Practice SPLK-1002 Splunk Basics and Interface Navigation questions with full explanations on every answer.
Splunk Basics and Interface Navigation — choose a session length
1. A new Splunk user wants to view the raw event data for the last hour. Which interface should they use?
2. An analyst notices that searches take a long time to complete. They want to understand how many events are indexed per second. Which tab in the Monitoring Console provides this information?
3. A search returns no results. The user has verified that data is being indexed. What is the most likely cause?
4. After running a search, a user wants to save the search for later use. Which button should they click?
5. A user wants to see a visual representation of search results over time. Which tab should they use?
6. During onboarding, a new user can't find any data in Splunk. They see 'No results found' for all searches. The data is being forwarded from a universal forwarder. What should they check first?
7. Which of the following is the default time range in a new Splunk search?
8. A user wants to view only the fields that appear in the current search results, without seeing all extracted fields. Which option should they use?
9. Which TWO of the following are valid ways to share a Splunk dashboard?
10. Which THREE of the following are features available in the Splunk Settings menu?
11. Which TWO of the following are default Splunk roles?
12. Refer to the exhibit. What can be determined about the license usage?
13. Refer to the exhibit. What is the most likely cause of the error?
14. A medium-sized enterprise uses Splunk Enterprise with a single indexer and one search head. They have 50 universal forwarders sending data from web servers, application servers, and database logs. Recently, the indexer crashed during peak hours. The administrator restarted the indexer and it came back up. After analyzing the crash log, they found that the indexer ran out of memory. The indexer has 16 GB RAM and the default memory settings. The daily indexing volume is about 20 GB. The administrator is concerned about stability. They want to prevent future crashes without adding hardware. What should they do?
15. A user at a large organization runs a search that returns 50,000 events. They need to export these events to a CSV file for further analysis in Excel. However, when they click the Export button and select CSV, only 10,000 events are exported. What is the most likely reason, and how should they export all 50,000 events?
16. A security analyst wants to investigate a suspicious IP address that appeared in multiple log sources. Which Splunk feature is best suited to quickly find all events containing that IP across all indexed data?
17. A Splunk administrator notices that a new user cannot see any data in the Search & Reporting app, even though the user has the 'user' role. What is the most likely cause?
18. Which TWO of the following are valid ways to add data to Splunk?
19. Refer to the exhibit. After running the search, the user wants to see only events where the HTTP status is 404. Which change to the search is correct?
20. You are a Splunk administrator at a mid-sized company that uses Splunk Enterprise to monitor application logs from a web server cluster. The cluster has five servers, each sending logs via a universal forwarder to a single indexer. The indexer has ample resources. Recently, users have complained that searches for the last 24 hours are slow, but searches for the last hour are fast. The data volume is about 50 GB per day. You suspect the issue is related to how data is stored or indexed. Which action should you take first to improve search performance for the 24-hour time range?
21. A new Splunk user wants to see all events from the last 30 minutes, but the search returns no results. The user knows data is being indexed. Which is the most likely cause?
22. A user runs a search and sees the results in the Statistics tab, but the events are not appearing. What is the most likely reason?
23. A user wants to save a search for later use but not schedule it. Which action should the user take?
24. An administrator notices that a user's search is timing out after 60 seconds. The search needs up to 5 minutes to complete. What should the administrator do?
25. Which three of the following are valid ways to navigate and interact with data in the Splunk Web interface? (Choose three.)
26. Which three options describe features or components of the Splunk default interface that are available to a Core Certified User? (Choose three.)
27. Which of the following are components of the Splunk interface that can be used to refine and focus search results? (Choose all that apply. There are four correct answers.)
28. Drag and drop the steps to create a new Splunk index into the correct order.
29. Drag and drop the steps to install an app from Splunkbase into the correct order.
30. Match each Splunk search command to its primary function.
31. Match each search command to its category.
32. A user runs a search and sees "No results found". The time range is set to "All time". Data exists in the index "main" and sourcetype "access_combined". Which is the most likely cause?
33. A user wants to see a list of all sourcetypes in the index "main". Which search command should be used?
34. A user notices that a search returns results only from the last 15 minutes, even though the time range picker is set to "All time". The search string is: error | timechart count. Which is the most likely cause?
35. Which tab in the Search app should be used to view the raw events in their original format?
36. To create a real-time dashboard panel showing errors in the last 30 minutes, which time range setting should be used?
37. A user needs to export search results to a CSV file for further analysis. Which method is the most straightforward?
38. From the Splunk Home page, which of the following can be accessed directly?
39. A search using index=security sourcetype=windows_security returns events with EventCode=4625. The user wants to find the top 10 source IP addresses. Which search will accomplish this?
40. A user wants to view only specific fields in the search results. Which interface element can be used to select which fields to show?
41. Which two tabs are always present in the search results page? (Select TWO)
42. Which two of the following search commands can be used to rename a field? (Select TWO)
43. Which three of the following actions can be performed from the "Save As" menu in the Search app? (Select THREE)
44. What is the purpose of this search?
45. This is a props.conf configuration snippet. What does it configure?
46. This message appears in the Monitoring Console. What does it indicate?
47. A new user wants to start a search in Splunk Web. Which is the first step they should take?
48. An analyst has multiple Splunk apps installed and wants to ensure a search runs against data from a specific app's index. Which action should they take?
49. A user runs a search but sees no results, even though they know events exist. The search does not show any errors. What is the most likely cause?
50. After running a search, an analyst sees a timeline graph at the top of the results. What is the primary purpose of the timeline?
51. An analyst wants to save a search so that they can run it again with a single click in the future. Which action should they take?
52. A team needs to be notified immediately when a specific error pattern appears in logs. The search for the pattern is already written. Which feature of Splunk should they use to set up automated notifications?
53. A user wants to view events from the last 4 hours. Which is the most efficient way to set the time range in Splunk Web?
54. After running a search, an analyst notices that useful fields are not appearing in the 'Selected Fields' section. What is the most likely reason?
55. A user notices that a search is taking a long time and wants to see a detailed performance breakdown. Which tool in Splunk Web should they use?
56. Which TWO of the following methods allow a user to switch between apps in Splunk Web?
57. Which TWO methods allow a user to share a saved search with other users in the same Splunk instance?
58. Which THREE of the following are core interface components visible on the Splunk Web search page?
59. Refer to the exhibit. What does the log entry indicate about the search job?
60. Refer to the exhibit. An administrator notices that searches against the 'sample_index' index return events older than 24 hours, while searches against other indexes do not. What is the most likely explanation?
61. Refer to the exhibit. A user reports they cannot log in to Splunk Web and sees this error in the logs. What is the most likely cause?
62. A user runs a search that returns many results. Which action in the Timeline histogram allows the user to narrow the result set to a specific time range?
63. An analyst has created a search that they want to run regularly. What is the most efficient way to save this search for future use?
64. A user wants to search only data from the 'security' index. Which search syntax should they use?
65. After running a search, the Fields sidebar shows several fields, but the analyst wants to see all fields. Which button should they click?
66. An administrator needs to find events from hosts that have reported a critical error in the last hour. Which search uses a subsearch correctly?
67. An analyst needs to count the number of distinct IP addresses that accessed a server. Which approach is most efficient?
68. A security team wants to add department info from an external CSV file to events containing user IDs. The CSV has columns 'userid' and 'department'. What is the correct configuration?
69. A user selects 'Last 24 hours' from the time picker, but their search returns events from only the last hour. What is the most likely cause?
70. An administrator wants to group all events from a single web session identified by session_id, where the session starts with a 'login' event and ends with a 'logout' event. Which search is correct?
71. Which TWO of the following are knowledge objects in Splunk?
72. Which THREE of the following are valid ways to narrow search results?
73. Which THREE of the following are steps in the process of creating a dashboard from a search?
74. Refer to the exhibit. What is the primary purpose of this search?
75. Refer to the exhibit. What does this configuration do?
76. Refer to the exhibit. What is the effect of this command?
77. A new Splunk user logs in and sees the Home page. What is the most direct way to start searching data?
78. A user runs a search but sees zero results. What is the most common cause for this?
79. Where does a user click to view all fields extracted from search results?
80. A user frequently runs a long search and wants to save it as a report. What is the best practice when naming the report?
81. An admin wants to add a new data input for a network device sending syslog. Under which Settings menu would the admin navigate?
82. A user needs to quickly find a specific event from last week. Which navigation method is most efficient?
83. A search is slow and the user wants to check the performance metrics. Which part of the UI provides details like run duration, scan count, and result count?
84. A dashboard developer wants to add a table that only shows the top 5 values of a field. Which dashboard editor component should they use?
85. When viewing search results, what is the difference between the 'Events' tab and the 'Statistics' tab?
86. Which TWO of the following are valid ways to navigate from a search result to a dashboard?
87. Which TWO of the following are features available in the Splunk Web interface under the 'Settings' menu?
88. Which THREE of the following are elements of the Splunk search interface?
89. The exhibit shows a savedsearches.conf stanza. What is the effect of the setting `displayview = flashtimeline`?
90. The exhibit shows log output from a Splunk search head. What is the most likely performance issue indicated?
91. A company has 50 Splunk users in the default 'user' role. The Splunk administrator wants to allow a subset of 5 users to create custom alerts and reports, but not modify data inputs or indexes. The administrator creates a new role called 'analyst' and assigns the 'can_create_alerts' and 'can_create_reports' capabilities. However, when these 5 users log in, they cannot create alerts or reports and receive an error that they 'do not have permission to create alerts'. The administrator verifies that the role has both capabilities. Which of the following is the most likely cause and solution?
92. A user wants to quickly see the count of events per source type over the last hour without performing a search. Which Splunk Web feature provides this information with the fewest clicks?
93. A new user accidentally closed the search bar while in the Search & Reporting app and can no longer see it. What is the most direct way to restore the search bar?
94. A user is building a search in Splunk Web and wants to use the field autocomplete feature to quickly select fields. What must the user do to enable this feature?
95. A user runs a search in Splunk Web that returns no results. The user believes data should exist for the current time. Which action most quickly verifies whether the time range is the issue?
96. Which TWO of the following are valid ways to access the Search & Reporting app in Splunk Web? (Choose two.)
97. Which TWO of the following are valid methods to change the time range of a search in Splunk Web? (Choose two.)
98. Which THREE of the following are standard components of the Splunk Web Search interface? (Choose three.)
99. A large enterprise is using Splunk Enterprise to monitor web server logs from 200 servers. The logs are forwarded via a heavy forwarder cluster. Recently, a user has reported that when they log into Splunk Web and navigate to the Search & Reporting app, the search bar is empty, and they cannot see any data. The user has confirmed that other users can see data and run searches. The user is part of the 'power' role. The queries for the web server logs use the index 'web_logs'. The user can see the index in the Data Summary. The user has cleared the browser cache and tried a different browser, but the issue persists. What is the most likely cause of this issue?
100. A junior administrator at a mid-size company is responsible for onboarding new data sources into Splunk. She has been asked to add a custom application log file, which is generated in a proprietary text format. The log file is located on a Linux server that is not a Splunk universal forwarder. The administrator plans to use the Add Data wizard in Splunk Web to monitor this file. However, when she navigates to Settings > Add Data, she does not see the option to 'Monitor a file' but only sees options for 'Upload' and 'Forward'. She is logged in as admin. What is the most likely reason for this?
101. A support technician is troubleshooting a user who cannot see the 'Field sidebar' and 'Timeline' in the Search & Reporting app. The user says that when they run a search, they only see the results in a table format, but no side panels or timeline below the search bar. The technician checks the user's settings and finds that the user's default app is set to 'Search & Reporting'. The technician then looks at the user's browser and notices that the user has a very small browser window. What is the most likely cause of the missing panels?
102. A Splunk administrator is reviewing the 'Add Data' wizard for a new data source. The admin wants to monitor a log file that is located on the same server where Splunk is installed. The admin navigates to Settings > Add Data and selects 'Monitor' and then 'Files & Directories'. In the file list, the admin sees a checkbox next to each file. The admin selects the desired file and clicks 'Next'. However, the wizard does not proceed to the next page; instead, nothing happens. The admin has confirmed that the file exists and is readable. What is the most likely cause?
103. A security analyst uses Splunk Web daily to investigate incidents. Recently, the analyst noticed that when running a search, the search results are displayed correctly, but the 'Field sidebar' on the left shows the message 'No fields found. Your search may not have generated any fields.' The analyst knows that the data has fields because the same search used to show fields. The analyst has not changed any settings. The analyst is using the same Splunk instance and same data. What is the most likely reason for this issue?
104. A user is trying to create a dashboard in Splunk Web by saving a search as a dashboard panel. The user runs a search that produces a table of results. The user clicks 'Save As' and selects 'Dashboard Panel'. The user then selects an existing dashboard and clicks 'Save'. However, the panel does not appear on the dashboard. The user has confirmed that the dashboard exists and that they have write permission to it. The user also sees no error messages. What is the most likely cause of this issue?
105. Which THREE of the following are valid methods to access the Search & Reporting app in Splunk Web?
106. Refer to the exhibit. A user runs this search but receives an error. What is the most likely cause?
107. A company has a distributed Splunk environment with a single search head and 4 indexers. The data volume is approximately 50 GB per day across various sourcetypes. Users frequently run searches that span 'All time' (from the time picker), and these searches are taking significantly longer than expected. The search head shows high CPU usage during these searches, while indexers are moderately loaded. The administrator has verified that all indexers are healthy and that there are no network bottlenecks. The data is raw log data with minimal field extractions. Which course of action will most effectively improve search performance for these 'All time' searches?
The Splunk Basics and Interface Navigation domain covers the key concepts tested in this area of the SPLK-1002 exam blueprint published by Splunk. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all SPLK-1002 domains — no account required.
The Courseiva SPLK-1002 question bank contains 107 questions in the Splunk Basics and Interface Navigation domain. Click any question to see the full explanation and answer breakdown.
Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.
Yes — the session launcher on this page draws questions exclusively from the Splunk Basics and Interface Navigation domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.