© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.
SPLK-1002 Data Models and Best Practices • Complete Question Bank

SPLK-1002 Data Models and Best Practices — All Questions With Answers

Complete SPLK-1002 Data Models and Best Practices question bank — all 0 questions with answers and detailed explanations.

87 questions
Question 1 (medium, multiple choice)

A security analyst needs to create a data model for authentication logs that allows both event counts and average duration calculations. The data model should support fast search performance. Which approach best follows Splunk best practices for data model design?

Question 2 (easy, multiple choice)

A Splunk administrator notices that a data model acceleration summary is not updating as expected. The data model is accelerated with a summary range of 30 days. What is the most likely cause of this issue?

Question 3 (hard, multiple choice)

A large enterprise has multiple Splunk indexers and is using data model acceleration to speed up dashboards. The dashboards are slow despite acceleration being enabled. The data model has many root events and child datasets. Which best practice should the administrator consider to improve performance?

Question 4 (medium, multiple choice)

An analyst wants to create a data model that includes fields from both web server logs and database logs. The two sourcetypes have different timestamp formats. Which best practice should the analyst follow when designing the data model?

Question 5 (easy, multiple choice)

A user reports that a data model acceleration is consuming excessive disk space on the indexer. The data model has a summary range of 90 days. Which action is best to reduce disk space usage while maintaining acceptable query performance?

Question 6 (hard, multiple choice)

During a data model acceleration build, the following error appears in splunkd.log: 'Data model acceleration: not enough memory to complete summary build.' Which best practice should the administrator implement to prevent this error?

Question 7 (medium, multiple choice)

A Splunk administrator is designing a data model for network traffic logs. The logs contain source IP, destination IP, bytes transferred, and protocol. The administrator wants to create a root event that counts connections and a child transaction that sums bytes per session. Which constraint type should be used for the root event?

Question 8 (medium, multi-select)

Which TWO are best practices for creating data models in Splunk? (Choose two.)

Question 9 (hard, multi-select)

Which THREE are valid considerations when troubleshooting data model acceleration? (Choose three.)

Question 10 (easy, multi-select)

Which TWO are benefits of using data model acceleration? (Choose two.)

Question 11 (hard, multiple choice)

You are a Splunk administrator at a financial services company. The company has a distributed Splunk environment with 10 indexers and 2 search heads. You have created a data model named 'transaction_analytics' to analyze financial transactions. The data model is accelerated with a summary range of 7 days. Recently, users have reported that dashboards using this data model are extremely slow, sometimes timing out. You check the acceleration status and see that the summary is 'Building' but never completes. The splunkd.log on the search head shows repeated messages: 'Data model acceleration: query timed out after 300 seconds.' The base search for the data model is: index=transactions sourcetype=fin_events | eval risk_score=if(amount>10000, 'high', 'low') | fields transaction_id, user, amount, risk_score, _time. The data model has one root event with two child datasets: one for high-risk transactions and one for low-risk transactions. The total data volume is about 500 GB per day. The indexer where the summary is built has 16 GB of RAM and the search head has 32 GB. What is the best course of action to resolve the acceleration build timeout?

Question 12 (medium, multiple choice)

A security team wants to create a data model to analyze authentication events from multiple sources (Windows Event Log, Linux syslog, and VPN logs). The data model should normalize the fields for user, source IP, and action (success/failure). Which Splunk best practice should be applied when designing this data model?

Question 13 (hard, multiple choice)

A Splunk administrator notices that a data model acceleration summary is consuming excessive disk space on the indexers. The data model is used for a dashboard that refreshes every 30 minutes. What is the best course of action to reduce disk usage while maintaining dashboard performance?

Question 14 (hard, multi-select)

Which TWO statements about designing Splunk data models are correct? (Choose two.)

Question 15 (easy, multiple choice)

Refer to the exhibit. A Splunk user is building a data model for Apache error logs. The configuration above extracts an error_type field. However, when previewing data in the data model, the error_type field is not available. What is the most likely cause?

Exhibit:

# props.conf
[apache_error]
TRANSFORMS-set = set_error_type

# transforms.conf
[set_error_type]
REGEX = \[(error|warn|info)\]
FORMAT = error_type::$1
DEST_KEY = _meta

Question 16 (hard, multiple choice)

A large e-commerce company uses Splunk to monitor its web application. They have a data model named 'Web_Transactions' that contains fields: status_code, response_time, uri, user_agent. The data model is accelerated with a 30-day time range. Recently, the operations team reported that the dashboard showing average response time by URI is loading slowly, taking over 30 seconds to display. Upon investigation, you find that the data model acceleration summary job is taking longer to complete and sometimes fails. The indexers have sufficient CPU and memory, but the disk I/O is high during the summary job. The volume of web logs is approximately 500 GB per day. Which action should the Splunk administrator take to improve dashboard performance?

Question 17 (hard, multi-select)

Which TWO of the following are best practices when creating and using data models in Splunk?

Question 18 (medium, multiple choice)

Refer to the exhibit. A user runs the search shown. The search returns results, but the user wants to use a data model to make future searches faster and more consistent. Which data model should the user select and what is the correct acceleration setting?

Exhibit:

index=web sourcetype=access_combined | stats count by status | where count > 1000

Question 19 (easy, multiple choice)

You are a Splunk administrator for a large e-commerce company. The security team frequently runs searches against the web access logs (sourcetype=access_combined) to investigate suspicious activity. These searches often take 5-10 minutes to complete, and the team is frustrated. You decide to implement a data model to accelerate these searches. After creating a data model based on the CIM Web model and enabling acceleration for the 'Web' dataset, you notice that the acceleration summary size grows to over 50 GB and the rebuild process takes more than an hour every night, causing some searches to time out during the rebuild window. What is the most effective way to address this issue?

Question 20 (medium, multi-select)

Which three of the following are best practices when working with Data Models in Splunk? (Choose three.)

Question 21 (medium, multi-select)

Which three options describe recommended practices for optimizing and maintaining data model acceleration? (Choose three.)

Question 22 (medium, multi-select)

Which four of the following are best practices for working with data models in Splunk? (Choose four.)

Question 23 (medium, drag order)

Drag and drop the steps to add a new data input using Splunk Web (e.g., monitor a log file) into the correct order.

Question 24 (medium, drag order)

Drag and drop the steps to perform a Splunk software upgrade using the CLI into the correct order.

Question 25 (medium, matching)

Match each data input type to its description.

Descriptions to match:

Tails a file or directory for new data

Receives syslog data via UDP or TCP

Runs a script to collect data

Receives data via HTTP or HTTPS

Collects Windows Event Log data

Question 26 (medium, matching)

Match each index type to its purpose.

Descriptions to match:

Default index for all data unless otherwise specified

Stores pre-computed results for faster searches

Optimized for numeric metric data

Stores data model acceleration data

Question 27 (easy, multiple choice)

Which of the following is required to use data model acceleration for a Pivot report?

Question 28 (easy, multiple choice)

A user wants to use the Pivot interface to analyze web traffic data. Which data model should they select?

Question 29 (easy, multiple choice)

When tagging events in Splunk to map them to a data model, which tag is used to associate events with a specific data model dataset?

Question 30 (medium, multiple choice)

A data model has been accelerated but some Pivot reports are showing incomplete data. What is the most likely cause?

Question 31 (medium, multiple choice)

Which of the following is a best practice when creating custom data models?

Question 32 (medium, multiple choice)

An administrator notices that a data model is not appearing in the Pivot interface. What is a possible reason?

Question 33 (hard, multiple choice)

A team has created a data model based on sourcetypes from different sources. Some fields are not populating correctly in Pivot. Which of the following is the most effective troubleshooting step?

Question 34 (hard, multiple choice)

When designing a data model for heterogeneous log sources, which approach minimizes field conflicts?

Question 35 (hard, multiple choice)

A user wants to create a Pivot report that counts failed login attempts by user and hour. Which data model dataset and fields are most appropriate?

Question 36 (easy, multi-select)

Which TWO actions should be taken to optimize data model acceleration?

Question 37 (medium, multi-select)

Which THREE statements about data model normalization are correct?

Question 38 (hard, multi-select)

Which TWO are best practices for designing data models in Splunk?

Question 39 (easy, multiple choice)

Refer to the exhibit. What does this search do?

Exhibit:

| datamodel Web search
| where status=500
| stats count by uri_path

Question 40 (medium, multiple choice)

Refer to the exhibit. A data model named 'Web' is built on sourcetype 'web_access'. A user reports that the timestamp field is not being extracted correctly in the data model. What is the most likely issue?

Exhibit:

props.conf:
[web_access]
DATETIME_CONFIG = /etc/datetime.xml
MAX_TIMESTAMP_LOOKAHEAD = 20
TIME_PREFIX = ^
TIME_FORMAT = %d/%b/%Y:%H:%M:%S

Question 41 (hard, multiple choice)

Refer to the exhibit. An administrator configures a default stanza in props.conf to assign the Authentication data model to all sourcetypes. Which issue might arise?

Exhibit:

props.conf:
[default]
DATETIME_CONFIG = CURRENT
DATA_MODEL = Authentication

Question 42 (medium, multiple choice)

A user notices that a data model is not updating with recent events. The data model acceleration is enabled and the summary range is set to 30 days. Which action should the admin take to ensure the accelerated data model includes data from the last hour?

Question 43 (hard, multiple choice)

A security team needs to track authentication events across multiple sources: Windows Security logs, Linux /var/log/auth.log, and network authentication events. They want to create a single data model covering all authentication events with consistent field names. Which best practice should they follow?

Question 44 (easy, multiple choice)

An admin wants to allow power users to search against a data model but prevent them from modifying its definition. Which permission setting should the admin configure?

Question 45 (medium, multiple choice)

An analyst wants to count the number of failed login attempts from a specific user using an accelerated data model named 'Authentication'. The data model has a dataset 'Failed_Authentication'. Which SPL query should they use?

Question 46 (hard, multiple choice)

A data model for web traffic has a child dataset 'Error_Pages' that should only include events with status code 5xx. The admin wants to ensure that when the data model is used with tstats, only these events are searched. Which definition should they use in the data model?

Question 47 (easy, multiple choice)

An admin runs '| datamodel App_State' and receives the error 'No data model named 'App_State''. Which of the following is the most likely cause?

Question 48 (medium, multiple choice)

A data model is set to accelerate with a summary range of 90 days. After some time, the administrator notices that the acceleration is using significant disk space. Which strategy would best reduce disk usage without losing the ability to quickly query the last 30 days of data?

Question 49 (hard, multiple choice)

A data model 'Network_Traffic' currently has a single root dataset 'Traffic'. The administrator wants to add a child dataset 'Firewall_Logs' that only contains events from sourcetype=firewall. The admin also wants 'Firewall_Logs' to inherit all fields from 'Traffic'. Which approach should they follow?

Question 50 (easy, multiple choice)

An administrator wants to list all data models in the current app and see their acceleration status. Which command should they use?

Question 51 (easy, multi-select)

Which TWO of the following are best practices when designing data models in Splunk?

Question 52 (medium, multi-select)

Which THREE of the following statements about data model acceleration are true?

Question 53 (hard, multi-select)

Which THREE of the following are valid reasons to use data models instead of raw searches?

Question 54 (medium, multiple choice)

Refer to the exhibit. An admin is trying to accelerate this data model, but receives an error: 'Data model 'Authentication' has no constraints.' What is the most likely cause?

Exhibit:

[datamodel]
app = search
name = Authentication
[datamodel/Authentication/constraint]
sourcetype = auth_log
[datamodel/Authentication/fields/action]
type = string

Question 55 (hard, multiple choice)

Refer to the exhibit. An admin sees that the Web_Traffic data model is accelerated but shows 'Summaries require rebuild'. What does this status indicate?

Exhibit:

| datamodel list
Data model   App      Type   Accelerated?  Status
Web_Traffic  search   root   Yes           Summaries require rebuild
Error_Logs   search   root   No            -

Question 56 (easy, multiple choice)

Refer to the exhibit. An analyst receives this error when running a tstats search. Which of the following is the most likely cause?

Exhibit:

Error: tstats search includes invalid argument: datamodel=
Search command: | tstats count from datamodel=Web_Traffic.Failed_Pages

Question 57 (easy, multiple choice)

A security analyst wants to accelerate a frequently run search that uses the `Authentication` data model. Which best practice should they follow to ensure the acceleration consumes minimal disk space?

Question 58 (medium, multiple choice)

A team is designing a data model for IT operations. They have fields like `src_ip`, `dest_ip`, `user`, and `action`. Which best practice should they follow when naming the root event dataset?

Question 59 (hard, multiple choice)

An administrator notices that a data model with acceleration is not returning results for a specific time range. The search uses `| datamodel` command. The summary range is set to 30 days. What is the most likely cause?

Question 60 (easy, multiple choice)

An analyst creates a pivot from the `Authentication` data model. Which of the following is a valid reason to use a pivot instead of a search?

Question 61 (medium, multiple choice)

During data model creation, an administrator adds a calculated field that concatenates `src_ip` and `dest_ip` with a hyphen. Which of the following is a best practice for calculated fields in data models?

Question 62 (hard, multiple choice)

A search using `| datamodel All_Web data=Web search` returns a large number of results quickly, but the analyst notices the results are inconsistent with a manual search over the same time range. What is the most likely issue?

Question 63 (easy, multiple choice)

A data model includes a root event called `Authentication` with a constraint `action=*`. Which of the following is a valid reason to add a child dataset?

Question 64 (medium, multiple choice)

An organization wants to build a data model that includes data from multiple sourcetypes. Which best practice should they follow regarding field definitions?

Question 65 (hard, multiple choice)

An administrator reports that a data model acceleration job is consistently failing for a root event with a large dataset. What is the most likely cause?

Question 66 (easy, multi-select)

Which TWO of the following are best practices when creating a data model in Splunk? (Choose two.)

Question 67 (medium, multi-select)

Which THREE of the following are valid considerations when accelerating a data model? (Choose three.)

Question 68 (hard, multi-select)

Which TWO of the following are common pitfalls when using data models that can lead to inaccurate pivot results? (Choose two.)

Question 69 (easy, multiple choice)

A new Splunk admin wants to reduce the time it takes to run reports on a large dataset. They have enabled acceleration on a data model. Which of the following is a best practice to maximize acceleration benefits?

Question 70 (medium, multiple choice)

A user notices that a data model designed for web server logs is not showing any events in the 'Web' object, even though the underlying logs are searched correctly with a normal search. The root events are pulling from the 'main' index, and the data model uses constraints. Which of the following is the most likely cause?

Question 71 (hard, multiple choice)

A Splunk admin is troubleshooting a slow report that uses an accelerated data model. The report uses tstats commands and filters on a field that is not a constraint field in the data model. Which of the following best explains why the report is slow?

Question 72 (medium, multiple choice)

An organization wants to define a data model that represents transaction-level data from multiple source types, including web logs and application logs. They need to ensure that the data model is scalable and easy to maintain. Which best practice should the admin follow when designing this data model?

Question 73 (easy, multiple choice)

A Splunk user has created a data model for firewall logs and wants to use it to generate a report showing top source IPs. They attempt to run a search using the data model but receive no results, even though a simple search over the same index returns many events. What is the most likely cause?

Question 74 (hard, multiple choice)

A company has a data model for email logs that includes a calculated field named 'sentiment_score' derived from a lookup. The data model is accelerated, but some reports using |tstats with 'sentiment_score' are returning incorrect values. What is the most likely reason?

Question 75 (medium, multiple choice)

A Splunk admin wants to ensure that data models are built efficiently and do not consume excessive resources. Which of the following is a best practice when creating data models?

Question 76 (hard, multi-select)

Which THREE of the following are best practices when designing data models in Splunk?

Question 77 (easy, multi-select)

Which TWO of the following are valid ways to create a data model in Splunk?

Question 78 (medium, multi-select)

Which THREE of the following are components of a data model in Splunk?

Question 79 (hard, multiple choice)

You are a Splunk administrator for a large e-commerce company. The company ingests approximately 500 GB of web server logs per day into a single index named 'web_logs'. A data model named 'Web_Transactions' has been created to analyze user browsing behavior. The data model has a root event with no constraints, and three child objects: 'Page_Views', 'Searches', and 'Purchases'. Each child object has a constraint based on a key-value pair in the logs: e.g., 'action=view', 'action=search', 'action=purchase'. The data model is accelerated with a 7-day summary, but reports that query specific child objects are taking over 10 minutes to return. The reports use |tstats and filter on common fields like 'user_id' and 'session_id'. The admin suspects the acceleration summary is too large. Which of the following actions will most effectively reduce report latency while maintaining the ability to analyze all three transaction types?

Question 80 (medium, multiple choice)

You are working as a Splunk consultant for a financial services firm. They have multiple data sources: application logs, database audit logs, and network firewall logs. The security team needs to correlate events across these sources to detect potential fraud. You decide to create a data model named 'Security_Events'. The data model will be used with tstats for real-time dashboards. The logs vary in volume: application logs are 200 GB/day, audit logs are 50 GB/day, and firewall logs are 100 GB/day. The firm wants to optimize performance and storage. The data model currently has one root event with no constraints and three child objects with constraints based on sourcetype. The admin is concerned about acceleration storage costs. Which of the following is the best approach to balance performance and storage?

Question 81 (easy, multiple choice)

A small business uses Splunk to monitor their point-of-sale (POS) system. They have a data model named 'POS_Transactions' that is not accelerated. The owner wants to create a simple dashboard showing daily sales totals. They write a search using |tstats against the data model, but it returns 'No events found'. A plain search over the same index returns expected results. What should the owner do to resolve this?

Question 82 (hard, multiple choice)

You are an admin for a large healthcare organization that uses Splunk for compliance monitoring. You have a data model named 'Patient_Access' that tracks access to patient records. The data model includes fields like 'employee_id', 'patient_id', 'access_time', and 'action'. The data model is accelerated with a 30-day summary. Recently, a new compliance report requires filtering on a field named 'department', which is not currently part of the data model. You add 'department' as a new field to the root event of the data model. After this change, reports using the data model become slower. The data model's acceleration summary size has significantly increased. What is the most likely reason for the slowdown?

Question 83 (medium, multiple choice)

A media company uses Splunk to analyze user engagement across their website. They have a data model named 'User_Actions' with two child objects: 'Page_Views' and 'Clicks'. The data model is accelerated. The marketing team creates a report that uses |tstats to count the number of 'Page_Views' per user_id. The results seem low compared to an equivalent search using |search. Upon investigation, you find that the 'Page_Views' object has a constraint that filters events where 'event_type=page_view'. The base search returns many events with 'event_type=Page View' (note the space). What is the issue and the correct fix?

Question 84 (hard, multiple choice)

A large e-commerce company ingests 10 TB/day of web access logs into Splunk. They have enabled the CIM-compliant Web data model and created data model acceleration with a 90-day range. Users run reports using pivot to analyze HTTP status codes, client IPs, and URIs. Recently, two issues arose: (1) Pivot reports are returning incomplete or outdated results, sometimes missing data from the last few hours. (2) Acceleration summary size has ballooned to over 500 GB, causing search head performance degradation. The Splunk admin suspects that data model acceleration is not configured optimally. Upon inspection, the Web data model's root search contains a complex filter with multiple eval commands and lookups, and the acceleration time range is set to the same 90 days as the summary range. The admin also notices that the data model is defined as non-time-based, even though the events have timestamps and the pivot often uses time ranges. What is the best course of action to resolve both issues while maintaining accuracy and performance?

Question 85 (medium, multi-select)

Which two of the following are best practices when designing Splunk data models? (Choose two.)

Question 86 (hard, multiple choice)

Refer to the exhibit. A Splunk admin runs a search using the 'Authentication' data model and notices that the search does not use the acceleration summaries. The admin confirms that acceleration is enabled and the summary range is set correctly. What is the most likely reason for the acceleration being ignored?

Exhibit:

Data model definition:
{
  "dataModel": {
    "objectName": "Authentication",
    "fieldList": [
      {"fieldName": "user", "type": "string"},
      {"fieldName": "action", "type": "string"},
      {"fieldName": "src_ip", "type": "ip"},
      {"fieldName": "_time", "type": "time"},
      {"fieldName": "duration", "type": "number"}
    ],
    "constraints": [
      {"field": "action", "comparison": "IN", "value": ["login", "logout"]}
    ],
    "acceleration": {
      "enabled": true,
      "summaryRange": "1d",
      "maxTime": "30d"
    }
  }
}

Question 87 (hard, multiple choice)

A financial services company uses Splunk to monitor authentication logs from 500 remote servers. They created a data model named 'Authentication' with 15 fields including 'user', 'src_ip', 'dest_ip', 'action', and 'status'. They enabled acceleration with a summary range of 1 day and set the maximum search time range to 30 days. After one month of operation, searches against the data model that used to complete in seconds now time out after 60 seconds. The average daily log volume is 10 GB. The admin runs | datamodel Audit and discovers that the summary size is approximately 5 GB per day, which is similar to the raw data index size. The search head has 16 GB RAM and 4 CPU cores, and no other resource issues are observed. What is the most likely cause of the performance degradation?
