Courseiva
Knowledge + Practice
CertificationsVendorsCareer RoadmapsLabs & ToolsStudy GuidesGlossaryPractice Questions
C
Courseiva

Free IT certification practice questions with explained answers for CCNA, CompTIA, AWS, Azure, Google Cloud, and more.

Certification Practice Questions

CCNA practice questionsSecurity+ SY0-701 practice questionsAWS SAA-C03 practice questionsAZ-104 practice questionsAZ-900 practice questionsCLF-C02 practice questionsA+ Core 1 practice questionsGoogle Cloud ACE practice questionsCySA+ CS0-003 practice questionsNetwork+ N10-009 practice questions
View all certifications →

Product

CertificationsCertification PathsExam TopicsPractice TestsExam Dumps vs Practice TestsStudy HubComparisons

Company

AboutContactEditorial PolicyQuestion Writing PolicyTrust Center

Legal

Privacy PolicyTerms of Service

Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.

HomeCertificationsSPLK-1002Exam Questions

Splunk · Free Practice Questions · Last reviewed May 2026

SPLK-1002 Exam Questions and Answers

30real exam-style questions organised by domain, each with the correct answer highlighted and a plain-English explanation of why it's right — and why the others are wrong.

65 exam questions
60 min time limit
Pass: 700/1000 / 1000
5 exam domains
OverviewDomain BlueprintStudy GuideAll QuestionsSample by Domain
1. Splunk Basics and Interface Navigation2. Basic Searching and Transforming Commands3. Using Fields and Lookups4. Creating Reports, Dashboards and Visualizations5. Data Models and Best Practices
1

Domain 1: Splunk Basics and Interface Navigation

All Splunk Basics and Interface Navigation questions
Q1
easyFull explanation →

A new Splunk user wants to view the raw event data for the last hour. Which interface should they use?

A

Search History

B

Settings

C

Data Summary

D

Search & Reporting

Main interface for searching raw events.

Why: The Search & Reporting interface (D) is the primary Splunk app for running searches and viewing raw event data. By default, it shows events from the last 24 hours, but the user can easily set the time range picker to 'Last hour' to see raw events for that period. This interface provides the search bar, timeline, and event listing necessary to inspect raw data.
Q2
mediumFull explanation →

An analyst notices that searches take long to complete. They want to understand how many events are indexed per second. Which tab in the Monitoring Console provides this information?

A

Indexing Performance

Shows events indexed per second.

B

License Usage

C

Search Performance

D

Forwarder Management

Why: The Monitoring Console's 'Indexing Performance' tab provides real-time metrics on indexing throughput, including events per second (EPS) and indexing latency. This directly answers the analyst's need to understand how many events are indexed per second, as it displays the rate at which data is being processed and written to indexes.
Q3
hardFull explanation →

A search returns no results. The user has verified that data is being indexed. What is the most likely cause?

A

The search term is misspelled

B

The search is using incorrect index name

C

The time range picker is set incorrectly

Most common cause if data is indexed.

D

The user lacks search permissions

Why: The most likely cause is that the time range picker is set incorrectly. Even if data is being indexed and the search terms are correct, Splunk restricts search results to the selected time range. If the time range does not cover the period when the data was indexed, the search will return no results. This is a common issue because the default time range is often set to "Last 24 hours" or "All time" depending on the user's last selection.
Q4
easyFull explanation →

After running a search, a user wants to save the search for later use. Which button should they click?

A

Export

B

Share

C

Save As

Saves the search for later use.

D

Schedule

Why: Option C is correct because the 'Save As' button in Splunk allows a user to save a completed search as a report, alert, or dashboard panel for later use. This is the standard method for persisting a search definition without executing it immediately, enabling reuse in the future.
Q5
mediumFull explanation →

A user wants to see a visual representation of search results over time. Which tab should they use?

A

Visualizations

Allows creating charts and graphs.

B

Patterns

C

Events

D

Statistics

Why: The Visualizations tab is the correct choice because it provides a graphical representation of search results, such as charts, graphs, and time-series plots, which are essential for visualizing trends over time. In Splunk, after running a search, the user can switch to the Visualizations tab to select from various chart types (e.g., line, column, area) that automatically map the _time field to the x-axis, enabling temporal analysis. This tab is specifically designed for transforming tabular search results into visual formats, making it the appropriate tool for seeing data over time.
Q6
hardFull explanation →

During onboarding, a new user can't find any data in Splunk. They see 'No results found' for all searches. The data is being forwarded from a universal forwarder. What should they check first?

A

Check if the user has admin role

B

Check if the forwarder is configured to send to the correct indexer

Common misconfiguration.

C

Check if the firewall is blocking ports

D

Check if the search is using the correct time range

Why: Option B is correct because the most common reason a universal forwarder sends data that never appears in Splunk is misconfiguration of the outputs.conf file. The forwarder must specify the correct indexer IP address or hostname and the receiving port (default 9997) using the TCP output stanza; if this is wrong, data is sent to the wrong destination or nowhere at all. Checking the forwarder's configuration first isolates whether data is even reaching the indexer tier before investigating other potential issues.

Want more Splunk Basics and Interface Navigation practice?

Practice this domain
2

Domain 2: Basic Searching and Transforming Commands

All Basic Searching and Transforming Commands questions
Q1
easyFull explanation →

A security analyst needs to identify the top 5 source IP addresses generating the most web traffic. Which command should be used?

A

| stats count by src_ip | sort - count

B

| top limit=5 src_ip

The top command with limit=5 returns the top 5 values.

C

| sort - count | head 5

D

| table src_ip | head 5

Why: Option B is correct because the `top` command is specifically designed to return the most common values of a field, and `limit=5` restricts the output to the top 5 source IP addresses by count. This command automatically sorts the results in descending order, making it the most efficient and direct way to identify the top 5 source IPs generating web traffic.
Q2
mediumFull explanation →

An administrator wants to count events by status code and show only codes with more than 100 events. Which search correctly accomplishes this?

A

| stats count by status | where count > 100

B

| eval count=1 | stats sum(count) by status | where count > 100

C

| stats count as cnt by status | where cnt > 100

Correct: stats counts by status, then filters on the count field.

D

| where count > 100 | stats count by status

Why: Option C is correct because it first uses `stats count as cnt by status` to count events per status code, renaming the count field to `cnt`, then applies `where cnt > 100` to filter for status codes with more than 100 events. This is the standard Splunk pattern for aggregating data and then filtering on the aggregated result.
Q3
hardFull explanation →

A search returns events with a field 'duration' in milliseconds. The analyst wants to create a new field 'duration_sec' that divides duration by 1000. Which command accomplishes this?

A

| rename duration as duration_sec

B

| convert duration_sec = duration/1000

C

| eval duration_sec = duration / 1000

eval creates new field with arithmetic.

D

| fields duration_sec = duration/1000

Why: Option C is correct because the `eval` command in Splunk is specifically designed to create new fields by evaluating expressions, including arithmetic operations. Using `| eval duration_sec = duration / 1000` creates a new field `duration_sec` that contains the value of `duration` divided by 1000, converting milliseconds to seconds.
Q4
mediumFull explanation →

A search returns 1,000 events. The analyst wants to see the first 10 events sorted by the '_time' field in descending order. Which search is correct?

A

| sort by _time | head 10

B

| sort -_time | head 10

Sorts descending, gives newest 10.

C

| sort +_time | head 10

D

| sort _time | head 10

Why: Option B is correct because the `sort` command with a hyphen prefix (`-`) sorts in descending order. By default, `sort` sorts in ascending order, so `sort -_time` sorts events by the `_time` field from newest to oldest, and `head 10` returns the first 10 events, which are the 10 most recent.
Q5
easyFull explanation →

An analyst wants to remove duplicate events based on the 'user' field, keeping only the first occurrence. Which command should be used?

A

| sort -user

B

| uniq user

C

| dedup user

Removes duplicates on user field.

D

| fields user

Why: The `dedup` command in Splunk removes duplicate events based on specified fields, keeping only the first occurrence by default. Since the analyst wants to remove duplicates based on the 'user' field and retain the first event, `| dedup user` is the correct command.
Q6
hardFull explanation →

A search includes the command '| stats dc(user) by host'. What does this command return?

A

The number of unique hosts per user

B

The count of events per host

C

The sum of user values per host

D

The number of distinct users per host

dc(user) counts distinct users.

Why: The `dc(user)` function in the `stats` command calculates the distinct count of the `user` field values. When combined with `by host`, it returns the number of unique users for each host. This is why option D is correct.

Want more Basic Searching and Transforming Commands practice?

Practice this domain
3

Domain 3: Using Fields and Lookups

All Using Fields and Lookups questions
Q1
easyFull explanation →

A security analyst is investigating a suspicious IP address. They want to find all events related to that IP. Which field should they use in a search?

A

source_ip

source_ip typically contains the originating IP address.

B

dest_ip

C

host

D

user

Why: The correct answer is A: source_ip. In Splunk, when investigating a suspicious IP address, the source_ip field identifies the origin of network traffic. By searching for source_ip=<suspicious IP>, you retrieve all events where that IP was the initiator of a connection, which is the most direct way to find events related to that IP in network logs.
Q2
mediumFull explanation →

A Splunk admin wants to enrich web server logs with geographic location data based on IP addresses. Which approach should they use?

A

Configure a lookup definition and use lookup command

lookup command enriches data with external sources like GeoIP.

B

Use rex to extract location from the IP

C

Use an eval command to calculate coordinates

D

Use fields command to add location

Why: Option A is correct because Splunk's lookup command, combined with a lookup definition that references a geographic IP-to-location database (such as MaxMind GeoLite2), allows the admin to enrich web server logs with fields like city, country, and coordinates based on the client IP address. This is the standard, efficient approach for IP geolocation enrichment in Splunk, as it leverages pre-built external data without requiring custom parsing or calculations.
Q3
hardFull explanation →

A search returns many events but the 'status' field is missing from some events. The admin wants to set a default value of 'unknown' when the field is absent. Which command should be used?

A

eval status=coalesce(status, "unknown")

B

default status=unknown

C

fillnull value=unknown status

fillnull sets null fields to a specified value.

D

replace status with "unknown"

Why: Option C is correct because the `fillnull` command explicitly sets a default value for specified fields when they are null or missing in search results. In this scenario, `fillnull value=unknown status` replaces all null or absent 'status' field values with 'unknown', ensuring consistency across events. This command is designed specifically for handling missing field values in Splunk, unlike `eval` or `default` which operate differently.
Q4
easyFull explanation →

A user wants to see only events where the 'action' field has a value of 'success'. Which search syntax should they use?

A

where action=success

B

action=success

Direct filtering in the search bar.

C

lookup action=success

D

search action=success

Why: Option B is correct because in Splunk's Search Processing Language (SPL), a field-value pair like `action=success` is the most direct and efficient way to filter events where the field 'action' has the value 'success'. This syntax leverages Splunk's index-time field extraction and inverted index lookup, making it faster than using the `where` or `search` commands for simple equality filters.
Q5
mediumFull explanation →

A lookup table contains employee names and IDs. An admin wants to add the employee name to events that contain an employee ID field called 'emp_id'. What is the correct lookup command syntax?

A

| lookup employee_lookup employee_name FROM emp_id

B

| lookup employee_lookup emp_id OUTPUTNEW *

C

| lookup employee_lookup emp_id OUTPUT employee_name

D

| lookup employee_lookup emp_id OUTPUTNEW employee_name

OUTPUTNEW prevents overwriting existing employee_name field.

Why: Option D is correct because the `OUTPUTNEW` clause in a lookup command only adds fields from the lookup table that are not already present in the event, preventing overwriting of existing field values. In this scenario, the admin wants to add the employee name to events that already contain an `emp_id` field, so `OUTPUTNEW employee_name` ensures the name is appended without modifying any existing data.
Q6
hardFull explanation →

A search includes a lookup that returns multiple values per event. The admin wants to see each matched value as a separate event. Which command should be used after the lookup?

A

mvexpand

mvexpand creates separate events for each multivalue entry.

B

untable

C

stats

D

makemv

Why: The `mvexpand` command is correct because it takes a multivalue field (such as one created by a lookup returning multiple matches) and expands it into separate events, one for each value. This allows the admin to see each matched value as an individual event, which is exactly the requirement.

Want more Using Fields and Lookups practice?

Practice this domain
4

Domain 4: Creating Reports, Dashboards and Visualizations

All Creating Reports, Dashboards and Visualizations questions
Q1
mediumFull explanation →

A security team needs to create a report that shows the number of distinct users who triggered a firewall block each day for the past 30 days. Which search and visualization combination should be used?

A

Use `dc(user)` with `chart` and a column chart

B

Use `top user` with `timechart` and a pie chart

C

Use `dc(user)` with `timechart` and a column chart

Correctly counts distinct users per day over time.

D

Use `count` with `chart` and a bar chart

Why: Option C is correct because `dc(user)` calculates the distinct count of users, and `timechart` automatically groups results by time (e.g., per day) over the specified 30-day range. A column chart is the appropriate visualization for displaying discrete daily counts, as it clearly shows trends over time.
Q2
easyFull explanation →

A user wants to create a dashboard panel that refreshes automatically every 60 seconds. Which setting must be configured in the panel's edit mode?

A

Add | delay 60 to the search

B

Set the Refresh Interval to 60 seconds

Directly sets the auto-refresh time.

C

Schedule the search to run every 60 seconds

D

Set the Time Range to Last 60 seconds

Why: Option B is correct because the dashboard panel's edit mode includes a 'Refresh Interval' setting that allows you to specify an automatic refresh period in seconds. Setting this to 60 causes the panel to re-run its underlying search and update the visualization every 60 seconds without manual intervention.
Q3
hardFull explanation →

A dashboard includes a table showing server errors. The team wants to click a row and drill down to a detailed view of that server's events in a new search. Which configuration is required?

A

Enable row expansion in the table options

B

Add a link to the search in the table using 'Link to external resource'

C

Set the drilldown action to 'Search' in the table's edit panel

Configures drilldown to run a new search.

D

Use the `drilldown` search command in the underlying search

Why: Option C is correct because setting the drilldown action to 'Search' in the table's edit panel configures the dashboard to open a new search when a row is clicked. This uses the selected row's field values (e.g., server name) to populate the new search, enabling a detailed view of that server's events. The drilldown action is a built-in feature of Splunk's Simple XML dashboards, not a search command or external link.
Q4
mediumFull explanation →

Which TWO statements are true about saved reports in Splunk?

A

All saved reports automatically send email alerts.

B

Saved reports are created exclusively from dashboard panels.

C

Saved reports can be used as data sources for dashboard panels.

Correct.

D

Saved reports can be scheduled to run at specific times.

Correct.

E

Saved reports cannot be edited after creation.

Why: Option C is correct because saved reports in Splunk can be used as data sources for dashboard panels. When you create a dashboard panel, you can select a saved report as its data source, which allows the panel to display the report's results. This enables reuse of report logic across multiple dashboards without rewriting the search.
Q5
hardFull explanation →

Which THREE of the following are valid ways to add a visualization to a dashboard?

A

Paste a search query in the dashboard editor.

Yes, it creates a new panel.

B

Create a report and then drag it onto the dashboard.

C

Click 'Add Panel' and choose 'New from Search'.

Standard method.

D

Clone an existing panel and edit its search.

Duplicates a panel for editing.

E

Upload a CSV file and select visualization type.

Why: Option A is correct because pasting a search query directly into the dashboard editor is a standard method for creating a new panel. When you paste a search in the editor, Splunk automatically generates a visualization based on the search results, allowing you to configure the chart type and formatting within the dashboard context.
Q6
easyFull explanation →

Which TWO chart types are best suited for showing the distribution of categorical data?

A

Scatter chart

B

Line chart

C

Area chart

D

Pie chart

Good for categorical distribution.

E

Column chart

Good for comparing categories.

Why: Pie charts and column charts are both effective for displaying the distribution of categorical data because they visually compare parts of a whole or the frequency of distinct categories. In Splunk, the `pie` and `column` chart types are commonly used with the `chart` or `timechart` commands to aggregate event counts or statistical values by a categorical field, making it easy to see relative proportions or rankings.

Want more Creating Reports, Dashboards and Visualizations practice?

Practice this domain
5

Domain 5: Data Models and Best Practices

All Data Models and Best Practices questions
Q1
mediumFull explanation →

A security analyst needs to create a data model for authentication logs that allows both event counts and average duration calculations. The data model should support fast search performance. Which approach best follows Splunk best practices for data model design?

A

Define root events as event types and add child transactions for duration calculations.

This approach allows efficient counts from root events and duration calculations from child transactions, following best practices.

B

Define the root event as an event type with calculated fields for duration.

C

Define the root event as a transaction type to include duration inherently.

D

Create separate data models for counts and durations.

Why: Option A is correct because Splunk best practices for data model design recommend using root events as event types for base calculations like counts, and adding child transactions (or child datasets) for calculations that require grouping multiple events, such as average duration. This separation optimizes search performance by allowing the data model to leverage the faster event-based search for counts while using transactions only when necessary for duration calculations.
Q2
easyFull explanation →

A Splunk administrator notices that a data model acceleration summary is not updating as expected. The data model is accelerated with a summary range of 30 days. What is the most likely cause of this issue?

A

The data model is based on a time range older than the summary range.

B

The summary index is not writable due to insufficient disk space.

Insufficient disk space prevents summary updates, stopping acceleration.

C

The data model includes calculated fields that are not search-time extractable.

D

The data model acceleration is configured to run only on real-time searches.

Why: Option B is correct because data model acceleration relies on a summary index to store pre-computed results. If the disk hosting that summary index is full, the acceleration process cannot write new data, causing the summary to stop updating. Splunk will log errors related to disk space, and the acceleration status will show as stalled or incomplete.
Q3
hardFull explanation →

A large enterprise has multiple Splunk indexers and is using data model acceleration to speed up dashboards. The dashboards are slow despite acceleration being enabled. The data model has many root events and child datasets. Which best practice should the administrator consider to improve performance?

A

Use tstats commands on the data model without acceleration.

B

Reduce the number of root events in the data model.

Fewer root events simplify the acceleration summary, improving build and search performance.

C

Replicate the data model on each indexer to distribute load.

D

Increase the summary range to cover more data.

Why: Data model acceleration creates a summary of the data, but the acceleration process must traverse all root events to build the child datasets. If there are too many root events, the acceleration job itself becomes slow and resource-intensive, negating the performance benefit. Reducing the number of root events directly reduces the workload for acceleration, allowing the summaries to be built faster and queries to run against the accelerated data more efficiently.
Q4
mediumFull explanation →

An analyst wants to create a data model that includes fields from both web server logs and database logs. The two sourcetypes have different timestamp formats. Which best practice should the analyst follow when designing the data model?

A

Use the data model to define new timestamp fields based on indexed data.

B

Normalize the timestamp fields using eval expressions in the data model definition.

Normalizing timestamps ensures consistent time-based acceleration and queries.

C

Use the same timestamp field name but ignore the format differences.

D

Create two separate data models, one for each sourcetype.

Why: Option B is correct because the best practice for handling different timestamp formats in a data model is to normalize them using eval expressions within the data model definition. This ensures that all events share a common, consistent timestamp field, which is essential for accurate time-based searches and pivot operations across multiple sourcetypes.
Q5
easyFull explanation →

A user reports that a data model acceleration is consuming excessive disk space on the indexer. The data model has a summary range of 90 days. Which action is best to reduce disk space usage while maintaining acceptable query performance?

A

Increase the acceleration frequency to rebuild summaries more often.

B

Reduce the summary range to 30 days.

A shorter summary range reduces the amount of summary data, saving disk space.

C

Disable acceleration for the data model.

D

Delete old indexed data that is not frequently queried.

Why: Reducing the summary range from 90 days to 30 days directly decreases the amount of data that the acceleration precomputes and stores on the indexer. This minimizes disk space consumption while still accelerating queries for the most recent, commonly accessed data. Maintaining a shorter summary range ensures acceptable performance for recent queries without the overhead of storing summaries for older, less frequently accessed time periods.
Q6
hardFull explanation →

During a data model acceleration build, the following error appears in splunkd.log: 'Data model acceleration: not enough memory to complete summary build.' Which best practice should the administrator implement to prevent this error?

A

Remove unnecessary fields from the data model to reduce complexity.

B

Increase the memory allocation for the data model acceleration process.

The error indicates insufficient memory; increasing allocation resolves it.

C

Reduce the summary range to less than 7 days.

D

Use tstats instead of data model acceleration for queries.

Why: Option B is correct because the error 'not enough memory to complete summary build' indicates that the data model acceleration process has exhausted its allocated memory. Increasing the memory allocation for the data model acceleration process (via the limits.conf or the data model acceleration settings) directly addresses this resource constraint, allowing the summary to build successfully.

Want more Data Models and Best Practices practice?

Practice this domain

Frequently asked questions

How many questions are on the SPLK-1002 exam?

The SPLK-1002 exam has 65 questions and must be completed in 60 minutes. The passing score is 700/1000.

What types of questions appear on the SPLK-1002 exam?

Scenario-based questions covering exam objectives with detailed answer explanations.

How are SPLK-1002 questions organised by domain?

The exam covers 5 domains: Splunk Basics and Interface Navigation, Basic Searching and Transforming Commands, Using Fields and Lookups, Creating Reports, Dashboards and Visualizations, Data Models and Best Practices. Questions are weighted by domain — higher-weight domains appear more on your actual exam.

Are these the actual SPLK-1002 exam questions?

No. These are original exam-style practice questions written against the official Splunk SPLK-1002 exam objectives. They are not copied from the real exam. Courseiva focuses on genuine understanding, not memorisation of braindumps.

Ready to practice all 65 SPLK-1002 questions?

Courseiva tracks your accuracy per domain and routes you toward weak areas automatically. Free, no account required.

Browse all SPLK-1002 questionsTake a timed practice test