Splunk · Free Practice Questions · Last reviewed May 2026
30 real exam-style questions organised by domain, each with the correct answer highlighted and a plain-English explanation of why it's right — and why the others are wrong.

A new Splunk user wants to view the raw event data for the last hour. Which interface should they use?
Search History
Settings
Data Summary
Search & Reporting
Correct. Search & Reporting is the main interface for searching raw events.

An analyst notices that searches take long to complete. They want to understand how many events are indexed per second. Which tab in the Monitoring Console provides this information?
Indexing Performance
Correct. Indexing Performance shows events indexed per second.
License Usage
Search Performance
Forwarder Management

A search returns no results. The user has verified that data is being indexed. What is the most likely cause?
The search term is misspelled
The search is using incorrect index name
The time range picker is set incorrectly
Correct. An incorrect time range is the most common cause when data is confirmed to be indexed.
The user lacks search permissions

After running a search, a user wants to save the search for later use. Which button should they click?
Export
Share
Save As
Correct. Save As saves the search for later use.
Schedule

A user wants to see a visual representation of search results over time. Which tab should they use?
Visualizations
Correct. The Visualizations tab allows creating charts and graphs.
Patterns
Events
Statistics

During onboarding, a new user can't find any data in Splunk. They see 'No results found' for all searches. The data is being forwarded from a universal forwarder. What should they check first?
Check if the user has admin role
Check if the forwarder is configured to send to the correct indexer
Correct. A forwarder pointing at the wrong indexer is a common misconfiguration.
Check if the firewall is blocking ports
Check if the search is using the correct time range

A security analyst needs to identify the top 5 source IP addresses generating the most web traffic. Which command should be used?
| stats count by src_ip | sort - count
| top limit=5 src_ip
Correct. The top command with limit=5 returns the top 5 values.
| sort - count | head 5
| table src_ip | head 5

An administrator wants to count events by status code and show only codes with more than 100 events. Which search correctly accomplishes this?
| stats count by status | where count > 100
| eval count=1 | stats sum(count) by status | where count > 100
| stats count as cnt by status | where cnt > 100
Correct. stats counts by status as cnt, then where filters on that count field.
| where count > 100 | stats count by status

A search returns events with a field 'duration' in milliseconds. The analyst wants to create a new field 'duration_sec' that divides duration by 1000. Which command accomplishes this?
| rename duration as duration_sec
| convert duration_sec = duration/1000
| eval duration_sec = duration / 1000
Correct. eval creates a new field using arithmetic.
| fields duration_sec = duration/1000

A search returns 1,000 events. The analyst wants to see the first 10 events sorted by the '_time' field in descending order. Which search is correct?
| sort by _time | head 10
| sort -_time | head 10
Correct. sort -_time sorts descending, so head 10 returns the newest 10 events.
| sort +_time | head 10
| sort _time | head 10

An analyst wants to remove duplicate events based on the 'user' field, keeping only the first occurrence. Which command should be used?
| sort -user
| uniq user
| dedup user
Correct. dedup removes duplicates on the user field, keeping the first occurrence.
| fields user

A search includes the command '| stats dc(user) by host'. What does this command return?
The number of unique hosts per user
The count of events per host
The sum of user values per host
The number of distinct users per host
Correct. dc(user) counts distinct users per host.

A security analyst is investigating a suspicious IP address. They want to find all events related to that IP. Which field should they use in a search?
source_ip
Correct. source_ip typically contains the originating IP address.
dest_ip
host
user

A Splunk admin wants to enrich web server logs with geographic location data based on IP addresses. Which approach should they use?
Configure a lookup definition and use lookup command
Correct. The lookup command enriches data with external sources such as GeoIP.
Use rex to extract location from the IP
Use an eval command to calculate coordinates
Use fields command to add location

A search returns many events but the 'status' field is missing from some events. The admin wants to set a default value of 'unknown' when the field is absent. Which command should be used?
eval status=coalesce(status, "unknown")
default status=unknown
fillnull value=unknown status
Correct. fillnull sets null fields to a specified value.
replace status with "unknown"

A user wants to see only events where the 'action' field has a value of 'success'. Which search syntax should they use?
where action=success
action=success
Correct. This filters directly in the search bar.
lookup action=success
search action=success

A lookup table contains employee names and IDs. An admin wants to add the employee name to events that contain an employee ID field called 'emp_id'. What is the correct lookup command syntax?
| lookup employee_lookup employee_name FROM emp_id
| lookup employee_lookup emp_id OUTPUTNEW *
| lookup employee_lookup emp_id OUTPUT employee_name
| lookup employee_lookup emp_id OUTPUTNEW employee_name
Correct. OUTPUTNEW prevents overwriting an existing employee_name field.

A search includes a lookup that returns multiple values per event. The admin wants to see each matched value as a separate event. Which command should be used after the lookup?
mvexpand
Correct. mvexpand creates a separate event for each multivalue entry.
untable
stats
makemv

A security team needs to create a report that shows the number of distinct users who triggered a firewall block each day for the past 30 days. Which search and visualization combination should be used?
Use `dc(user)` with `chart` and a column chart
Use `top user` with `timechart` and a pie chart
Use `dc(user)` with `timechart` and a column chart
Correct. dc(user) with timechart correctly counts distinct users per day over time.
Use `count` with `chart` and a bar chart

A user wants to create a dashboard panel that refreshes automatically every 60 seconds. Which setting must be configured in the panel's edit mode?
Add | delay 60 to the search
Set the Refresh Interval to 60 seconds
Correct. The Refresh Interval directly sets the auto-refresh time.
Schedule the search to run every 60 seconds
Set the Time Range to Last 60 seconds

A dashboard includes a table showing server errors. The team wants to click a row and drill down to a detailed view of that server's events in a new search. Which configuration is required?
Enable row expansion in the table options
Add a link to the search in the table using 'Link to external resource'
Set the drilldown action to 'Search' in the table's edit panel
Correct. This configures the drilldown to run a new search.
Use the `drilldown` search command in the underlying search

Which TWO statements are true about saved reports in Splunk?
All saved reports automatically send email alerts.
Saved reports are created exclusively from dashboard panels.
Saved reports can be used as data sources for dashboard panels.
Correct.
Saved reports can be scheduled to run at specific times.
Correct.
Saved reports cannot be edited after creation.

Which THREE of the following are valid ways to add a visualization to a dashboard?
Paste a search query in the dashboard editor.
Correct. It creates a new panel.
Create a report and then drag it onto the dashboard.
Click 'Add Panel' and choose 'New from Search'.
Correct. This is the standard method.
Clone an existing panel and edit its search.
Correct. This duplicates a panel for editing.
Upload a CSV file and select visualization type.

Which TWO chart types are best suited for showing the distribution of categorical data?
Scatter chart
Line chart
Area chart
Pie chart
Correct. Pie charts are good for showing categorical distribution.
Column chart
Correct. Column charts are good for comparing categories.

A security analyst needs to create a data model for authentication logs that allows both event counts and average duration calculations. The data model should support fast search performance. Which approach best follows Splunk best practices for data model design?
Define root events as event types and add child transactions for duration calculations.
Correct. This approach allows efficient counts from root events and duration calculations from child transactions, following best practices.
Define the root event as an event type with calculated fields for duration.
Define the root event as a transaction type to include duration inherently.
Create separate data models for counts and durations.

A Splunk administrator notices that a data model acceleration summary is not updating as expected. The data model is accelerated with a summary range of 30 days. What is the most likely cause of this issue?
The data model is based on a time range older than the summary range.
The summary index is not writable due to insufficient disk space.
Correct. Insufficient disk space prevents summary updates, stopping acceleration.
The data model includes calculated fields that are not search-time extractable.
The data model acceleration is configured to run only on real-time searches.

A large enterprise has multiple Splunk indexers and is using data model acceleration to speed up dashboards. The dashboards are slow despite acceleration being enabled. The data model has many root events and child datasets. Which best practice should the administrator consider to improve performance?
Use tstats commands on the data model without acceleration.
Reduce the number of root events in the data model.
Correct. Fewer root events simplify the acceleration summary, improving build and search performance.
Replicate the data model on each indexer to distribute load.
Increase the summary range to cover more data.

An analyst wants to create a data model that includes fields from both web server logs and database logs. The two sourcetypes have different timestamp formats. Which best practice should the analyst follow when designing the data model?
Use the data model to define new timestamp fields based on indexed data.
Normalize the timestamp fields using eval expressions in the data model definition.
Correct. Normalizing timestamps ensures consistent time-based acceleration and queries.
Use the same timestamp field name but ignore the format differences.
Create two separate data models, one for each sourcetype.

A user reports that a data model acceleration is consuming excessive disk space on the indexer. The data model has a summary range of 90 days. Which action is best to reduce disk space usage while maintaining acceptable query performance?
Increase the acceleration frequency to rebuild summaries more often.
Reduce the summary range to 30 days.
Correct. A shorter summary range reduces the amount of summary data, saving disk space.
Disable acceleration for the data model.
Delete old indexed data that is not frequently queried.

During a data model acceleration build, the following error appears in splunkd.log: 'Data model acceleration: not enough memory to complete summary build.' Which best practice should the administrator implement to prevent this error?
Remove unnecessary fields from the data model to reduce complexity.
Increase the memory allocation for the data model acceleration process.
Correct. The error indicates insufficient memory; increasing the allocation resolves it.
Reduce the summary range to less than 7 days.
Use tstats instead of data model acceleration for queries.

The SPLK-1002 exam has 65 questions and must be completed in 60 minutes. The passing score is 700/1000.
Scenario-based questions covering exam objectives with detailed answer explanations.
The exam covers 5 domains: Splunk Basics and Interface Navigation, Basic Searching and Transforming Commands, Using Fields and Lookups, Creating Reports, Dashboards and Visualizations, Data Models and Best Practices. Questions are weighted by domain — higher-weight domains appear more on your actual exam.
No. These are original exam-style practice questions written against the official Splunk SPLK-1002 exam objectives. They are not copied from the real exam. Courseiva focuses on genuine understanding, not memorisation of braindumps.
Courseiva tracks your accuracy per domain and routes you toward weak areas automatically. Free, no account required.