Practice SPLK-1002 Creating Reports, Dashboards and Visualizations questions with full explanations on every answer.
1. A security team needs to create a report that shows the number of distinct users who triggered a firewall block each day for the past 30 days. Which search and visualization combination should be used?
2. A user wants to create a dashboard panel that refreshes automatically every 60 seconds. Which setting must be configured in the panel's edit mode?
3. A dashboard includes a table showing server errors. The team wants to click a row and drill down to a detailed view of that server's events in a new search. Which configuration is required?
4. Which TWO statements are true about saved reports in Splunk?
5. Which THREE of the following are valid ways to add a visualization to a dashboard?
6. Which TWO chart types are best suited for showing the distribution of categorical data?
7. Which THREE actions are possible when editing a dashboard in Studio?
8. A user wants to create a report that shows the top 5 most frequent error messages from the last 7 days. The search results should be sorted by count. Which search is correct?
9. Refer to the exhibit. A user runs this search and the resulting timechart shows multiple lines, one for each host. The user wants to show only the top 3 hosts by total count. Which modification achieves this?
10. A dashboard includes a single value visualization showing the total number of login failures. The number seems too high. Which common mistake could cause inflated counts?
11. A team creates a dashboard that uses a drop-down input to select a server. The dashboard slows down significantly when the input changes. What is the most likely cause?
12. A user wants to create a report that shows the average response time for each web endpoint over the past week. The data has fields: endpoint, response_time. Which search correctly calculates the average?
13. Refer to the exhibit. This search produces a table with hosts as rows and status codes as columns. The user wants to visualize this as a stacked column chart showing the distribution of status codes per host. Which chart type should be selected?
14. Refer to the exhibit. A user runs this search from a dashboard panel. The panel shows no results, but the lookup file exists and has data. What is the most likely reason?
15. A user creates a dashboard with multiple panels. Some panels share the same search. To improve performance, what should the user do?
16. Which TWO are valid methods to share a dashboard with other users without granting them edit permissions?
17. Which THREE are essential components of a Splunk dashboard?
18. You are a Splunk administrator at a large e-commerce company. The operations team has created a real-time dashboard to monitor website performance. The dashboard includes multiple panels: a line chart showing page load times over the last 60 minutes, a single value showing the number of active users, and a table listing the top 10 slowest pages. The dashboard refreshes every 30 seconds. Recently, users have reported that the dashboard is very slow to load and sometimes times out. The underlying searches are not accelerated. The dashboard uses a shared time range picker set to 'Last 60 minutes'. The index for web logs receives about 2 GB of data per hour. The team wants to improve performance without losing real-time capability. Which approach best addresses the problem?
19. You are a Splunk analyst for a financial services firm. You need to create a weekly report for management showing the total transaction value and number of transactions per day, broken down by transaction type (credit, debit, transfer). The data is in index=transactions with fields: trans_date, trans_type, amount. The report should be sent via email every Monday morning at 8 AM. You have created a report with the search: `index=transactions | timechart sum(amount) by trans_type`. However, the timechart shows only one series because the trans_type field has multiple values. You need to fix the search so that it correctly separates by trans_type. Additionally, you need to schedule the report. What should you do?
20. A security analyst has created a report that shows the count of failed login attempts by user. The analyst now wants to display this data as a column chart on a dashboard. Which Splunk feature should be used to convert the report into a visualization?
21. An IT operations team has a dashboard with multiple panels showing server metrics. Each panel uses a separate search that runs every time the dashboard is loaded, causing slow performance. What is the best practice to improve dashboard load time?
22. A user wants to create a pie chart showing the distribution of error types from web server logs. Which Splunk command should be used to group the errors before visualization?
23. A dashboard includes a time range picker. When a user selects 'Last 7 days', one panel does not update its data accordingly. What is the most likely cause?
24. Which TWO of the following are valid ways to add a visualization to a dashboard in Splunk?
25. Refer to the exhibit. The search is expected to produce a count of HTTP status codes grouped into categories. However, the results show a column 'status' instead of 'status_category'. What is the problem?
26. You are a Splunk administrator for a large e-commerce company. The marketing team has a dashboard that displays daily sales metrics, including revenue, number of transactions, and average order value. The dashboard is built using a single search that runs a 'timechart' command across all events. Recently, the dashboard has been timing out and failing to load during peak hours (10 AM - 2 PM) when traffic is highest. The team needs the dashboard to be available with minimal latency. You have the following options: A. Reduce the time range on the dashboard to the last hour instead of the default last 24 hours. B. Create a summary index that pre-aggregates the sales metrics every hour and modify the dashboard to search this summary index. C. Increase the search time limit in the Splunk settings to allow the search to run longer. D. Split the single search into multiple smaller searches, each for a different metric, and run them concurrently on separate panels. Which option best addresses the performance issue while maintaining data accuracy?
27. Which TWO of the following are valid methods to convert a saved search into a report in Splunk?
28. You are a Splunk administrator for a large e-commerce company. The operations team uses a dashboard to monitor server health, which includes a single-value panel showing the current number of active users, a bar chart of error counts by service, and a table of recent critical log entries. Recently, users have reported that the dashboard loads very slowly, sometimes taking over 30 seconds to display all panels. The dashboard uses base search and post-process searches to reduce duplication. The base search retrieves all logs from the last 24 hours, and each panel runs a post-process search to filter and aggregate data. The dashboard is scheduled to refresh every 60 seconds. There are approximately 10 million events per day. After investigating, you notice that the base search returns a large amount of data, and each post-process search still processes a significant subset. Which approach would most effectively improve dashboard performance without significantly altering the dashboard's functionality?
29. Which three of the following are valid approaches for creating a dashboard in Splunk Web? (Choose three.)
30. Which three options correctly describe characteristics or behaviors of Splunk reports and visualizations? (Choose three.)
31. Which of the following are true about creating and managing dashboards in Splunk? (Choose all that apply. There are four correct answers.)
32. Drag and drop the steps to configure a Splunk alert that sends an email when a specific condition is met into the correct order.
33. Drag and drop the steps to troubleshoot a Splunk search that returns no results into the correct order.
34. Match each Splunk component to its purpose.
35. Match each lookup type to its definition.
36. A security analyst wants to create a report that shows the count of failed login attempts per user over the last 24 hours, but only for users with more than 5 failures. Which Splunk command sequence should be used?
37. A team wants to add an interactive time range picker to a dashboard. The dashboard uses a base search with a token for earliest and latest. Which configuration is required?
38. A report is scheduled to run every hour but sometimes returns incomplete data because the search is too slow and times out. Which action should be taken to improve reliability without losing data?
39. A developer wants to display server CPU usage that updates every second on a dashboard. Which panel configuration is appropriate?
40. A user created a dashboard panel with a search that uses a token. The token is not being applied when the user modifies the dropdown. What is the most likely cause?
41. A compliance report must show the average latency per service for each hour over the past 30 days. The data set contains millions of events. To ensure the report finishes within a reasonable time, which approach is recommended?
42. A user wants to add a drilldown to a dashboard panel so that clicking a value opens a related search in a new tab. Which Simple XML attribute is used?
43. A dashboard uses a base search and a post-process search that modifies the fields. When the base search returns no results, the panel shows an error. How can this be handled?
44. A visualization is showing unexpected spikes in a timechart. The data is aggregated by hour, but the spikes align with time zone changes. What is the likely cause?
45. Which TWO options are valid methods to add a visualization to a dashboard?
46. Which THREE best practices should be followed when creating dashboards for a large organization with many users?
47. Which TWO options are correct about post-process searches in dashboards?
48. Refer to the exhibit. The report returns 0 results even though there are error events in the data. What is the most likely issue?
49. Refer to the exhibit. The pie chart shows only 10 slices, but the base search stats returns all destinations. What is the reason?
50. Refer to the exhibit. The timechart returns only partial results for some sourcetypes, and there are gaps in the timeline. Which is the most likely reason?
51. A security analyst creates a report that shows the count of failed login attempts by user over the last 7 days. The report uses the `top` command. However, the report only shows the top 10 users, but the analyst wants to see all users. What should the analyst do?
52. A user wants to create a dashboard panel that shows a single number representing the total number of errors in the last 24 hours. Which visualization type should be used?
53. A Splunk admin notices that a dashboard panel using `timechart` is showing gaps (null values) for some time periods where no events exist. The admin wants to display a zero instead of null to make the chart continuous. Which command should be added before `timechart`?
54. A dashboard has a radio button input that selects a sourcetype. The panel uses `index=web sourcetype=$source$`. However, when the user selects a sourcetype, the panel doesn't update. What is the most likely cause?
55. A user wants to create a bar chart showing the count of events by host for the last hour. Which command should be used?
56. A report uses `| timechart count by action`. The user wants to show only the top 3 actions and combine all others into a single 'Other' column. Which argument should be added?
57. A dashboard includes a pie chart showing the distribution of error types. The data comes from a search that uses `top` command. The pie chart is showing a slice labeled 'Other' that is very large. What is the most likely cause?
58. A user wants to add a trend indicator to a single value visualization showing whether the count increased or decreased compared to the previous period. Which feature should be used?
59. A dashboard has multiple panels that use the same base search. The admin wants to avoid running the same search multiple times. Which feature should be used?
60. A dashboard designer wants to create a drilldown from one chart to another dashboard. Which TWO actions must be configured? (Select two.)
61. A security analyst creates a dashboard with multiple timechart panels. To ensure the dashboard performs well with large datasets, which THREE practices should be followed? (Select three.)
62. A user wants to save a search as a report that can be used in a dashboard. Which TWO steps are required? (Select two.)
63. Refer to the exhibit. The dashboard panel is not displaying data when the input changes. What is the most likely cause?
64. Refer to the exhibit. Which visualization would be most appropriate for this data?
65. Refer to the exhibit. The user wants to display the count over time for each source. However, the chart shows only one line labeled 'MyCount'. What is the problem?
66. A security team wants to monitor the count of failed login attempts over the past week. They need a simple at-a-glance number. Which visualization type should they use?
67. An administrator needs to share a report with executives who prefer to see data in a tabular format with sorting capabilities. Which reporting method is best?
68. A user created a report that runs every hour. They notice the report's results include data from the previous hour only, but they want data from the last 24 hours. What should they change in the search?
69. An analyst needs to see the top 5 error codes by count. Which visualization is most appropriate?
70. A dashboard includes a form input that allows users to select a user. After selecting a user, a panel should show that user's activity. Which dashboard feature is required?
71. A report is scheduled to run every 5 minutes. After running, it sends an email if the count of errors exceeds 10. Which report action should be configured?
72. A dashboard has multiple panels that each use the same base search but apply different aggregate functions. To avoid running the base search multiple times, which technique should be used?
73. An organization has a large dataset and wants to create a daily report of top 10 error messages. The search takes a long time to run. Which optimization approach reduces run time while maintaining accuracy?
74. In a dashboard, a user wants to click on a bar in a chart and navigate to another dashboard with relevant data for that bar. Which feature should they configure?
75. Which two of the following are valid ways to create a report in Splunk? (Choose two.)
76. Which two of the following are actions that can be performed on a report after it is created? (Choose two.)
77. Which three of the following are best practices for creating efficient dashboards? (Choose three.)
78. Refer to the exhibit. Which visualization is most appropriate for this data?
79. Refer to the exhibit. The chart shows five series. What is the effect of the useother=f argument?
80. Refer to the exhibit. The dashboard panel shows a column chart of bytes by protocol for the last 24 hours. However, the chart shows only one column. What is the most likely cause?
81. A security analyst needs to create a report that shows the count of failed login attempts by user over the last 24 hours, updated every hour. The report should be accessible to the SOC team but not to other users. Which sequence of steps should the analyst follow?
82. When creating a dashboard panel that displays a line chart of CPU usage over time, which visualization option should be used to show multiple series (each CPU core) with different colors?
83. A dashboard includes a table panel that shows recent errors. The analyst wants users to click on an error message and be taken to a search showing all events containing that error message within the same time range. Which configuration should be applied to the table panel?
84. An analyst created a report that runs a search over the last 7 days. The report is scheduled to run daily. Each time the report runs, it takes a long time and impacts other searches. What is the best way to improve performance without changing the data model?
85. Which visualization type is best suited to show the proportion of errors by category (e.g., HTTP 404, 500, 403) as parts of a whole?
86. A dashboard uses tokens for time range selection. The admin wants to ensure that when a user changes the time range picker from 'Last 24 hours' to 'Last 7 days', all panels in the dashboard update accordingly. What is the correct way to define the token in Simple XML?
87. An analyst creates a dashboard with multiple panels. One panel shows a table of top users by login count. The analyst wants to add a second panel that updates based on the user clicked in the first panel. Which feature should be used?
88. In Splunk Web, which option allows a user to save a search result as a report that can be added to a dashboard later?
89. A newly created dashboard panel is not displaying data, showing only 'No results found'. The search query works correctly in the Search app. What is the most likely cause?
90. An analyst needs to create a dashboard that displays real-time data (streaming) for operational monitoring. Which panel type supports real-time data?
91. Which TWO actions are valid for modifying the appearance of a column chart in a dashboard panel? (Choose two.)
92. Which THREE of the following are valid considerations when scheduling a report for PDF delivery via email? (Choose three.)
93. Which TWO options are valid when adding a panel to a dashboard from an existing report? (Choose two.)
94. A security analyst creates a dashboard to monitor failed login attempts over the past 24 hours. Which visualization type is most appropriate for showing the trend of failed logins over time?
95. A user wants to create a dashboard panel that shows the top 5 most visited web pages. Which report type should be used as the underlying search?
96. An IT administrator has a dashboard with multiple panels that all use the same base search but with different post-processing filters. The dashboard is slow to load. Which optimization technique is most effective?
97. A dashboard panel using a bar chart shows a large number of values on the x-axis, making the chart unreadable. Which dashboard option should be used to limit the number of bars shown?
98. A dashboard designer adds a radio button input to filter by department. When a user selects a department, the panel does not update. What is the most likely cause?
99. A SOC manager creates a dashboard with multiple time-range pickers (one global, one per panel). The global picker is set to 'Last 7 days' but one panel uses its own picker set to 'Last 24 hours'. When the dashboard loads, which time range will the panel use?
100. A dashboard uses a drilldown on a table to navigate to another dashboard. After migration to a different Splunk instance, the drilldown links are broken. What is the best practice to avoid this issue?
101. A power user creates a dashboard with a panel that uses a search returning 10,000 events. The dashboard should display a single value representing the count of unique users. Which search approach is most efficient?
102. A user creates a report that summarizes error codes by frequency. They want to share it with the team so others can view but not edit. Which permission should the user set on the report?
103. Which TWO options are valid ways to add a visualization to a dashboard using Splunk Web? (Choose two.)
104. Which THREE elements are required to create a dashboard in Splunk Web? (Choose three.)
105. A dashboard panel uses a search that returns time-series data. Which TWO chart options are available in the 'Format' tab of the chart editor to modify the appearance of a line chart? (Choose two.)
106. A junior analyst creates a dashboard to monitor server CPU usage. The dashboard contains a single panel with a line chart showing CPU percentage over the last 24 hours. The analyst then adds a second panel that displays the same data but as a single value showing the average CPU. Both panels use the exact same search string. The dashboard loads slowly, and users complain of wait times. The analyst wants to improve performance without changing the displayed data. Which course of action is best?
107. A financial analyst creates a dashboard in Splunk Web to track daily transaction volumes. The dashboard has three panels: a table of top 10 merchants by transaction count, a bar chart of transactions by hour, and a single value showing total transaction amount. All panels use the same base search from the 'transactions' index. The analyst is in the 'finance' role. The dashboard runs fine in the analyst's session, but when the analyst shares the dashboard with the 'auditor' role, the auditor sees no data in any panel. The auditor role has read access to the dashboard and the 'transactions' index. What is the most likely cause?
108. A large enterprise Splunk environment has a heavy forwarder sending 2 TB of log data per day. An operator builds a dashboard that displays a real-time chart of events per second across all data sources, using the search 'index=* | stats count by sourcetype' with a real-time window of last 10 minutes. The dashboard is extremely slow, often timing out. The operator suspects the search is too broad. Which optimization strategy should be implemented first?
109. A security analyst wants to create a report showing the number of failed login attempts by user over the past 24 hours, updated automatically every hour. Which approach is most efficient?
110. Which TWO actions increase the performance of a dashboard in Splunk? (Choose two.)
111. A small business uses Splunk to monitor their web server. They have a dashboard that shows daily page views. After a system update, the dashboard loads very slowly, often timing out. The dashboard uses a search that takes only 2 seconds when run manually. The dashboard has a time range picker set to 'Today'. The update changed some default settings. What is the most likely cause?
112. A large organization's security team has a dashboard that displays the top 10 source IPs by number of failed login attempts. The dashboard uses a search: index=security sourcetype=login action=failure | top limit=10 src_ip. Lately, the dashboard shows incorrect data (e.g., IPs that are not actually top). However, when the same search is run in the Search app, it shows correct results. The dashboard is scheduled to refresh every 10 minutes. What is the most likely cause?
113. A company has a dashboard that uses a base search and four post-process searches to display metrics. The dashboard loads slowly. The base search returns 10,000 results and each post-process search further filters. The infrastructure team suggests using tstats to improve performance. Which approach is best?
114. A user creates a dashboard with a line chart showing server response times. The chart looks correct in the dashboard editor but when saved and viewed by other users, the chart shows no data. The other users have the same role as the creator. What is the most likely cause?
115. A Splunk administrator needs to create a dashboard that displays a summary of sales data from multiple regions. Each region's data is in a separate index. The dashboard should allow users to select a region from a dropdown and see the sales data for that region. Which type of dashboard input should be used?
116. A user wants to add a panel to an existing dashboard in Splunk. Which TWO of the following methods can be used to achieve this?
117. Refer to the exhibit. A user scheduled a report but it never runs. Which of the following is the most likely reason?
118. A large e-commerce company uses Splunk Enterprise to analyze sales data. The marketing team requests a real-time dashboard showing total revenue per product category, updated every 5 seconds. A new Splunk user creates a dashboard panel with the search `index=sales | stats sum(price) by category | sort - sum(price)`. The dashboard works initially, but after 30 minutes, it stops updating and displays the error 'Search failed: too many results'. The user is concerned about the impact on system performance. The data volume is approximately 1 TB per day. Which of the following should the user do to create a reliable dashboard that updates frequently without causing performance issues?
119. Refer to the exhibit. A user runs this search in Splunk to create a timechart of web server status codes. The resulting chart shows no data for the "error" status. What is the most likely cause?
120. Refer to the exhibit. A Splunk user runs this search against a lookup file containing application error data. The search returns fewer than 10 results. Which is the most likely reason?
121. Refer to the exhibit. A Splunk admin created this dashboard XML. When viewing the dashboard, the "Response Time" panel shows no data. What is the most likely cause?
122. Refer to the exhibit. A user runs this search to get details about a saved search. The results show empty values for the actions types. What is the most likely reason?
123. Refer to the exhibit. A security analyst runs this search to find top failed actions for admin accounts. The search returns no results, but there are failed actions for admin accounts in the data. What is the most likely cause?
The Creating Reports, Dashboards and Visualizations domain covers the key concepts tested in this area of the SPLK-1002 exam blueprint published by Splunk. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all SPLK-1002 domains — no account required.
The Courseiva SPLK-1002 question bank contains 123 questions in the Creating Reports, Dashboards and Visualizations domain. Click any question to see the full explanation and answer breakdown.
Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.
Yes — the session launcher on this page draws questions exclusively from the Creating Reports, Dashboards and Visualizations domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.