Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.


SPLK-1002 Splunk Basics and Interface Navigation • Complete Question Bank

SPLK-1002 Splunk Basics and Interface Navigation — All Questions With Answers

Complete SPLK-1002 Splunk Basics and Interface Navigation question bank — all 0 questions with answers and detailed explanations.

107 Questions
Question 1 (easy, multiple choice)

A new Splunk user wants to view the raw event data for the last hour. Which interface should they use?

Question 2 (medium, multiple choice)

An analyst notices that searches take long to complete. They want to understand how many events are indexed per second. Which tab in the Monitoring Console provides this information?

Question 3 (hard, multiple choice)

A search returns no results. The user has verified that data is being indexed. What is the most likely cause?

Question 4 (easy, multiple choice)

After running a search, a user wants to save the search for later use. Which button should they click?

Question 5 (medium, multiple choice)

A user wants to see a visual representation of search results over time. Which tab should they use?

Question 6 (hard, multiple choice)

During onboarding, a new user can't find any data in Splunk. They see 'No results found' for all searches. The data is being forwarded from a universal forwarder. What should they check first?

Question 7 (easy, multiple choice)

Which of the following is the default time range in a new Splunk search?

Question 8 (medium, multiple choice)

A user wants to view only the fields that appear in the current search results, without seeing all extracted fields. Which option should they use?

Question 9 (medium, multi select)

Which TWO of the following are valid ways to share a Splunk dashboard?

Question 10 (hard, multi select)

Which THREE of the following are features available in the Splunk Settings menu?

Question 11 (easy, multi select)

Which TWO of the following are default Splunk roles?

Question 12 (hard, multiple choice)

Refer to the exhibit. What can be determined about the license usage?

Exhibit

Refer to the exhibit.

```
> splunk show licenser-pool -name auto_generated_pool_enterprise
Pool: auto_generated_pool_enterprise
    Description: Automatically created pool.
    Max Size: 500 MB
    Used Size: 320 MB
    Allowed Slaves: *
    Stack ID: enterprise
```
Question 13 (medium, multiple choice)

Refer to the exhibit. What is the most likely cause of the error?

Exhibit

Refer to the exhibit.

```
2019-06-15 10:23:45,123 ERROR [main] com.splunk.service.Splunkd - Could not connect to KV Store: Connection refused
2019-06-15 10:23:46,456 WARN [main] com.splunk.service.Splunkd - KV Store not available, retrying...
```
Question 14 (hard, multiple choice)

A medium-sized enterprise uses Splunk Enterprise with a single indexer and one search head. They have 50 universal forwarders sending data from web servers, application servers, and database logs. Recently, the indexer crashed during peak hours. The administrator restarted the indexer and it came back up. After analyzing the crash log, they found that the indexer ran out of memory. The indexer has 16 GB RAM and the default memory settings. The daily indexing volume is about 20 GB. The administrator is concerned about stability. They want to prevent future crashes without adding hardware. What should they do?

Question 15 (medium, multiple choice)

A user at a large organization runs a search that returns 50,000 events. They need to export these events to a CSV file for further analysis in Excel. However, when they click the Export button and select CSV, only 10,000 events are exported. What is the most likely reason and how should they export all 50,000 events?

Question 16 (medium, multiple choice)

A security analyst wants to investigate a suspicious IP address that appeared in multiple log sources. Which Splunk feature is best suited to quickly find all events containing that IP across all indexed data?

Question 17 (hard, multiple choice)

A Splunk administrator notices that a new user cannot see any data in the Search & Reporting app, even though the user has the 'user' role. What is the most likely cause?

Question 18 (medium, multi select)

Which TWO of the following are valid ways to add data to Splunk?

Question 19 (easy, multiple choice)

Refer to the exhibit. After running the search, the user wants to see only events where the HTTP status is 404. Which change to the search is correct?

Exhibit

Refer to the exhibit.

```
index=main sourcetype=access_combined
| stats count by status
| sort - count

Results:
status   count
200      1234
404      56
500      12
403      5
```
Question 20 (hard, multiple choice)

You are a Splunk administrator at a mid-sized company that uses Splunk Enterprise to monitor application logs from a web server cluster. The cluster has five servers, each sending logs via a universal forwarder to a single indexer. The indexer has ample resources. Recently, users have complained that searches for the last 24 hours are slow, but searches for the last hour are fast. The data volume is about 50 GB per day. You suspect the issue is related to how data is stored or indexed. Which action should you take first to improve search performance for the 24-hour time range?

Question 21 (easy, multiple choice)

A new Splunk user wants to see all events from the last 30 minutes, but the search returns no results. The user knows data is being indexed. Which is the most likely cause?

Question 22 (easy, multiple choice)

A user runs a search and sees the results in the Statistics tab, but the events are not appearing. What is the most likely reason?

Question 23 (easy, multiple choice)

A user wants to save a search for later use but not schedule it. Which action should the user take?

Question 24 (medium, multiple choice)

An administrator notices that a user's search is timing out after 60 seconds. The search needs up to 5 minutes to complete. What should the administrator do?

Question 25 (medium, multi select)

Which three of the following are valid ways to navigate and interact with data in the Splunk Web interface? (Choose three.)

Question 26 (medium, multi select)

Which three options describe features or components of the Splunk default interface that are available to a Core Certified User? (Choose three.)

Question 27 (medium, multi select)

Which of the following are components of the Splunk interface that can be used to refine and focus search results? (Choose all that apply. There are four correct answers.)

Question 28 (medium, drag order)

Drag and drop the steps to create a new Splunk index into the correct order.

Question 29 (medium, drag order)

Drag and drop the steps to install an app from Splunkbase into the correct order.

Question 30 (medium, matching)

Match each Splunk search command to its primary function.

Matches

Compute statistics on search results

Evaluate expression and create new fields

Extract fields using regular expressions

Group related events into transactions

Create time-based chart of statistics

Question 31 (medium, matching)

Match each search command to its category.

Matches

Filtering command

Filtering command

Reporting command

Reporting command

Reporting command

Question 32 (easy, multiple choice)

A user runs a search and sees "No results found". The time range is set to "All time". Data exists in the index "main" and sourcetype "access_combined". Which is the most likely cause?

Question 33 (medium, multiple choice)

A user wants to see a list of all sourcetypes in the index "main". Which search command should be used?

Question 34 (hard, multiple choice)

A user notices that a search returns results only from the last 15 minutes, even though the time range picker is set to "All time". The search string is: error | timechart count. Which is the most likely cause?

Question 35 (medium, multiple choice)

Which tab in the Search app should be used to view the raw events in their original format?

Question 36 (easy, multiple choice)

To create a real-time dashboard panel showing errors in the last 30 minutes, which time range setting should be used?

Question 37 (medium, multiple choice)

A user needs to export search results to a CSV file for further analysis. Which method is the most straightforward?

Question 38 (easy, multiple choice)

From the Splunk Home page, which of the following can be accessed directly?

Question 39 (hard, multiple choice)

A search using index=security sourcetype=windows_security returns events with EventCode=4625. The user wants to find the top 10 source IP addresses. Which search will accomplish this?

Question 40 (medium, multiple choice)

A user wants to view only specific fields in the search results. Which interface element can be used to select which fields to show?

Question 41 (medium, multi select)

Which two tabs are always present in the search results page? (Select TWO)

Question 42 (hard, multi select)

Which two of the following search commands can be used to rename a field? (Select TWO)

Question 43 (easy, multi select)

Which three of the following actions can be performed from the "Save As" menu in the Search app? (Select THREE)

Question 44 (medium, multiple choice)

What is the purpose of this search?

Exhibit

Refer to the exhibit.

```
search index=web sourcetype=access_combined status=404 | top 10 uri_path
```
Question 45 (hard, multiple choice)

This is a props.conf configuration snippet. What does it configure?

Exhibit

Refer to the exhibit.

```
[default]
host = server1
index = main
sourcetype = syslog
```
Question 46 (easy, multiple choice)

This message appears in the Monitoring Console. What does it indicate?

Exhibit

Refer to the exhibit.

```
Error: No data indexed. Check your inputs configuration.
```
Question 47 (easy, multiple choice)

A new user wants to start a search in Splunk Web. Which is the first step they should take?

Question 48 (medium, multiple choice)

An analyst has multiple Splunk apps installed and wants to ensure a search runs against data from a specific app's index. Which action should they take?

Question 49 (hard, multiple choice)

A user runs a search but sees no results, even though they know events exist. The search does not show any errors. What is the most likely cause?

Question 50 (easy, multiple choice)

After running a search, an analyst sees a timeline graph at the top of the results. What is the primary purpose of the timeline?

Question 51 (medium, multiple choice)

An analyst wants to save a search so that they can run it again with a single click in the future. Which action should they take?

Question 52 (hard, multiple choice)

A team needs to be notified immediately when a specific error pattern appears in logs. The search for the pattern is already written. Which feature of Splunk should they use to set up automated notifications?

Question 53 (easy, multiple choice)

A user wants to view events from the last 4 hours. Which is the most efficient way to set the time range in Splunk Web?

Question 54 (medium, multiple choice)

After running a search, an analyst notices that useful fields are not appearing in the 'Selected Fields' section. What is the most likely reason?

Question 55 (hard, multiple choice)

A user notices that a search is taking a long time and wants to see detailed performance breakdown. Which tool in Splunk Web should they use?

Question 56 (medium, multi select)

Which TWO of the following methods allow a user to switch between apps in Splunk Web?

Question 57 (hard, multi select)

Which TWO methods allow a user to share a saved search with other users in the same Splunk instance?

Question 58 (easy, multi select)

Which THREE of the following are core interface components visible on the Splunk Web search page?

Question 59 (medium, multiple choice)

Refer to the exhibit. What does the log entry indicate about the search job?

Exhibit

Refer to the exhibit.

```
2023-09-15 10:30:00,000 INFO  SearchContext - Search job created: job_id=1234567890
2023-09-15 10:30:01,500 INFO  IndexProcessor - Processing results for index=_internal
2023-09-15 10:30:02,000 WARN  SearchExecutor - Search job 1234567890 completed with partial results due to time limit
```
Question 60 (hard, multiple choice)

Refer to the exhibit. An administrator notices that searches against the 'sample_index' index return events older than 24 hours, while searches against other indexes do not. What is the most likely explanation?

Exhibit

Refer to the exhibit.

```
[default]
maxGlobalTimeFieldSec = 3600

[sample_index]
repFactor = auto
maxGlobalTimeFieldSec = 604800
```
Question 61 (easy, multiple choice)

Refer to the exhibit. A user reports they cannot log in to Splunk Web and sees this error in the logs. What is the most likely cause?

Exhibit

Refer to the exhibit.

```
2023-10-01 12:00:00,000 ERROR  [SplunkWeb] - CSRF token validation failed. Request rejected.
```
Question 62 (easy, multiple choice)

A user runs a search that returns many results. Which action in the Timeline histogram allows the user to narrow the result set to a specific time range?

Question 63 (easy, multiple choice)

An analyst has created a search that they want to run regularly. What is the most efficient way to save this search for future use?

Question 64 (easy, multiple choice)

A user wants to search only data from the 'security' index. Which search syntax should they use?

Question 65 (medium, multiple choice)

After running a search, the Fields sidebar shows several fields but the analyst wants to see all fields. Which button should they click?

Question 66 (medium, multiple choice)

An administrator needs to find events from hosts that have reported a critical error in the last hour. Which search uses a subsearch correctly?

Question 67 (medium, multiple choice)

An analyst needs to count the number of distinct IP addresses that accessed a server. Which approach is most efficient?

Question 68 (hard, multiple choice)

A security team wants to add department info from an external CSV file to events containing user IDs. The CSV has columns 'userid' and 'department'. What is the correct configuration?

Question 69 (hard, multiple choice)

A user selects 'Last 24 hours' from the time picker but their search returns events from only the last hour. What is the most likely cause?

Question 70 (hard, multiple choice)

An administrator wants to group all events from a single web session identified by session_id, where the session starts with a 'login' event and ends with a 'logout' event. Which search is correct?

Question 71 (medium, multi select)

Which TWO of the following are knowledge objects in Splunk?

Question 72 (medium, multi select)

Which THREE of the following are valid ways to narrow search results?

Question 73 (hard, multi select)

Which THREE of the following are steps in the process of creating a dashboard from a search?

Question 74 (medium, multiple choice)

Refer to the exhibit. What is the primary purpose of this search?

Exhibit

```
index=web sourcetype=access_combined status=404 | stats count by uri_path | sort - count
```
Question 75 (hard, multiple choice)

Refer to the exhibit. What does this configuration do?

Exhibit

```
[my_sourcetype]
TRANSFORMS-set = set_host_from_ip
```
Question 76 (easy, multiple choice)

Refer to the exhibit. What is the effect of this command?

Exhibit

```
./splunk add forward-server 192.168.1.10:9997 -auth admin:changeme
```
Question 77 (easy, multiple choice)

A new Splunk user logs in and sees the Home page. What is the most direct way to start searching data?

Question 78 (easy, multiple choice)

A user runs a search but sees zero results. What is the most common cause for this?

Question 79 (easy, multiple choice)

Where does a user click to view all fields extracted from search results?

Question 80 (medium, multiple choice)

A user frequently runs a long search and wants to save it as a report. What is the best practice when naming the report?

Question 81 (medium, multiple choice)

An admin wants to add a new data input for a network device sending syslog. Under which Settings menu would the admin navigate?

Question 82 (medium, multiple choice)

A user needs to quickly find a specific event from last week. Which navigation method is most efficient?

Question 83 (hard, multiple choice)

A search is slow and the user wants to check the performance metrics. Which part of the UI provides details like run duration, scan count, and result count?

Question 84 (hard, multiple choice)

A dashboard developer wants to add a table that only shows the top 5 values of a field. Which dashboard editor component should they use?

Question 85 (hard, multiple choice)

When viewing search results, what is the difference between the 'Events' tab and the 'Statistics' tab?

Question 86 (easy, multi select)

Which TWO of the following are valid ways to navigate from a search result to a dashboard?

Question 87 (medium, multi select)

Which TWO of the following are features available in the Splunk Web interface under the 'Settings' menu?

Question 88 (hard, multi select)

Which THREE of the following are elements of the Splunk search interface?

Question 89 (medium, multiple choice)

The exhibit shows a savedsearch.conf stanza. What is the effect of the setting `displayview = flashtimeline`?

Exhibit

Refer to the exhibit.

```
[savedsearch://error_count]
dispatch.earliest_time = -30d@d
dispatch.latest_time = now
search = index=main sourcetype=access_combined status=50* | stats count by status
action.email = 1
action.email.to = admin@example.com
action.email.subject = Error Count Alert
displayview = flashtimeline
```
Question 90 (hard, multiple choice)

The exhibit shows log output from a Splunk search head. What is the most likely performance issue indicated?

Exhibit

Refer to the exhibit.

```
2018-03-12 14:23:45,123 INFO  SearchJobManager - Starting search job: sid=1234567890.1
2018-03-12 14:23:45,456 INFO  SearchJobExecutor - Search 'error_count' started
2018-03-12 14:23:50,789 INFO  SearchJobExecutor - Search 'error_count' completed: 1000 events scanned, 10 results
2018-03-12 14:23:55,012 WARN  SearchJobManager - Search job 'error_count' consumed 80% CPU on search head
2018-03-12 14:24:00,123 INFO  SearchJobManager - Starting search job: sid=1234567890.2
2018-03-12 14:24:02,456 INFO  SearchJobExecutor - Search 'login_failures' started
2018-03-12 14:24:10,789 INFO  SearchJobExecutor - Search 'login_failures' completed: 50000 events scanned, 200 results
2018-03-12 14:24:15,012 INFO  SearchJobManager - Search job 'login_failures' consumed 20% CPU
```
Question 91 (hard, multiple choice)

A company has 50 Splunk users in the default 'user' role. The Splunk administrator wants to allow a subset of 5 users to create custom alerts and reports, but not modify data inputs or indexes. The administrator creates a new role called 'analyst' and assigns the 'can_create_alerts' and 'can_create_reports' capabilities. However, when these 5 users log in, they cannot create alerts or reports and receive an error that they 'do not have permission to create alerts'. The administrator verifies that the role has both capabilities. Which of the following is the most likely cause and solution?

Question 92 (easy, multiple choice)

A user wants to quickly see the count of events per source type over the last hour without performing a search. Which Splunk Web feature provides this information with the fewest clicks?

Question 93 (easy, multiple choice)

A new user accidentally closed the search bar while in the Search & Reporting app and can no longer see it. What is the most direct way to restore the search bar?

Question 94 (medium, multiple choice)

A user is building a search in Splunk Web and wants to use the field autocomplete feature to quickly select fields. What must the user do to enable this feature?

Question 95 (hard, multiple choice)

A user runs a search in Splunk Web that returns no results. The user believes data should exist for the current time. Which action most quickly verifies whether the time range is the issue?

Question 96 (easy, multi select)

Which TWO of the following are valid ways to access the Search & Reporting app in Splunk Web? (Choose two.)

Question 97 (medium, multi select)

Which TWO of the following are valid methods to change the time range of a search in Splunk Web? (Choose two.)

Question 98 (hard, multi select)

Which THREE of the following are standard components of the Splunk Web Search interface? (Choose three.)

Question 99 (hard, multiple choice)

A large enterprise is using Splunk Enterprise to monitor web server logs from 200 servers. The logs are forwarded via a heavy forwarder cluster. Recently, a user has reported that when they log into Splunk Web and navigate to the Search & Reporting app, the search bar is empty, and they cannot see any data. The user has confirmed that other users can see data and run searches. The user is part of the 'power' role. The queries for the web server logs use the index 'web_logs'. The user can see the index in the Data Summary. The user has cleared the browser cache and tried a different browser, but the issue persists. What is the most likely cause of this issue?

Question 100 (medium, multiple choice)

A junior administrator at a mid-size company is responsible for onboarding new data sources into Splunk. She has been asked to add a custom application log file, which is generated in a proprietary text format. The log file is located on a Linux server that is not a Splunk universal forwarder. The administrator plans to use the Add Data wizard in Splunk Web to monitor this file. However, when she navigates to Settings > Add Data, she does not see the option to 'Monitor a file' but only sees options for 'Upload' and 'Forward'. She is logged in as admin. What is the most likely reason for this?

Question 101 (easy, multiple choice)

A support technician is troubleshooting a user who cannot see the 'Field sidebar' and 'Timeline' in the Search & Reporting app. The user says that when they run a search, they only see the results in a table format, but no side panels or timeline below the search bar. The technician checks the user's settings and finds that the user's default app is set to 'Search & Reporting'. The technician then looks at the user's browser and notices that the user has a very small browser window. What is the most likely cause of the missing panels?

Question 102 (medium, multiple choice)

A Splunk administrator is reviewing the 'Add Data' wizard for a new data source. The admin wants to monitor a log file that is located on the same server where Splunk is installed. The admin navigates to Settings > Add Data and selects 'Monitor' and then 'Files & Directories'. In the file list, the admin sees a checkbox next to each file. The admin selects the desired file and clicks 'Next'. However, the wizard does not proceed to the next page; instead, nothing happens. The admin has confirmed that the file exists and is readable. What is the most likely cause?

Question 103 (hard, multiple choice)

A security analyst uses Splunk Web daily to investigate incidents. Recently, the analyst noticed that when running a search, the search results are displayed correctly, but the 'Field sidebar' on the left shows the message 'No fields found. Your search may not have generated any fields.' The analyst knows that the data has fields because the same search used to show fields. The analyst has not changed any settings. The analyst is using the same Splunk instance and same data. What is the most likely reason for this issue?

Question 104 (medium, multiple choice)

A user is trying to create a dashboard in Splunk Web by saving a search as a dashboard panel. The user runs a search that produces a table of results. The user clicks 'Save As' and selects 'Dashboard Panel'. The user then selects an existing dashboard and clicks 'Save'. However, the panel does not appear on the dashboard. The user has confirmed that the dashboard exists and that they have write permission to it. The user also sees no error messages. What is the most likely cause of this issue?

Question 105 (easy, multi select)

Which THREE of the following are valid methods to access the Search & Reporting app in Splunk Web?

Question 106 (hard, multiple choice)

Refer to the exhibit. A user runs this search but receives an error. What is the most likely cause?

Exhibit

```
index=main | table _time, host, source | rename _time as Time | convert timeformat="%Y-%m-%d" ctime(Time)
```
Question 107 (medium, multiple choice)

A company has a distributed Splunk environment with a single search head and 4 indexers. The data volume is approximately 50 GB per day across various sourcetypes. Users frequently run searches that span 'All time' (from the time picker), and these searches are taking significantly longer than expected. The search head shows high CPU usage during these searches, while indexers are moderately loaded. The administrator has verified that all indexers are healthy and that there are no network bottlenecks. The data is raw log data with minimal field extractions. Which course of action will most effectively improve search performance for these 'All time' searches?
