Practice SPLK-1002 Data Models and Best Practices questions with full explanations on every answer.
Data Models and Best Practices
1. A security analyst needs to create a data model for authentication logs that allows both event counts and average duration calculations. The data model should support fast search performance. Which approach best follows Splunk best practices for data model design?
2. A Splunk administrator notices that a data model acceleration summary is not updating as expected. The data model is accelerated with a summary range of 30 days. What is the most likely cause of this issue?
3. A large enterprise has multiple Splunk indexers and is using data model acceleration to speed up dashboards. The dashboards are slow despite acceleration being enabled. The data model has many root events and child datasets. Which best practice should the administrator consider to improve performance?
4. An analyst wants to create a data model that includes fields from both web server logs and database logs. The two sourcetypes have different timestamp formats. Which best practice should the analyst follow when designing the data model?
5. A user reports that a data model acceleration is consuming excessive disk space on the indexer. The data model has a summary range of 90 days. Which action is best to reduce disk space usage while maintaining acceptable query performance?
6. During a data model acceleration build, the following error appears in splunkd.log: 'Data model acceleration: not enough memory to complete summary build.' Which best practice should the administrator implement to prevent this error?
7. A Splunk administrator is designing a data model for network traffic logs. The logs contain source IP, destination IP, bytes transferred, and protocol. The administrator wants to create a root event that counts connections and a child transaction that sums bytes per session. Which constraint type should be used for the root event?
8. Which TWO are best practices for creating data models in Splunk? (Choose two.)
9. Which THREE are valid considerations when troubleshooting data model acceleration? (Choose three.)
10. Which TWO are benefits of using data model acceleration? (Choose two.)
11. You are a Splunk administrator at a financial services company. The company has a distributed Splunk environment with 10 indexers and 2 search heads. You have created a data model named 'transaction_analytics' to analyze financial transactions. The data model is accelerated with a summary range of 7 days. Recently, users have reported that dashboards using this data model are extremely slow, sometimes timing out. You check the acceleration status and see that the summary is 'Building' but never completes. The splunkd.log on the search head shows repeated messages: 'Data model acceleration: query timed out after 300 seconds.' The base search for the data model is: index=transactions sourcetype=fin_events | eval risk_score=if(amount>10000, "high", "low") | fields transaction_id, user, amount, risk_score, _time. The data model has one root event with two child datasets: one for high-risk transactions and one for low-risk transactions. The total data volume is about 500 GB per day. The indexer where the summary is built has 16 GB of RAM and the search head has 32 GB. What is the best course of action to resolve the acceleration build timeout?
12. A security team wants to create a data model to analyze authentication events from multiple sources (Windows Event Log, Linux syslog, and VPN logs). The data model should normalize the fields for user, source IP, and action (success/failure). Which Splunk best practice should be applied when designing this data model?
13. A Splunk administrator notices that a data model acceleration summary is consuming excessive disk space on the indexers. The data model is used for a dashboard that refreshes every 30 minutes. What is the best course of action to reduce disk usage while maintaining dashboard performance?
14. Which TWO statements about designing Splunk data models are correct? (Choose two.)
15. Refer to the exhibit. A Splunk user is building a data model for Apache error logs. The configuration above extracts an error_type field. However, when previewing data in the data model, the error_type field is not available. What is the most likely cause?
16. A large e-commerce company uses Splunk to monitor its web application. They have a data model named 'Web_Transactions' that contains fields: status_code, response_time, uri, user_agent. The data model is accelerated with a 30-day time range. Recently, the operations team reported that the dashboard showing average response time by URI is loading slowly, taking over 30 seconds to display. Upon investigation, you find that the data model acceleration summary job is taking longer to complete and sometimes fails. The indexers have sufficient CPU and memory, but the disk I/O is high during the summary job. The volume of web logs is approximately 500 GB per day. Which action should the Splunk administrator take to improve dashboard performance?
17. Which TWO of the following are best practices when creating and using data models in Splunk?
18. Refer to the exhibit. A user runs the search shown. The search returns results, but the user wants to use a data model to make future searches faster and more consistent. Which data model should the user select and what is the correct acceleration setting?
19. You are a Splunk administrator for a large e-commerce company. The security team frequently runs searches against the web access logs (sourcetype=access_combined) to investigate suspicious activity. These searches often take 5-10 minutes to complete, and the team is frustrated. You decide to implement a data model to accelerate these searches. After creating a data model based on the CIM Web model and enabling acceleration for the 'Web' dataset, you notice that the acceleration summary size grows to over 50 GB and the rebuild process takes more than an hour every night, causing some searches to time out during the rebuild window. What is the most effective way to address this issue?
20. Which three of the following are best practices when working with Data Models in Splunk? (Choose three.)
21. Which three options describe recommended practices for optimizing and maintaining data model acceleration? (Choose three.)
22. Which four of the following are best practices for working with data models in Splunk? (Choose four.)
23. Drag and drop the steps to add a new data input using Splunk Web (e.g., monitor a log file) into the correct order.
24. Drag and drop the steps to perform a Splunk software upgrade using the CLI into the correct order.
25. Match each data input type to its description.
26. Match each index type to its purpose.
27. Which of the following is required to use data model acceleration for a Pivot report?
28. A user wants to use the Pivot interface to analyze web traffic data. Which data model should they select?
29. When tagging events in Splunk to map them to a data model, which tag is used to associate events with a specific data model dataset?
30. A data model has been accelerated but some Pivot reports are showing incomplete data. What is the most likely cause?
31. Which of the following is a best practice when creating custom data models?
32. An administrator notices that a data model is not appearing in the Pivot interface. What is a possible reason?
33. A team has created a data model based on sourcetypes from different sources. Some fields are not populating correctly in Pivot. Which of the following is the most effective troubleshooting step?
34. When designing a data model for heterogeneous log sources, which approach minimizes field conflicts?
35. A user wants to create a Pivot report that counts failed login attempts by user and hour. Which data model dataset and fields are most appropriate?
36. Which TWO actions should be taken to optimize data model acceleration?
37. Which THREE statements about data model normalization are correct?
38. Which TWO are best practices for designing data models in Splunk?
39. Refer to the exhibit. What does this search do?
40. Refer to the exhibit. A data model named 'Web' is built on sourcetype 'web_access'. A user reports that the timestamp field is not being extracted correctly in the data model. What is the most likely issue?
41. Refer to the exhibit. An administrator configures a default stanza in props.conf to assign the Authentication data model to all sourcetypes. Which issue might arise?
42. A user notices that a data model is not updating with recent events. The data model acceleration is enabled and the summary range is set to 30 days. Which action should the admin take to ensure the accelerated data model includes data from the last hour?
43. A security team needs to track authentication events across multiple sources: Windows Security logs, Linux /var/log/auth.log, and network authentication events. They want to create a single data model covering all authentication events with consistent field names. Which best practice should they follow?
44. An admin wants to allow power users to search against a data model but prevent them from modifying its definition. Which permission setting should the admin configure?
45. An analyst wants to count the number of failed login attempts from a specific user using an accelerated data model named 'Authentication'. The data model has a dataset 'Failed_Authentication'. Which SPL query should they use?
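Added SPL example, not taken from the page or from its answer explanations: counting failed authentications for one user by hour from the accelerated CIM `Authentication` data model (the scenario of questions 35 and 45), first through the acceleration summary with `tstats summariesonly=t`, then through the data model's own search with the `datamodel` command. The user name `jdoe` is an assumption; the time range comes from the time picker. `summariesonly=t` reads only summarized data, so events the summary has not yet covered (recent events before the next scheduled summary run, or anything outside the summary range) are omitted, and `tstats` can only filter and group on fields the data model defines.

```spl
| tstats summariesonly=t count
    from datamodel=Authentication.Failed_Authentication
    where Authentication.user="jdoe"
    by Authentication.user _time span=1h
| rename Authentication.user AS user
| sort -_time

| datamodel Authentication Failed_Authentication flat
| search user="jdoe"
| timechart span=1h count AS failed_logins
```

Run the two searches separately over the same time range. In the first, the child dataset is addressed as `Authentication.Failed_Authentication` and its fields carry the root dataset name as a prefix, which the `rename` strips; `flat` mode in the second search strips the same prefixes. If the `tstats` search returns fewer events than the `datamodel` search, the difference is data the summary has not yet covered; leaving `summariesonly` at its default of `false` makes `tstats` read raw events for the unsummarized portion at the cost of speed. A `where` clause on a field that is not part of the data model does not match against the summary, which is why such filters belong in the data model definition or in a `search` command after `tstats`.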
46. A data model for web traffic has a child dataset 'Error_Pages' that should only include events with status code 5xx. The admin wants to ensure that when the data model is used with tstats, only these events are searched. Which definition should they use in the data model?
47. An admin runs `| datamodel App_State` and receives the error "No data model named 'App_State'". Which of the following is the most likely cause?
48. A data model is set to accelerate with a summary range of 90 days. After some time, the administrator notices that the acceleration is using significant disk space. Which strategy would best reduce disk usage without losing the ability to quickly query the last 30 days of data?
49. A data model 'Network_Traffic' currently has a single root dataset 'Traffic'. The administrator wants to add a child dataset 'Firewall_Logs' that only contains events from sourcetype=firewall. The admin also wants 'Firewall_Logs' to inherit all fields from 'Traffic'. Which approach should they follow?
50. An administrator wants to list all data models in the current app and see their acceleration status. Which command should they use?
51. Which TWO of the following are best practices when designing data models in Splunk?
52. Which THREE of the following statements about data model acceleration are true?
53. Which THREE of the following are valid reasons to use data models instead of raw searches?
54. Refer to the exhibit. An admin is trying to accelerate this data model, but receives an error: 'Data model 'Authentication' has no constraints.' What is the most likely cause?
55. Refer to the exhibit. An admin sees that the Web_Traffic data model is accelerated but shows 'Summaries require rebuild'. What does this status indicate?
56. Refer to the exhibit. An analyst receives this error when running a tstats search. Which of the following is the most likely cause?
57. A security analyst wants to accelerate a frequently run search that uses the `Authentication` data model. Which best practice should they follow to ensure the acceleration consumes minimal disk space?
58. A team is designing a data model for IT operations. They have fields like `src_ip`, `dest_ip`, `user`, and `action`. Which best practice should they follow when naming the root event dataset?
59. An administrator notices that a data model with acceleration is not returning results for a specific time range. The search uses the `| datamodel` command. The summary range is set to 30 days. What is the most likely cause?
60. An analyst creates a pivot from the `Authentication` data model. Which of the following is a valid reason to use a pivot instead of a search?
61. During data model creation, an administrator adds a calculated field that concatenates `src_ip` and `dest_ip` with a hyphen. Which of the following is a best practice for calculated fields in data models?
62. A search using `| datamodel All_Web Web search` returns a large number of results quickly, but the analyst notices the results are inconsistent with a manual search over the same time range. What is the most likely issue?
63. A data model includes a root event called `Authentication` with a constraint `action=*`. Which of the following is a valid reason to add a child dataset?
64. An organization wants to build a data model that includes data from multiple sourcetypes. Which best practice should they follow regarding field definitions?
65. An administrator reports that a data model acceleration job is consistently failing for a root event with a large dataset. What is the most likely cause?
66. Which TWO of the following are best practices when creating a data model in Splunk? (Choose two.)
67. Which THREE of the following are valid considerations when accelerating a data model? (Choose three.)
68. Which TWO of the following are common pitfalls when using data models that can lead to inaccurate pivot results? (Choose two.)
69. A new Splunk admin wants to reduce the time it takes to run reports on a large dataset. They have enabled acceleration on a data model. Which of the following is a best practice to maximize acceleration benefits?
70. A user notices that a data model designed for web server logs is not showing any events in the 'Web' object, even though the underlying logs are searched correctly with a normal search. The root events are pulling from the 'main' index, and the data model uses constraints. Which of the following is the most likely cause?
71. A Splunk admin is troubleshooting a slow report that uses an accelerated data model. The report uses tstats commands and filters on a field that is not a constraint field in the data model. Which of the following best explains why the report is slow?
72. An organization wants to define a data model that represents transaction-level data from multiple source types, including web logs and application logs. They need to ensure that the data model is scalable and easy to maintain. Which best practice should the admin follow when designing this data model?
73. A Splunk user has created a data model for firewall logs and wants to use it to generate a report showing top source IPs. They attempt to run a search using the data model but receive no results, even though a simple search over the same index returns many events. What is the most likely cause?
74. A company has a data model for email logs that includes a calculated field named 'sentiment_score' derived from a lookup. The data model is accelerated, but some reports using `| tstats` with 'sentiment_score' are returning incorrect values. What is the most likely reason?
75. A Splunk admin wants to ensure that data models are built efficiently and do not consume excessive resources. Which of the following is a best practice when creating data models?
76. Which THREE of the following are best practices when designing data models in Splunk?
77. Which TWO of the following are valid ways to create a data model in Splunk?
78. Which THREE of the following are components of a data model in Splunk?
79. You are a Splunk administrator for a large e-commerce company. The company ingests approximately 500 GB of web server logs per day into a single index named 'web_logs'. A data model named 'Web_Transactions' has been created to analyze user browsing behavior. The data model has a root event with no constraints, and three child objects: 'Page_Views', 'Searches', and 'Purchases'. Each child object has a constraint based on a key-value pair in the logs: e.g., 'action=view', 'action=search', 'action=purchase'. The data model is accelerated with a 7-day summary, but reports that query specific child objects are taking over 10 minutes to return. The reports use `| tstats` and filter on common fields like 'user_id' and 'session_id'. The admin suspects the acceleration summary is too large. Which of the following actions will most effectively reduce report latency while maintaining the ability to analyze all three transaction types?
80. You are working as a Splunk consultant for a financial services firm. They have multiple data sources: application logs, database audit logs, and network firewall logs. The security team needs to correlate events across these sources to detect potential fraud. You decide to create a data model named 'Security_Events'. The data model will be used with tstats for real-time dashboards. The logs vary in volume: application logs are 200 GB/day, audit logs are 50 GB/day, and firewall logs are 100 GB/day. The firm wants to optimize performance and storage. The data model currently has one root event with no constraints and three child objects with constraints based on sourcetype. The admin is concerned about acceleration storage costs. Which of the following is the best approach to balance performance and storage?
81. A small business uses Splunk to monitor their point-of-sale (POS) system. They have a data model named 'POS_Transactions' that is not accelerated. The owner wants to create a simple dashboard showing daily sales totals. They write a search using `| tstats` against the data model, but it returns 'No events found'. A plain search over the same index returns expected results. What should the owner do to resolve this?
82. You are an admin for a large healthcare organization that uses Splunk for compliance monitoring. You have a data model named 'Patient_Access' that tracks access to patient records. The data model includes fields like 'employee_id', 'patient_id', 'access_time', and 'action'. The data model is accelerated with a 30-day summary. Recently, a new compliance report requires filtering on a field named 'department', which is not currently part of the data model. You add 'department' as a new field to the root event of the data model. After this change, reports using the data model become slower. The data model's acceleration summary size has significantly increased. What is the most likely reason for the slowdown?
83. A media company uses Splunk to analyze user engagement across their website. They have a data model named 'User_Actions' with two child objects: 'Page_Views' and 'Clicks'. The data model is accelerated. The marketing team creates a report that uses `| tstats` to count the number of 'Page_Views' per user_id. The results seem low compared to an equivalent raw event search. Upon investigation, you find that the 'Page_Views' object has a constraint that filters events where 'event_type=page_view'. The base search returns many events with 'event_type=Page View' (note the space). What is the issue and the correct fix?
84. A large e-commerce company ingests 10 TB/day of web access logs into Splunk. They have enabled the CIM-compliant Web data model and created data model acceleration with a 90-day range. Users run reports using pivot to analyze HTTP status codes, client IPs, and URIs. Recently, two issues arose: (1) Pivot reports are returning incomplete or outdated results, sometimes missing data from the last few hours. (2) Acceleration summary size has ballooned to over 500 GB, causing search head performance degradation. The Splunk admin suspects that data model acceleration is not configured optimally. Upon inspection, the Web data model's root search contains a complex filter with multiple eval commands and lookups, and the acceleration time range is set to the same 90 days as the summary range. The admin also notices that the data model is defined as non-time-based, even though the events have timestamps and the pivot often uses time ranges. What is the best course of action to resolve both issues while maintaining accuracy and performance?
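Added SPL example, not part of the page or its answer explanations: a check that separates the two reasons a `tstats` count can come up short against a raw search, the summary lagging behind the events (the missing-recent-hours symptom of question 84, and of questions 30, 42 and 59) versus the dataset constraint excluding events the raw search matches (the `page_view` versus `Page View` mismatch of question 83). The data model `User_Actions`, the child dataset `Page_Views` and the two `event_type` values are taken from the question stems; the index name `web` and the hourly span are assumptions.

```spl
| tstats summariesonly=t count AS summary_count
    from datamodel=User_Actions.Page_Views
    by _time span=1h
| append
    [| datamodel User_Actions Page_Views flat
     | bin _time span=1h
     | stats count AS model_count by _time ]
| append
    [ search index=web (event_type=page_view OR event_type="Page View")
     | bin _time span=1h
     | stats count AS raw_count by _time ]
| stats sum(summary_count) AS summary_count
        sum(model_count) AS model_count
        sum(raw_count) AS raw_count
    by _time
| fillnull value=0 summary_count model_count raw_count
| eval diagnosis=case(
        raw_count > model_count,     "constraint excludes matching events",
        model_count > summary_count, "summary has not caught up",
        true(),                      "summary matches raw")
| sort -_time
```

Run it over a short window, for example the last 4 hours, because both `append` subsearches run full searches and are bound by the subsearch result-count and runtime limits. The three counts per hour come from the acceleration summary, from the data model's own definition evaluated against raw events, and from the raw index with both spellings of the value. An hour labelled "constraint excludes matching events" means the dataset definition, not acceleration, is dropping events, so the fix lies in the constraint or in normalizing the field value before it reaches the data model; an hour labelled "summary has not caught up" points at the acceleration schedule, backfill or summary range rather than at the definition.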
85. Which two of the following are best practices when designing Splunk data models? (Choose two.)
86. Refer to the exhibit. A Splunk admin runs a search using the 'Authentication' data model and notices that the search does not use the acceleration summaries. The admin confirms that acceleration is enabled and the summary range is set correctly. What is the most likely reason for the acceleration being ignored?
87. A financial services company uses Splunk to monitor authentication logs from 500 remote servers. They created a data model named 'Authentication' with 15 fields including 'user', 'src_ip', 'dest_ip', 'action', and 'status'. They enabled acceleration with a summary range of 1 day and set the maximum search time range to 30 days. After one month of operation, searches against the data model that used to complete in seconds now time out after 60 seconds. The average daily log volume is 10 GB. The admin runs | datamodel Audit and discovers that the summary size is approximately 5 GB per day, which is similar to the raw data index size. The search head has 16 GB RAM and 4 CPU cores, and no other resource issues are observed. What is the most likely cause of the performance degradation?
The Data Models and Best Practices domain covers the key concepts tested in this area of the SPLK-1002 exam blueprint published by Splunk. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all SPLK-1002 domains — no account required.
The Courseiva SPLK-1002 question bank contains 87 questions in the Data Models and Best Practices domain. Click any question to see the full explanation and answer breakdown.
Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.
Yes — the session launcher on this page draws questions exclusively from the Data Models and Best Practices domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.