Splunk · 2026 Edition
A complete preparation guide written by Splunk-certified engineers. Covers the exam format, all 5 blueprint domains, a week-by-week study plan, and proven tips for passing first time.
Exam code: SPLK-1002
Full name: Splunk Core Certified User
Vendor: Splunk
Duration: 60 minutes
Questions: 65 items
Passing score: 700/1000 (scaled)
Domains covered: 5 blueprint domains
Recommended experience: No prerequisites — suitable for users new to Splunk
Typical prep time: 3–5 weeks
Splunk Core Certified User is the entry-level Splunk credential. It validates the ability to search, use fields, create reports and dashboards, and navigate the Splunk interface — skills required for SOC analysts, data analysts, and operations staff working with Splunk SIEM.
Domain percentage weights are not currently available for this exam. The checklist below is still useful for planning your study.
Weeks 1–2
Introduction and Basic Navigation: search bar, time range picker, events, field sidebar
Tip: Splunk's free eLearning courses (Splunk Fundamentals 1 and 2) align directly with the Core Certified User exam. Both courses are free on Splunk's website and include hands-on exercises in a live Splunk environment — use them as your primary study resource.
Weeks 3–4
Using Fields and Commands: search pipeline, field extraction, transforming commands (stats, chart, top, rare)
Tip: The Splunk search pipeline is the foundation of every SPL query: search terms | command1 | command2 | command3. Know the most common transforming commands: stats (calculate statistics grouped by fields), chart (create a table for charting), top (find most frequent values), rare (find least frequent values), and timechart (time-series statistics).
Week 5
Reports, Dashboards, and Knowledge Objects: alerts, saved searches, dashboards
Tip: Know the types of visualisations available in Splunk: column chart, bar chart, line chart, area chart, pie chart, scatter chart, single value, and radial gauge. Questions describe a use case (show trend over time, compare categories, show percentage of total) and ask which visualisation type is most appropriate.
SPLK-1001 exam (Core Certified User): 63 questions, 60 minutes, 70% passing score. Questions focus on recognising correct SPL syntax and understanding what commands do — not writing complex queries from scratch.
The most important SPL commands to know for this exam: search (implicit at the start), fields (include/exclude fields), rename, eval (calculate new fields or transform existing ones), where (filter results), dedup (remove duplicate events), rex (extract fields with regex), stats, chart, timechart, top, rare.
Splunk data model and accelerated searches appear on SPLK-1001. Know that a data model is a hierarchical structure of datasets representing domain knowledge (e.g. the Authentication data model has datasets for Successful Logins, Failed Logins). Pivot is the drag-and-drop interface for querying data models without writing SPL.
Time modifiers in SPL are directly tested: know how to use relative time modifiers (earliest=-24h, latest=now), snap-to-time (earliest=@d snaps to the start of today), and absolute times (earliest=01/01/2024:00:00:00). These modifiers appear in saved searches and alerts.
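The following search is an added example (not from the original guide) that strings together the pipeline pieces covered above: a relative time window with snap-to, a rex field extraction, stats grouped by a field, a where filter, eval, sort and fields. The index name, sourcetype and the Linux auth-log message format are assumptions for illustration; adjust them to your own data.

```spl
index=auth sourcetype=linux_secure earliest=-24h@h latest=now "Failed password"
| rex field=_raw "Failed password for (invalid user )?(?<user>\S+) from (?<src_ip>\d+\.\d+\.\d+\.\d+)"
| stats count AS failures, dc(user) AS distinct_users, earliest(_time) AS first_seen, latest(_time) AS last_seen BY src_ip
| where failures > 20
| eval first_seen=strftime(first_seen, "%Y-%m-%d %H:%M:%S"), last_seen=strftime(last_seen, "%Y-%m-%d %H:%M:%S")
| sort - failures
| fields src_ip failures distinct_users first_seen last_seen
```

Reading it left to right: the implicit search narrows by index, sourcetype, the last 24 hours snapped to the hour, and a literal phrase; rex creates user and src_ip; stats collapses events into one row per source with counts and time bounds; where keeps only noisy sources; eval formats the epoch times; sort and fields shape the output. Saved as an alert, the same search is exactly the kind of failed-login detection the Authentication data model's Failed Logins dataset is meant to support.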
The Splunk Core Certified User credential is the first rung of the Splunk certification ladder. The next steps are Splunk Core Certified Power User (SPLK-1003) and then Splunk Enterprise Certified Admin (SPLK-1004). Each builds on the previous level's content.