Practice SPLK-1002 Basic Searching and Transforming Commands questions with full explanations on every answer.
1. A security analyst needs to identify the top 5 source IP addresses generating the most web traffic. Which command should be used?
2. An administrator wants to count events by status code and show only codes with more than 100 events. Which search correctly accomplishes this?
3. A search returns events with a field 'duration' in milliseconds. The analyst wants to create a new field 'duration_sec' that divides duration by 1000. Which command accomplishes this?
4. A search returns 1,000 events. The analyst wants to see the first 10 events sorted by the '_time' field in descending order. Which search is correct?
5. An analyst wants to remove duplicate events based on the 'user' field, keeping only the first occurrence. Which command should be used?
6. A search includes the command '| stats dc(user) by host'. What does this command return?
7. Which TWO commands can be used to filter events based on a field value? (Choose two.)
8. Which THREE of the following are valid uses of the 'eval' command? (Choose three.)
9. How many events will be output by this search?
10. What is the purpose of this search?
11. A large e-commerce company uses Splunk to monitor their web application. The operations team has noticed that the search for tracking user sessions is taking too long and consuming excessive resources. The current search is: index=web sourcetype=access_combined | stats count by clientip, sessionid, productid | sort - count The index contains over 10 billion events per day. The team wants to reduce the search time while still being able to identify the top 10 most active sessions (combinations of clientip and sessionid) that involve more than 5 product views. They also need to exclude any sessions that originated from internal IPs (10.0.0.0/8). Which approach would achieve this most efficiently?
12. Which TWO of the following statements about the `stats` command in Splunk are correct? (Choose two.)
13. Refer to the exhibit. A security analyst runs the search and sees the result table. The analyst wants to see only the top 3 URI paths with their counts, without the percentage column. Which command modification achieves this?
14. A junior Splunk user is tasked with investigating slow search performance in a large Splunk environment. The user runs a search over a week of data from the main index (containing 500 GB of data per day) using the following command: `index=main | search error | stats count by host`. The search takes over 10 minutes to complete. The user wants to improve search performance while still getting accurate results. Which of the following actions should the user take first?
15. Which three of the following are valid uses of the `stats` command in Splunk? (Choose three.)
16. Which three of the following statements about the `eval` command in Splunk are correct? (Choose three.)
17. Which of the following statements about the `top` and `rare` commands in Splunk are correct? Choose all that apply. (There are four correct answers.)
18. Drag and drop the steps to configure a Splunk forwarder to send data to an indexer into the correct order.
19. Drag and drop the steps to create a Splunk dashboard with a single panel into the correct order.
20. Match each Splunk role to its typical permission scope.
21. Match each Splunk license type to its description.
22. An analyst wants to find all events where the field 'status' is not 200. Which search is correct?
23. A user runs a search that returns thousands of results. They need to see only the first 100 events after sorting by time descending. Which command should they use?
24. A search uses `eval memory_MB = memory_bytes / 1024 / 1024`. The field memory_bytes contains values like '2,048,000'. The resulting memory_MB field is often null. What is the most likely cause?
25. Which TWO of the following commands can be used to create a new field from existing fields?
26. Which THREE of the following are valid uses of the stats command?
27. Which TWO of the following commands will return exactly one result row when there is at least one event?
28. Refer to the exhibit. A user runs this search. The results show only Error and Warning, but no Info. What is the most likely reason?
29. Refer to the exhibit. A user runs this search and gets 10 results as expected. However, they want to see the top 10 hosts for the past week. The search still returns results, but the counts are lower than expected. What is the most likely reason?
30. Refer to the exhibit. The search runs but the user field is not modified. What is the most likely cause?
31. A security analyst needs to find the number of failed login attempts per user in the last hour. The events contain a field 'result' with value 'failure'. Which search is correct?
32. A user wants to see the top 5 most common values of the 'action' field in the web access logs. Which command should be used?
33. An analyst runs the search `index=web | stats count by status | sort - count` and wants to show only status codes with count greater than 100. Which command should be added before the sort?
34. A team needs to calculate the average response time for each URL path from web server logs. The response time is in a field 'duration'. Which search is correct?
35. A search returns events with a field 'ip' that contains both IPv4 and IPv6 addresses. An analyst wants to count events for each IP type (IPv4 vs IPv6). Which command should be used to create a new field that categorizes the IP type?
36. A search `index=main | top limit=10 user | fields - percent` is running slowly on a large dataset. Which change would likely improve performance the most?
37. An analyst needs to find the count of events by source type for each day in the past week, but only for source types with more than 1000 events. Which search is correct?
38. An analyst runs a search that returns 10,000 events. They want to see the distribution of the 'status' field across the 'method' field. Which command should be used?
39. A user wants to remove duplicate events based on the 'transaction_id' field, keeping only the first occurrence. Which command is appropriate?
40. Which two of the following search commands are transforming commands? (Choose two.)
41. Which two components are required to create a time-based chart of average CPU usage per host over the last 4 hours? (Choose two.)
42. Which three of the following are valid ways to filter events before a transforming command? (Choose three.)
43. Refer to the exhibit. An analyst runs this search and expects to see a table of status codes with their counts, filtered to those with count greater than 100. The search returns zero results even though there are many events. What is the most likely reason?
44. Refer to the exhibit. A security analyst runs this search and gets two rows: threat_level 'high' and 'low'. However, many events have threat_score between 60 and 90 that are not captured. How should the search be modified to include a 'medium' category?
45. Refer to the exhibit. An analyst wants to see the top 10 most visited URI paths, but the result also includes a 'percent' column. To remove the percent column, which command should be added?
46. A security analyst needs to find the number of failed login attempts per user. Which command group should be used?
47. A user wants to see the top 10 source IP addresses generating 404 errors. Which SPL is correct?
48. An analyst runs: index=app sourcetype=log ERROR | stats count by host | where count > 5. What is the function of the where command in this search?
49. A user needs to create a report showing the average response time per endpoint for the last hour. Which command would produce this result?
50. A large enterprise uses Splunk to monitor 500+ servers. A search returns results slowly due to high data volume. Which best practice can improve performance when using the top command?
51. An analyst wants to find events where the field 'user' is not present. Which search correctly identifies such events?
52. A user needs to see the trend of login failures over the past 7 days, broken down by hour. Which command should be used?
53. A search returns many duplicate events due to data source redundancy. Which command can remove duplicate events based on a specific field?
54. An analyst executes the following search: index=main sourcetype=access | stats dc(user) by host. What does dc(user) do?
55. Which TWO commands can be used to create a chart that shows the count of events over time?
56. Which THREE of the following are transforming commands in Splunk?
57. Which TWO factors should be considered when deciding to use the rare command instead of top?
58. Refer to the exhibit. What will be the output of this search?
59. A medium-sized company uses Splunk to monitor its e-commerce platform. The platform generates around 10 million events per day from web servers, application logs, and databases. The security team wants to identify the top 10 IP addresses that trigger the most 403 Forbidden errors in the last 24 hours. However, when they run the search: index=ecom sourcetype=web status=403 | top src_ip, the search takes over 5 minutes to complete and sometimes times out. The team needs a faster approach that still accurately identifies the top IPs. The team's Splunk environment uses indexers and a search head. The data is not accelerated. What should the team do to improve search performance?
60. A large financial institution uses Splunk to consolidate logs from thousands of ATMs. Each ATM sends a heartbeat event every 5 minutes containing fields: atm_id, timestamp, status (OK or ERROR), and firmware_version. The operations team wants to find the number of ATMs that have reported at least one ERROR status in the last hour. The initial search is: index=atm sourcetype=heartbeat status=ERROR | dedup atm_id | stats count. However, this search returns a count that is too high because some ATMs report multiple errors within the hour. The team needs an accurate count of ATMs that had any error, regardless of how many error events each ATM generated. The search must be efficient due to the high volume of events. Which approach should be used?
61. A user wants to find events where the status code is 500 or 503 and the response time is greater than 2 seconds. Which TWO SPL commands will correctly limit the results to only these events?
62. A security analyst uses Splunk to ingest firewall logs from multiple locations. The index is 'firewall' and the sourcetype is 'fw_log'. Each event contains fields: src_ip, dest_ip, action, bytes, and time. The analyst needs to find how many unique source IPs have been logged in the last hour to report potential scanning activity. The search should be efficient and accurate, returning only the total count of distinct source IPs. Which search accomplishes this?
63. A network operations team uses Splunk to monitor netflow data stored in index='net' and sourcetype='netflow'. The events contain fields: src_ip, dest_ip, bytes, and protocols. The team needs to identify the top 5 source IPs by total bytes transferred (based on the bytes field). For each of those top source IPs, they also want to list the destination IPs and the number of times they communicated. The data volume is large, so performance is important. Which SPL approach returns the desired results efficiently?
64. A Splunk administrator is troubleshooting a slow search on firewall logs. The index is 'firewall', sourcetype is 'cisco:asa', and there is about 500 GB of data per day. The search is: index=firewall sourcetype=cisco:asa action=block | stats count by src_ip | where count > 1000. This search takes over 5 minutes to return results. The administrator needs the same results faster. The index has a data model named 'firewall_dm' that is accelerated with a summary range of 7 days. Which change to the search will improve performance the most while still returning the same results?
65. Refer to the exhibit. A user runs the search and gets no results. Which is the most likely cause?
66. Refer to the exhibit. The search returns no results. What is the most likely reason?
67. Refer to the exhibit. A user gets an error: 'Error in 'where' command: The field 'count' is not a numeric type.' What is the issue?
68. Refer to the exhibit. The search returns zero results. What is a likely cause?
69. Refer to the exhibit. The search returns only events where src_zone is 'external'. What is the problem?
The Basic Searching and Transforming Commands domain covers the key concepts tested in this area of the SPLK-1002 exam blueprint published by Splunk. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all SPLK-1002 domains — no account required.
The Courseiva SPLK-1002 question bank contains 69 questions in the Basic Searching and Transforming Commands domain. Click any question to see the full explanation and answer breakdown.
Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.