Sample questions
Splunk Core Certified Power User SPLK-1003 practice questions
Which TWO statements correctly describe the behavior of the transaction command in Splunk?
- A. It is not recommended for use with large datasets because it consumes too much memory.
  Why wrong: While transaction can be memory-intensive, it is commonly used with large datasets when configured properly.
- B. It merges all fields from all events into a single event, with the last event's field value taking precedence.
  Why wrong: Fields are not merged; they remain associated with each event within the transaction.
- C. It can concatenate the raw text of all events in the transaction into a single event.
  The transaction command can combine raw event text from all related events into one event.
- D. It automatically calculates the duration of each transaction as the difference between the first and last event timestamps.
  Why wrong: Duration is not automatically calculated; you must use eval or convert to compute it.
- E. It can close a transaction based on a change in a specific field value or after a specified timeout.
  The endswith or maxspan/maxpause options control transaction closure.
Which TWO of the following are valid reasons to use the Common Information Model (CIM) in a Splunk environment?
- A. It improves the ability to correlate events from different technologies.
  By standardizing field names, CIM makes it easier to correlate events across different data sources.
- B. It enables searching across different data sources with common field names.
  CIM normalizes data from various sources to use the same field names, allowing unified searching.
- C. It improves search performance by pre-aggregating data.
  Why wrong: CIM does not pre-aggregate data; it only provides a common schema. Performance improvements are not a direct benefit.
- D. It provides built-in security monitoring use cases.
  Why wrong: CIM is a data model, not a security solution; it does not include built-in use cases.
- E. It eliminates the need for custom field extractions.
  Why wrong: CIM defines common field names but does not eliminate the need for custom field extractions; extractions are still required to populate those fields.
Order the steps to set up a data input for monitoring a log file in Splunk.
Arrange the steps to create a new index in Splunk in the correct order.
Order the steps to configure a field extraction using the Field Extractor (FX) in Splunk.
Arrange the steps to configure a lookup table file in Splunk.
Order the steps to create a workflow action in Splunk.
Order the steps to create a dashboard panel using the XML source editor in Splunk.
A security analyst needs to find all events where the field `status` has a value of either "error" or "critical" and the field `bytes` is greater than 1000. Which search correctly accomplishes this?
- A. (status=error OR status=critical) bytes>1000
  Parentheses ensure the OR is evaluated first, and then the AND with bytes>1000.
- B. status=error OR status=critical AND bytes>1000
  Why wrong: Operator precedence causes AND to be evaluated before OR, so this is equivalent to status=error OR (status=critical AND bytes>1000).
- C. status IN (error, critical) AND bytes>1000
  Why wrong: The IN operator requires values in quotes: status IN ("error", "critical").
- D. status="error" OR status="critical" bytes>1000
  Why wrong: The quotes around field values are unnecessary and the missing OR between the second status and bytes makes the search invalid.
A Splunk admin wants to track the number of unique users who accessed a system each hour over the past 24 hours. Which search provides the correct result?
- A. index=main earliest=-24h | timechart span=1h dc(user) as unique_users
  dc(user) gives the distinct count of users per hour with timechart.
- B. index=main earliest=-24h | timechart span=1h values(user)
  Why wrong: values(user) produces a multivalue field but does not count them.
- C. index=main earliest=-24h | stats dc(user) by _time | timechart span=1h dc(user)
  Why wrong: stats by _time creates one row per second, not hourly bins. timechart would then use those tiny bins.
- D. index=main earliest=-24h | timechart span=1h count by user
  Why wrong: This creates separate series for each user, not a single count of unique users.
A search returns many events, and the analyst wants to see a summary table of the top 5 values of the field `src_ip` along with the count of events for each. Which command should be used?
- A. eventstats
  Why wrong: eventstats adds aggregation to each event but does not produce a summary table.
- B. top
  top returns the most frequent values with count and percent.
- C. sort
  Why wrong: sort sorts events but does not count or summarize.
- D. rare
  Why wrong: rare shows the least common values, not the top.
An analyst wants to find the top 5 users who have the highest total bytes transferred. The data has fields 'user' and 'bytes'. Which search should be used?
- A. | stats max(bytes) as max_bytes by user | sort - max_bytes | head 5
  Why wrong: This shows maximum bytes, not total bytes.
- B. | stats sum(bytes) as total_bytes by user | sort - total_bytes | head 5
  This correctly sums bytes per user, sorts descending, and takes the top 5.
- C. | sort - bytes | head 5 | table user, bytes
  Why wrong: This shows the top 5 events by bytes, not aggregated by user.
- D. | top limit=5 user
  Why wrong: The top command shows the most frequent values, not the sum of bytes.
Refer to the exhibit.
```
index=web sourcetype=access_combined
| rex field=_raw "(?<method>GET|POST|PUT|DELETE) (?<url>\S+)"
| eval category = case(
    match(url, "^/api/"), "API",
    match(url, "^/images/"), "Images",
    1==1, "Other"
)
| stats count by category
```
The search above is executed but returns unexpected results: the count for 'API' is much lower than expected. What is the most likely cause?
- A. The stats command should use 'count by category' but category is not a field until after eval.
  Why wrong: The eval command creates the field category before stats, so it is available.
- B. The regex does not account for the HTTP version string after the URL, causing the URL field to include extra characters like 'HTTP/1.1'.
  Why wrong: In the common Apache access_combined format the request is logged as "GET /api/test HTTP/1.1" 200, so the URL is followed by a space and then the HTTP version. Because \S+ stops at the first space, (?<method>GET|POST|PUT|DELETE) (?<url>\S+) captures only '/api/test' as url; the HTTP version is not included, so this option is incorrect.
- C. The case function has a default condition '1==1' that overrides all other conditions.
  Why wrong: The case function evaluates conditions in order; the last condition is a catch-all, but it only applies if none of the previous conditions match. Since the match conditions are evaluated first, the default does not override them.
A security analyst wants to find all events where the field 'src_ip' matches any IP address in a lookup table named 'malicious_ips.csv'. The lookup has fields 'ip' and 'threat'. Which search correctly enriches events with the threat info and filters to only malicious IPs?
- A. `index=security | lookup malicious_ips.csv src_ip | search threat=*`
  Why wrong: The lookup command without OUTPUT does not add any fields; 'threat' will not exist.
- B. `index=security | lookup malicious_ips.csv src_ip OUTPUT threat | where threat!=""`
  Why wrong: The correct syntax is OUTPUTNEW, not OUTPUT, to avoid overwriting existing fields. In SPL, OUTPUT will overwrite an existing field; if threat doesn't exist, it's added anyway but the syntax is non-standard.
- C. `index=security [| inputlookup malicious_ips.csv | fields ip | rename ip as src_ip]`
  Why wrong: The subsearch returns only matching src_ip values, but does not add the threat field; it may also be inefficient.
- D. `index=security | lookup malicious_ips.csv src_ip AS ip | where isnotnull(threat)`
  Why wrong: The lookup field mapping is wrong; it should map src_ip to ip, not the other way.
- E. `index=security | lookup malicious_ips.csv src_ip AS ip OUTPUTNEW threat | where isnotnull(threat)`
  Correct: uses lookup with OUTPUTNEW to add the threat field, then filters where threat is not null.
A team regularly runs a saved search that joins two large indexes. Performance is poor. Which design change would MOST improve query performance?
- A. Convert the saved search to a scheduled report.
  Why wrong: Scheduling does not improve query performance.
- B. Create a data model summary to pre-aggregate the data.
  Summaries reduce the amount of data scanned.
- C. Replace the join with a subsearch.
  Why wrong: Subsearches can be slower than joins.
- D. Use the `fields` command to remove unnecessary fields before the join.
  Why wrong: Removing fields may not resolve the join overhead.
Which TWO of the following are valid uses of the Common Information Model (CIM) in Splunk?
- A. Defining user roles and permissions for data access.
  Why wrong: CIM does not manage roles.
- B. Managing license usage across indexers.
  Why wrong: CIM does not handle licensing.
- C. Creating new indexes for faster search performance.
  Why wrong: CIM does not create indexes.
- D. Defining tags and event types to categorize data.
  CIM uses tags and event types to map data to models.
- E. Normalizing data from different sources to a common field naming convention.
  CIM provides data models with standardized field names.
An engineer runs `| inputlookup asset_lookup.csv | table asset_id asset_name` and gets no results despite the file existing in $SPLUNK_HOME/etc/apps/search/lookups/. The lookup definition is correctly configured. What is the MOST likely cause?
- A. The engineer lacks permissions to read the lookup.
  Why wrong: No permission error is mentioned.
- B. The lookup file is not in the correct directory.
  Why wrong: The file is in the correct directory as stated.
- C. The lookup file has a .csv extension but contains other data.
  Why wrong: No evidence of corrupt data.
- D. The lookup definition name does not match the filename.
  The engineer used the filename, but `inputlookup` expects the lookup definition name.
Which TWO statements about lookups in Splunk are correct? (Choose two.)
- A. The lookup command can be used to add fields from a lookup table to search results.
  Correct; the lookup command enriches events.
- B. External lookups can only be used with CSV files.
  Why wrong: External lookups can use scripts or other data sources.
- C. KV store lookups support real-time updates during a search.
  Correct; KV store lookups are dynamic.
- D. CSV lookups can be updated in real-time by adding rows to the CSV file.
  Why wrong: CSV lookups are static; changes require reloading the lookup.
- E. Automatic lookups are configured in macros.conf.
  Why wrong: Automatic lookups are configured in transforms.conf and props.conf.
A dashboard uses a timechart to show CPU usage over 24 hours. The time range selector is set to 'Last 7 days'. The chart displays data only for the last 24 hours. Which visualization setting is MOST likely causing this?
- A. The chart's 'Time range override' is set to 24 hours.
  A time range override on the panel overrides the dashboard selector.
- B. The 'Max rows' is set to 24.
  Why wrong: Max rows limits displayed rows, not the time range.
- C. The 'Span' is set to 1 hour.
  Why wrong: Span affects granularity, not the total time range.
- D. The data source only retains 24 hours.
  Why wrong: Not specified in the stem.
Which TWO are valid methods to join data from a CSV file in a Splunk search?
- A. `| append myfile.csv`
  Why wrong: `append` adds raw results; it does not join.
- B. `| join myfile.csv`
  Why wrong: `join` requires a subsearch, not a file.
- C. `| lookup myfile.csv`
  `lookup` joins fields from a lookup file.
- D. `| csvlookup myfile.csv`
  Why wrong: Not a standard Splunk command.
- E. `| inputlookup myfile.csv`
  `inputlookup` reads lookup files.
A dashboard developer wants to create a single-value visualization that shows the current server status from a lookup table. Which Splunk command should be used to retrieve the lookup data in a real-time context?
- A. inputlookup
  Why wrong: inputlookup works only in historical searches.
- B. outputlookup
  Why wrong: outputlookup writes data; it does not retrieve.
- C. lookup
  lookup can be used in real-time searches to enrich events.
- D. geostats
  Why wrong: geostats is for geospatial aggregation.
A Splunk admin notices that a time-based lookup (defined in transforms.conf with time_range=TRUE) is not returning correct results for events outside the lookup's time boundaries. The lookup file contains rows with a valid time range. What is the most likely cause?
- A. The lookup is defined as an automatic lookup and runs at index time.
  Why wrong: Automatic lookups run at search time, not index time.
- B. The lookup table has max_matches set to 1, limiting matches.
  Why wrong: max_matches limits the number of matching rows, but does not explain why there is no match.
- C. The lookup file does not contain a time field.
  Why wrong: Time-based lookups require time fields; if they were missing, the lookup would not work at all.
- D. The event time is outside the time range defined in the lookup.
  Time-based lookups only match events whose _time falls within the row's time range.
Which THREE of the following are best practices when using lookups in Splunk?
- A. Use the lookup command instead of inputlookup when possible to reduce memory usage.
  The lookup command streams data efficiently.
- B. Use automatic lookups to enrich data at search time without manual commands.
  Automatic lookups apply to all events matching the field.
- C. Store lookup tables in KV Store when the table has more than 1 million rows.
  Why wrong: KV Store is not optimal for large lookups; use summary indexing.
- D. Always use KV Store lookups for faster performance compared to CSV lookups.
  Why wrong: CSV lookups are faster for small to moderate sizes.
- E. Keep lookup file sizes under 500 MB to avoid performance degradation.
  Large files can slow down searches.
A security analyst wants to visualize the count of login failures by source IP over the last 24 hours, but only for IPs with more than 10 failures. Which visualization type and SPL command combination is most appropriate?
- A. Line chart with | top limit=10 showcount=1 by src_ip
  Why wrong: The top command shows the most frequent values but does not allow filtering by a count threshold.
- B. Column chart with | stats count by src_ip | where count > 10
  Correctly uses stats to count, filters on the threshold, and uses a column chart for comparison.
- C. Scatter plot with | stats dc(src_ip) by failure
  Why wrong: A scatter plot requires two numeric axes; dc computes a distinct count.
- D. Pie chart with | chart count over src_ip | where count > 10
  Why wrong: The chart command syntax is incorrect; a pie chart is not ideal for many categories.