© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.
SPLK-1002 Basic Searching and Transforming Commands — All Questions With Answers

Complete SPLK-1002 Basic Searching and Transforming Commands question bank — all 0 questions with answers and detailed explanations.

69 questions
Question 1 (easy, multiple choice)

A security analyst needs to identify the top 5 source IP addresses generating the most web traffic. Which command should be used?

Question 2 (medium, multiple choice)

An administrator wants to count events by status code and show only codes with more than 100 events. Which search correctly accomplishes this?

Question 3 (hard, multiple choice)

A search returns events with a field 'duration' in milliseconds. The analyst wants to create a new field 'duration_sec' that divides duration by 1000. Which command accomplishes this?

Question 4 (medium, multiple choice)

A search returns 1,000 events. The analyst wants to see the first 10 events sorted by the '_time' field in descending order. Which search is correct?

Question 5 (easy, multiple choice)

An analyst wants to remove duplicate events based on the 'user' field, keeping only the first occurrence. Which command should be used?

Question 6 (hard, multiple choice)

A search includes the command '| stats dc(user) by host'. What does this command return?

Question 7 (medium, multi-select)

Which TWO commands can be used to filter events based on a field value? (Choose two.)

Question 8 (hard, multi-select)

Which THREE of the following are valid uses of the 'eval' command? (Choose three.)

Question 9 (medium, multiple choice)

How many events will be output by this search?

Exhibit:

```
| makeresults count=5
| eval user = mvappend("alice","bob","charlie")
| mvexpand user
| stats count by user
```

Question 10 (hard, multiple choice)

What is the purpose of this search?

Exhibit:

```
index=web sourcetype=access_combined
| stats count by status
| sort - count
| head 5
```

Question 11 (hard, multiple choice)

A large e-commerce company uses Splunk to monitor its web application. The operations team has noticed that the search for tracking user sessions is taking too long and consuming excessive resources. The current search is:

`index=web sourcetype=access_combined | stats count by clientip, sessionid, productid | sort - count`

The index contains over 10 billion events per day. The team wants to reduce the search time while still being able to identify the top 10 most active sessions (combinations of clientip and sessionid) that involve more than 5 product views. They also need to exclude any sessions that originated from internal IPs (10.0.0.0/8). Which approach would achieve this most efficiently?

Question 12 (medium, multi-select)

Which TWO of the following statements about the `stats` command in Splunk are correct? (Choose two.)

Question 13 (hard, multiple choice)

Refer to the exhibit. A security analyst runs the search and sees the result table. The analyst wants to see only the top 3 URI paths with their counts, without the percentage column. Which command modification achieves this?

Exhibit:

Search:

```
index=web sourcetype=access_combined | top limit=5 uri_path
```

Result table:

```
uri_path          count   percent
/                 4523    23.45
/login            2341    12.14
/products         1890    9.80
/about            1234    6.40
/contact          987     5.12
```

Question 14 (easy, multiple choice)

A junior Splunk user is tasked with investigating slow search performance in a large Splunk environment. The user runs a search over a week of data from the main index (containing 500 GB of data per day) using the following command: `index=main | search error | stats count by host`. The search takes over 10 minutes to complete. The user wants to improve search performance while still getting accurate results. Which of the following actions should the user take first?

Question 15 (medium, multi-select)

Which three of the following are valid uses of the `stats` command in Splunk? (Choose three.)

Question 16 (medium, multi-select)

Which three of the following statements about the `eval` command in Splunk are correct? (Choose three.)

Question 17 (medium, multi-select)

Which of the following statements about the `top` and `rare` commands in Splunk are correct? Choose all that apply. (There are four correct answers.)

Question 18 (medium, drag-and-drop ordering)

Drag and drop the steps to configure a Splunk forwarder to send data to an indexer into the correct order.

Question 19 (medium, drag-and-drop ordering)

Drag and drop the steps to create a Splunk dashboard with a single panel into the correct order.

Question 20 (medium, matching)

Match each Splunk role to its typical permission scope.

Descriptions to match:

- Full system access including settings and users
- Create and share knowledge objects and run searches
- Run searches and create personal knowledge objects
- Ability to delete events from indexes

Question 21 (medium, matching)

Match each Splunk license type to its description.

Descriptions to match:

- Full-featured license for production use
- Limited to 500 MB/day, no authentication or distributed search
- Free license for forwarders only
- Full features for a limited time period

Question 22 (easy, multiple choice)

An analyst wants to find all events where the field 'status' is not 200. Which search is correct?

Question 23 (medium, multiple choice)

A user runs a search that returns thousands of results. They need to see only the first 100 events after sorting by time descending. Which command should they use?

Question 24 (hard, multiple choice)

A search uses `eval memory_MB = memory_bytes / 1024 / 1024`. The field memory_bytes contains values like '2,048,000'. The resulting memory_MB field is often null. What is the most likely cause?

Question 25 (medium, multi-select)

Which TWO of the following commands can be used to create a new field from existing fields?

Question 26 (hard, multi-select)

Which THREE of the following are valid uses of the stats command?

Question 27 (easy, multi-select)

Which TWO of the following commands will return exactly one result row when there is at least one event?

Question 28 (easy, multiple choice)

Refer to the exhibit. A user runs this search. The results show only Error and Warning, but no Info. What is the most likely reason?

Exhibit:

```
index=main | eval severity = case(error=1, "Error", warning=1, "Warning", 1=1, "Info") | stats count by severity
```

Question 29 (medium, multiple choice)

Refer to the exhibit. A user runs this search and gets 10 results as expected. However, they want to see the top 10 hosts for the past week. The search still returns results, but the counts are lower than expected. What is the most likely reason?

Exhibit:

```
index=main | stats count by host | sort - count | head 10
```

Question 30 (hard, multiple choice)

Refer to the exhibit. The search runs but the user field is not modified. What is the most likely cause?

Exhibit:

```
index=main | eval user=lowercase(user)
```

Question 31 (easy, multiple choice)

A security analyst needs to find the number of failed login attempts per user in the last hour. The events contain a field 'result' with value 'failure'. Which search is correct?

Question 32 (easy, multiple choice)

A user wants to see the top 5 most common values of the 'action' field in the web access logs. Which command should be used?

Question 33 (medium, multiple choice)

An analyst runs the search `index=web | stats count by status | sort - count` and wants to show only status codes with count greater than 100. Which command should be added before the sort?

Question 34 (medium, multiple choice)

A team needs to calculate the average response time for each URL path from web server logs. The response time is in a field 'duration'. Which search is correct?

Question 35 (medium, multiple choice)

A search returns events with a field 'ip' that contains both IPv4 and IPv6 addresses. An analyst wants to count events for each IP type (IPv4 vs IPv6). Which command should be used to create a new field that categorizes the IP type?

Question 36 (hard, multiple choice)

A search `index=main | top limit=10 user | fields - percent` is running slowly on a large dataset. Which change would likely improve performance the most?

Question 37 (hard, multiple choice)

An analyst needs to find the count of events by source type for each day in the past week, but only for source types with more than 1000 events. Which search is correct?

Question 38 (hard, multiple choice)

An analyst runs a search that returns 10,000 events. They want to see the distribution of the 'status' field across the 'method' field. Which command should be used?

Question 39 (easy, multiple choice)

A user wants to remove duplicate events based on the 'transaction_id' field, keeping only the first occurrence. Which command is appropriate?

Question 40 (easy, multi-select)

Which two of the following search commands are transforming commands? (Choose two.)

Question 41 (medium, multi-select)

Which two components are required to create a time-based chart of average CPU usage per host over the last 4 hours? (Choose two.)

Question 42 (hard, multi-select)

Which three of the following are valid ways to filter events before a transforming command? (Choose three.)

Question 43 (hard, multiple choice)

Refer to the exhibit. An analyst runs this search and expects to see a table of status codes with their counts, filtered to those with count greater than 100. The search returns zero results even though there are many events. What is the most likely reason?

Exhibit:

```
index=weblogic sourcetype=accesslog
| rex "status=(?<status_code>\d+)"
| stats count by status_code
| where count > 100
```

Question 44 (medium, multiple choice)

Refer to the exhibit. A security analyst runs this search and gets two rows: threat_level 'high' and 'low'. However, many events have threat_score between 60 and 90 that are not captured. How should the search be modified to include a 'medium' category?

Exhibit:

```
index=network sourcetype=firewall
| eval threat_level = if(threat_score > 90, "high", "low")
| stats count by threat_level
```

Question 45 (easy, multiple choice)

Refer to the exhibit. An analyst wants to see the top 10 most visited URI paths, but the result also includes a 'percent' column. To remove the percent column, which command should be added?

Exhibit:

```
index=web sourcetype=access_combined
| top limit=10 uri_path
```

Question 46 (easy, multiple choice)

A security analyst needs to find the number of failed login attempts per user. Which command group should be used?

Question 47 (easy, multiple choice)

A user wants to see the top 10 source IP addresses generating 404 errors. Which SPL is correct?

Question 48 (medium, multiple choice)

An analyst runs `index=app sourcetype=log ERROR | stats count by host | where count > 5`. What is the function of the where command in this search?

Question 49 (medium, multiple choice)

A user needs to create a report showing the average response time per endpoint for the last hour. Which command would produce this result?

Question 50 (hard, multiple choice)

A large enterprise uses Splunk to monitor 500+ servers. A search returns results slowly due to high data volume. Which best practice can improve performance when using the top command?

Question 51 (hard, multiple choice)

An analyst wants to find events where the field 'user' is not present. Which search correctly identifies such events?

Question 52 (easy, multiple choice)

A user needs to see the trend of login failures over the past 7 days, broken down by hour. Which command should be used?

Question 53 (medium, multiple choice)

A search returns many duplicate events due to data source redundancy. Which command can remove duplicate events based on a specific field?

Question 54 (hard, multiple choice)

An analyst executes the following search: `index=main sourcetype=access | stats dc(user) by host`. What does dc(user) do?

Question 55 (medium, multi-select)

Which TWO commands can be used to create a chart that shows the count of events over time?

Question 56 (medium, multi-select)

Which THREE of the following are transforming commands in Splunk?

Question 57 (hard, multi-select)

Which TWO factors should be considered when deciding to use the rare command instead of top?

Question 58 (hard, multiple choice)

Refer to the exhibit. What will be the output of this search?

Exhibit:

```
index=web sourcetype=access status=200 | stats count by productId | sort - count | head 10
```

Question 59 (medium, multiple choice)

A medium-sized company uses Splunk to monitor its e-commerce platform. The platform generates around 10 million events per day from web servers, application logs, and databases. The security team wants to identify the top 10 IP addresses that trigger the most 403 Forbidden errors in the last 24 hours. However, when they run the search `index=ecom sourcetype=web status=403 | top src_ip`, the search takes over 5 minutes to complete and sometimes times out. The team needs a faster approach that still accurately identifies the top IPs. The team's Splunk environment uses indexers and a search head. The data is not accelerated. What should the team do to improve search performance?

Question 60 (hard, multiple choice)

A large financial institution uses Splunk to consolidate logs from thousands of ATMs. Each ATM sends a heartbeat event every 5 minutes containing fields: atm_id, timestamp, status (OK or ERROR), and firmware_version. The operations team wants to find the number of ATMs that have reported at least one ERROR status in the last hour. The initial search is `index=atm sourcetype=heartbeat status=ERROR | dedup atm_id | stats count`. However, this search returns a count that is too high because some ATMs report multiple errors within the hour. The team needs an accurate count of ATMs that had any error, regardless of how many error events each ATM generated. The search must be efficient due to the high volume of events. Which approach should be used?

Question 61 (medium, multi-select)

A user wants to find events where the status code is 500 or 503 and the response time is greater than 2 seconds. Which TWO SPL commands will correctly limit the results to only these events?

Question 62 (easy, multiple choice)

A security analyst uses Splunk to ingest firewall logs from multiple locations. The index is 'firewall' and the sourcetype is 'fw_log'. Each event contains fields: src_ip, dest_ip, action, bytes, and time. The analyst needs to find how many unique source IPs have been logged in the last hour to report potential scanning activity. The search should be efficient and accurate, returning only the total count of distinct source IPs. Which search accomplishes this?

Question 63 (medium, multiple choice)

A network operations team uses Splunk to monitor netflow data stored in index='net' and sourcetype='netflow'. The events contain fields: src_ip, dest_ip, bytes, and protocols. The team needs to identify the top 5 source IPs by total bytes transferred (based on the bytes field). For each of those top source IPs, they also want to list the destination IPs and the number of times they communicated. The data volume is large, so performance is important. Which SPL approach returns the desired results efficiently?

Question 64 (hard, multiple choice)

A Splunk administrator is troubleshooting a slow search on firewall logs. The index is 'firewall', sourcetype is 'cisco:asa', and there is about 500 GB of data per day. The search is `index=firewall sourcetype=cisco:asa action=block | stats count by src_ip | where count > 1000`. This search takes over 5 minutes to return results. The administrator needs the same results faster. The index has a data model named 'firewall_dm' that is accelerated with a summary range of 7 days. Which change to the search will improve performance the most while still returning the same results?

Question 65 (hard, multiple choice)

Refer to the exhibit. A user runs the search and gets no results. Which is the most likely cause?

Exhibit:

```
index=web sourcetype=access_combined
| stats count by status | where status >= 400
| sort - count
```

Question 66 (hard, multiple choice)

Refer to the exhibit. The search returns no results. What is the most likely reason?

Exhibit:

```
index=security sourcetype=linux_secure
| regex _raw="Failed password for .* from (?<src_ip>\d+\.\d+\.\d+\.\d+)"
| top 5 src_ip
```

Question 67 (medium, multiple choice)

Refer to the exhibit. A user gets an error: 'Error in 'where' command: The field 'count' is not a numeric type.' What is the issue?

Exhibit:

```
index=main sourcetype=apache
| timechart count by host span=1h
| where count > 100
```

Question 68 (hard, multiple choice)

Refer to the exhibit. The search returns zero results. What is a likely cause?

Exhibit:

```
index=app sourcetype=json_logs
| spath input=raw_data path=response.status
| search response.status=200
| stats count by response.status
```

Question 69 (medium, multiple choice)

Refer to the exhibit. The search returns only events where src_zone is 'external'. What is the problem?

Exhibit:

```
index=network sourcetype=cisco:asa
| eval src_zone=case(src_ip="10.0.0.0/8","internal", 1=1,"external")
| search src_zone=internal
| stats count by src_zone
```
