Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.

SPLK-1002 · Free — No Signup

Basic Searching and Transforming Commands

Practice SPLK-1002 Basic Searching and Transforming Commands questions with full explanations on every answer.

69 questions
SPLK-1002 Domains

- Splunk Basics and Interface Navigation
- Basic Searching and Transforming Commands
- Using Fields and Lookups
- Creating Reports, Dashboards and Visualizations
- Data Models and Best Practices

All SPLK-1002 Basic Searching and Transforming Commands questions (69)

1. A security analyst needs to identify the top 5 source IP addresses generating the most web traffic. Which command should be used?
2. An administrator wants to count events by status code and show only codes with more than 100 events. Which search correctly accomplishes this?
3. A search returns events with a field 'duration' in milliseconds. The analyst wants to create a new field 'duration_sec' that divides duration by 1000. Which command accomplishes this?
4. A search returns 1,000 events. The analyst wants to see the first 10 events sorted by the '_time' field in descending order. Which search is correct?
5. An analyst wants to remove duplicate events based on the 'user' field, keeping only the first occurrence. Which command should be used?
6. A search includes the command '| stats dc(user) by host'. What does this command return?
7. Which TWO commands can be used to filter events based on a field value? (Choose two.)
8. Which THREE of the following are valid uses of the 'eval' command? (Choose three.)
9. How many events will be output by this search?
10. What is the purpose of this search?
11. A large e-commerce company uses Splunk to monitor their web application. The operations team has noticed that the search for tracking user sessions is taking too long and consuming excessive resources. The current search is: index=web sourcetype=access_combined | stats count by clientip, sessionid, productid | sort - count. The index contains over 10 billion events per day. The team wants to reduce the search time while still being able to identify the top 10 most active sessions (combinations of clientip and sessionid) that involve more than 5 product views. They also need to exclude any sessions that originated from internal IPs (10.0.0.0/8). Which approach would achieve this most efficiently?
12. Which TWO of the following statements about the `stats` command in Splunk are correct? (Choose two.)
13. Refer to the exhibit. A security analyst runs the search and sees the result table. The analyst wants to see only the top 3 URI paths with their counts, without the percentage column. Which command modification achieves this?
14. A junior Splunk user is tasked with investigating slow search performance in a large Splunk environment. The user runs a search over a week of data from the main index (containing 500 GB of data per day) using the following command: `index=main | search error | stats count by host`. The search takes over 10 minutes to complete. The user wants to improve search performance while still getting accurate results. Which of the following actions should the user take first?
15. Which three of the following are valid uses of the `stats` command in Splunk? (Choose three.)
16. Which three of the following statements about the `eval` command in Splunk are correct? (Choose three.)
17. Which of the following statements about the `top` and `rare` commands in Splunk are correct? Choose all that apply. (There are four correct answers.)
18. Drag and drop the steps to configure a Splunk forwarder to send data to an indexer into the correct order.
19. Drag and drop the steps to create a Splunk dashboard with a single panel into the correct order.
20. Match each Splunk role to its typical permission scope.
21. Match each Splunk license type to its description.
22. An analyst wants to find all events where the field 'status' is not 200. Which search is correct?
23. A user runs a search that returns thousands of results. They need to see only the first 100 events after sorting by time descending. Which command should they use?
24. A search uses `eval memory_MB = memory_bytes / 1024 / 1024`. The field memory_bytes contains values like '2,048,000'. The resulting memory_MB field is often null. What is the most likely cause?
25. Which TWO of the following commands can be used to create a new field from existing fields?
26. Which THREE of the following are valid uses of the stats command?
27. Which TWO of the following commands will return exactly one result row when there is at least one event?
28. Refer to the exhibit. A user runs this search. The results show only Error and Warning, but no Info. What is the most likely reason?
29. Refer to the exhibit. A user runs this search and gets 10 results as expected. However, they want to see the top 10 hosts for the past week. The search still returns results, but the counts are lower than expected. What is the most likely reason?
30. Refer to the exhibit. The search runs but the user field is not modified. What is the most likely cause?
31. A security analyst needs to find the number of failed login attempts per user in the last hour. The events contain a field 'result' with value 'failure'. Which search is correct?
32. A user wants to see the top 5 most common values of the 'action' field in the web access logs. Which command should be used?
33. An analyst runs the search `index=web | stats count by status | sort - count` and wants to show only status codes with count greater than 100. Which command should be added before the sort?
34. A team needs to calculate the average response time for each URL path from web server logs. The response time is in a field 'duration'. Which search is correct?
35. A search returns events with a field 'ip' that contains both IPv4 and IPv6 addresses. An analyst wants to count events for each IP type (IPv4 vs IPv6). Which command should be used to create a new field that categorizes the IP type?
36. A search `index=main | top limit=10 user | fields - percent` is running slowly on a large dataset. Which change would likely improve performance the most?
37. An analyst needs to find the count of events by source type for each day in the past week, but only for source types with more than 1000 events. Which search is correct?
38. An analyst runs a search that returns 10,000 events. They want to see the distribution of the 'status' field across the 'method' field. Which command should be used?
39. A user wants to remove duplicate events based on the 'transaction_id' field, keeping only the first occurrence. Which command is appropriate?
40. Which two of the following search commands are transforming commands? (Choose two.)
41. Which two components are required to create a time-based chart of average CPU usage per host over the last 4 hours? (Choose two.)
42. Which three of the following are valid ways to filter events before a transforming command? (Choose three.)
43. Refer to the exhibit. An analyst runs this search and expects to see a table of status codes with their counts, filtered to those with count greater than 100. The search returns zero results even though there are many events. What is the most likely reason?
44. Refer to the exhibit. A security analyst runs this search and gets two rows: threat_level 'high' and 'low'. However, many events have threat_score between 60 and 90 that are not captured. How should the search be modified to include a 'medium' category?
45. Refer to the exhibit. An analyst wants to see the top 10 most visited URI paths, but the result also includes a 'percent' column. To remove the percent column, which command should be added?
46. A security analyst needs to find the number of failed login attempts per user. Which command group should be used?
47. A user wants to see the top 10 source IP addresses generating 404 errors. Which SPL is correct?
48. An analyst runs: index=app sourcetype=log ERROR | stats count by host | where count > 5. What is the function of the where command in this search?
49. A user needs to create a report showing the average response time per endpoint for the last hour. Which command would produce this result?
50. A large enterprise uses Splunk to monitor 500+ servers. A search returns results slowly due to high data volume. Which best practice can improve performance when using the top command?
51. An analyst wants to find events where the field 'user' is not present. Which search correctly identifies such events?
52. A user needs to see the trend of login failures over the past 7 days, broken down by hour. Which command should be used?
53. A search returns many duplicate events due to data source redundancy. Which command can remove duplicate events based on a specific field?
54. An analyst executes the following search: index=main sourcetype=access | stats dc(user) by host. What does dc(user) do?
55. Which TWO commands can be used to create a chart that shows the count of events over time?
56. Which THREE of the following are transforming commands in Splunk?
57. Which TWO factors should be considered when deciding to use the rare command instead of top?
58. Refer to the exhibit. What will be the output of this search?
59. A medium-sized company uses Splunk to monitor its e-commerce platform. The platform generates around 10 million events per day from web servers, application logs, and databases. The security team wants to identify the top 10 IP addresses that trigger the most 403 Forbidden errors in the last 24 hours. However, when they run the search index=ecom sourcetype=web status=403 | top src_ip, the search takes over 5 minutes to complete and sometimes times out. The team needs a faster approach that still accurately identifies the top IPs. The team's Splunk environment uses indexers and a search head. The data is not accelerated. What should the team do to improve search performance?
60. A large financial institution uses Splunk to consolidate logs from thousands of ATMs. Each ATM sends a heartbeat event every 5 minutes containing fields: atm_id, timestamp, status (OK or ERROR), and firmware_version. The operations team wants to find the number of ATMs that have reported at least one ERROR status in the last hour. The initial search is: index=atm sourcetype=heartbeat status=ERROR | dedup atm_id | stats count. However, this search returns a count that is too high because some ATMs report multiple errors within the hour. The team needs an accurate count of ATMs that had any error, regardless of how many error events each ATM generated. The search must be efficient due to the high volume of events. Which approach should be used?
61. A user wants to find events where the status code is 500 or 503 and the response time is greater than 2 seconds. Which TWO SPL commands will correctly limit the results to only these events?
62. A security analyst uses Splunk to ingest firewall logs from multiple locations. The index is 'firewall' and the sourcetype is 'fw_log'. Each event contains fields: src_ip, dest_ip, action, bytes, and time. The analyst needs to find how many unique source IPs have been logged in the last hour to report potential scanning activity. The search should be efficient and accurate, returning only the total count of distinct source IPs. Which search accomplishes this?
63. A network operations team uses Splunk to monitor netflow data stored in index='net' and sourcetype='netflow'. The events contain fields: src_ip, dest_ip, bytes, and protocols. The team needs to identify the top 5 source IPs by total bytes transferred (based on the bytes field). For each of those top source IPs, they also want to list the destination IPs and the number of times they communicated. The data volume is large, so performance is important. Which SPL approach returns the desired results efficiently?
64. A Splunk administrator is troubleshooting a slow search on firewall logs. The index is 'firewall', sourcetype is 'cisco:asa', and there is about 500 GB of data per day. The search is: index=firewall sourcetype=cisco:asa action=block | stats count by src_ip | where count > 1000. This search takes over 5 minutes to return results. The administrator needs the same results faster. The index has a data model named 'firewall_dm' that is accelerated with a summary range of 7 days. Which change to the search will improve performance the most while still returning the same results?
65. Refer to the exhibit. A user runs the search and gets no results. Which is the most likely cause?
66. Refer to the exhibit. The search returns no results. What is the most likely reason?
67. Refer to the exhibit. A user gets an error: "Error in 'where' command: The field 'count' is not a numeric type." What is the issue?
68. Refer to the exhibit. The search returns zero results. What is a likely cause?
69. Refer to the exhibit. The search returns only events where src_zone is 'external'. What is the problem?

Other SPLK-1002 exam domains

- Splunk Basics and Interface Navigation
- Using Fields and Lookups
- Creating Reports, Dashboards and Visualizations
- Data Models and Best Practices

Frequently asked questions

What does the Basic Searching and Transforming Commands domain cover on the SPLK-1002 exam?

The Basic Searching and Transforming Commands domain covers the key concepts tested in this area of the SPLK-1002 exam blueprint published by Splunk. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all SPLK-1002 domains — no account required.

How many Basic Searching and Transforming Commands questions are in the SPLK-1002 question bank?

The Courseiva SPLK-1002 question bank contains 69 questions in the Basic Searching and Transforming Commands domain. Click any question to see the full explanation and answer breakdown.

What is the best way to practice Basic Searching and Transforming Commands for SPLK-1002?

Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.

Can I practice only Basic Searching and Transforming Commands questions for SPLK-1002?

Yes — the session launcher on this page draws questions exclusively from the Basic Searching and Transforming Commands domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.
