SPLK-1003 Advanced Visualization and Lookups • Complete Question Bank
Complete SPLK-1003 Advanced Visualization and Lookups question bank — all 0 questions with answers and detailed explanations.
Refer to the exhibit.

```
| inputlookup usertable.csv | table username, role, department
```

The lookup file usertable.csv contains:

```
username,role,department
jsmith,admin,it
bjones,user,sales
```

But the search returns no results. The lookup definition is named `usertable` and the file is in the correct directory.
Refer to the exhibit.

```
| inputlookup asset_lookup | where asset_type="server" | stats count by location
```

The lookup definition `asset_lookup` points to a CSV file with columns: asset_id, asset_type, location, owner. The search returns an error:

```
Error in 'where' command: The field asset_type does not exist.
```
Refer to the exhibit.

```
| inputlookup server_status.csv | where status="down" | stats count by location | sort - count
```
Refer to the exhibit. Error in search: "The lookup table 'department_lookup' does not exist." The admin verifies that department_lookup.csv is present in the lookups directory. Which additional step is required?
A large e-commerce company uses Splunk to monitor its web application performance. The operations team has created a dashboard with a timechart showing the 95th percentile of page load times over the last 24 hours. Recently, the dashboard stopped showing data for the last hour. The Splunk administrator confirms that the index is receiving data and the sourcetype is correctly configured. The search string is:
`index=web_app sourcetype=access_combined earliest=-24h@h latest=@h | timechart perc95(page_load_time) by host`
The dashboard panel uses a base search and a post-process search. The base search is:
`index=web_app sourcetype=access_combined earliest=-7d@d latest=@h`
What is the most likely cause of the missing last hour of data?
Match each concept to its description:

```
Full access to system configuration and all data
Can create and share knowledge objects, run searches
Can run searches and create personal knowledge objects
Allows deletion of search results and events
Allows access to Splunk REST endpoints
```
Match each concept to its description:

```
The hostname or IP of the data source
The file, script, or input that generated the event
The type of data, determines parsing behavior
The name of the index where the event is stored
The timestamp of the event
```
Refer to the exhibit.

```
[region_lookup]
filename = region.csv
match_type = WILDCARD(region_code)
default_match = false
max_match = 1
Case_sensitive_match = true
```
Refer to the exhibit.

```
index=main sourcetype=access_combined | eval status=code | lookup status_codes status OUTPUT description | timechart count by description
```
Refer to the exhibit.

```
WARN LookupProcessor - The lookup table 'user_lookup' is too large to be loaded into memory. File size: 150MB, max memory size: 100MB.
```
Refer to the exhibit.

```
index=web status=200 | lookup product_lookup product_id OUTPUT product_name, price | where price > 100 | stats count by product_name
```

The `product_lookup` lookup table contains the product_id, product_name, and price fields.
Refer to the exhibit.

```
[lookup_definition]
filename = departments.csv
case_sensitive_match = false
```
Refer to the exhibit.

```
index=access_logs | stats count by status | pie count by status
```
Refer to the exhibit.

```
[mysourcetype]
LOOKUP-geo = geo_lookup src_ip OUTPUTNEW city, country

[geo_lookup]
filename = geo.csv
max_matches = 1
default_match = NotFound
match_type = CIDR(src_ip)
```
Refer to the exhibit.

```xml
<dashboard>
  <table>
    <search>
      <query>index=web sourcetype=access | stats count by status</query>
    </search>
    <drilldown>
      <condition field="status">
        <set token="selected_status">$click.value$</set>
      </condition>
    </drilldown>
  </table>
  <chart depends="$selected_status$">
    <search>
      <query>index=web sourcetype=access status=$selected_status$ | timechart count by method</query>
    </search>
  </chart>
</dashboard>
```

Search command:

```
| inputlookup geo_lookup | search src_ip="10.0.0.1" | table src_ip, city, country
```

Error:

```
Error in 'inputlookup' command: Could not find lookup table 'geo_lookup'
```
Refer to the exhibit.

```
| inputlookup server_list.csv | search status="active" | table hostname ip_address
```
Refer to the exhibit.

props.conf stanza:

```
[mysourcetype]
LOOKUP-custom = my_lookup OUTPUTNEW field1 field2
```

transforms.conf stanza:

```
[my_lookup]
filename = my_lookup.csv
match_type = WILDCARD(field1)
```
Refer to the exhibit.

```
| timechart span=1h count by host limit=5
```
Refer to the exhibit.

```
[transform:geo_ip]
filename = GeoLiteCity.dat
max_matches = 1
[match_type = cidr
```
Refer to the exhibit.

```
| inputlookup employee_data.csv | stats count by department | sort - count | top limit=5 department
```
The security operations center (SOC) team at a medium-sized enterprise uses Splunk to investigate potential threats. They maintain a CSV lookup file named 'threat_intel.csv' that contains a list of known malicious IP addresses along with a threat score. The lookup is configured in transforms.conf as:
```
[threat_intel]
filename = threat_intel.csv
match_type = WILDCARD(ip)
```
They frequently run the following search to enrich firewall events with threat scores:
```
index=firewall sourcetype=firewall_logs | lookup threat_intel src_ip OUTPUT threat_score | where threat_score > 5
```
Recently, analysts noticed that some IP addresses known to be present in the lookup file are not being matched in search results. They have verified that the lookup file is correctly formatted and contains those IPs, and the transforms.conf has not been altered. They also confirmed that the events contain the field src_ip with the correct IP addresses. Which of the following is the most likely cause of the missing matches?
A large e-commerce company uses Splunk to monitor transactions. They have a CSV lookup file named 'customer_lookup.csv' containing 5 million rows of customer data (customer_id, name, address, tier). The lookup is used in a search that runs every hour to generate a report of sales by customer tier:
```
index=transactions sourcetype=transaction_logs | lookup customer_lookup customer_id OUTPUT name, address, tier | timechart count by tier
```
The search often times out or takes too long to complete, impacting operational dashboards. The team is considering optimization strategies. The lookup file is updated daily and stored in a custom app directory. The Splunk environment is distributed with a single search head and multiple indexers. Which of the following recommendations would most effectively improve the search performance?
Refer to the exhibit.

transforms.conf:

```
[lookup_user_info]
filename = user_info.csv
max_matches = 1
default_match = UNKNOWN
```

user_info.csv headers: User_ID, Department

Events have the field: user_id (lowercase)