© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.


SPLK-1002 Using Fields and Lookups — All Questions With Answers

Complete SPLK-1002 Using Fields and Lookups question bank, with answers and detailed explanations for every question.

124 questions. Free, no signup.
Question 1 (easy, multiple choice)

A security analyst is investigating a suspicious IP address. They want to find all events related to that IP. Which field should they use in a search?

Question 2 (medium, multiple choice)

A Splunk admin wants to enrich web server logs with geographic location data based on IP addresses. Which approach should they use?

Question 3 (hard, multiple choice)

A search returns many events but the 'status' field is missing from some events. The admin wants to set a default value of 'unknown' when the field is absent. Which command should be used?

Question 4 (easy, multiple choice)

A user wants to see only events where the 'action' field has a value of 'success'. Which search syntax should they use?

Question 5 (medium, multiple choice)

A lookup table contains employee names and IDs. An admin wants to add the employee name to events that contain an employee ID field called 'emp_id'. What is the correct lookup command syntax?

Question 6 (hard, multiple choice)

A search includes a lookup that returns multiple values per event. The admin wants to see each matched value as a separate event. Which command should be used after the lookup?

Question 7 (easy, multiple choice)

In Splunk, which of the following is true about fields?

Question 8 (medium, multiple choice)

An admin notices that a lookup is not returning any results for some events even though matching keys exist. What is the most likely cause?

Question 9 (hard, multiple choice)

A search uses a lookup that returns a field 'priority'. The admin wants to use the lookup only for events where the 'source' is 'firewall'. Which command should be used?

Question 10 (easy, multiple choice)

Which of the following best describes the purpose of the 'fields' command in a search?

Question 11 (medium, multiple choice)

A user wants to create a field that contains the length of the 'message' field. Which command should they use?

Question 12 (easy, multi select)

Which TWO of the following are valid ways to extract fields in Splunk? (Choose two.)

Question 13 (medium, multi select)

Which THREE of the following are true about lookups in Splunk? (Choose three.)

Question 14 (hard, multi select)

A Splunk admin wants to handle missing field values in a search. Which TWO commands can replace null values with a specified default? (Choose two.)

Question 15 (medium, multi select)

Which THREE statements about the 'rex' command are correct? (Choose three.)

Question 16 (medium, multiple choice)

Refer to the exhibit. The lookup file app_versions.csv contains fields 'app' and 'version'. The version values are strings like '1.5', '2.0', '2.1'. What is the issue with this search?

Exhibit:

| inputlookup app_versions.csv
| where version > "2.0"
| table app version

Question 17 (hard, multiple choice)

Refer to the exhibit. A user gets this error when running a search with a GeoIP lookup. What is the most likely cause?

Exhibit:

Error message:
"Lookup table 'geoip' not found in 'lookups' directory."

Question 18 (easy, multiple choice)

Refer to the exhibit. What will this search return?

Exhibit:

index=web sourcetype=access_combined | top 5 uri

Question 19 (hard, multiple choice)

A company's Splunk environment indexes firewall logs from multiple vendors. The security team wants to enrich events with a threat intelligence lookup that maps IP addresses to threat categories. The lookup file 'threat_intel.csv' has the fields ip, category and confidence. The admin runs the following search: index=firewall | lookup threat_intel.csv src_ip OUTPUT category confidence. The lookup returns no results even though matching IPs exist, and the admin has verified that the lookup file is uploaded and the field names are correct. The admin considers several possible causes: that the lookup is case-sensitive and the case of the values differs between the logs and the lookup file; that the lookup is configured with the wrong field order; that the lookup command is missing the OUTPUTNEW option; or that the index name is wrong. Which course of action should the admin take first to resolve the issue?

Question 20 (medium, multiple choice)

A Splunk admin is tasked with creating a dashboard that shows the top 10 error codes from application logs. The logs contain a field 'error_code' which is extracted automatically. The admin writes the search: index=app sourcetype=app_log | top limit=10 error_code. The dashboard shows the correct data, but the admin wants to add a drilldown that passes the selected error code to another search. The admin considers using the 'fields' command to keep only error_code, the 'table' command to display the data, the 'eval' command to create a new field, or the 'stats' command to count. Which change should the admin make to the search to enable the drilldown functionality?

Question 21 (medium, multiple choice)

A security analyst runs a search for failed logins and wants to display the source IP address, username, and count of failures. However, the field 'src_ip' is not showing in the field picker. Which of the following is the most likely reason?

Question 22 (hard, multiple choice)

An organization is ingesting web proxy logs and wants to enrich them with a lookup table that maps internal IP addresses to employee names. The lookup table is updated weekly. Which configuration ensures the lookup is automatically applied to all searches without manual intervention, while also minimizing performance impact?

Question 23 (easy, multiple choice)

A user notices that a calculated field defined in props.conf is not appearing in search results. Which of the following is the most likely cause?

Question 24 (medium, multiple choice)

A user wants to replace a field value 'ERROR' with 'Error' in search results. Which command should be used within a search to achieve this transformation?

Question 25 (hard, multi select)

A Splunk administrator is configuring a lookup to enrich firewall logs with a static CSV file containing allowed IP ranges. Which TWO statements about lookup configuration are correct?

Question 26 (hard, multiple choice)

You are a Splunk admin for a large enterprise with multiple distributed Splunk components. The security team frequently runs searches that use a large CSV lookup file (500MB) containing threat intelligence indicators. They report that searches are slow and sometimes time out. The lookup file is updated hourly via an automated script. The team currently uses the 'lookup' command in every search. You need to improve performance without sacrificing data freshness. Your environment has a search head cluster and indexer cluster. The lookup file is stored on a shared filesystem accessible to all search heads. Which single approach will best improve search performance while maintaining hourly updates?

Question 27 (easy, multiple choice)

An administrator needs to extract a field from log data where the value appears between two square brackets, for example [error_code: 404]. Which search command should they use to create a custom field extraction without modifying the original data?

Question 28 (medium, multi select)

A security analyst wants to enrich authentication logs with a lookup table containing user department and manager information. Which TWO statements are true about using lookups in Splunk?

Question 29 (hard, multiple choice)

A Splunk administrator configured an automatic lookup as shown. When searching index=main source=/var/log/auth.log, the department field is not populated. What is the most likely cause?

Exhibit:

# /opt/splunk/etc/system/local/transforms.conf
[user_lookup]
filename = users.csv
match_type = WILDCARD(user_name)

# /opt/splunk/etc/system/local/props.conf
[source::/var/log/auth.log]
LOOKUP-user = user_lookup user_name AS username OUTPUTNEW department

Question 30 (medium, multi select)

Which three of the following are valid methods for creating or using field extractions in Splunk? (Choose three.)

Question 31 (medium, multi select)

Which three of the following statements about lookup tables and their usage in Splunk are correct? (Choose three.)

Question 32 (medium, multi select)

Which of the following are true statements about using fields and lookups in Splunk? Choose all that apply. (There are four correct answers.)

Question 33 (medium, drag order)

Drag and drop the steps to create a simple Splunk search that returns results for a specific error in the last 24 hours into the correct order.

Question 34 (medium, drag order)

Drag and drop the steps to configure Splunk to use LDAP authentication into the correct order.

Question 35 (medium, matching)

Match each knowledge object to its definition.

Descriptions:

Define how to extract fields from raw data

A search that is persisted and can be scheduled

Saved search with visualization or statistics

Saved search that triggers actions on conditions

Collection of panels with saved searches or reports

Question 36 (medium, matching)

Match each search mode to its behavior.

Descriptions:

Optimizes for speed, minimal fields and events

Adjusts automatically based on search complexity

Returns all fields and events for maximum detail

Question 37 (easy, multiple choice)

A user wants to rename the field 'src_ip' to 'sourceIP' in all search results without modifying the raw data. Which method should they use?

Question 38 (medium, multiple choice)

A security team needs to enrich their authentication events with risk scores from a CSV file that maps username to risk_score. The CSV is updated daily and has 100,000 rows. Which lookup configuration is most appropriate?

Question 39 (easy, multiple choice)

An analyst runs a search and needs to view only events where the 'status' field has a value of 'failed'. Which command should be used?

Question 40 (medium, multiple choice)

A team has a lookup table 'app_errors.csv' that includes a field 'error_code'. They want to automatically join error descriptions from 'error_codes.csv' on 'error_code' every time they search a sourcetype. What is the best way to achieve this?

Question 41 (hard, multiple choice)

An organization uses a KV Store lookup to maintain a list of known malicious IPs. The lookup is updated every 5 minutes via a script. Analysts complain that their searches sometimes miss recent additions. What is the most likely cause?

Question 42 (hard, multiple choice)

A user has a search that produces a chart of error counts by host. They want to add a calculated field 'error_rate' as errors per million events. Which approach is correct?

Question 43 (easy, multiple choice)

A user wants to see the list of all fields that are extracted from a specific sourcetype. Which command should they use?

Question 44 (medium, multiple choice)

Your team uses a large CSV lookup 'users.csv' with 200,000 rows. When running searches that use this lookup via the lookup command, performance is slow. Which action would most improve performance?

Question 45 (hard, multiple choice)

An administrator notices that an automatic lookup is not being applied to events from a certain sourcetype. The lookup file exists and the configuration in props.conf appears correct. What is a possible reason?

Question 46 (medium, multi select)

Which TWO of the following are valid ways to create a field alias in Splunk?

Question 47 (hard, multi select)

Which TWO of the following are true about KV Store lookups in Splunk?

Question 48 (medium, multi select)

Which THREE of the following are valid options for the lookup command?

Question 49 (medium, multiple choice)

Refer to the exhibit. The search returns no results from the lookup. What is the most likely issue?

Exhibit:

props.conf:
[apache_error]
FIELDALIAS-error_code = error_id AS error_code

transforms.conf:
[error_code_lookup]
filename = error_codes.csv

Search:
index=web sourcetype=apache_error | lookup error_code_lookup error_id OUTPUT error_description

Question 50 (hard, multiple choice)

Refer to the exhibit. The search results show city and country fields from the GeoIP lookup. What does the automatic lookup use as the input field to match against the lookup table?

Exhibit:

automatic_lookups.conf:
[apache_access]
lookup_table = geoip

GeoIP lookup file has fields: ip, city, country

The search: index=web sourcetype=apache_access | head 10

Results show city and country fields with correct values from the GeoIP lookup; the raw field 'clientip' is also present in the results.

Question 51 (easy, multiple choice)

Refer to the exhibit. What would happen if the eval statement was changed to: eval priority = case(error = "critical", 1, error = "warning", 2, true(), 3)?

Exhibit:

Search:
index=main | eval priority = case(error = "critical", 1, error = "warning", 2, 1=1, 3) | stats count by priority

Results show priority values 1, 2, and 3.

Question 52 (easy, multiple choice)

A user runs a search for errors but notices that the `source` field is not appearing in the selected fields list. What is the most likely reason?

Question 53 (medium, multiple choice)

An administrator wants to add a lookup table that maps user IDs to department names. The lookup file is a CSV with columns `user_id` and `department`. To use this lookup in searches, what must be configured?

Question 54 (hard, multiple choice)

A search using `| lookup user_lookup user_id OUTPUT department_name` returns incorrect department names for some users. The lookup file is correct. What could be the issue?

Question 55 (easy, multiple choice)

Which command is used to import an external CSV file into a Splunk lookup table for the first time?

Question 56 (medium, multiple choice)

A user wants to see the values of all fields in an event, including fields that are not automatically extracted. Which search command should be used?

Question 57 (hard, multiple choice)

A lookup table has been defined with `max_matches = 5`. What does this setting do?

Question 58 (easy, multiple choice)

Which of the following is a default field that is automatically extracted by Splunk?

Question 59 (medium, multiple choice)

A user creates a calculated field that extracts the domain from email addresses using the expression `| rex field=email "(?P<domain>@\w+\.\w+)"`. However, the calculated field does not appear in search results. What is the most likely reason?

Question 60 (hard, multiple choice)

An automatic lookup is configured but it is not enriching events. The lookup file is large (100MB) and is updated daily. What setting could improve performance?

Question 61 (easy, multi select)

A user wants to view the contents of a lookup table file named `users.csv` that is stored in Splunk. Which two commands can be used? (Choose two.)

Question 62 (medium, multi select)

Which of the following are valid reasons to use a lookup in Splunk? (Choose two.)

Question 63 (hard, multi select)

A lookup definition in transforms.conf includes the following settings: `filename = employees.csv`, `max_matches = 0`, `case_sensitive_match = false`. Which three statements about this lookup are true? (Choose three.)

Question 64 (medium, multiple choice)

Refer to the exhibit. A user runs a search with `| lookup excel_lookup product_id OUTPUT sales_rep`. For a product_id that exists in the CSV but with a different case (e.g., "ABC123" vs "abc123"), what will be the value of the `sales_rep` field after the lookup?

Exhibit:

[excel_lookup]
filename = sales_data.csv
max_matches = 1
default_match = N/A
case_sensitive_match = true

Question 65 (hard, multiple choice)

Refer to the exhibit. The lookup `usertable` has fields: user, role, department. The search returns an error: "Error in 'where' command: Field 'role' is not defined." What is the most likely cause?

Exhibit:

| inputlookup usertable
| where role="admin"
| stats count by department

Question 66 (easy, multiple choice)

Refer to the exhibit. An automatic lookup is configured with WILDCARD match type. What kind of matching does this enable?

Exhibit:

[automatic_lookup]
filename = dept_table.csv
match_type = WILDCARD(employee_id)

Question 67 (easy, multiple choice)

A security analyst wants to count the number of unique users who have logged in over the past week. Which field-based command should they use?

Question 68 (easy, multiple choice)

A user has a lookup file containing employee email addresses and department names. They want to add the department field to search results containing the employee's email. Which command should they use?

Question 69 (easy, multiple choice)

An analyst runs a search and notices that a field `status_code` contains values like '200', '404', '500'. They want to categorize these as 'Success' or 'Error'. Which approach is most efficient?

Question 70 (medium, multiple choice)

A Splunk administrator receives a complaint that a saved search is slow. The search uses a lookup to enrich events with a CSV file that has 500,000 rows. Which optimization is most effective?

Question 71 (medium, multiple choice)

An analyst wants to compute the average response time for each server from web server logs. The field `response_time` is a string like '120ms'. What is the correct way to convert and compute?

Question 72 (medium, multiple choice)

A team uses a lookup to map IP addresses to geographic locations. The lookup is large and updated weekly. Which lookup type is best suited?

Question 73 (hard, multiple choice)

A search includes a lookup that returns multiple matches for a single event. The analyst wants to keep only the first match. Which lookup command option should they use?

Question 74 (hard, multiple choice)

A Splunk admin notices that a lookup is not matching fields correctly. The lookup file has a header row with field names. The search uses `lookup usernames.csv user_id OUTPUT username`. Some events have `user_id` values that exist in the lookup but no match occurs. What is the most likely cause?

Question 75 (hard, multiple choice)

An analyst wants to use a lookup to enrich events only if a condition is met, e.g., only for events where `status=error`. Which search pattern is most efficient?

Question 76 (easy, multi select)

Which TWO methods can be used to create a new field in a search?

Question 77 (medium, multi select)

Which THREE statements about Splunk lookups are true?

Question 78 (hard, multi select)

Which TWO commands can be used to filter events based on field values?

Question 79 (easy, multiple choice)

Refer to the exhibit. An analyst runs the search and expects the `country`, `region`, and `city` fields to appear in the results, but they do not. What is the most likely reason?

Exhibit:

Search: index=web sourcetype=access | lookup geo_ip.csv clientip OUTPUT country region city

First few lines of geo_ip.csv:

clientip,country,region,city
10.0.0.1,USA,CA,San Francisco
10.0.0.2,USA,NY,New York
10.0.0.3,CAN,ON,Toronto

Question 80 (medium, multiple choice)

Refer to the exhibit. The search is not returning the `app_name` field as expected. The lookup has many entries with wildcard patterns. What is the most likely issue?

Exhibit:

Search: index=main sourcetype=syslog | eval match_field=src_ip | lookup application_map.csv match_field OUTPUTNEW app_name

Lookup definition:

[lookup_application_map]
filename = application_map.csv
match_type = WILDCARD(app_name)

Question 81 (hard, multiple choice)

Refer to the exhibit. The search returns a count for only a subset of user_ids, even though all user_ids exist in the lookup. What could explain this?

Exhibit:

Lookup definition in transforms.conf:

[user_lookup]
filename = users.csv
match_type = EXACT(user_id)
max_matches = 1

Search:
index=main | lookup user_lookup user_id OUTPUT first_name last_name | where isnotnull(first_name) | stats count by user_id

Question 82 (easy, multiple choice)

A user wants to create a lookup table to enrich events with customer information. Which file format is NOT supported for a classic CSV-based lookup?

Question 83 (medium, multiple choice)

An analyst runs `| inputlookup mylookup.csv` but gets no results. The lookup file exists. What is the most likely cause?

Question 84 (hard, multiple choice)

A search uses a lookup to enrich results with a field 'status'. After the lookup, some events have empty status values. The lookup file contains a mapping for all possible status codes. What is a likely reason for empty values?

Question 85 (easy, multiple choice)

An analyst wants to see all field names and their types from a search result. Which command can be used?

Question 86 (medium, multiple choice)

A lookup definition is configured with a very large CSV file. The lookup performs slowly. Which change would most improve performance?

Question 87 (hard, multiple choice)

A user runs a search and uses `| lookup mylookup myfield OUTPUT myfield2`. The search returns events that have myfield values, but myfield2 is null. The lookup file has matching entries. What is the most likely issue?

Question 88 (easy, multiple choice)

Which command is used to export the current search results to a CSV file that can be used as a lookup table?

Question 89 (medium, multiple choice)

A search uses the rex command to extract fields from a log line. The field extraction is working correctly, but some events are missing the extracted field. What is a possible reason?

Question 90 (hard, multiple choice)

An analyst wants to automatically look up a field 'user_id' in a lookup file every time a search is run, without having to type the lookup command manually. Which approach is best?

Question 91 (medium, multi select)

An analyst needs to create a lookup file. Which TWO methods can be used?

Question 92 (hard, multi select)

Which THREE of the following are capabilities of the rex command?

Question 93 (easy, multi select)

Which TWO commands can be used to bring lookup data into a search?

Question 94 (medium, multiple choice)

Refer to the exhibit. An analyst runs a search that uses this lookup. The lookup returns multiple matches for some events. Which of the following is true?

Exhibit:

[my_lookup]
filename = my_lookup.csv
max_matches = 5
default_match = UNKNOWN
case_sensitive_match = true

Question 95 (easy, multiple choice)

Refer to the exhibit. An administrator runs this command. What is the effect?

Exhibit:

> splunk add lookup-table my_lookup my_lookup.csv

Question 96 (medium, multiple choice)

Refer to the exhibit. The search returns no results for the 'country' field even though the lookup file exists and contains IP-to-country mappings. Which is the most likely issue?

Exhibit:

index=main | rex field=_raw "(?<ip>\d+\.\d+\.\d+\.\d+)" | lookup country_lookup ip OUTPUT country

Question 97 (easy, multiple choice)

A security analyst runs a search that returns many fields, most of which are not needed. Which command should be used to remove all fields except 'src_ip', 'dest_ip', and 'action'?

Question 98 (medium, multiple choice)

A user creates a CSV lookup file 'users.csv' with columns 'userid' and 'full_name'. A lookup definition is set up. The search `index=auth | lookup users.csv userid AS user OUTPUT full_name` returns no results for 'full_name' even though there are matching userids. What is the most likely cause?

Question 99 (hard, multiple choice)

A Splunk admin has a lookup with 10 million rows. The search uses this lookup as a left join and takes too long. Which design change would most improve performance?

Question 100 (easy, multiple choice)

A search uses `| fields - _raw, _time` and then later needs `_time` again. What will happen?

Question 101 (medium, multiple choice)

An organization needs to enrich authentication events with employee department information stored in a MySQL database. The data is updated frequently. Which lookup type is most appropriate?

Question 102 (hard, multiple choice)

A time-based lookup is configured with `max_offset_secs = 3600`. An event has a timestamp 100 seconds after the lookup time value. Will the lookup match?

Question 103 (easy, multiple choice)

Which command reads a lookup file and outputs it as search results?

Question 104 (medium, multiple choice)

A search needs to replace a field value 'user' with 'full name' using a CSV lookup that has 'username' and 'fullname' columns. Which lookup command is correct?

Question 105 (hard, multiple choice)

When using an automatic lookup in props.conf, which setting controls the order in which multiple automatic lookups apply to the same sourcetype?

Question 106 (medium, multi select)

Which TWO of the following are best practices for managing lookup files in Splunk?

Question 107 (medium, multi select)

Which TWO of the following commands can be used to view the current fields in a search result?

Question 108 (hard, multi select)

Which THREE of the following are true about automatic field extraction in Splunk?

Question 109 (hard, multiple choice)

A large enterprise uses Splunk across 50 indexers and a search head cluster. An analyst reports that a search using a lookup file 'employees.csv' (500 MB, 10 million rows) is extremely slow. The search is: `index=winlogs sourcetype=Security EventCode=4624 | lookup employees.csv account AS User OUTPUT department, manager`. The lookup currently runs on each event, and the entire CSV is loaded into memory on the search head each time. There are about 5 million matching events per day. The company has a separate Identity Management system that updates employee data hourly. The analyst needs the lookup to be fast and up-to-date. Which solution should the Splunk admin implement?

Question 110 (medium, multiple choice)

A Splunk admin configured a CSV-based lookup to map device IP addresses to location data. The lookup 'devices.csv' has columns 'ip', 'building', 'floor'. In props.conf, they set: `LOOKUP-1 = devices ip OUTPUT building floor`. In transforms.conf: `[devices] filename = devices.csv`. The search over sourcetype 'network_logs' returns events with the 'ip' field, but 'building' and 'floor' are missing. The admin confirms the CSV file exists and has data. What is the most likely issue?

Question 111 (medium, multiple choice)

A security analyst needs to enrich firewall logs with user identity information stored in a CSV file. The CSV file contains fields: user_id, username, department, location. The firewall logs contain a field 'src_user_id'. Which Splunk feature should be used to add the username and department fields to the firewall events based on matching src_user_id to user_id?

Question 112 (hard, multiple choice)

A Splunk administrator notices that a lookup definition named 'assets' is not returning any results in searches even though the CSV file exists and has data. The lookup definition uses the filename 'assets.csv' and the matching field 'ip' matches the event field 'dest_ip'. The search query `index=main | lookup assets ip AS dest_ip OUTPUT asset_name` returns no asset_name values. What is the most likely cause?

Question 113 (medium, multi select)

A Splunk user wants to create a lookup that maps a field 'status_code' to a human-readable 'status_description'. The lookup data is small and changes infrequently. Which TWO methods are appropriate for creating this lookup? (Choose two.)

Question 114 (hard, multi select)

A Splunk administrator is troubleshooting a time-based lookup that is supposed to match events to a lookup table that changes over time. The lookup is defined with time_field 'start_time' and time_format '%Y-%m-%d %H:%M:%S'. Which THREE conditions must be met for the time-based lookup to correctly match an event to a single row in the lookup table? (Choose three.)

Question 115 (medium, multiple choice)

A large enterprise uses Splunk to monitor network traffic from thousands of devices. The events contain a field 'dest_ip' that you want to enrich with a company-specific asset owner and department. The asset data is stored in an SQL database that is updated daily. The Splunk administrator has set up a DB Connect app to query the database. However, the performance of the search is very slow when using dbquery to lookup asset information for each event. The team needs to improve performance while still maintaining daily updates. Which approach should the team take?

Question 116 (medium, multiple choice)

A Splunk user needs to perform a lookup that matches events based on a field 'userid' to a lookup table that contains 'userid', 'full_name', and 'email'. The lookup table is a CSV file named 'users.csv' located in the default lookup directory. The user runs the search: `index=main | lookup users.csv userid OUTPUT full_name, email`. However, the search returns an error that the lookup table 'users.csv' was not found. What is the most likely reason for this error?

Question 117 (hard, multiple choice)

A company uses Splunk to monitor web server logs. They have a lookup table that maps IP addresses to geographic locations (city, country). The lookup is defined as a CSV file with fields: ip, city, country. The lookup definition is named 'geo'. The team wants to automatically add city and country to every web event at index time, so that all future searches have this enrichment without adding the lookup command. The team tries to set up an automatic lookup in props.conf for the sourcetype 'web_access', but the city and country fields still do not appear in the events. They verify that the lookup file exists and that the lookup definition works when used manually with the lookup command. What is the most likely cause of the automatic lookup not working?

Question 118 (easy, multiple choice)

A Splunk user wants to see a list of all fields that are extracted from events of sourcetype 'apache_access'. They need to know which fields are available for use in searches and lookups. Which command should they use to discover all fields automatically extracted by Splunk for that sourcetype?

Question 119 (medium, multiple choice)

A Splunk administrator needs to create a field alias that renames the field 'src_ip' to 'source_ip' for events in the index 'network'. The administrator has created the field alias in the Field Aliases settings in the UI. However, when searching index=network, the new field 'source_ip' does not appear in the events. The search still shows 'src_ip'. What could be the reason?

Question 120 (hard, multiple choice)

A security team uses a KV Store lookup to track threat intelligence indicators (IPs, domains) with a field 'indicator' and a field 'threat_type'. They regularly update the KV Store with new indicators. The team notices that searches using the lookup are very slow when the KV Store contains over 100,000 entries. They want to improve lookup performance without losing the ability to update frequently. Which approach should they take?

Question 121 (easy, multiple choice)

A Splunk user wants to see the list of fields that are defined in a lookup table named 'assets' without running a search. Which command should they use?

Question 122 (medium, multiple choice)

A security analyst is investigating a breach and needs to extract the 'user_id' field from raw log events. The logs contain both structured and unstructured data. The analyst uses the following search: `index=security sourcetype=syslog | rex field=_raw "user_id=(?<user_id>\w+)" | stats count by user_id`. However, some events do not contain the 'user_id' pattern, but they have a 'username' field extracted by a default extraction. The analyst wants to create a unified field 'user_id' that includes values from both. Which approach should the analyst take?

Question 123 (easy, multi select)

Which TWO of the following must be true for the lookup to return results?

Exhibit

Refer to the exhibit.

Search:
```
index=main sourcetype=vendor_sales
| lookup region_lookup zip_code OUTPUT city, state
| stats count by city
```

Lookup definition: `region_lookup` is a CSV file with columns: `zip_code`, `city`, `state`, `population`.

Question 124 (hard, multiple choice)

A company uses Splunk to monitor its e-commerce platform. They have a lookup file (user_geo.csv) that maps user_id to city, state, and country. The search `index=ecommerce sourcetype=access_combined | lookup user_geo user_id OUTPUT city, state, country | stats count by country` is used to analyze user locations. Recently, the lookup stopped returning results for many events. The lookup file is updated daily via a script that pulls from an external API. The Splunk administrator checks the lookup definition and finds that the lookup is configured to automatically reload every 24 hours. The last successful load was 23 hours ago. The events still contain the 'user_id' field. Which course of action should the administrator take first?
