search is taking very long and returning few results. Which change would most improve performance?

Exhibit

```
index=security sourcetype=firewall | eval src_ip=if(isnull(src_ip), nat_ip, src_ip) | transaction src_ip, dest_port maxspan=5m maxpause=1m | search eventcount>10 | table src_ip, dest_port, duration, eventcount
```

Question 90 (easy, multiple choice)

A user wants to see the top 5 most common HTTP methods (field "method") from web access logs, along with their percentage of total. Which search is best?

Question 91 (medium, multiple choice)

A security analyst needs to correlate login events with subsequent actions from the same user within 30 minutes. They need to ensure that only one login per user session is considered, and actions after login are attached. Which command is most appropriate?

Question 92 (hard, multiple choice)

A search uses a subsearch to filter events, but the subsearch returns more than 50,000 results, causing the search to fail. Which approach can avoid this limit while still achieving the goal?

Question 93 (easy, multiple choice)

A user wants to calculate the average response time per user, but only for users who have more than 10 events. Which search approach is efficient?

Question 94 (easy, multiple choice)

A user wants to create a timechart showing the number of distinct users per hour over the past week. Which search is correct?

Question 95 (hard, multiple choice)

A search uses the transaction command with maxevents=1000 and maxspan=1h. The search is slow and memory-intensive. Which modification can reduce resource usage while still grouping related events?

Question 96 (medium, multiple choice)

A security analyst runs `index=network sourcetype=firewall | stats count by src_ip | sort - count | head 10` to find the top 10 source IPs by event count. The search returns only 5 results. Which of the following is the most likely reason?

Question 97 (hard, multiple choice)

A developer needs to calculate the 95th percentile of response times for each service over the past hour. The data has fields: service, response_time. Which search achieves this correctly and efficiently?

Question 98 (easy, multiple choice)

A user wants to add a field showing the average value of a numeric field `latency` for each host, without reducing the number of events. Which command should be used?

Question 99 (medium, multiple choice)

An analyst runs a search that includes a subsearch: `index=web [search index=web status=500 | fields url | dedup url | limit 5]`. The main search returns no results even though the subsearch returns 5 URLs. What is the most likely issue?

Question 100 (hard, multiple choice)

A search needs to find events where the same user logged in from more than 3 different IP addresses within a 5-minute window. Which combination of commands is most efficient?

Question 101 (easy, multiple choice)

A data scientist wants to extract the domain from email addresses in the `_raw` field. The emails follow the pattern user@domain.tld. Which eval expression should be used to create a new field called `domain` containing only the domain part?

Question 102 (medium, multiple choice)

A search using `tstats` to query a data model returns results but is slow. Which of the following is the most likely cause?

Question 103 (hard, multiple choice)

A search `index=main | eval weekday=strftime(_time,"%A") | stats count by weekday | sort - count` shows that Monday has the highest count. However, the user suspects that Monday data is double-counted due to timezone offset. What should be done to investigate?

Question 104 (easy, multiple choice)

A search returns 1000 results per second. The user wants to see a trend of counts over the past hour in 5-minute intervals. Which command should be used?

Question 105 (medium, multi select)

Which TWO of the following are valid aggregation functions in the `stats` command? (Choose 2)

Question 106 (hard, multi select)

Which THREE of the following are true about the `transaction` command? (Choose 3)

Question 107 (medium, multi select)

Which TWO of the following commands are useful for reducing the number of events before a `stats` command to improve performance? (Choose 2)

Question 108 (hard, multiple choice)

Refer to the exhibit. The search above returns no results for api_version. What is the most likely cause?

Exhibit

```
index=main sourcetype=access_combined | rex field=uri_path "/api/(?<api_version>v[0-9]+)/.*" | stats count by api_version
```
Question 109 (medium, multiple choice)

Refer to the exhibit. The search results show a large number of hosts, but the `limit=5` only shows the top 5. The eval statement fails with an error. Why?

Exhibit

```
index=main | timechart span=1h count by host limit=5 | eval total=count_1+count_2+count_3+count_4+count_5
```
Question 110 (easy, multiple choice)

Refer to the exhibit. The search returns results quickly but shows zero events for some src values. What does `summariesonly=t` imply?

Exhibit

```
| tstats summariesonly=t count from datamodel=Authentication.Authentication where Authentication.action=failure by Authentication.src
```
Question 111 (medium, multiple choice)

A company uses a large Splunk environment with many users creating dashboards. They notice that some searches are slow and consume excessive resources. What is the best practice to optimize search performance?

Question 112 (hard, multiple choice)

A security analyst wants to find IP addresses that have been involved in both login failures and successful logins within a 5-minute window. Which approach is most efficient?

Question 113 (easy, multiple choice)

Which command is used to convert a multi-value field into individual events?

Question 114 (medium, multiple choice)

A user wants to create a report that shows the top 5 sources of errors, excluding a specific source 'host1'. Which SPL is correct?

Question 115 (hard, multiple choice)

An administrator notices that a search using the timechart command returns data for every 15-minute bucket even when no events exist, creating many null values. How can this behavior be suppressed?

Question 116 (easy, multiple choice)

Which command creates a new field that contains the string 'high' if a numeric field exceeds 100, otherwise 'low'?

Question 117 (medium, multiple choice)

A user runs a search that returns 1,000,000 results but only sees 5,000 in the Statistics tab. What is the most likely cause?

Question 118 (hard, multiple choice)

A search analyst wants to calculate the average transaction time for each user and then find users whose average transaction time exceeds the overall average. Which approach is most efficient?

Question 119 (easy, multiple choice)

Which of the following is true about the sort command?

Question 120 (medium, multi select)

A user needs to identify the top 3 error types by count, but only for the current month, and exclude results with fewer than 100 occurrences. Which TWO steps are necessary? (Select two.)

Question 121 (hard, multi select)

A search administrator wants to ensure that a scheduled search runs efficiently and does not impact other users. Which TWO practices should be implemented? (Select two.)

Question 122 (medium, multi select)

A user needs to find events where a user had a failed login followed by a successful login within 10 minutes, and then list the total number of such occurrences per user. Which THREE steps are necessary? (Select three.)

Question 123 (hard, multiple choice)

Refer to the exhibit. This search returns an error. What is the most likely cause?

Exhibit

```
index=web sourcetype=access_combined
| stats count by status, uri_path
| eval status_group=case(status>=500,"5xx", status>=400,"4xx", status>=300,"3xx", status>=200,"2xx")
| timechart span=1h count by status_group
```
Question 124 (medium, multiple choice)

Refer to the exhibit. This search is intended to find users with average duration above overall average. However, it returns no results. Why?

Exhibit

```
| eventstats avg(duration) as overall_avg
| stats avg(duration) as user_avg by user
| where user_avg > overall_avg
```
Question 125 (hard, multiple choice)

A large e-commerce company runs Splunk Enterprise on a single indexer cluster with four indexers. They have been experiencing slow search performance during peak hours, especially for searches that cover the last 24 hours. The environment uses a default search time range of 'Last 30 days'. The team has noticed that searches often time out or return partial results. They have also observed high CPU usage on the search head during peak times. The company's data volume is approximately 500 GB per day across various sources. They have implemented some search acceleration for data models, but the issue persists. The security team needs to run ad-hoc searches for threat hunting that cover multiple sourcetypes over the last 7 days. Additionally, the search head has a memory limit that is sometimes reached. The security team's searches are complex and involve joins and subsearches. The existing acceleration only covers a few data models. The team is looking for a quick win that does not require significant infrastructure changes. Which course of action would most effectively improve search performance without compromising data completeness?

Question 126 (easy, multiple choice)

A user wants to find the top 5 sourcetypes by event count over the last 24 hours. Which search is correct?

Question 127 (medium, multiple choice)

A Splunk admin notices that a search using the transaction command takes too long. To debug, they want to see how events are grouped into transactions before the transaction command runs. Which command can be added to the search pipeline before transaction to inspect the grouping?

Question 128 (hard, multiple choice)

A web application log contains fields: user, timestamp, response_time. You need to compute the average response time per user, excluding outliers where response_time > 10000ms. Which search produces the correct result?

Question 129 (easy, multiple choice)

To count events by host for the last hour, which search is most efficient?

Question 130 (medium, multiple choice)

You need to find the percentage of total events contributed by each sourcetype. Which command should follow index=* | stats count by sourcetype?

Question 131 (hard, multiple choice)

A search includes a subsearch that returns 100,000 results, causing performance issues. Which optimization is best?

Question 132 (medium, multiple choice)

To find users who logged in from more than 3 different IP addresses, which search is correct?

Question 133 (medium, multi select)

Which TWO of the following are valid ways to calculate the median of a numeric field?

Question 134 (hard, multi select)

Which THREE of the following are valid ways to count the number of events per minute for a given sourcetype?

Question 135 (easy, multi select)

Which TWO of the following commands can be used to find the most frequent value of a field within each group?

Question 136 (easy, multiple choice)

A security analyst is investigating a potential breach. They have a search that uses the transaction command to group events by session_id and calculates the total bytes transferred per session. However, the search takes over 30 minutes to complete on a 24-hour time range. The environment has 10 indexers with default settings. The analyst needs to reduce search time while preserving the ability to group by session_id. Which course of action should they take?

Question 137 (medium, multiple choice)

A Splunk admin is responsible for a search dashboard that displays real-time statistics of application errors. The search uses 'index=app sourcetype=error | timechart count by severity span=5m'. Users report that the dashboard is slow and often times out. The environment has 4 indexers and the data volume is about 500 GB/day. The admin wants to improve performance without changing the dashboard's output. Which step should they take?

Question 138 (hard, multiple choice)

A large e-commerce platform uses Splunk to monitor user sessions. Each session is composed of multiple events with a common 'session_id' field. The current search to compute average session duration is: 'index=web | transaction session_id maxspan=30m | eval duration=_time_last - _time | stats avg(duration)'. This search runs for over an hour on a 6-hour time window. The environment has 20 indexers and data volume is 2 TB/day. The admin suspects that the transaction command is the bottleneck. Which optimization should be applied?

Question 139 (medium, multiple choice)

A network operations team uses Splunk to analyze firewall logs. They need to identify top talkers (source IPs with highest total bytes) over the last hour. The current search: 'index=firewall | stats sum(bytes) as totalBytes by src_ip | sort -totalBytes | head 10' takes 5 minutes to complete. They want to make it faster. The environment has 5 indexers with default configurations. The data volume is 100 GB/day. Which action will most improve search performance?

Question 140 (easy, multiple choice)

A developer wants to debug a slow Splunk search that uses multiple eval and where commands. The search returns correct results but takes 2 minutes. The developer wants to identify which parts of the search are slow. The environment is a single instance Splunk with moderate data. What should the developer do?

Question 141 (easy, multi select)

Which TWO commands can be used to perform statistical aggregations on streaming events without creating a separate search results set?

Question 142 (medium, multiple choice)

A security team runs a search to count login failures per user over the last 24 hours: `index=security action=failure | stats count by user`. The results show counts, but some users have extremely high counts due to a brute force attack. The team wants to identify users with a count greater than 100. What should they do to get the desired list?

Question 143 (hard, multiple choice)

A Splunk environment ingests 10 TB per day. A user runs a search to count events per sourcetype over the last 7 days: `index=* earliest=-7d | timechart count by sourcetype`. The search returns partial results and eventually times out. The user needs to obtain the complete results efficiently. What is the best course of action?

Question 144 (easy, multiple choice)

A user runs a search on web access logs: `index=web | eventstats sum(bytes) as total_bytes by host`. The search returns the correct total bytes per host, but now the user needs to calculate the average bytes per host for each event. Which command should be added to the base search to achieve this?

Question 145 (medium, multiple choice)

A user needs a report showing the number of distinct source IPs per sourcetype over the last hour. They run: `index=* earliest=-1h | stats dc(src_ip) by sourcetype`. The search runs slowly (2 minutes) and they want to speed it up. Which optimization is most effective?

Question 146 (hard, multiple choice)

A security analyst wants to create a comparison report showing the count of login failures by user for today versus yesterday. They run: `index=security action=failure | timechart count by user`. This produces a chart of counts over time, but they want separate columns for today and yesterday. How can they achieve this comparison efficiently?

Question 147 (easy, multiple choice)

An analyst wants to identify the top 5 user agents that generated the most 404 errors in the last 24 hours. Which search accomplishes this correctly and efficiently?

Question 148 (medium, multi select)

Which TWO of the following searches are syntactically valid uses of the eventstats command? (Assume all referenced fields exist.)

Question 149 (hard, multiple choice)

Refer to the exhibit. What does the pct field represent?

Exhibit

```
index=web sourcetype=access_combined
| timechart span=1h count by status
| untable _time, status, count
| eventstats sum(count) as total by _time
| eval pct = round(count/total*100,2)
| table _time, status, pct
```
Question 150 (medium, multiple choice)

A large e-commerce company uses Splunk to monitor their web application. They have a query that uses the transaction command to group related events into transactions based on session ID and a 30-minute max pause. The query runs slowly and often times out. The environment has 10 indexers with 4 CPU cores each. The search is run over the last 7 days. Which of the following is the best course of action to improve performance?
