© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.
SPLK-1003 Macros, Saved Searches and CIM — All Questions With Answers

Complete SPLK-1003 Macros, Saved Searches and CIM question bank: 98 questions with answers and detailed explanations. Free, no signup required.

Question 1 (easy, multiple choice)

A security analyst wants to create a macro that extracts IP addresses from a field named `src_ip` and returns a count of unique IPs per source. Which macro definition accomplishes this?

Question 2 (medium, multiple choice)

A team regularly runs a saved search that joins two large indexes. Performance is poor. Which design change would MOST improve query performance?

Question 3 (hard, multiple choice)

An admin created a macro `myfilter(host)` with definition: `host=$host$ | stats count`. When calling `myfilter(webserver)`, the search returns no results. What is the most likely cause?

Question 4 (easy, multi select)

Which TWO of the following are valid uses of the Common Information Model (CIM) in Splunk?

Question 5 (medium, multi select)

Which THREE of the following are best practices for creating saved searches?

Question 6 (hard, multi select)

Which TWO of the following are valid ways to reference a macro in a search?

Question 7 (hard, multiple choice)

A Splunk administrator notices that a scheduled saved search `Daily Summary` fails every day at 2:00 AM with the error "Search job expired due to inactivity." The search runs against a large index and takes about 30 minutes to complete. What is the most likely cause?

Question 8 (medium, multiple choice)

A security analyst wants to create a saved search that triggers an alert when more than 100 failed login attempts occur within a 5-minute window from the same source IP. The search should run every 5 minutes and alert only once per window. Which setting should be configured?

Question 9 (easy, multiple choice)

A Splunk admin wants to create a macro that extracts the username from a log line that always starts with 'User: <username>'. The macro should be reusable across searches. Which definition is correct?

Question 10 (hard, multiple choice)

An organization uses Splunk CIM to normalize data from multiple sources. They have a custom data source that logs firewall events with a field 'action' containing values 'accept', 'deny', 'drop'. They want to map this to the CIM field 'action'. Which configuration is required?

Question 11 (hard, multiple choice)

A Splunk admin notices that a saved search scheduled to run every 10 minutes is consistently taking 15 minutes to complete, causing overlapping runs. The search aggregates data across multiple indexes and uses a large time window. What is the best way to prevent overlap and ensure the search completes?

Question 12 (medium, multi select)

Which TWO of the following are valid ways to create a macro in Splunk? (choose two)

Question 13 (medium, multi select)

Which THREE of the following are components of the Splunk Common Information Model (CIM)? (choose three)

Question 14 (easy, multiple choice)

A user wants to create a macro that calculates the average response time for web requests. The macro should accept a field name as an argument and return the average. Which syntax is correct for defining the macro?

Question 15 (hard, multiple choice)

Refer to the exhibit. The following macro definition is saved in a Splunk environment:

```
[name="my_macro"]
args = host, index, sourcetype
definition = search index=$index$ host=$host$ sourcetype=$sourcetype$
```

When a user runs ``| `my_macro(index=main host=web01 sourcetype=access_combined)` ``, they receive the error: "Error in 'search' command: Unable to parse the search: Expected '(', found end of command." What is the most likely cause of the error?

Question 16 (easy, multiple choice)

A security analyst needs to monitor failed login attempts across multiple Windows domain controllers. The environment has a custom sourcetype 'WinEventLog:Security' and the data is indexed under 'windows_security'. The analyst wants to create a saved search that runs every 10 minutes, searches for EventCode 4625 (failed logon), and triggers an alert if more than 10 failures occur from the same source IP within the last 10 minutes. The saved search should use the Common Information Model (CIM) to ensure compatibility with other security apps. Which of the following saved search definitions best meets these requirements?

Question 17 (medium, multiple choice)

A Splunk administrator notices that a scheduled saved search titled 'Nightly_Threat_Report' is not completing on time. The search runs at 2:00 AM daily and typically takes 15 minutes, but recently it has been timing out after 30 minutes. The search query is complex, joining data from multiple indexes. The administrator checks the 'savedsearch.log' and sees entries like 'Search job terminated due to dispatch time limit' and 'Search job exceeded max time'. The administrator wants to resolve the issue without changing the search logic or increasing system resource limits. Which action should the administrator take first?

Question 18 (hard, multi select)

Which TWO of the following are valid reasons to use the Common Information Model (CIM) in a Splunk environment?

Question 19 (medium, multiple choice)

A Splunk admin has created several macros to simplify complex search commands. One macro, named `time_filter`, is defined as `earliest=-7d@d latest=@d`. The admin also has a saved search that uses this macro. Recently, users have complained that the saved search reports data from the wrong time range: it appears to be showing data from the last 24 hours instead of the last 7 days. The admin inspects the saved search and finds that the search string is:

``index=main | eval days=now() | where days > relative_time(now(), "-7d@d") | `time_filter` ``

The admin suspects the macro is not being expanded correctly. Which of the following is the most likely cause of the issue?

Question 20 (medium, drag order)

Order the steps to configure a field extraction using the Field Extractor (FX) in Splunk.

Question 21 (medium, drag order)

Order the steps to create a data model in Splunk in the correct order.

Question 22 (medium, drag order)

Order the steps to create a dashboard panel using the XML source editor in Splunk.

Question 23 (medium, matching)

Match each Splunk knowledge object to its purpose. Purposes to match:

- Defines how to extract fields from raw data
- Categorizes events based on a search query
- Assigns key-value pairs to events for filtering
- Maps field values to additional information
- Provides a structured, normalized view of data

Question 24 (medium, matching)

Match each Splunk macro to its definition. Definitions to match:

- A reusable search snippet without arguments
- A reusable search snippet with arguments
- A search within a search, enclosed in brackets
- A macro that performs a lookup
- A macro that evaluates an expression

Question 25 (medium, matching)

Match each Splunk license violation type to its consequence. Consequences to match:

- Indicates usage is near the limit
- Usage exceeds license quota, search may be limited
- License has expired, functionality is restricted
- License key is incorrect or corrupted
- Usage is within license limits

Question 26 (easy, multiple choice)

A Splunk user wants to create a macro named `nunique` that takes a field name as an argument and returns the count of distinct values for that field. Which macro definition should be used?

Question 27 (easy, multiple choice)

A Splunk admin needs to schedule a search to run every day at 2 AM and send an email alert if more than 100 events are found. Which saved search configuration achieves this?

Question 28 (medium, multiple choice)

An organization is implementing the Splunk Common Information Model (CIM) to normalize data. They have a source that provides event data with field names `src_ip` and `dst_ip`. To map these to CIM fields, which knowledge object should be created?

Question 29 (medium, multiple choice)

A search includes the macro `mysearch(field1, field2)`. The macro definition is `stats count by $1$, $2$`. If the search is ``index=main | `mysearch(user, action)` ``, what is the expanded search?

Question 30 (medium, multiple choice)

A saved search is configured to run every hour and generate a summary index. The original search returns data that is then summarized. Which of the following best describes the purpose of summary indexing?

Question 31 (hard, multiple choice)

A Splunk admin creates a macro named `lookup_user` that is defined as `| lookup user_lookup user AS $1$ OUTPUT full_name as user_name`. The macro is used in a search like ``index=main | `lookup_user(user_id)` ``. However, the results show no matches even though valid user_id values exist. What is the most likely cause?

Question 32 (hard, multiple choice)

A Splunk admin is accelerating a CIM data model for the "Network_Traffic" dataset. After acceleration, some searches that use the data model are slower than expected. What is the most likely reason?

Question 33 (hard, multiple choice)

A macro is defined as `mysearch` with definition `index=main | stats count by $source_type$`. The macro is invoked as ``| `mysearch(access_combined)` `` but the search never finishes. What is the likely issue?

Question 34 (easy, multiple choice)

A saved search is configured with a schedule but is not triggering at the expected time. The admin checks the "Job Inspector" and sees that the scheduled search is "skipped". What is a common reason for a scheduled search to be skipped?

Question 35 (easy, multi select)

Which of the following are valid ways to define a macro in Splunk? (Choose two.)

Question 36 (medium, multi select)

Which of the following are characteristics of the Splunk Common Information Model (CIM)? (Choose three.)

Question 37 (hard, multi select)

An admin is troubleshooting a saved search that uses the ``| `my_macro` `` command. The macro definition is `stats count by $1$`. The saved search is scheduled to run hourly. Which of the following issues could cause the saved search to fail? (Choose three.)

Question 38 (easy, multiple choice)

Refer to the exhibit. The macro `count_by_host` is defined as shown. The macro is invoked as ``| `count_by_host` ``. What will the expanded search look like?

Exhibit (macro definition):

```
| stats count by host, sourcetype
```

Question 39 (medium, multiple choice)

Refer to the exhibit. An admin configures acceleration for the Network_Traffic data model as shown. A user runs a search using the data model over the last 60 days. Why might the search be slower for data older than 7 days?

Exhibit:

```
[dm_acceleration]
datamodel = Network_Traffic
summary_range = 30d
earliest_time = -7d@d
```

Question 40 (hard, multiple choice)

Refer to the exhibit. A search uses the macro as ``| `fillnull(field=user)` ``. However, the search fails with a syntax error. What is the most likely issue?

Exhibit:

```
macro definition: eval $field$ = if(isnull($field$), "" , $field$)
```

Question 41 (easy, multiple choice)

A Splunk admin wants to create a reusable macro that accepts a time range parameter and searches all indexes for events within that range. The macro will be used in dashboards and reports. Which macro definition is correct?

Question 42 (easy, multiple choice)

When creating a saved search that runs every hour and sends an email alert when the count of errors exceeds 10, which action must be configured in addition to the search logic?

Question 43 (medium, multiple choice)

An organization uses the Splunk Common Information Model (CIM) to normalize data from various sourcetypes. After onboarding a new firewall vendor, the data is not populating the Network Traffic data model. Which of the following is the most likely cause?

Question 44 (medium, multiple choice)

A Splunk administrator is asked to create a dashboard that shows the top 10 source IPs by count of failed logins over the past week. The data is already CIM-compliant and uses the Authentication data model. Which search is most appropriate?

Question 45 (hard, multiple choice)

A security team has a saved search that runs every 5 minutes and looks for 'FAILED' events in Windows Security logs. The search uses a macro 'failed_logins' defined as: `define failed_logins() [search index=windows sourcetype=WinEventLog:Security EventCode=4625]`. Recently, the team noticed that the search is returning no results even though there are failed login events. What is the most likely issue?

Question 46 (hard, multiple choice)

A large enterprise uses multiple Splunk search heads. An admin wants to create a saved search that automatically runs on all search heads and sends a single alert email per triggered result, not per search head. Which saved search setting should be configured?

Question 47 (easy, multiple choice)

A team needs to create a saved search that runs automatically every Monday at 8 AM and emails a CSV file of the results. Besides configuring the search string, which steps are required?

Question 48 (medium, multiple choice)

An admin notices that a saved search with a scheduled alert is not triggering as expected even though the search returns results. The search uses a macro with arguments. Which troubleshooting step should the admin take first?

Question 49 (hard, multiple choice)

A Splunk admin wants to create a saved search that triggers an alert when the average CPU usage across all servers exceeds 80% over a 5-minute window. The data is in a 'perfmon' sourcetype. Which search best fits this requirement?

Question 50 (easy, multi select)

Which TWO benefits does the Splunk Common Information Model (CIM) provide? (Choose two.)

Question 51 (medium, multi select)

Which THREE are valid uses of macros in Splunk? (Choose three.)

Question 52 (hard, multi select)

Which TWO are correct about saved search permissions and scheduling? (Choose two.)

Question 53 (medium, multiple choice)

Refer to the exhibit. Macro definition:

```
define my_summary($index, $time_range) [search index=$index$ earliest=$time_range$ latest=now | stats count by sourcetype | rename count as total]
```

The macro is called as:

```
| `my_summary(main, -1h)`
```

The admin calls the macro as shown. What will be the expanded search string?

Question 54 (hard, multiple choice)

Refer to the exhibit. An admin has created a CIM data model for web traffic with the following acceleration configuration:

```
{
  "acceleration": {
    "enabled": true,
    "max_time": "1d",
    "earliest_time": "-7d",
    "summaries": [
      {"period": "5m", "search": "..."},
      {"period": "1h", "search": "..."}
    ]
  }
}
```

The admin notices that a search using `| tstats` against this data model only returns results for the past 24 hours, not the full 7 days expected. What is the most likely reason for this behavior?

Question 55 (easy, multiple choice)

Refer to the exhibit. An administrator is troubleshooting a macro that is not working. The macro definition is:

```
define current_users() [ | rest /services/authentication/users | table title email ]
```

When the macro is called via ``|`current_users()` ``, an error appears: "Error in '| rest' command: The requested URL was not found." What is the most likely cause of this error?

Question 56 (easy, multiple choice)

A Splunk administrator wants to create a reusable search component that accepts a sourcetype and a time range. What is the correct method to define this in Splunk?

Question 57 (medium, multiple choice)

A user reports that a macro named `my_macro` is not expanding in a search. The macro is defined in a private app called 'App_A'. The user is running the search in a different app called 'App_B'. What is the most likely cause of the issue?

Question 58 (hard, multiple choice)

A user defined a macro that includes a lookup command. The macro works correctly in ad-hoc searches. However, when the macro is used in a scheduled saved search, the macro fails to expand. The administrator confirms the macro is shared globally. What is the most likely cause of this failure?

Question 59 (easy, multiple choice)

Which Common Information Model (CIM) data model is appropriate for standardizing authentication events?

Question 60 (medium, multiple choice)

A Splunk administrator needs to schedule a saved search to run every second Friday at 10:00 AM. Which cron expression should be used?

Question 61 (hard, multiple choice)

An administrator defines a macro that calls another macro. Both macros are defined in the same app. The first macro works correctly, but when executed, it triggers an error: 'Recursive macro call detected'. What is the most likely cause?

Question 62 (easy, multiple choice)

In the CIM, which field is commonly used to identify the user responsible for an authentication event?

Question 63 (medium, multiple choice)

A saved search is configured to run every 5 minutes and send an alert when the count of failures exceeds 10. After several days, users report they are not receiving alerts even though failures are occurring. The saved search runs successfully and produces results. What is the most likely cause?

Question 64 (hard, multiple choice)

A Splunk administrator uses a macro to normalize firewall logs into the CIM Network Traffic data model. The macro includes a field alias that maps `bytes_sent` to `bytes_out`. The mapping works in ad-hoc searches, but when the macro is used in a summary index search, the field is not populated. What is the most likely reason?

Question 65 (medium, multi select)

Which TWO of the following are valid considerations when defining macros in Splunk?

Question 66 (hard, multi select)

Which THREE of the following are required steps to properly schedule a saved search for summary indexing that runs a macro?

Question 67 (easy, multi select)

Which THREE are components of the Common Information Model (CIM) in Splunk?

Question 68 (easy, multiple choice)

A Splunk admin wants to create a macro named `filter_by_app` that accepts an application name as an argument and returns a search string filtering by that application. The application name may contain spaces. Which of the following correctly defines the macro's arguments and usage?

Question 69 (medium, multiple choice)

An administrator configures a saved search that uses a macro to generate a summary index every hour. The macro includes a time range argument with default value `earliest=-1h@h latest=@h`. The saved search does not pass any time range argument, so the default is used. After a few days, the summary index is missing data for the last hour of each day. What is the most likely cause?

Question 70 (hard, multiple choice)

A security team uses the CIM 'Authentication' data model to investigate failed logins. They have enabled acceleration on the data model and set a summary range of '1d'. After one week, searches against the data model are still slow and use the `search` command instead of `tstats`. What should they check first?

Question 71 (easy, multiple choice)

A Splunk administrator wants to reduce maintenance effort when the same search logic is used in multiple saved searches. Which approach is most effective?

Question 72 (medium, multiple choice)

A security analyst sets up a saved search alert to trigger when more than 100 failed logins occur in 5 minutes. To avoid alert fatigue, they want to suppress the alert if the number of failed logins is the same as the previous evaluation. Which alert action setting should they configure?

Question 73 (hard, multiple choice)

A data engineer has defined a CIM data model for 'Network_Traffic'. They have also created field aliases using `| fieldaliases` to map custom fields like `src_ip` and `dest_ip` to the CIM fields. When running searches against the data model, some events do not appear. The engineer verified that the tags are correctly applied. What is the most likely remaining issue?

Question 74 (easy, multiple choice)

An analyst creates a macro that uses `| inputlookup` to validate a macro argument. Which statement about macro validation is true?

Question 75 (medium, multiple choice)

A systems engineer creates a summary index using a saved search that runs every 30 minutes. The summary index aggregates data from multiple sourcetypes. After a week, the engineer notices that the summary index contains duplicate events for certain time ranges. What is the most likely cause?

Question 76 (hard, multiple choice)

A performance analyst notices that a saved search running a macro with multiple `| eval` statements takes significantly longer than expected. The macro includes conditions like `| eval status=if(success=="true", "OK", "Fail")`. Which change would most likely improve performance?

Question 77 (medium, multi select)

Which TWO of the following are valid ways to define macro arguments in Splunk? (Select exactly 2.)

Question 78 (hard, multi select)

Which THREE of the following are true considerations when using CIM data model acceleration? (Select exactly 3.)

Question 79 (medium, multi select)

Which TWO best practices should be followed when creating saved searches that use macros? (Select exactly 2.)

Question 80 (hard, multiple choice)

A large organization uses Splunk to monitor its network infrastructure. They have a single saved search that runs every hour to create a summary index for each of the 50 network device sourcetypes. The saved search uses a macro named `build_network_summary` that accepts two arguments: `sourcetype` and `time_range`. The macro definition is:

```
[build_network_summary]
definition = index=network sourcetype=$sourcetype$ earliest=$time_range$ latest=now | stats count by src_ip, dest_ip, protocol | collect index=network_summary
args = sourcetype, time_range
iseval = 0
```

The saved search iterates over the 50 sourcetypes using a separate lookup or list. Recently, the security team noticed that the network_summary index is missing data for certain sourcetypes, specifically those with hyphens in their names (e.g., `cisco-asa`, `juniper-srx`). For other sourcetypes, the summary is complete. The saved search runs without errors in Splunk's job inspector. Which course of action should the administrator take to resolve the issue?

Question 81 (easy, multiple choice)

A user reports that a macro named `my_macro` is not working in a search. The macro is defined with no arguments and uses a simple search string. What is the most likely issue?

Question 82 (medium, multiple choice)

An engineer wants to create a saved search that runs every hour and searches against 90 days of data. To optimize performance, they should...

Question 83 (hard, multiple choice)

A security analyst is trying to normalize authentication data from multiple sources using CIM. After mapping sourcetypes to the Authentication data model, the CIM acceleration dashboard shows no data. The data model acceleration is enabled and has completed building. What is the most likely cause?

Question 84 (medium, multiple choice)

A team develops multiple dashboards that share common search logic. What is the best practice for managing these searches?

Question 85 (easy, multiple choice)

An alert saved search runs every 5 minutes and is set to trigger when count > 0. The alert keeps triggering repeatedly for the same events. What is the recommended solution?

Question 86 (medium, multi select)

When designing a macro for use across multiple dashboards, which two considerations are important? (Choose TWO.)

Question 87 (hard, multi select)

A saved search that runs every hour is showing 'No results' in its history, but the same search when run manually returns results. Which two of the following are likely causes? (Choose TWO.)

Question 88 (easy, multi select)

Which three of the following are benefits of using the Common Information Model (CIM)? (Choose THREE.)

Question 89 (medium, multiple choice)

A company has over 2000 saved searches that are used across multiple teams. Each team has its own app, and many searches share common logic, such as filtering by a specific index or time range. The system is experiencing slow search performance and difficulty in managing changes. The administrator wants to improve maintainability and performance. Which action would best address these issues?

Question 90 (hard, multiple choice)

An organization has implemented the Splunk Common Information Model (CIM) for their security data. They have mapped several sourcetypes to the Authentication data model and enabled data model acceleration. However, the CIM dashboard shows no data even though searches against the raw data return results. The admin checks the data model acceleration settings and sees that the acceleration is enabled and has completed building. What is the most likely issue?

Question 91mediummultiple choice

A Splunk admin created a macro named `filter_by_region` that takes one argument: the region code. The macro definition is: `index=main sourcetype=web region=$region$`. When a user runs the search `` | `filter_by_region US` `` they get no results, but when they replace the macro with the actual string `index=main sourcetype=web region=US`, they get results. What is the problem?

Question 92 (hard, multiple choice)

A saved search alert is configured to run every 10 minutes and trigger when the count of error events exceeds 5. The search returns results when run manually, but the alert never triggers. The admin checks the alert history and sees entries for the previous runs but all show 'Trigger: False'. They also confirm that the search returns count > 5 for those periods. What is the likely cause?

Question 93 (medium, multiple choice)

After upgrading Splunk to a new version, the Security team notices that the CIM Authentication dashboard is showing a much lower number of events than before. They verify that the data is still being indexed and that the sourcetype mappings to the Authentication data model are unchanged. The admin runs a search against the data model and sees some fields are missing. What is the most likely cause of the issue?

Question 94 (easy, multiple choice)

A Splunk admin is tasked with creating a set of macros that will be used by multiple app developers to standardize searches across the organization. The macros need to accept parameters such as index, sourcetype, and time range. Some macros will be complex and include subsearches. Which approach should the admin take to ensure maximum reusability and maintainability?

Question 95 (easy, multiple choice)

A team wants to create a dashboard that displays daily user activity over the past 30 days. The underlying data is voluminous (hundreds of millions of events per day). They need the dashboard to load quickly. The admin considers two options: using a summary index with a scheduled search to pre-compute the daily counts, or using data model acceleration on a CIM data model. Which approach is most appropriate for this specific requirement?

Question 96 (easy, multi select)

Which TWO of the following are valid ways to define arguments in a Splunk macro?

Question 97 (medium, multiple choice)

Refer to the exhibit. An analyst executes the following search: `| filter_status(status_code=500)`. What will be the result?

Exhibit

```ini
[filter_status]
args = status_code
definition = search index=web status=$arg1$ | stats count by status
```

Question 98 (hard, multiple choice)

GlobalTech runs Splunk Enterprise Security with CIM compliance. Their security operations center uses a scheduled saved search named 'Brute Force Detection' that runs every 30 minutes. The search definition is: `| tstats count from datamodel=Authentication where Authentication.action=failure by Authentication.user, Authentication.src | where count > 5 | join type=outer user [search index=* sourcetype=linux_secure | stats count by user | where count > 5]`. This search has been working for months. Recently, after an upgrade to the Splunk environment, the saved search started returning no results. The administrator checks the search log and sees that the tstats portion runs fine but the secondary search (the subsearch) returns no events even though there are matching events in the index. The subsearch uses a macro named 'get_failed_users' defined as `search index=* sourcetype=linux_secure "Failed password" | stats count by user | where count>5` with no arguments. The administrator confirms that the macro's search works when run manually in the same time range. What is the most likely reason the subsearch returns no results?
