Courseiva
Knowledge + Practice
CertificationsVendorsCareer RoadmapsLabs & ToolsStudy GuidesGlossaryPractice Questions
C
Courseiva

Free IT certification practice questions with explained answers for CCNA, CompTIA, AWS, Azure, Google Cloud, and more.

Certification Practice Questions

CCNA practice questionsSecurity+ SY0-701 practice questionsAWS SAA-C03 practice questionsAZ-104 practice questionsAZ-900 practice questionsCLF-C02 practice questionsA+ Core 1 practice questionsGoogle Cloud ACE practice questionsCySA+ CS0-003 practice questionsNetwork+ N10-009 practice questions
View all certifications →

Product

CertificationsCertification PathsExam TopicsPractice TestsExam Dumps vs Practice TestsStudy HubComparisons

Company

AboutContactEditorial PolicyQuestion Writing PolicyTrust Center

Legal

Privacy PolicyTerms of Service

Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.

HomeCertificationsSPLK-1002DomainsCreating Reports, Dashboards and Visualizations
SPLK-1002Free — No Signup

Creating Reports, Dashboards and Visualizations

Practice SPLK-1002 Creating Reports, Dashboards and Visualizations questions with full explanations on every answer.

123questions

Start practicing

Creating Reports, Dashboards and Visualizations — choose a session length

10 questions~10 min20 questions~20 min30 questions~30 min50 questions~50 min

Free · No account required

SPLK-1002 Domains

Splunk Basics and Interface NavigationBasic Searching and Transforming CommandsUsing Fields and LookupsCreating Reports, Dashboards and VisualizationsData Models and Best Practices

Practice Creating Reports, Dashboards and Visualizations questions

10Q20Q30Q50Q

All SPLK-1002 Creating Reports, Dashboards and Visualizations questions (123)

Start session

Click any question to see the full explanation and answer options, or start a focused practice session above.

1

A security team needs to create a report that shows the number of distinct users who triggered a firewall block each day for the past 30 days. Which search and visualization combination should be used?

2

A user wants to create a dashboard panel that refreshes automatically every 60 seconds. Which setting must be configured in the panel's edit mode?

3

A dashboard includes a table showing server errors. The team wants to click a row and drill down to a detailed view of that server's events in a new search. Which configuration is required?

4

Which TWO statements are true about saved reports in Splunk?

5

Which THREE of the following are valid ways to add a visualization to a dashboard?

6

Which TWO chart types are best suited for showing the distribution of categorical data?

7

Which THREE actions are possible when editing a dashboard in Studio?

8

A user wants to create a report that shows the top 5 most frequent error messages from the last 7 days. The search results should be sorted by count. Which search is correct?

9

Refer to the exhibit. A user runs this search and the resulting timechart shows multiple lines, one for each host. The user wants to show only the top 3 hosts by total count. Which modification achieves this?

10

A dashboard includes a single value visualization showing the total number of login failures. The number seems too high. Which common mistake could cause inflated counts?

11

A team creates a dashboard that uses a drop-down input to select a server. The dashboard slows down significantly when the input changes. What is the most likely cause?

12

A user wants to create a report that shows the average response time for each web endpoint over the past week. The data has fields: endpoint, response_time. Which search correctly calculates the average?

13

Refer to the exhibit. This search produces a table with hosts as rows and status codes as columns. The user wants to visualize this as a stacked column chart showing the distribution of status codes per host. Which chart type should be selected?

14

Refer to the exhibit. A user runs this search from a dashboard panel. The panel shows no results, but the lookup file exists and has data. What is the most likely reason?

15

A user creates a dashboard with multiple panels. Some panels share the same search. To improve performance, what should the user do?

16

Which TWO are valid methods to share a dashboard with other users without granting them edit permissions?

17

Which THREE are essential components of a Splunk dashboard?

18

You are a Splunk administrator at a large e-commerce company. The operations team has created a real-time dashboard to monitor website performance. The dashboard includes multiple panels: a line chart showing page load times over the last 60 minutes, a single value showing the number of active users, and a table listing the top 10 slowest pages. The dashboard refreshes every 30 seconds. Recently, users have reported that the dashboard is very slow to load and sometimes times out. The underlying searches are not accelerated. The dashboard uses a shared time range picker set to 'Last 60 minutes'. The index for web logs receives about 2 GB of data per hour. The team wants to improve performance without losing real-time capability. Which approach best addresses the problem?

19

You are a Splunk analyst for a financial services firm. You need to create a weekly report for management showing the total transaction value and number of transactions per day, broken down by transaction type (credit, debit, transfer). The data is in index=transactions with fields: trans_date, trans_type, amount. The report should be sent via email every Monday morning at 8 AM. You have created a report with the search: `index=transactions | timechart sum(amount) by trans_type`. However, the timechart shows only one series because the trans_type field has multiple values. You need to fix the search so that it correctly separates by trans_type. Additionally, you need to schedule the report. What should you do?

20

A security analyst has created a report that shows the count of failed login attempts by user. The analyst now wants to display this data as a column chart on a dashboard. Which Splunk feature should be used to convert the report into a visualization?

21

An IT operations team has a dashboard with multiple panels showing server metrics. Each panel uses a separate search that runs every time the dashboard is loaded, causing slow performance. What is the best practice to improve dashboard load time?

22

A user wants to create a pie chart showing the distribution of error types from web server logs. Which Splunk command should be used to group the errors before visualization?

23

A dashboard includes a time range picker. When a user selects 'Last 7 days', one panel does not update its data accordingly. What is the most likely cause?

24

Which TWO of the following are valid ways to add a visualization to a dashboard in Splunk?

25

Refer to the exhibit. The search is expected to produce a count of HTTP status codes grouped into categories. However, the results show a column 'status' instead of 'status_category'. What is the problem?

26

You are a Splunk administrator for a large e-commerce company. The marketing team has a dashboard that displays daily sales metrics, including revenue, number of transactions, and average order value. The dashboard is built using a single search that runs a 'timechart' command across all events. Recently, the dashboard has been timing out and failing to load during peak hours (10 AM - 2 PM) when traffic is highest. The team needs the dashboard to be available with minimal latency. You have the following options: A. Reduce the time range on the dashboard to the last hour instead of the default last 24 hours. B. Create a summary index that pre-aggregates the sales metrics every hour and modify the dashboard to search this summary index. C. Increase the search time limit in the Splunk settings to allow the search to run longer. D. Split the single search into multiple smaller searches, each for a different metric, and run them concurrently on separate panels. Which option best addresses the performance issue while maintaining data accuracy?

27

Which TWO of the following are valid methods to convert a saved search into a report in Splunk?

28

You are a Splunk administrator for a large e-commerce company. The operations team uses a dashboard to monitor server health, which includes a single-value panel showing the current number of active users, a bar chart of error counts by service, and a table of recent critical log entries. Recently, users have reported that the dashboard loads very slowly, sometimes taking over 30 seconds to display all panels. The dashboard uses base search and post-process searches to reduce duplication. The base search retrieves all logs from the last 24 hours, and each panel runs a post-process search to filter and aggregate data. The dashboard is scheduled to refresh every 60 seconds. There are approximately 10 million events per day. After investigating, you notice that the base search returns a large amount of data, and each post-process search still processes a significant subset. Which approach would most effectively improve dashboard performance without significantly altering the dashboard's functionality?

29

Which three of the following are valid approaches for creating a dashboard in Splunk Web? (Choose three.)

30

Which three options correctly describe characteristics or behaviors of Splunk reports and visualizations? (Choose three.)

31

Which of the following are true about creating and managing dashboards in Splunk? (Choose all that apply. There are four correct answers.)

32

Drag and drop the steps to configure a Splunk alert that sends an email when a specific condition is met into the correct order.

33

Drag and drop the steps to troubleshoot a Splunk search that returns no results into the correct order.

34

Match each Splunk component to its purpose.

35

Match each lookup type to its definition.

36

A security analyst wants to create a report that shows the count of failed login attempts per user over the last 24 hours, but only for users with more than 5 failures. Which Splunk command sequence should be used?

37

A team wants to add an interactive time range picker to a dashboard. The dashboard uses a base search with a token for earliest and latest. Which configuration is required?

38

A report is scheduled to run every hour but sometimes returns incomplete data because the search is too slow and times out. Which action should be taken to improve reliability without losing data?

39

A developer wants to display server CPU usage that updates every second on a dashboard. Which panel configuration is appropriate?

40

A user created a dashboard panel with a search that uses a token. The token is not being applied when the user modifies the dropdown. What is the most likely cause?

41

A compliance report must show the average latency per service for each hour over the past 30 days. The data set contains millions of events. To ensure the report finishes within a reasonable time, which approach is recommended?

42

A user wants to add a drilldown to a dashboard panel so that clicking a value opens a related search in a new tab. Which Simple XML attribute is used?

43

A dashboard uses a base search and a post-process search that modifies the fields. When the base search returns no results, the panel shows an error. How can this be handled?

44

A visualization is showing unexpected spikes in a timechart. The data is aggregated by hour, but the spikes align with time zone changes. What is the likely cause?

45

Which TWO options are valid methods to add a visualization to a dashboard?

46

Which THREE best practices should be followed when creating dashboards for a large organization with many users?

47

Which TWO options are correct about post-process searches in dashboards?

48

Refer to the exhibit. The report returns 0 results even though there are error events in the data. What is the most likely issue?

49

Refer to the exhibit. The pie chart shows only 10 slices, but the base search stats returns all destinations. What is the reason?

50

Refer to the exhibit. The timechart returns only partial results for some sourcetypes, and there are gaps in the timeline. Which is the most likely reason?

51

A security analyst creates a report that shows the count of failed login attempts by user over the last 7 days. The report uses the `top` command. However, the report only shows the top 10 users, but the analyst wants to see all users. What should the analyst do?

52

A user wants to create a dashboard panel that shows a single number representing the total number of errors in the last 24 hours. Which visualization type should be used?

53

A Splunk admin notices that a dashboard panel using `timechart` is showing gaps (null values) for some time periods where no events exist. The admin wants to display a zero instead of null to make the chart continuous. Which command should be added before `timechart`?

54

A dashboard has a radio button input that selects a sourcetype. The panel uses `index=web sourcetype=$source$`. However, when the user selects a sourcetype, the panel doesn't update. What is the most likely cause?

55

A user wants to create a bar chart showing the count of events by host for the last hour. Which command should be used?

56

A report uses `| timechart count by action`. The user wants to show only the top 3 actions and combine all others into a single 'Other' column. Which argument should be added?

57

A dashboard includes a pie chart showing the distribution of error types. The data comes from a search that uses `top` command. The pie chart is showing a slice labeled 'Other' that is very large. What is the most likely cause?

58

A user wants to add a trend indicator to a single value visualization showing whether the count increased or decreased compared to the previous period. Which feature should be used?

59

A dashboard has multiple panels that use the same base search. The admin wants to avoid running the same search multiple times. Which feature should be used?

60

A dashboard designer wants to create a drilldown from one chart to another dashboard. Which TWO actions must be configured? (Select two.)

61

A security analyst creates a dashboard with multiple timechart panels. To ensure the dashboard performs well with large datasets, which THREE practices should be followed? (Select three.)

62

A user wants to save a search as a report that can be used in a dashboard. Which TWO steps are required? (Select two.)

63

Refer to the exhibit. The dashboard panel is not displaying data when the input changes. What is the most likely cause?

64

Refer to the exhibit. Which visualization would be most appropriate for this data?

65

Refer to the exhibit. The user wants to display the count over time for each source. However, the chart shows only one line labeled 'MyCount'. What is the problem?

66

A security team wants to monitor the count of failed login attempts over the past week. They need a simple at-a-glance number. Which visualization type should they use?

67

An administrator needs to share a report with executives who prefer to see data in a tabular format with sorting capabilities. Which reporting method is best?

68

A user created a report that runs every hour. They notice the report's results include data from the previous hour only, but they want data from the last 24 hours. What should they change in the search?

69

An analyst needs to see the top 5 error codes by count. Which visualization is most appropriate?

70

A dashboard includes a form input that allows users to select a user. After selecting a user, a panel should show that user's activity. Which dashboard feature is required?

71

A report is scheduled to run every 5 minutes. After running, it sends an email if the count of errors exceeds 10. Which report action should be configured?

72

A dashboard has multiple panels that each use the same base search but apply different aggregate functions. To avoid running the base search multiple times, which technique should be used?

73

An organization has a large dataset and wants to create a daily report of top 10 error messages. The search takes a long time to run. Which optimization approach reduces run time while maintaining accuracy?

74

In a dashboard, a user wants to click on a bar in a chart and navigate to another dashboard with relevant data for that bar. Which feature should they configure?

75

Which two of the following are valid ways to create a report in Splunk? (Choose two.)

76

Which two of the following are actions that can be performed on a report after it is created? (Choose two.)

77

Which three of the following are best practices for creating efficient dashboards? (Choose three.)

78

Refer to the exhibit. Which visualization is most appropriate for this data?

79

Refer to the exhibit. The chart shows five series. What is the effect of the useother=f argument?

80

Refer to the exhibit. The dashboard panel shows a column chart of bytes by protocol for the last 24 hours. However, the chart shows only one column. What is the most likely cause?

81

A security analyst needs to create a report that shows the count of failed login attempts by user over the last 24 hours, updated every hour. The report should be accessible to the SOC team but not to other users. Which sequence of steps should the analyst follow?

82

When creating a dashboard panel that displays a line chart of CPU usage over time, which visualization option should be used to show multiple series (each CPU core) with different colors?

83

A dashboard includes a table panel that shows recent errors. The analyst wants users to click on an error message and be taken to a search showing all events containing that error message within the same time range. Which configuration should be applied to the table panel?

84

An analyst created a report that runs a search over the last 7 days. The report is scheduled to run daily. Each time the report runs, it takes a long time and impacts other searches. What is the best way to improve performance without changing the data model?

85

Which visualization type is best suited to show the proportion of errors by category (e.g., HTTP 404, 500, 403) as parts of a whole?

86

A dashboard uses tokens for time range selection. The admin wants to ensure that when a user changes the time range picker from 'Last 24 hours' to 'Last 7 days', all panels in the dashboard update accordingly. What is the correct way to define the token in Simple XML?

87

An analyst creates a dashboard with multiple panels. One panel shows a table of top users by login count. The analyst wants to add a second panel that updates based on the user clicked in the first panel. Which feature should be used?

88

In Splunk Web, which option allows a user to save a search result as a report that can be added to a dashboard later?

89

A newly created dashboard panel is not displaying data, showing only 'No results found'. The search query works correctly in the Search app. What is the most likely cause?

90

An analyst needs to create a dashboard that displays real-time data (streaming) for operational monitoring. Which panel type supports real-time data?

91

Which TWO actions are valid for modifying the appearance of a column chart in a dashboard panel? (Choose two.)

92

Which THREE of the following are valid considerations when scheduling a report for PDF delivery via email? (Choose three.)

93

Which TWO options are valid when adding a panel to a dashboard from an existing report? (Choose two.)

94

A security analyst creates a dashboard to monitor failed login attempts over the past 24 hours. Which visualization type is most appropriate for showing the trend of failed logins over time?

95

A user wants to create a dashboard panel that shows the top 5 most visited web pages. Which report type should be used as the underlying search?

96

An IT administrator has a dashboard with multiple panels that all use the same base search but with different post-processing filters. The dashboard is slow to load. Which optimization technique is most effective?

97

A dashboard panel using a bar chart shows a large number of values on the x-axis, making the chart unreadable. Which dashboard option should be used to limit the number of bars shown?

98

A dashboard designer adds a radio button input to filter by department. When a user selects a department, the panel does not update. What is the most likely cause?

99

A SOC manager creates a dashboard with multiple time-range pickers (one global, one per panel). The global picker is set to 'Last 7 days' but one panel uses its own picker set to 'Last 24 hours'. When the dashboard loads, which time range will the panel use?

100

A dashboard uses a drilldown on a table to navigate to another dashboard. After migration to a different Splunk instance, the drilldown links are broken. What is the best practice to avoid this issue?

101

A power user creates a dashboard with a panel that uses a search returning 10,000 events. The dashboard should display a single value representing the count of unique users. Which search approach is most efficient?

102

A user creates a report that summarizes error codes by frequency. They want to share it with the team so others can view but not edit. Which permission should the user set on the report?

103

Which TWO options are valid ways to add a visualization to a dashboard using Splunk Web? (Choose two.)

104

Which THREE elements are required to create a dashboard in Splunk Web? (Choose three.)

105

A dashboard panel uses a search that returns time-series data. Which TWO chart options are available in the 'Format' tab of the chart editor to modify the appearance of a line chart? (Choose two.)

106

A junior analyst creates a dashboard to monitor server CPU usage. The dashboard contains a single panel with a line chart showing CPU percentage over the last 24 hours. The analyst then adds a second panel that displays the same data but as a single value showing the average CPU. Both panels use the exact same search string. The dashboard loads slowly, and users complain of wait times. The analyst wants to improve performance without changing the displayed data. Which course of action is best?

107

A financial analyst creates a dashboard in Splunk Web to track daily transaction volumes. The dashboard has three panels: a table of top 10 merchants by transaction count, a bar chart of transactions by hour, and a single value showing total transaction amount. All panels use the same base search from the 'transactions' index. The analyst is in the 'finance' role. The dashboard runs fine in the analyst's session, but when the analyst shares the dashboard with the 'auditor' role, the auditor sees no data in any panel. The auditor role has read access to the dashboard and the 'transactions' index. What is the most likely cause?

108

A large enterprise Splunk environment has a heavy forwarder sending 2 TB of log data per day. An operator builds a dashboard that displays a real-time chart of events per second across all data sources, using the search 'index=* | stats count by sourcetype' with a real-time window of last 10 minutes. The dashboard is extremely slow, often timing out. The operator suspects the search is too broad. Which optimization strategy should be implemented first?

109

A security analyst wants to create a report showing the number of failed login attempts by user over the past 24 hours, updated automatically every hour. Which approach is most efficient?

110

Which TWO actions increase the performance of a dashboard in Splunk? (Choose two.)

111

A small business uses Splunk to monitor their web server. They have a dashboard that shows daily page views. After a system update, the dashboard loads very slowly, often timing out. The dashboard uses a search that takes only 2 seconds when run manually. The dashboard has a time range picker set to 'Today'. The update changed some default settings. What is the most likely cause?

112

A large organization's security team has a dashboard that displays the top 10 source IPs by number of failed login attempts. The dashboard uses a search: index=security sourcetype=login action=failure | top limit=10 src_ip. Lately, the dashboard shows incorrect data (e.g., IPs that are not actually top). However, when the same search is run in the Search app, it shows correct results. The dashboard is scheduled to refresh every 10 minutes. What is the most likely cause?

113

A company has a dashboard that uses a base search and four post-process searches to display metrics. The dashboard loads slowly. The base search returns 10,000 results and each post-process search further filters. The infrastructure team suggests using tstats to improve performance. Which approach is best?

114

A user creates a dashboard with a line chart showing server response times. The chart looks correct in the dashboard editor but when saved and viewed by other users, the chart shows no data. The other users have the same role as the creator. What is the most likely cause?

115

A Splunk administrator needs to create a dashboard that displays a summary of sales data from multiple regions. Each region's data is in a separate index. The dashboard should allow users to select a region from a dropdown and see the sales data for that region. Which type of dashboard input should be used?

116

A user wants to add a panel to an existing dashboard in Splunk. Which TWO of the following methods can be used to achieve this?

117

Refer to the exhibit. A user scheduled a report but it never runs. Which of the following is the most likely reason?

118

A large e-commerce company uses Splunk Enterprise to analyze sales data. The marketing team requests a real-time dashboard showing total revenue per product category, updated every 5 seconds. A new Splunk user creates a dashboard panel with the search `index=sales | stats sum(price) by category | sort - sum(price)`. The dashboard works initially, but after 30 minutes, it stops updating and displays the error 'Search failed: too many results'. The user is concerned about the impact on system performance. The data volume is approximately 1 TB per day. Which of the following should the user do to create a reliable dashboard that updates frequently without causing performance issues?

119

Refer to the exhibit. A user runs this search in Splunk to create a timechart of web server status codes. The resulting chart shows no data for the "error" status. What is the most likely cause?

120

Refer to the exhibit. A Splunk user runs this search against a lookup file containing application error data. The search returns fewer than 10 results. Which is the most likely reason?

121

Refer to the exhibit. A Splunk admin created this dashboard XML. When viewing the dashboard, the "Response Time" panel shows no data. What is the most likely cause?

122

Refer to the exhibit. A user runs this search to get details about a saved search. The results show empty values for the actions types. What is the most likely reason?

123

Refer to the exhibit. A security analyst runs this search to find top failed actions for admin accounts. The search returns no results, but there are failed actions for admin accounts in the data. What is the most likely cause?

Practice all 123 Creating Reports, Dashboards and Visualizations questions

Other SPLK-1002 exam domains

Splunk Basics and Interface NavigationBasic Searching and Transforming CommandsUsing Fields and LookupsData Models and Best Practices

Frequently asked questions

What does the Creating Reports, Dashboards and Visualizations domain cover on the SPLK-1002 exam?

The Creating Reports, Dashboards and Visualizations domain covers the key concepts tested in this area of the SPLK-1002 exam blueprint published by Splunk. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all SPLK-1002 domains — no account required.

How many Creating Reports, Dashboards and Visualizations questions are in the SPLK-1002 question bank?

The Courseiva SPLK-1002 question bank contains 123 questions in the Creating Reports, Dashboards and Visualizations domain. Click any question to see the full explanation and answer breakdown.

What is the best way to practice Creating Reports, Dashboards and Visualizations for SPLK-1002?

Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.

Can I practice only Creating Reports, Dashboards and Visualizations questions for SPLK-1002?

Yes — the session launcher on this page draws questions exclusively from the Creating Reports, Dashboards and Visualizations domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.

Free forever · No credit card required

Track your SPLK-1002 domain progress

Save your results, see per-domain analytics, and get readiness scores — free, for every certification.

Sign Up Free

Free forever · Every certification included

Practice Session

10 questions20 questions30 questions50 questions

Study Resources

All DomainsPractice TestMock ExamFlashcardsStudy Guide