Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.


Data Models and Best Practices

Practice SPLK-1002 Data Models and Best Practices questions with full explanations on every answer.

87 questions


All SPLK-1002 Data Models and Best Practices questions (87)


1. A security analyst needs to create a data model for authentication logs that allows both event counts and average duration calculations. The data model should support fast search performance. Which approach best follows Splunk best practices for data model design?

2. A Splunk administrator notices that a data model acceleration summary is not updating as expected. The data model is accelerated with a summary range of 30 days. What is the most likely cause of this issue?

3. A large enterprise has multiple Splunk indexers and is using data model acceleration to speed up dashboards. The dashboards are slow despite acceleration being enabled. The data model has many root events and child datasets. Which best practice should the administrator consider to improve performance?

4. An analyst wants to create a data model that includes fields from both web server logs and database logs. The two sourcetypes have different timestamp formats. Which best practice should the analyst follow when designing the data model?

5. A user reports that a data model acceleration is consuming excessive disk space on the indexer. The data model has a summary range of 90 days. Which action is best to reduce disk space usage while maintaining acceptable query performance?

6. During a data model acceleration build, the following error appears in splunkd.log: 'Data model acceleration: not enough memory to complete summary build.' Which best practice should the administrator implement to prevent this error?

7. A Splunk administrator is designing a data model for network traffic logs. The logs contain source IP, destination IP, bytes transferred, and protocol. The administrator wants to create a root event that counts connections and a child transaction that sums bytes per session. Which constraint type should be used for the root event?

8. Which TWO are best practices for creating data models in Splunk? (Choose two.)

9. Which THREE are valid considerations when troubleshooting data model acceleration? (Choose three.)

10. Which TWO are benefits of using data model acceleration? (Choose two.)

11. You are a Splunk administrator at a financial services company. The company has a distributed Splunk environment with 10 indexers and 2 search heads. You have created a data model named 'transaction_analytics' to analyze financial transactions. The data model is accelerated with a summary range of 7 days. Recently, users have reported that dashboards using this data model are extremely slow, sometimes timing out. You check the acceleration status and see that the summary is 'Building' but never completes. The splunkd.log on the search head shows repeated messages: 'Data model acceleration: query timed out after 300 seconds.' The base search for the data model is: index=transactions sourcetype=fin_events | eval risk_score=if(amount>10000, 'high', 'low') | fields transaction_id, user, amount, risk_score, _time. The data model has one root event with two child datasets: one for high-risk transactions and one for low-risk transactions. The total data volume is about 500 GB per day. The indexer where the summary is built has 16 GB of RAM and the search head has 32 GB. What is the best course of action to resolve the acceleration build timeout?

12. A security team wants to create a data model to analyze authentication events from multiple sources (Windows Event Log, Linux syslog, and VPN logs). The data model should normalize the fields for user, source IP, and action (success/failure). Which Splunk best practice should be applied when designing this data model?

13. A Splunk administrator notices that a data model acceleration summary is consuming excessive disk space on the indexers. The data model is used for a dashboard that refreshes every 30 minutes. What is the best course of action to reduce disk usage while maintaining dashboard performance?

14. Which TWO statements about designing Splunk data models are correct? (Choose two.)

15. Refer to the exhibit. A Splunk user is building a data model for Apache error logs. The configuration above extracts an error_type field. However, when previewing data in the data model, the error_type field is not available. What is the most likely cause?

16. A large e-commerce company uses Splunk to monitor its web application. They have a data model named 'Web_Transactions' that contains fields: status_code, response_time, uri, user_agent. The data model is accelerated with a 30-day time range. Recently, the operations team reported that the dashboard showing average response time by URI is loading slowly, taking over 30 seconds to display. Upon investigation, you find that the data model acceleration summary job is taking longer to complete and sometimes fails. The indexers have sufficient CPU and memory, but the disk I/O is high during the summary job. The volume of web logs is approximately 500 GB per day. Which action should the Splunk administrator take to improve dashboard performance?

17. Which TWO of the following are best practices when creating and using data models in Splunk?

18. Refer to the exhibit. A user runs the search shown. The search returns results, but the user wants to use a data model to make future searches faster and more consistent. Which data model should the user select and what is the correct acceleration setting?

19. You are a Splunk administrator for a large e-commerce company. The security team frequently runs searches against the web access logs (sourcetype=access_combined) to investigate suspicious activity. These searches often take 5-10 minutes to complete, and the team is frustrated. You decide to implement a data model to accelerate these searches. After creating a data model based on the CIM Web model and enabling acceleration for the 'Web' dataset, you notice that the acceleration summary size grows to over 50 GB and the rebuild process takes more than an hour every night, causing some searches to time out during the rebuild window. What is the most effective way to address this issue?

20. Which three of the following are best practices when working with Data Models in Splunk? (Choose three.)

21. Which three options describe recommended practices for optimizing and maintaining data model acceleration? (Choose three.)

22. Which four of the following are best practices for working with data models in Splunk? (Choose four.)

23. Drag and drop the steps to add a new data input using Splunk Web (e.g., monitor a log file) into the correct order.

24. Drag and drop the steps to perform a Splunk software upgrade using the CLI into the correct order.

25. Match each data input type to its description.

26. Match each index type to its purpose.

27. Which of the following is required to use data model acceleration for a Pivot report?

28. A user wants to use the Pivot interface to analyze web traffic data. Which data model should they select?

29. When tagging events in Splunk to map them to a data model, which tag is used to associate events with a specific data model dataset?

30. A data model has been accelerated but some Pivot reports are showing incomplete data. What is the most likely cause?

31. Which of the following is a best practice when creating custom data models?

32. An administrator notices that a data model is not appearing in the Pivot interface. What is a possible reason?

33. A team has created a data model based on sourcetypes from different sources. Some fields are not populating correctly in Pivot. Which of the following is the most effective troubleshooting step?

34. When designing a data model for heterogeneous log sources, which approach minimizes field conflicts?

35. A user wants to create a Pivot report that counts failed login attempts by user and hour. Which data model dataset and fields are most appropriate?

36. Which TWO actions should be taken to optimize data model acceleration?

37. Which THREE statements about data model normalization are correct?

38. Which TWO are best practices for designing data models in Splunk?

39. Refer to the exhibit. What does this search do?

40. Refer to the exhibit. A data model named 'Web' is built on sourcetype 'web_access'. A user reports that the timestamp field is not being extracted correctly in the data model. What is the most likely issue?

41. Refer to the exhibit. An administrator configures a default stanza in props.conf to assign the Authentication data model to all sourcetypes. Which issue might arise?

42. A user notices that a data model is not updating with recent events. The data model acceleration is enabled and the summary range is set to 30 days. Which action should the admin take to ensure the accelerated data model includes data from the last hour?

43. A security team needs to track authentication events across multiple sources: Windows Security logs, Linux /var/log/auth.log, and network authentication events. They want to create a single data model covering all authentication events with consistent field names. Which best practice should they follow?

44. An admin wants to allow power users to search against a data model but prevent them from modifying its definition. Which permission setting should the admin configure?

45. An analyst wants to count the number of failed login attempts from a specific user using an accelerated data model named 'Authentication'. The data model has a dataset 'Failed_Authentication'. Which SPL query should they use?

46. A data model for web traffic has a child dataset 'Error_Pages' that should only include events with status code 5xx. The admin wants to ensure that when the data model is used with tstats, only these events are searched. Which definition should they use in the data model?

47. An admin runs '| datamodel App_State' and receives the error 'No data model named 'App_State''. Which of the following is the most likely cause?

48. A data model is set to accelerate with a summary range of 90 days. After some time, the administrator notices that the acceleration is using significant disk space. Which strategy would best reduce disk usage without losing the ability to quickly query the last 30 days of data?

49. A data model 'Network_Traffic' currently has a single root dataset 'Traffic'. The administrator wants to add a child dataset 'Firewall_Logs' that only contains events from sourcetype=firewall. The admin also wants 'Firewall_Logs' to inherit all fields from 'Traffic'. Which approach should they follow?

50. An administrator wants to list all data models in the current app and see their acceleration status. Which command should they use?

51. Which TWO of the following are best practices when designing data models in Splunk?

52. Which THREE of the following statements about data model acceleration are true?

53. Which THREE of the following are valid reasons to use data models instead of raw searches?

54. Refer to the exhibit. An admin is trying to accelerate this data model, but receives an error: 'Data model 'Authentication' has no constraints.' What is the most likely cause?

55. Refer to the exhibit. An admin sees that the Web_Traffic data model is accelerated but shows 'Summaries require rebuild'. What does this status indicate?

56. Refer to the exhibit. An analyst receives this error when running a tstats search. Which of the following is the most likely cause?

57. A security analyst wants to accelerate a frequently run search that uses the `Authentication` data model. Which best practice should they follow to ensure the acceleration consumes minimal disk space?

58. A team is designing a data model for IT operations. They have fields like `src_ip`, `dest_ip`, `user`, and `action`. Which best practice should they follow when naming the root event dataset?

59. An administrator notices that a data model with acceleration is not returning results for a specific time range. The search uses the `| datamodel` command. The summary range is set to 30 days. What is the most likely cause?

60. An analyst creates a pivot from the `Authentication` data model. Which of the following is a valid reason to use a pivot instead of a search?

61. During data model creation, an administrator adds a calculated field that concatenates `src_ip` and `dest_ip` with a hyphen. Which of the following is a best practice for calculated fields in data models?

62. A search using `| datamodel All_Web data=Web search` returns a large number of results quickly, but the analyst notices the results are inconsistent with a manual search over the same time range. What is the most likely issue?

63. A data model includes a root event called `Authentication` with a constraint `action=*`. Which of the following is a valid reason to add a child dataset?

64. An organization wants to build a data model that includes data from multiple sourcetypes. Which best practice should they follow regarding field definitions?

65. An administrator reports that a data model acceleration job is consistently failing for a root event with a large dataset. What is the most likely cause?

66. Which TWO of the following are best practices when creating a data model in Splunk? (Choose two.)

67. Which THREE of the following are valid considerations when accelerating a data model? (Choose three.)

68. Which TWO of the following are common pitfalls when using data models that can lead to inaccurate pivot results? (Choose two.)

69. A new Splunk admin wants to reduce the time it takes to run reports on a large dataset. They have enabled acceleration on a data model. Which of the following is a best practice to maximize acceleration benefits?

70. A user notices that a data model designed for web server logs is not showing any events in the 'Web' object, even though the underlying logs are searched correctly with a normal search. The root events are pulling from the 'main' index, and the data model uses constraints. Which of the following is the most likely cause?

71. A Splunk admin is troubleshooting a slow report that uses an accelerated data model. The report uses tstats commands and filters on a field that is not a constraint field in the data model. Which of the following best explains why the report is slow?

72. An organization wants to define a data model that represents transaction-level data from multiple source types, including web logs and application logs. They need to ensure that the data model is scalable and easy to maintain. Which best practice should the admin follow when designing this data model?

73. A Splunk user has created a data model for firewall logs and wants to use it to generate a report showing top source IPs. They attempt to run a search using the data model but receive no results, even though a simple search over the same index returns many events. What is the most likely cause?

74. A company has a data model for email logs that includes a calculated field named 'sentiment_score' derived from a lookup. The data model is accelerated, but some reports using |tstats with 'sentiment_score' are returning incorrect values. What is the most likely reason?

75. A Splunk admin wants to ensure that data models are built efficiently and do not consume excessive resources. Which of the following is a best practice when creating data models?

76. Which THREE of the following are best practices when designing data models in Splunk?

77. Which TWO of the following are valid ways to create a data model in Splunk?

78. Which THREE of the following are components of a data model in Splunk?

79. You are a Splunk administrator for a large e-commerce company. The company ingests approximately 500 GB of web server logs per day into a single index named 'web_logs'. A data model named 'Web_Transactions' has been created to analyze user browsing behavior. The data model has a root event with no constraints, and three child objects: 'Page_Views', 'Searches', and 'Purchases'. Each child object has a constraint based on a key-value pair in the logs: e.g., 'action=view', 'action=search', 'action=purchase'. The data model is accelerated with a 7-day summary, but reports that query specific child objects are taking over 10 minutes to return. The reports use |tstats and filter on common fields like 'user_id' and 'session_id'. The admin suspects the acceleration summary is too large. Which of the following actions will most effectively reduce report latency while maintaining the ability to analyze all three transaction types?

80. You are working as a Splunk consultant for a financial services firm. They have multiple data sources: application logs, database audit logs, and network firewall logs. The security team needs to correlate events across these sources to detect potential fraud. You decide to create a data model named 'Security_Events'. The data model will be used with tstats for real-time dashboards. The logs vary in volume: application logs are 200 GB/day, audit logs are 50 GB/day, and firewall logs are 100 GB/day. The firm wants to optimize performance and storage. The data model currently has one root event with no constraints and three child objects with constraints based on sourcetype. The admin is concerned about acceleration storage costs. Which of the following is the best approach to balance performance and storage?

81. A small business uses Splunk to monitor their point-of-sale (POS) system. They have a data model named 'POS_Transactions' that is not accelerated. The owner wants to create a simple dashboard showing daily sales totals. They write a search using |tstats against the data model, but it returns 'No events found'. A plain search over the same index returns expected results. What should the owner do to resolve this?

82. You are an admin for a large healthcare organization that uses Splunk for compliance monitoring. You have a data model named 'Patient_Access' that tracks access to patient records. The data model includes fields like 'employee_id', 'patient_id', 'access_time', and 'action'. The data model is accelerated with a 30-day summary. Recently, a new compliance report requires filtering on a field named 'department', which is not currently part of the data model. You add 'department' as a new field to the root event of the data model. After this change, reports using the data model become slower. The data model's acceleration summary size has significantly increased. What is the most likely reason for the slowdown?

83. A media company uses Splunk to analyze user engagement across their website. They have a data model named 'User_Actions' with two child objects: 'Page_Views' and 'Clicks'. The data model is accelerated. The marketing team creates a report that uses |tstats to count the number of 'Page_Views' per user_id. The results seem low compared to an equivalent search using |search. Upon investigation, you find that the 'Page_Views' object has a constraint that filters events where 'event_type=page_view'. The base search returns many events with 'event_type=Page View' (note the space). What is the issue and the correct fix?

84. A large e-commerce company ingests 10 TB/day of web access logs into Splunk. They have enabled the CIM-compliant Web data model and created data model acceleration with a 90-day range. Users run reports using pivot to analyze HTTP status codes, client IPs, and URIs. Recently, two issues arose: (1) Pivot reports are returning incomplete or outdated results, sometimes missing data from the last few hours. (2) Acceleration summary size has ballooned to over 500 GB, causing search head performance degradation. The Splunk admin suspects that data model acceleration is not configured optimally. Upon inspection, the Web data model's root search contains a complex filter with multiple eval commands and lookups, and the acceleration time range is set to the same 90 days as the summary range. The admin also notices that the data model is defined as non-time-based, even though the events have timestamps and the pivot often uses time ranges. What is the best course of action to resolve both issues while maintaining accuracy and performance?

85. Which two of the following are best practices when designing Splunk data models? (Choose two.)

86. Refer to the exhibit. A Splunk admin runs a search using the 'Authentication' data model and notices that the search does not use the acceleration summaries. The admin confirms that acceleration is enabled and the summary range is set correctly. What is the most likely reason for the acceleration being ignored?

87. A financial services company uses Splunk to monitor authentication logs from 500 remote servers. They created a data model named 'Authentication' with 15 fields including 'user', 'src_ip', 'dest_ip', 'action', and 'status'. They enabled acceleration with a summary range of 1 day and set the maximum search time range to 30 days. After one month of operation, searches against the data model that used to complete in seconds now time out after 60 seconds. The average daily log volume is 10 GB. The admin runs | datamodel Audit and discovers that the summary size is approximately 5 GB per day, which is similar to the raw data index size. The search head has 16 GB RAM and 4 CPU cores, and no other resource issues are observed. What is the most likely cause of the performance degradation?


Other SPLK-1002 exam domains

Splunk Basics and Interface Navigation
Basic Searching and Transforming Commands
Using Fields and Lookups
Creating Reports, Dashboards and Visualizations

Frequently asked questions

What does the Data Models and Best Practices domain cover on the SPLK-1002 exam?

The Data Models and Best Practices domain covers the key concepts tested in this area of the SPLK-1002 exam blueprint published by Splunk. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all SPLK-1002 domains — no account required.

How many Data Models and Best Practices questions are in the SPLK-1002 question bank?

The Courseiva SPLK-1002 question bank contains 87 questions in the Data Models and Best Practices domain. Click any question to see the full explanation and answer breakdown.

What is the best way to practice Data Models and Best Practices for SPLK-1002?

Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.

Can I practice only Data Models and Best Practices questions for SPLK-1002?

Yes — the session launcher on this page draws questions exclusively from the Data Models and Best Practices domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.
