Splunk Core Certified Power User SPLK-1003 (SPLK-1003) — Questions 226-300

500 questions total · 7 pages · All types, answers revealed

Page 4 of 7

226
MCQ · easy

A user has created a dashboard panel using a 'chart' command with 'count by host'. The chart shows counts per host, but the hosts appear in alphabetical order. The user wants to sort the chart by count descending, so that the host with the most events appears first. The search is: index=main sourcetype=access | chart count by host. The dashboard is built using Simple XML. Which approach should be used to achieve the desired sorting?

A. Use the 'top' command instead of 'chart' to automatically sort by count.
B. Use 'eventstats' to compute counts and then sort by count.
C. Add '| sort -count' after the chart command in the search.
D. Use the chart properties panel in the dashboard editor to set sorting by count descending.
Answer: C

Sort after chart reorders the results.

Why this answer

Option C is correct because adding | sort -count after chart sorts the results. Option D is wrong because chart properties do not include sorting by count. Option B is wrong because eventstats is unnecessary.

Option A is wrong because the top command changes the output format.

227
MCQ · medium

Refer to the exhibit. A security analyst notices that some transactions have a duration greater than 600 seconds even though maxpause is set to 5 minutes (300 seconds). What is the most likely reason?

A. The transaction command is including events that are more than 5 minutes apart because the maxpause is ignored when maxspan is set.
B. The eventcount field is inflated, causing duration to be calculated incorrectly.
C. The duration field represents milliseconds, so 600 seconds is actually 0.6 seconds.
D. The maxspan setting of 30 minutes allows the total transaction duration to reach up to 1800 seconds.
Answer: D

Maxspan limits the total elapsed time from first to last event; 600 seconds is within 30 minutes.

Why this answer

Option D is correct because the `maxspan` parameter in the transaction command sets an upper limit on the total duration of the transaction from the first to the last event, regardless of the `maxpause` setting. With `maxspan=30m` (1800 seconds), a transaction can have a total duration up to 1800 seconds, even if individual gaps between events exceed `maxpause=5m` (300 seconds). The `maxpause` only limits the idle time between consecutive events, not the overall span, so transactions with gaps larger than 300 seconds but within the 1800-second span are still valid.

Exam trap

Splunk often tests the distinction between `maxpause` and `maxspan`, where candidates mistakenly think `maxpause` alone controls the total transaction duration, ignoring that `maxspan` can extend the overall time window.

How to eliminate wrong answers

Option A is wrong because `maxpause` is not ignored when `maxspan` is set; both parameters work together, with `maxpause` limiting gaps between events and `maxspan` limiting the total transaction duration. Option B is wrong because the `eventcount` field does not affect the calculation of `duration`; `duration` is derived from the timestamps of the first and last events in the transaction, not from event count. Option C is wrong because the `duration` field in the transaction command output is in seconds, not milliseconds; 600 seconds is indeed 600 seconds, not 0.6 seconds.

228
MCQ · medium

Refer to the exhibit. This search is intended to find users with average duration above overall average. However, it returns no results. Why?

A. eventstats should be after stats
B. The where clause should use the 'search' command
C. overall_avg is not available in the where clause because it is created in eventstats
D. The search requires a subquery to compute overall_avg
Answer: C

Stats output does not include fields from prior commands unless preserved.

Why this answer

Option C is correct: eventstats adds overall_avg to each event, but stats by user only outputs user and user_avg, dropping overall_avg, so where compares a non-existent field to user_avg. Option A is wrong because eventstats before stats is correct conceptually. Option B is wrong because where works fine with fields that are present.

Option D is wrong because a subquery is not needed.

229
MCQ · hard

Refer to the exhibit. This search returns an error. What is the most likely cause?

A. The timechart command requires a _time field which is not present after stats
B. The eval command cannot be used before timechart
C. The status_group field is not available after timechart because it was created in eval
D. The stats command aggregates data, so timechart cannot use the aggregated count field
Answer: A

Stats does not preserve _time unless explicitly used in a by clause.

Why this answer

The error occurs because the `stats` command removes the `_time` field from the events, and `timechart` requires a valid `_time` field to create time-based buckets. Without `_time`, `timechart` cannot generate the time axis, resulting in a search error. This is a common pitfall when chaining `stats` before `timechart` without preserving the time field.

Exam trap

Splunk often tests the misconception that `stats` preserves `_time` by default, leading candidates to overlook that `timechart` requires an explicit time field in the result set.

How to eliminate wrong answers

Option B is wrong because `eval` can be used before `timechart` without issue, as long as the required `_time` field is present. Option C is wrong because `status_group` is created by `eval` and is available to `timechart`; the error is not about field availability but the missing `_time` field. Option D is wrong because `timechart` can use aggregated count fields from `stats`; the real problem is that `stats` removes `_time`, not that the count field is incompatible.

230
MCQ · hard

An administrator wants to correlate events from the same session but the events span up to 30 minutes apart. The transaction command is being considered. Which transaction option is most appropriate to ensure sessions are correctly grouped without artificially high memory usage?

A. | transaction sessionid maxspan=30m
B. | transaction sessionid maxspan=30m maxpause=5m
C. | transaction sessionid maxevents=100
D. | transaction sessionid maxspan=30m keepevicted=true
Answer: B

Correctly defines the time window and pause to group sessions.

Why this answer

Option B is correct because the `maxspan=30m` ensures events spanning up to 30 minutes are grouped into the same transaction, while `maxpause=5m` prevents the transaction from remaining open indefinitely by closing it after 5 minutes of inactivity. This combination correctly groups sessions without keeping the transaction open for the full 30 minutes, which would artificially increase memory usage by holding events in the buffer.

Exam trap

Splunk often tests the misconception that `maxspan` alone is sufficient to control memory usage, when in fact `maxpause` is critical to close transactions during idle periods and prevent excessive memory consumption.

How to eliminate wrong answers

Option A is wrong because using only `maxspan=30m` without `maxpause` means the transaction will remain open for the entire 30-minute span even if there are long gaps between events, causing high memory usage as events are held in the buffer. Option C is wrong because `maxevents=100` limits the number of events per transaction but does not address the time span or pause requirements, so sessions spanning 30 minutes may be split or incomplete. Option D is wrong because `keepevicted=true` retains evicted (incomplete) transactions in the output, which does not help control memory usage and may actually increase it by including partial groups.

231
MCQ · hard

A Splunk admin wants to create a saved search that triggers an alert when the average CPU usage across all servers exceeds 80% over a 5-minute window. The data is in a 'perfmon' sourcetype. Which search best fits this requirement?

A. index=os sourcetype=perfmon counter="% Processor Time" | timechart avg(Value) as avg_cpu by host | where avg_cpu > 80
B. index=os sourcetype=perfmon counter="% Processor Time" earliest=-5m latest=now | stats avg(Value) as avg_cpu by host | where avg_cpu > 80
C. index=os sourcetype=perfmon counter="% Processor Time" | streamstats avg(Value) as avg_cpu by host | where avg_cpu > 80
D. index=os sourcetype=perfmon counter="% Processor Time" earliest=-5m latest=now | bucket _time span=5m | stats avg(Value) as avg_cpu by host | where avg_cpu > 80
Answer: D

Correctly batches events into 5-minute buckets per host and filters where average exceeds 80.

Why this answer

Option D is correct because it restricts the search to the last 5 minutes, buckets events into a 5-minute window with bucket _time span=5m, and uses stats to compute the average per host. Option B sets the time range but does not bucket the window properly. Option C uses streamstats, which is not necessary.

Option A uses timechart, which creates multiple series.

232
Drag & Drop · medium

Order the steps to create a workflow action in Splunk.


Why this order

Workflow actions are created by specifying a label, action type, and URI with field references.

233
MCQ · hard

An analyst needs to create a visualization that shows the relationship between source IP and destination port in network traffic. Which visualization type is most appropriate?

A. Choropleth map
B. Sankey diagram
C. Single value
D. Column chart
Answer: B

Sankey diagrams effectively illustrate flows between two dimensions.

Why this answer

A Sankey diagram is designed to show flow relationships between sources and destinations. Choropleth maps are geographic, single values show one number, and column charts are for comparisons.

234
Multi-Select · easy

Which TWO SPL commands can be used to create a time-based chart showing event counts over time? (Select two.)

Select 2 answers
A. eventstats
B. chart (with time span)
C. timechart
D. where
E. stats
Answers: B, C

chart can be used with an explicit span over _time to produce a similar result.

Why this answer

Options B and C are correct: timechart automatically creates a time-based chart, and chart with a span over _time can also create one. Options A, D, and E do not produce charts: eventstats adds fields, where filters events, stats returns a table.

235
MCQ · easy

A security analyst is investigating a potential breach. They have a search that uses the transaction command to group events by session_id and calculates the total bytes transferred per session. However, the search takes over 30 minutes to complete on a 24-hour time range. The environment has 10 indexers with default settings. The analyst needs to reduce search time while preserving the ability to group by session_id. Which course of action should they take?

A. Pre-aggregate events by session_id using 'stats values(*) as * sum(bytes) as total_bytes by session_id' before the transaction command.
B. Use an append command to add a subsearch that pre-filters events.
C. Replace transaction with the 'streamstats' command to compute running totals.
D. Add the 'local' keyword to the transaction command to force it to run on a single indexer.
Answer: A

Reduces the number of events per session, making transaction faster.

Why this answer

Option A is correct because summarizing events by session_id using stats with values and sum before the transaction command reduces the number of events that transaction needs to process. Option D would disable parallel processing, making it slower. Option B adds subsearch overhead.

Option C changes the grouping logic and does not reduce the workload.

236
MCQ · easy

A security analyst needs to monitor failed login attempts across multiple Windows domain controllers. The environment has a custom sourcetype 'WinEventLog:Security' and the data is indexed under 'windows_security'. The analyst wants to create a saved search that runs every 10 minutes, searches for EventCode 4625 (failed logon), and triggers an alert if more than 10 failures occur from the same source IP within the last 10 minutes. The saved search should use the Common Information Model (CIM) to ensure compatibility with other security apps. Which of the following saved search definitions best meets these requirements?

A. `| from datamodel:Authentication.All_Authentication where Authentication.EventCode=4625 | search Authentication.app=windows | timechart span=10m count by Authentication.src | where count > 10`
B. `index=windows_security sourcetype=WinEventLog:Security EventCode=4625 | stats count by src_ip | where count > 10`
C. `| from datamodel:Authentication.Failed_Authentication | where EventCode=4625 | stats count by src_ip | where count > 10`
D. `index=windows_security EventCode=4625 | transaction src_ip maxspan=10m | where eventcount > 10`
Answer: A

Uses CIM data model, correct field, and timechart for aggregation.

Why this answer

Option A is correct because it uses the `from datamodel` command to query the CIM Authentication data model, specifically the `All_Authentication` dataset filtered for EventCode 4625 and Windows (`Authentication.app=windows`). The `timechart span=10m count by Authentication.src` then counts failures per source IP in 10-minute buckets, and the `where count > 10` triggers the alert only when the threshold is exceeded. This approach ensures CIM compatibility, uses the correct data model object, and respects the 10-minute sliding window required by the use case.

Exam trap

The trap here is that candidates often pick Option C because 'Failed_Authentication' sounds correct, but they miss that it may not expose the raw EventCode field and lacks a time-bounded aggregation, while Option A correctly uses the parent dataset `All_Authentication` with explicit filtering and `timechart` for the sliding window.

How to eliminate wrong answers

Option B is wrong because it uses `index=windows_security sourcetype=WinEventLog:Security` directly instead of the CIM data model, breaking compatibility with other security apps; it also uses `stats count by src_ip` without a time window, so it counts all-time failures rather than within the last 10 minutes. Option C is wrong because it queries `Authentication.Failed_Authentication` which is a child dataset that may not contain the raw EventCode field directly, and it uses `stats count by src_ip` without a time-bounded window, failing the 10-minute requirement. Option D is wrong because it uses `transaction src_ip maxspan=10m` which groups events into transactions but does not enforce a fixed 10-minute sliding window for counting; `transaction` can merge events across gaps and may produce inaccurate counts, plus it does not use the CIM data model.

237
MCQ · easy

A user wants to create a macro that calculates the average response time for web requests. The macro should accept a field name as an argument and return the average. Which syntax is correct for defining the macro?

A. `stats avg($field$) | eval avg_response=$result$`
B. "stats avg($field$) as avg_response"
C. `stats avg($field$) as avg_$field$`
D. `stats avg($field$) as avg_response`
Answer: D

This correctly uses the argument $field$ and returns a field named avg_response.

Why this answer

Option D is correct because in Splunk macro definitions, the argument placeholder syntax is `$field$` (with dollar signs), and the macro body must be a valid search string. The `stats avg($field$) as avg_response` correctly uses the argument in a stats command and assigns a static alias, which is the standard way to return a single computed value from a macro.

Exam trap

The trap here is that candidates often confuse macro argument syntax with eval variable syntax (e.g., `$result$`) or incorrectly assume that the macro definition must be quoted, leading them to pick options A or B, while the correct syntax uses unquoted search commands with `$argname$` placeholders.

How to eliminate wrong answers

Option A is wrong because it uses `$result$` which is not a valid macro argument placeholder; macros only recognize `$argname$` syntax, and the `eval` command is unnecessary since `stats` already produces the result. Option B is wrong because it encloses the macro definition in double quotes, which would cause Splunk to treat it as a literal string rather than a search command, breaking the macro. Option C is wrong because `as avg_$field$` dynamically names the output field based on the argument value, which is not the intended behavior — the requirement is to return a fixed field name 'avg_response' regardless of the input field name.

238
MCQ · easy

A dashboard developer wants to display the count of errors over the last 24 hours with a line chart. Which search command should be the final command before the visualization?

A. chart
B. trendline
C. stats
D. timechart
Answer: D

timechart produces a time-based chart by default.

Why this answer

timechart automatically creates a time-based chart suitable for line chart visualization without additional formatting.

239
MCQ · medium

An engineer wants to create a saved search that runs every hour and searches against 90 days of data. To optimize performance, they should...

A. Use a summary index to pre-compute results.
B. Set a time range relative to the search time.
C. Use the `| stats` command with `span` to aggregate.
D. Enable report acceleration on the saved search.
Answer: A

Correct: A summary index can pre-compute daily aggregates, but report acceleration is the more direct and supported approach for this scenario.

Why this answer

Option B is correct: report acceleration pre-computes results for the time range, reducing query time. Summary indexing is an alternative but more complex. Relative time range is already used.

Using `| stats` with span is a search technique, not an optimization method per se.

240
MCQ · medium

An admin notices that a saved search with a scheduled alert is not triggering as expected even though the search returns results. The search uses a macro with arguments. Which troubleshooting step should the admin take first?

A. Ensure that the macro name does not conflict with existing commands or other macros.
B. Review the macro definition for syntax errors, such as missing brackets or incorrect argument references.
C. Verify the macro's permissions are set to global.
D. Check the search head's job inspector for the expanded search string.
Answer: B

Macro syntax errors are a common cause of search failure.

Why this answer

Option B is correct because the most common issue with macros is the definition syntax. Option A is not the first step. Option C is not relevant if the macro is defined.

Option D is too narrow.

241
MCQ · hard

A Splunk administrator runs the following search and notices that the results include events where the 'status' field is 200 or 404, but also includes events where the 'status' field is missing. What is the most efficient way to modify the search to exclude events where the 'status' field does not exist?

A. status=200 OR status=404 | search status!=null
B. NOT ISNULL(status) (status=200 OR status=404)
C. status=200 OR status=404 | where isnotnull(status)
D. status=200 OR status=404
Answer: B

ISNULL(status) returns true if field does not exist; NOT ISNULL ensures only events with a status field are considered.

Why this answer

Option B is correct because it uses the `NOT ISNULL(status)` filter before the OR conditions, which efficiently excludes events where the `status` field does not exist. In Splunk, `ISNULL()` returns true if a field is missing or null, so `NOT ISNULL(status)` ensures only events with a defined `status` field are considered, and then the parentheses group the OR conditions correctly. This approach is more efficient than post-filtering because it reduces the result set early in the search pipeline.

Exam trap

The trap here is that candidates often confuse `ISNULL()` with checking for empty strings or use `!=null` as if it were SQL, failing to recognize that Splunk requires explicit `ISNULL()` or `isnull()` functions for field existence checks.

How to eliminate wrong answers

Option A is wrong because `status!=null` is not a valid Splunk syntax for checking field existence; it compares the field value to the literal string 'null' rather than checking for absence. Option C is wrong because while `where isnotnull(status)` works, it is less efficient than using `NOT ISNULL(status)` in the base search, as `where` processes all results after the initial search, whereas the base search filter can leverage index-time optimizations. Option D is wrong because it simply searches for status=200 OR status=404 without any filter to exclude events where the status field is missing, so it will still include those events.

242
Multi-Select · medium

A user needs to identify the top 3 error types by count, but only for the current month, and exclude results with fewer than 100 occurrences. Which TWO steps are necessary? (Select two.)

Select 2 answers
A. Use the time range picker to set 'Current Month'
B. Use the where command to filter count>=100
C. Use the search command with earliest and latest
D. Use the top command with limit=3
E. Use the time command with relative time modifiers
Answers: B, D

Excludes error types with count less than 100.

Why this answer

Option B is correct because the `where` command in Splunk is used to filter results based on a condition, and here it is needed to exclude error types with fewer than 100 occurrences after counting. Option D is correct because the `top` command with `limit=3` returns the top 3 values of a field by count, which directly satisfies the requirement to identify the top 3 error types.

Exam trap

Splunk often tests the distinction between using the time range picker versus explicit time commands in the search, and candidates may incorrectly assume that the time range picker is a necessary step when the search itself can use relative time modifiers like `earliest=-30d@d`.

243
MCQ · medium

What is the MOST likely cause of this error?

A. The lookup is not configured to output all fields.
B. The lookup definition filename is incorrect.
C. The CSV file has a trailing space in the column header 'asset_type'.
D. The `where` command cannot be used after `inputlookup`.
Answer: C

Trailing spaces cause field name mismatch.

Why this answer

The error is most likely caused by a trailing space in the CSV column header 'asset_type'. When `inputlookup` reads a CSV file, it treats column headers as literal strings; a trailing space makes the field name 'asset_type ' (with a space) instead of 'asset_type'. This mismatch causes the `where` command to fail because it references 'asset_type' without the space, leading to a field-not-found error.

Exam trap

Splunk often tests the subtlety that CSV headers are parsed literally, including whitespace, and candidates mistakenly assume Splunk automatically trims or normalizes field names, leading them to overlook trailing spaces as the root cause.

How to eliminate wrong answers

Option A is wrong because a lookup not configured to output all fields would simply not return certain fields, but it would not cause a field-not-found error in the `where` command; the lookup would still work with the fields it does output. Option B is wrong because an incorrect lookup definition filename would cause a 'lookup table not found' error, not a field mismatch error in the `where` clause. Option D is wrong because the `where` command can absolutely be used after `inputlookup`; it is a standard pattern for filtering results from a lookup table.

244
MCQ · easy

A security analyst needs to correlate login events with subsequent logout events for the same user session. Which command should be used to group these events together?

A. Use the transaction command with startswith='login' and endswith='logout'.
B. Use the sort command by user and time to manually identify sessions.
C. Use the stats command with values() and earliest().
D. Use the eval command to create a session ID based on time differences.
Answer: A

transaction is designed exactly for this purpose: it groups events that share common fields and satisfy start/end conditions.

Why this answer

The `transaction` command is specifically designed to group related events that share a common field (e.g., user or session ID) and occur within a defined time window. By using `startswith='login'` and `endswith='logout'`, it correctly identifies the beginning and end of a user session, grouping all intermediate events into a single transaction. This is the most direct and efficient method for correlating login and logout events in Splunk.

Exam trap

Splunk often tests the misconception that `stats` or `eval` can replace `transaction` for sessionization, but the trap is that `transaction` is the only command that natively groups events based on a start and end condition without requiring manual time-window calculations or complex field manipulation.

How to eliminate wrong answers

Option B is wrong because the `sort` command only reorders events and does not group them into sessions; manually identifying sessions from sorted data is impractical and error-prone. Option C is wrong because `stats` with `values()` and `earliest()` can aggregate fields but cannot define a transaction boundary based on event types (login/logout) or group intermediate events into a single session. Option D is wrong because `eval` can create a calculated field like a session ID based on time differences, but it lacks the built-in logic to automatically detect start and end events and group all events in between; this would require complex, custom logic that `transaction` handles natively.

245
Multi-Select · medium

Which TWO are valid methods to join data from a CSV file in a Splunk search?

Select 2 answers
A. `| append myfile.csv`
B. `| join myfile.csv`
C. `| lookup myfile.csv`
D. `| csvlookup myfile.csv`
E. `| inputlookup myfile.csv`
Answers: C, E

`lookup` joins fields from a lookup file.

Why this answer

Option C is correct because the `| lookup` command can reference a CSV file defined as a lookup table in Splunk, allowing field-based enrichment of search results. This is a standard method for joining data from a CSV file within a search, provided the lookup is properly configured in transforms.conf and props.conf.

Exam trap

The trap here is that candidates often confuse `| lookup` with `| inputlookup`, not realizing that both are valid for CSV data but serve different purposes—`| lookup` for field-based enrichment and `| inputlookup` for loading the entire file as a dataset.

246
MCQ · easy

A user runs a search on web access logs: `index=web | eventstats sum(bytes) as total_bytes by host`. The search returns the correct total bytes per host, but now the user needs to calculate the average bytes per host for each event. Which command should be added to the base search to achieve this?

A. Add `| eventstats avg(bytes) as avg_bytes by host` after the first eventstats.
B. Replace eventstats with `| streamstats avg(bytes) as avg_bytes by host`.
C. Add `| eval avg_bytes = total_bytes / count` after the eventstats.
D. Use `| stats avg(bytes) by host` then `| join host [search index=web]`.
Answer: A

eventstats can compute average directly and add it to each event.

Why this answer

Option A is correct: eventstats can compute the average directly with `avg(bytes)` and add it to each event. Option C requires manually calculating the average with count, which is more complex. Option B uses streamstats, which computes a running average, not the overall one.

Option D uses stats and join, which is slower and may not work well.

247
MCQ · easy

A financial services company uses Splunk to monitor transactions between internal systems. Each transaction consists of a request event and a response event with identical fields: transaction_id, timestamp, component, status. The request event has component='app' and status='request'; the response event has component='db' and status='success' or 'failure'. The analyst runs the following search to correlate them: `index=main (component=app OR component=db) | transaction transaction_id maxspan=30s`. However, they notice that the search takes too long and often times out when there are many transactions. What change would most effectively reduce search time while still correctly grouping request-response pairs?

A. Use `transaction transaction_id maxspan=30s` with a time range picker to limit the search to a smaller time window.
B. Use `stats values(*) as * by transaction_id` and then filter.
C. Use `rename component to type` and then use `transaction`.
D. Use `transaction transaction_id maxevents=2 maxspan=30s`.
Answer: D

Correct: maxevents=2 ensures each transaction contains only the expected two events, reducing memory and processing.

Why this answer

Option D is correct because setting maxevents=2 limits each transaction to exactly two events (request and response), preventing large groupings that cause memory issues and timeouts. Option B (stats values) does not maintain event order and may not clearly separate request/response. Option A (smaller time range) is already implied by the maxspan.

Option C (rename) does not address the performance issue.

248
Multi-Select · medium

Which TWO statements about the 'transaction' command are correct? (Choose two.)

Select 2 answers
A. It requires all events to be from the same source.
B. It sums numeric field values across events in the transaction.
C. It can use the 'by' clause to group events based on common field values.
D. The 'maxevents' option limits the total number of transactions output.
E. It can combine multiple events into a single event.
Answers: C, E

The 'by' clause is used to specify the field(s) that define a transaction group.

Why this answer

Option C is correct because the 'transaction' command can use a 'by' clause to group events that share common field values into a single transaction. This allows you to correlate events from different sources or sourcetypes as long as they have matching field values, enabling flexible event correlation.

Exam trap

Splunk often tests the misconception that 'transaction' aggregates numeric fields (like sum or average) when in reality it only concatenates events, and that 'maxevents' controls the total number of transactions rather than the maximum events per transaction.

249
Multi-Select · medium

Which TWO statements are true about the `transaction` command in Splunk?

Select 2 answers
A. It can group events based on one or more common field values.
B. It automatically calculates the duration between the first and last event.
C. It can only correlate events from the same sourcetype.
D. It supports maxspan and maxpause options to control time boundaries.
E. It automatically sorts events in chronological order within each transaction.
Answers: A, D

Transaction uses a by clause to group on field values.

Why this answer

Option A is correct because the `transaction` command groups events that share one or more common field values, such as `session_id` or `user_id`, into a single transaction. This allows you to correlate related events across different sources or sourcetypes based on matching field values.

Exam trap

The trap here is that candidates often assume the `transaction` command automatically calculates duration or sorts events, but it only groups events based on fields and time boundaries, leaving duration calculation and sorting as separate steps.

250
Multi-Select · medium

Which TWO of the following are valid uses of the stats command in Splunk? (Choose two.)

Select 2 answers
A. stats mode(score) by group
B. stats values(ip) by user
C. stats count by host
D. stats median(response_time) by server
E. stats first(error_code) by session
Answers: B, C

Valid: returns list of distinct IPs per user.

Why this answer

The `stats` command in Splunk can compute aggregate statistics over fields. `values(ip) by user` is valid because `values()` returns a multivalue list of all distinct `ip` values for each `user`, which is a standard aggregation function. `count by host` is valid because `count` is a default aggregation that counts events per `host`.

Exam trap

The trap here is that candidates may confuse valid `stats` functions with functions from other contexts (like `mode()` from statistics or `first()` from programming languages) or assume that `median()` is supported when Splunk uses percentile functions instead.

251
MCQmedium

You are a Splunk power user at a manufacturing company. You have created a timechart that shows machine temperature readings over time. The data is indexed with timestamps every minute, but the timechart shows gaps where no data exists because some machines may not report at all times. You want to fill the gaps with 0 values to avoid misleading visualizations. The current search is: index=manufacturing sourcetype=temperature | timechart span=1h avg(temp) by machine. Which modification to the timechart command will fill the gaps with 0?

A.timechart span=1h cont=t
B.timechart span=1h limit=0
C.timechart span=1h usenull=t
D.timechart span=1h usenull=f useother=f
AnswerC

usenull=t fills nulls with 0.

Why this answer

Option C is correct because usenull=t fills null values with 0. Option D is wrong because usenull=f leaves the gaps in place. Option B is wrong because limit=0 does not fill nulls.

Option A is wrong because cont=t ensures continuous time buckets but does not fill them with 0.

252
MCQmedium

A saved search is configured to run every 5 minutes and send an alert when the count of failures exceeds 10. After several days, users report they are not receiving alerts even though failures are occurring. The saved search runs successfully and produces results. What is the most likely cause?

A.The saved search owner does not have permission to send alerts.
B.The alert action is not configured to send to the intended recipients.
C.Alert throttling is enabled and suppressing subsequent alerts.
D.The alert condition is set to trigger when count is less than 10.
AnswerC

Throttling stops alerts from firing again within a set time window, even if the condition is true again.

Why this answer

The search runs and produces results, so the cause lies in how the alert is handled after the search completes, not in the search itself. Option C is correct: throttling suppresses further triggers for a set window after an alert fires, so once the first alert goes out, later runs that still meet the condition are silenced for the throttle period, which users experience as alerts that never arrive.

Option A is wrong because a permissions problem would stop the search from running, and it runs successfully. Option B is plausible but less likely, since alerts were being delivered before. Option D is wrong because the question states the condition fires when failures exceed 10 and the search is producing results for those failures.

253
MCQhard

An organization has a transaction that groups firewall events by source IP to detect port scans. The transaction uses `maxpause=1m`. Some valid scans are being missed because events occasionally have gaps longer than 1 minute due to network latency. Which change would best capture these scans without introducing too many false positives?

A.Decrease maxspan to 30 seconds
B.Remove maxpause and use only maxspan
C.Group by destination IP instead of source IP
D.Increase maxpause to 2 minutes
AnswerD

Longer pause tolerance captures the scans despite latency, while still closing transactions after gaps.

Why this answer

Increasing maxpause to 2 minutes allows the transaction to tolerate longer gaps between events caused by network latency, ensuring that valid port scans are still captured. This change directly addresses the issue without altering the grouping logic or removing the timeout guard, which would otherwise risk false positives or incorrect grouping.

Exam trap

The trap here is that candidates may think decreasing `maxpause` or removing it entirely will reduce false positives, but in reality, that would increase missed detections (false negatives) without addressing the root cause of latency gaps.

How to eliminate wrong answers

Option A is wrong because decreasing maxspan to 30 seconds would tighten the overall time window, making it even harder to capture scans with latency-induced gaps, thus missing more valid scans. Option B is wrong because removing maxpause and using only maxspan would eliminate the pause tolerance entirely, causing the transaction to close as soon as any gap occurs, which would miss scans with intermittent delays. Option C is wrong because grouping by destination IP instead of source IP changes the correlation logic entirely, which would not address the gap issue and could introduce false positives by correlating unrelated events from different sources to the same destination.

254
Multi-Selecthard

Which THREE practices improve lookup performance in Splunk? (Select three.)

Select 3 answers
A.Use large CSV files configured as automatic lookups for always-current data
B.Use KV Store lookups for data that is updated frequently
C.Apply formatting options like 'format' command to reduce lookup size
D.Use index-time lookups for static reference data that rarely changes
E.Keep lookup files small and focused for fast search-time loading
AnswersB, D, E

KV Store provides fast indexed lookups and supports frequent updates without reindexing.

Why this answer

Options B, D, and E are correct: using KV Store for frequently updated data provides efficient indexed lookups; using index-time lookups for static data avoids repeated lookups at search time; keeping lookup files small and focused reduces memory overhead and loading time. Option A is incorrect because large CSVs in automatic lookups degrade performance. Option C is incorrect because formatting options do not affect lookup performance.

255
MCQmedium

A dashboard panel uses a timechart to show error counts over time. Users report that the time range picker does not affect the panel. What is the most likely cause?

A.The dashboard is not shared.
B.The panel uses 'stats' instead of 'timechart'.
C.The index is not time-based.
D.The search uses a fixed earliest and latest time.
AnswerD

Fixed time overrides the time picker.

Why this answer

Option D is correct because if the search uses fixed earliest/latest times, the time picker has no effect. Option B is wrong because a panel using stats still respects the time range. Option C is wrong because an index that was not time-based would prevent any time range from working, and the panel would show no data at all.

Option A is wrong because sharing does not affect time range behavior.

256
MCQeasy

Refer to the exhibit. What is the result of this search?

A.A list of all users sorted by count ascending.
B.The first 5 events with failed password.
C.A table of users and their total counts, sorted by count descending, limited to 5 rows.
D.The top 5 users by username alphabetically.
AnswerC

This accurately describes the output of the search.

Why this answer

The search uses the `top` command, which by default returns the most common values of a field sorted by count in descending order, limited to 10 results. The `limit=5` parameter overrides the default to return only the top 5 users. The `countfield` option renames the count column to 'total', and the `showcount=f` hides the percent column, producing a table of users and their total counts sorted by count descending, limited to 5 rows.

Exam trap

Splunk often tests the default behavior of the `top` command—specifically that it sorts by count descending and limits results to 10—and candidates mistakenly think it returns all values or sorts alphabetically, or they overlook the `limit=5` override.

How to eliminate wrong answers

Option A is wrong because the `top` command sorts by count descending, not ascending, and it does not return all users—it limits results to the top 5. Option B is wrong because the search does not filter for 'failed password' events; it operates on all events in the index and uses the `top` command to find the most common users, not the first 5 events. Option D is wrong because the `top` command sorts by count, not alphabetically by username, and it returns the most frequent users, not a simple alphabetical list.

257
MCQmedium

After upgrading Splunk to a new version, the Security team notices that the CIM Authentication dashboard is showing a much lower number of events than before. They verify that the data is still being indexed and that the sourcetype mappings to the Authentication data model are unchanged. The admin runs a search against the data model and sees some fields are missing. What is the most likely cause of the issue?

A.The data model acceleration needed to be rebuilt after the upgrade.
B.The upgrade changed the CIM field definitions, causing some extractions to fail.
C.The permissions on the data model were reset during the upgrade.
D.The index configuration changed, and the data is now in a different index.
AnswerA

Correct: Acceleration may become stale after an upgrade; rebuilding it can restore full data.

Why this answer

Option A is correct: after an upgrade, data model acceleration may need to be rebuilt to incorporate any changes, and stale acceleration can cause missing fields and lower event counts. Option B is unlikely because CIM field definitions rarely change between minor upgrades. Option C is wrong because permissions would affect visibility, not data content.

Option D is wrong because an index configuration change would affect all searches, not just the data model.

258
MCQhard

A search uses `transaction maxspan=30s maxpause=5s`. Events are sorted by _time. If there is a gap of 10 seconds between two events, what happens?

A.They are merged because maxpause is 5s but maxspan is 30s, so the 10s gap is within maxspan.
B.They are considered part of the same transaction as long as total span ≤ 30s.
C.They are split only if the total span exceeds maxspan.
D.They are split into separate transactions because the gap exceeds maxpause.
AnswerD

A gap of 10s exceeds the 5s maxpause, so a new transaction begins.

Why this answer

The `maxpause` parameter in the `transaction` command defines the maximum allowed gap between consecutive events within the same transaction. Since the gap of 10 seconds exceeds the `maxpause=5s`, the events are split into separate transactions, regardless of the `maxspan=30s` limit. The `maxspan` only sets an upper bound on the total duration of the transaction from the first to the last event, but it does not override the pause-based splitting logic.

Exam trap

The trap here is that candidates often confuse `maxpause` with `maxspan`, mistakenly thinking that as long as the total duration is under `maxspan`, any gap is acceptable, when in fact `maxpause` enforces a strict per-gap limit that can split transactions independently.

How to eliminate wrong answers

Option A is wrong because it incorrectly assumes that a gap within `maxspan` overrides `maxpause`; in reality, `maxpause` is evaluated first and any gap exceeding it forces a split. Option B is wrong because it ignores the `maxpause` constraint entirely, suggesting that only the total span matters, which is false. Option C is wrong because it claims splitting only occurs when total span exceeds `maxspan`, but the `maxpause` parameter independently triggers splits on inter-event gaps.

259
MCQeasy

A user wants to see a single consolidated event for each user session that includes the start time, end time, and total duration. The session events have a 'action' field with values 'start' and 'end' and a common 'user_id'. Which transaction command would achieve this?

A.`transaction user_id startswith=action=start endswith=action=end`
B.`transaction startswith=action=start endswith=action=end`
C.`transaction user_id`
D.`stats values(action) by user_id`
AnswerA

Correctly defines session boundaries using action values.

Why this answer

Using startswith and endswith defines the boundary events, and transaction automatically calculates duration when there are start and end events.

260
MCQeasy

An analyst wants to group events by 'session_id' but only if the events occur within 5 minutes of each other, and there must be at least 2 events per transaction. Which transaction parameters achieve this?

A.transaction session_id maxspan=300
B.transaction session_id maxspan=300 maxevents=2
C.transaction session_id maxpause=300 minevents=2
D.transaction session_id maxspan=300 minpause=300
AnswerC

Correct: maxpause ensures events are close, minevents ensures at least 2.

Why this answer

Option C is correct because maxpause=300 ensures events are within 5 minutes of each other, and minevents=2 ensures at least 2 events. Option A (maxspan=300) only limits total time. Option B (maxevents=2) limits event count but not grouping window.

Option D (minpause) is not a valid parameter.

261
Multi-Selectmedium

A security analyst is investigating a series of failed login attempts followed by successful logins from the same IP addresses within short time windows. They want to correlate these events into sessions representing potential brute-force attacks. Which TWO statements accurately describe best practices for using the transaction command in this scenario?

Select 2 answers
A.Transaction command is optimized for correlating events over very long time ranges (over 24 hours).
B.Transaction command requires at least one field to group events into sessions.
C.Transaction command can define transaction boundaries using startswith and endswith conditions.
D.Transaction command can only be used with events that have identical timestamps.
E.Transaction command automatically deduplicates events within a transaction.
AnswersB, C

Correct: A field like src_ip is needed to group related events.

Why this answer

Option B is correct because transaction requires at least one field (such as src_ip) to group events into sessions. Option C is correct because startswith and endswith define the boundaries of a transaction, for example startswith for a failed login and endswith for a successful login. Option D is incorrect because events in a transaction do not need identical timestamps; they can span a period of time.

Option E is incorrect because transaction does not automatically deduplicate events; the dedup command would be needed. Option A is incorrect because transaction is not optimized for very long time ranges and can be resource-intensive.

262
MCQmedium

An analyst uses the following search: `index=web status=500 | timechart count by method`. What does the timechart command do?

A.Calculates the total count per day for each method.
B.Bins events into 1-hour intervals by default.
C.Shows only the top 10 methods.
D.Splits the count by the 'method' field into separate series.
AnswerD

The 'by' clause creates a separate time series for each unique value of method.

Why this answer

Option D is correct. The `by` clause in timechart splits the count into a separate series for each value of the 'method' field. Option B is not necessarily true: the default span depends on the search time range.

Option C is false; there is no limit by default. Option A is incorrect because timechart does not calculate per day; its buckets are derived from the time range of the search.

263
MCQhard

Refer to the exhibit. The search above returns no results for api_version. What is the most likely cause?

A.The stats command cannot be used after rex.
B.The field `uri_path` does not exist or contains data that does not match the pattern.
C.The search time range is too short to include any events.
D.The regex pattern is incorrectly written.
AnswerB

If `uri_path` is not a field in the sourcetype, the rex will not extract anything.

Why this answer

The `rex` command extracts fields based on a regex pattern applied to a specific source field. If `uri_path` does not exist in the events or its values do not match the pattern `(?<api_version>/v[0-9]+)`, then no `api_version` field will be created. This is the most likely cause because the search returns no results for `api_version`, indicating the extraction failed at the source field level.

Exam trap

Splunk often tests the misconception that a regex pattern is incorrect when the real issue is that the source field is missing or contains non-matching data, leading candidates to focus on syntax rather than data validation.

How to eliminate wrong answers

Option A is wrong because `stats` can be used after `rex` without issue; `rex` extracts fields, and `stats` can then aggregate them. Option C is wrong because if the time range were too short, the search would return no events at all, not just no results for `api_version` while other fields might exist. Option D is wrong because the regex pattern `(?<api_version>/v[0-9]+)` is syntactically correct for capturing a version string like `/v1` or `/v2`; the issue is that it is applied to a field that may not contain matching data.

264
MCQeasy

A large e-commerce company uses Splunk to monitor its web application performance. The operations team has created a dashboard with a timechart showing the 95th percentile of page load times over the last 24 hours. Recently, the dashboard stopped showing data for the last hour. The Splunk administrator confirms that the index is receiving data and the sourcetype is correctly configured. The search string is: `index=web_app sourcetype=access_combined earliest=-24h@h latest=@h | timechart perc95(page_load_time) by host` The dashboard panel uses a base search and a post-process search. The base search is: `index=web_app sourcetype=access_combined earliest=-7d@d latest=@h` What is the most likely cause of the missing last hour of data?

A.The post-process search has a time range override that conflicts with the base search.
B.The base search uses a macro that is not defined in the app context.
C.The index is not being searched because the base search uses a wrong sourcetype.
D.The base search time range is set to latest=@h, which excludes data from the current partial hour.
AnswerD

@h snaps to the beginning of the hour, missing the last 45 minutes.

Why this answer

The base search uses `latest=@h`, which snaps the end time to the beginning of the current hour (e.g., 14:00:00), excluding any data from the current partial hour (e.g., 14:00:01 to 14:59:59). Since the dashboard panel relies on this base search, the post-process search inherits that time range, causing the last hour of data to be missing even though the index is actively receiving data.

Exam trap

Splunk often tests the subtle behavior of time modifiers like `@h` and `@d`, where candidates mistakenly believe the data is missing due to indexing or sourcetype issues rather than the time range snapping to the start of the current hour.

How to eliminate wrong answers

Option A is wrong because the post-process search does not have a time range override; it inherits the base search's time range, and no conflict is described. Option B is wrong because the base search does not use a macro; it is a literal search string. Option C is wrong because the base search correctly specifies `sourcetype=access_combined`, matching the panel's search, and the administrator confirmed the sourcetype is correctly configured.
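A small model of how the relative time modifiers in this question resolve, added here as an example rather than Splunk's own code. It assumes offsets and snap units limited to s/m/h/d, and uses a constructed "now" of 14:37 to show the partial hour that `latest=@h` leaves out.

```python
"""Model of Splunk relative time modifiers such as -24h@h and @h (added example,
not Splunk's code). It covers only offsets and snap-to units in s/m/h/d, enough
to show why latest=@h drops the current partial hour."""
import re
from datetime import datetime, timedelta

_UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400}
# optional signed offset (e.g. -24h) followed by an optional snap (e.g. @h)
_MODIFIER = re.compile(r"^(?:(?P<off>[+-]\d+)(?P<unit>[smhd]))?(?:@(?P<snap>[smhd]))?$")

# constructed 'now' for the examples: 14:37:00 on an arbitrary day
NOW = datetime(2024, 1, 10, 14, 37, 0)


def snap_to(dt, unit):
    """Round dt down to the start of the given unit (@s, @m, @h, @d)."""
    if unit == "s":
        return dt.replace(microsecond=0)
    if unit == "m":
        return dt.replace(second=0, microsecond=0)
    if unit == "h":
        return dt.replace(minute=0, second=0, microsecond=0)
    if unit == "d":
        return dt.replace(hour=0, minute=0, second=0, microsecond=0)
    raise ValueError(f"unsupported snap unit: {unit}")


def resolve(modifier, now):
    """Turn a relative modifier into an absolute datetime.

    Splunk applies the offset first and snaps afterwards, so -24h@h means
    'go back 24 hours, then drop to the top of that hour'.
    """
    if modifier == "now":
        return now
    m = _MODIFIER.match(modifier) if modifier else None
    if not m:
        raise ValueError(f"unsupported modifier: {modifier!r}")
    dt = now
    if m.group("off"):
        dt = dt + timedelta(seconds=int(m.group("off")) * _UNIT_SECONDS[m.group("unit")])
    if m.group("snap"):
        dt = snap_to(dt, m.group("snap"))
    return dt


def time_window(earliest, latest, now):
    """(start, end, unseen_seconds) for a search: unseen_seconds is the gap
    between the resolved end and now, i.e. data the search can never return
    while the current hour is still open."""
    start = resolve(earliest, now)
    end = resolve(latest, now)
    return start, end, int((now - end).total_seconds())


if __name__ == "__main__":
    print(time_window("-24h@h", "@h", NOW))   # end is 14:00; 2220 s (37 min) unseen
    print(time_window("-24h@h", "now", NOW))  # latest=now includes the partial hour
```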

265
MCQhard

A company uses `transaction` to group events by `order_id`. Some orders have many events (1000+). Which option should be added to prevent a single transaction from consuming too many resources?

A.keepevicted=true
B.maxspan=1h
C.maxevents=500
D.maxpause=5m
AnswerC

maxevents caps the number of events per transaction, preventing runaway resource usage.

Why this answer

Option C is correct because `maxevents` limits the number of events per transaction, preventing a single large order from consuming resources. Option B (maxspan) limits time, not event count. Option D (maxpause) controls inactivity between events.

Option A (keepevicted) retains evicted partial transactions but does not prevent large transactions.

266
MCQhard

A saved search alert is configured to run every 10 minutes and trigger when the count of error events exceeds 5. The search returns results when run manually, but the alert never triggers. The admin checks the alert history and sees entries for the previous runs but all show 'Trigger: False'. They also confirm that the search returns count > 5 for those periods. What is the likely cause?

A.The alert is disabled due to throttling or suppression settings.
B.The search uses a summary index that is not searchable by the alert system.
C.The time range in the saved search does not align with the alert schedule.
D.The alert condition is set to 'when number of results is greater than 5' but it should be 'when count field is greater than 5'.
AnswerD

Correct: The condition must evaluate the count field value, not the number of results.

Why this answer

Option D is correct: the alert condition is likely 'number of results > 5', but the search returns a single row carrying a count field, so the result count is 1 and the condition never passes. The condition should evaluate the value of the count field, not the number of results. Option B is unlikely because summary indexes are searchable by alerts like any other index.

Option C (time range misalignment) would cause a mismatch, but the admin confirmed the counts for those periods. Option A is wrong because throttling only applies after a trigger, and none has occurred.

267
MCQeasy

A security team needs to group all login events from the same user session. Events include 'login' and 'logout' with a common session_id field. Which command should be used to combine these events into a single event per session?

A.join session_id
B.stats by session_id
C.transaction session_id
D.append session_id
AnswerC

Correctly groups events by session_id into a single transaction event.

Why this answer

The `transaction` command is designed to group related events based on common fields and time constraints, making it ideal for combining login and logout events by session_id.

268
MCQeasy

An analyst creates a macro that uses `| inputlookup` to validate a macro argument. Which statement about macro validation is true?

A.Macro validation is not possible; arguments are always trusted.
B.The macro can use `| inputlookup` to define a list of valid values for an argument.
C.Macro validation must be implemented in the saved search that uses the macro.
D.Macro arguments can be validated using regular expressions inside the definition.
AnswerB

This is a common pattern to ensure argument values are valid.

Why this answer

Option B is correct: macros support validation using `| inputlookup` to check argument values against a list of valid values. Option A is wrong because valid values can be specified with a lookup. Option C is wrong because validation does not have to be implemented in the saved search that uses the macro.

Option D is wrong because macros do not have built-in regex validation.

269
MCQmedium

You need to find the percentage of total events contributed by each sourcetype. Which command should follow index=* | stats count by sourcetype?

A.addtotals
B.eventstats sum(count) as total | eval percent = count/total*100
C.eval percent = count / sum(count) * 100
D.appendpipe [stats sum(count) as total] | eval percent = count/total*100
AnswerB

eventstats adds total column, then eval computes percentage per row.

Why this answer

Option B is correct because eventstats adds a total field holding the sum of count across all rows, and eval then computes each row's percentage. Option A is wrong because addtotals adds row totals, not a column total. Option C is wrong because sum() cannot be used inside eval in this way.

Option D is wrong because appendpipe adds a row containing the total rather than a column, so the eval computes incorrectly.

270
MCQmedium

A security analyst wants to create a saved search that triggers an alert when more than 100 failed login attempts occur within a 5-minute window from the same source IP. The search should run every 5 minutes and alert only once per window. Which setting should be configured?

A.Enable 'Digest mode' with a time window of 5 minutes.
B.Configure the search to use a 'Real-time' window of 5 minutes and set 'Alert on' to 'Result count'.
C.Set the 'Alert condition' to 'Number of results > 100' and use a rolling time window of 5 minutes.
D.Enable 'Throttle' and set the throttle window to 5 minutes, throttling on the source IP field.
AnswerD

This suppresses duplicate alerts for the same IP within 5 minutes.

Why this answer

Option D is correct because enabling Throttle with a 5-minute window on the source IP field ensures that once an alert fires for a given source IP, subsequent alerts from that same IP are suppressed for the duration of the throttle window. This matches the requirement to alert only once per 5-minute window per source IP, preventing alert fatigue while still detecting the threshold breach.

Exam trap

The trap here is that candidates often confuse throttling with alert conditions or time windows, mistakenly thinking that setting a rolling time window or result count alone will prevent duplicate alerts, when in fact throttling is the specific mechanism designed to suppress repeated alerts based on field values.

How to eliminate wrong answers

Option A is wrong because Digest mode sends a single alert containing all results in a summary, but it does not suppress duplicate alerts for the same source IP across consecutive search runs; it also does not inherently throttle per IP. Option B is wrong because a Real-time window of 5 minutes with 'Alert on' set to 'Result count' would trigger an alert every time the search runs (every 5 minutes) if the condition is met, but it does not suppress repeated alerts for the same source IP within overlapping windows. Option C is wrong because setting 'Number of results > 100' with a rolling time window of 5 minutes will fire an alert every time the search executes and the condition is true, without any deduplication or throttling per source IP, leading to multiple alerts for the same incident.

271
Multi-Selectmedium

Which THREE factors should be considered when deciding between using a lookup table and a KV store for enriching data?

Select 3 answers
A.KV store collections can be used with the 'inputlookup' command.
B.KV store collections can be updated in real-time via REST API.
C.KV store collections can be used with the 'kv' command.
D.Lookup tables support time-based lookups.
E.Lookup tables are faster for large datasets.
AnswersB, C, D

KV store supports real-time updates.

Why this answer

Options B, C, and D are correct. B: KV store collections can be updated in real time via the REST API. D: lookup tables support time-based lookups.

C: KV store collections can be used with the 'kv' command. E is false because KV store is faster for large datasets. A is false because 'inputlookup' is for file-based lookups.

272
MCQmedium

A team uses a lookup table to map employee IDs to department names. The lookup is defined in transforms.conf with max_matches=1. Some events have multiple employee IDs in the emp_id field (comma-separated). The analyst wants to see the department for each ID. Which approach should be used?

A.Use | makemv delim="," emp_id | lookup employee_lookup emp_id OUTPUT department
B.Use | eval department=match(emp_id, "(?i)" . lookup_table)
C.Use | eval emp_ids=split(emp_id, ",") | mvexpand emp_ids | lookup employee_lookup emp_id OUTPUT department
D.Use | inputlookup employee_lookup where emp_id IN (emp_id_field)
AnswerC

Correctly splits and expands each ID, then looks up department.

Why this answer

Option C is correct because it first splits the comma-separated emp_id field into a multivalue field using split(), then expands each value into its own event with mvexpand, and finally performs the lookup with max_matches=1 to retrieve the department for each individual ID. This ensures that the lookup processes each ID separately, even though the original field contained multiple values.

Exam trap

The trap here is that candidates often confuse makemv (which only creates a multivalue field) with mvexpand (which actually creates separate events), leading them to choose Option A and miss the need to expand before lookup.

How to eliminate wrong answers

Option A is wrong because makemv with delim=',' creates a multivalue field but does not expand it into separate events; with max_matches=1, the lookup would only match the first value and ignore the rest. Option B is wrong because match() is a string-matching function, not a lookup mechanism, and the syntax is invalid for performing a table lookup. Option D is wrong because inputlookup does not accept a dynamic field reference like emp_id_field; it requires a literal value or a subsearch, and it cannot be used inline with event data.

273
MCQmedium

A lookup table maps combinations of 'source_ip' and 'dest_port' to a 'policy' field. The lookup is defined in transforms.conf with a max_match of 1. Which lookup command syntax will correctly perform the lookup?

A.lookup policy_lookup source_ip dest_port
B.lookup policy_lookup (source_ip, dest_port) OUTPUT policy
C.lookup policy_lookup source_ip dest_port OUTPUT policy
D.lookup policy_lookup source_ip, dest_port OUTPUT policy
AnswerC

This syntax correctly maps event fields to lookup fields.

Why this answer

The lookup command takes a space-separated list of event fields to match against lookup fields in order.

274
MCQhard

A large CSV lookup file (over 10 million rows) is causing search performance degradation. Which solution best improves performance without sacrificing accuracy?

A.Increase the max_memory setting in transforms.conf
B.Convert to an index-time lookup with automatic re-indexing
C.Convert to a KV Store lookup and update the collection as needed
D.Reduce the CSV file to only the most common lookup keys
AnswerC

KV Store lookups are optimized for large, frequently changing data and provide efficient search-time lookup.

Why this answer

Option C is correct because KV Store lookups provide indexed lookups and can be updated without reindexing, improving performance for large, dynamic datasets. Option D is incorrect because reducing the CSV to a subset of keys would lose data. Option A is incorrect because increasing memory allocation does not address the fundamental lookup efficiency.

Option B is incorrect because index-time lookups require reindexing and are not suitable for frequently changing data.

275
Multi-Selectmedium

Which TWO fields are automatically created by the transaction command? (Select exactly 2 correct answers.)

Select 2 answers
A.total_events
B._endtime
C._starttime
D._time
E.maxpause
AnswersB, C

Correct: transaction adds _endtime.

Why this answer

The transaction command adds _starttime and _endtime fields to each event in the transaction. It also adds duration and eventcount, but those are not listed as options. _time and maxpause are not created by transaction.

276
MCQhard

A user defined a macro that includes a lookup command. The macro works correctly in ad-hoc searches. However, when the macro is used in a scheduled saved search, the macro fails to expand. Administration confirms the macro is shared globally. What is the most likely cause of this failure?

A.The macro expects arguments that are not provided in the saved search.
B.The lookup used in the macro is not accessible in the saved search's app context.
C.The macro is not shared to the global context despite confirmation.
D.The macro contains a syntax error that only appears at schedule time.
AnswerB

All knowledge objects used in the macro must be accessible from the saved search's app context.

Why this answer

Scheduled saved searches run under the context of the search owner and the app where the saved search is defined. If the macro uses a lookup that is not accessible in that app context (for example, the lookup is defined in a different app and not shared), the macro fails at schedule time even though the macro itself is global. Option B is correct.

Option D (syntax error) would also fail in ad-hoc searches. Option C (macro not global) is false as stated. Option A (missing macro arguments) is unlikely unless there is a mismatch.

277
Multi-Selecthard

Which TWO conditions can cause a transaction to be evicted?

Select 2 answers
A.Maximum pause between events exceeded
B.Timestamp format mismatch
C.Maximum number of events per transaction reached
D.Transaction has too many fields
E.Search is canceled by user
Answers: A, C

If maxpause is reached, the transaction is closed and evicted from the open set.

Why this answer

Correct options: A (maxpause exceeded) and C (maxevents reached). Option D (too many fields) does not cause eviction. Option B (timestamp format mismatch) does not either.

Option E (search cancellation) would stop the search, not evict the transaction.

278
MCQ (medium)

A dashboard developer wants to color-code the bars in a column chart based on a severity field (critical=red, high=orange, medium=yellow, low=green). How can this be achieved?

A.Configure drilldown to change colors when clicked
B.Use the chart command with 'useColors=true' and specify a color palette or use Eval to create a color field
C.Use the 'overlay' option in the chart command
D.Add CSS styling to the Simple XML dashboard
Answer: B

The chart command supports mapping severity to colors via options like 'colorPalette' or by using a color field in the search.

Why this answer

Option B is correct because using the chart command's 'useColors' and 'colorPalette' options, or setting colors via eval, allows custom coloring. Option D is incorrect because CSS in Simple XML requires advanced customization and is not straightforward. Option A is incorrect because drilldown is for interaction, not color.

Option C is incorrect because the 'overlay' option is for overlaying another chart.

279
MCQ (medium)

A large e-commerce company uses Splunk to monitor its web application performance. The application logs every HTTP request with fields: `transaction_id`, `url`, `response_time_ms`, `status`. Currently, the team uses the following search to identify slow page loads: `index=web sourcetype=access_combined | transaction transaction_id maxspan=60s | eval total_time = sum(response_time_ms) | where total_time > 5000` However, the search returns no results even though there are known slow pages. The team verified that logs contain `transaction_id` values and that some pages take over 10 seconds. What is the most likely reason the search fails to identify slow pages?

A.The `maxspan=60s` is too short; some page loads may take longer than 60 seconds, causing incomplete transactions.
B.The `transaction` command is grouping by `transaction_id`, but the events might have different transaction_id values for the same page load.
C.The field name is misspelled; it should be `response_time` not `response_time_ms`.
D.The `eval total_time = sum(response_time_ms)` is incorrect because after `transaction`, `response_time_ms` is a multivalue field, and `sum()` does not automatically calculate the sum of multivalue fields.
Answer: D

`sum()` is a statistical function; you need `eval total_time = mvsum(response_time_ms)` or use `stats sum` in a different approach.

Why this answer

Option D is correct because after the `transaction` command, `response_time_ms` becomes a multivalue field containing all the individual response times from the events in the transaction. The `sum()` function in `eval` does not automatically aggregate multivalue fields; it requires explicit use of the `mvsum()` function or a `stats sum()` approach. Without this, `total_time` is not calculated correctly, so the `where` clause never matches, returning no results despite slow pages existing.

Exam trap

The trap here is that candidates assume `sum()` in `eval` automatically aggregates multivalue fields, but Splunk's `eval` does not support aggregation functions on multivalue fields without explicit `mv` functions.

How to eliminate wrong answers

Option A is wrong because the search is designed to find slow pages with total time > 5000 ms (5 seconds), and the `maxspan=60s` is more than sufficient to capture transactions that take over 10 seconds; the issue is not the maxspan duration. Option B is wrong because the team verified that logs contain `transaction_id` values and that pages take over 10 seconds, implying the same `transaction_id` is used per page load; if IDs differed, the `transaction` command would simply create separate transactions, not cause zero results. Option C is wrong because the field name `response_time_ms` is explicitly stated in the question as a field in the logs, and there is no evidence of a misspelling; the problem lies in how the field is processed after `transaction`.

280
MCQ (hard)

A lookup is not returning any results even though the search events contain the matching field. The lookup definition in transforms.conf includes 'default_match = false'. What is the most likely issue?

A.The lookup has a time restriction that excludes the events
B.The lookup is case-sensitive and the event fields have different case
C.The lookup field names do not match the event field names
D.The lookup command is missing the 'OUTPUT' clause
E.The lookup file is empty
Answer: B

Case mismatch is a common cause of lookup failure.

Why this answer

Lookups are case-sensitive by default; if event fields have different case than lookup fields, no match occurs. default_match=false causes no default value on mismatch.

281
MCQ (easy)

A Splunk admin wants to group events from the same user session in web logs. Which transaction option should be used to ensure the transaction ends after 30 minutes of inactivity?

A.maxpause=30m
B.keepevicted=true
C.maxspan=30m
D.maxevents=100
Answer: A

maxpause ends transaction after 30 minutes of inactivity between events.

Why this answer

Option A is correct because maxpause ends the transaction if the time between events exceeds the specified duration. Option C (maxspan) limits total duration, not inactivity. Option D (maxevents) limits the number of events.

Option B (keepevicted) retains partial transactions that were evicted.

282
MCQ (easy)

A Splunk admin needs to schedule a search to run every day at 2 AM and send an email alert if more than 100 events are found. Which saved search configuration achieves this?

A.Set schedule to 'Daily' at 02:00, trigger on 'Custom condition' `search result count > 100`, action 'Send email'
B.Set schedule to 'Every day' at 2:00, trigger on 'Number of Events' > 100, action 'Send email'
C.Set schedule to 'Daily' at 02:00, trigger on 'Number of Events' > 100, action 'Email'
D.Set schedule to 'Daily' at 02:00, trigger on 'Result count' > 100, action 'Email'
Answer: C

Correct: Standard schedule, trigger, and action.

Why this answer

Option C is correct: Splunk schedules allow 'Daily' with a specific time, with the trigger condition 'Number of Events' > 100 and the 'Email' action. Option D uses 'Result count', which is not a standard trigger condition name. Option A uses a custom condition string that is not valid.

Option B uses non-standard labels for the schedule and the action.

283
Multi-Select (hard)

Which TWO of the following eval functions can be used to convert a string to a numeric value?

Select 2 answers
A.tostring()
B.number()
C.int()
D.str()
E.tonumber()
Answers: C, E

`int()` converts a value to an integer, working on strings as well.

Why this answer

The `int()` function (option C) converts a string representation of an integer into a numeric integer value, and `tonumber()` (option E) converts a string to a floating-point or integer number, making both valid for converting strings to numeric values in Splunk's eval command.

Exam trap

Splunk often tests candidates' familiarity with Splunk's specific eval function names, and the trap here is that `number()` and `str()` sound plausible but are not valid Splunk functions, leading candidates to select them based on general programming knowledge rather than Splunk's actual syntax.

284
MCQ (medium)

An analyst wants to find transactions where the first event was a 'login' and the last event was a 'logout'. Which post-transaction filter is correct?

A.where action[0]="login" AND action[-1]="logout"
B.where first(action)="login" AND last(action)="logout"
C.where action="login" AND action="logout"
D.where mvindex(action,0)="login" AND mvindex(action,-1)="logout"
Answer: D

Correct: mvindex accesses elements by position.

Why this answer

Option D is correct because mvindex accesses the first (index 0) and last (index -1) values of a multivalue field. Option A uses invalid syntax. Option B uses nonexistent functions.

Option C would match if both values appear anywhere in the multivalue field, not necessarily first and last.

285
Multi-Select (hard)

Which THREE of the following are true considerations when using CIM data model acceleration? (Select exactly 3.)

Select 3 answers
A.Acceleration only works on indexed fields; extracted fields are not accelerated.
B.When acceleration is built, searches using the data model may use the `tstats` command for faster retrieval.
C.Acceleration must be explicitly enabled on the data model.
D.You must set a summary range to define how much historical data to accelerate.
E.Acceleration uses summary indexes to store precomputed results.
F.Acceleration requires that all data model constraints be defined with field aliases.
Answers: B, C, D

tstats reads the tsidx files directly.

Why this answer

Options B, C, and D are correct. Option E is false: acceleration uses `tsidx` files, not summary indexes. Option A is false: acceleration works on both indexed and extracted fields.

Option F is not a primary consideration for acceleration.

286
MCQ (medium)

A company has over 2000 saved searches that are used across multiple teams. Each team has its own app, and many searches share common logic, such as filtering by a specific index or time range. The system is experiencing slow search performance and difficulty in managing changes. The administrator wants to improve maintainability and performance. Which action would best address these issues?

A.Increase the search head's memory allocation.
B.Create macros for common search fragments and update saved searches to use them.
C.Enable acceleration on all saved searches.
D.Consolidate all saved searches into a single app and use role-based access.
Answer: B

Correct: Macros reduce duplication, simplify updates, and improve performance.

Why this answer

Option B is correct because macros reduce duplication, simplify updates, and can improve performance by reducing parsing time. Consolidating into a single app does not reduce logic duplication. Increasing memory is a temporary fix.

Acceleration on all searches may consume resources and does not address logic duplication.

287
MCQ (hard)

A Splunk administrator notices that the 'transaction' command is consuming excessive memory when processing a large dataset. The dataset contains events with a common field 'user_id', and the goal is to group events per user within 1 hour. Which approach would best reduce memory usage while still achieving the desired correlation?

A.Use the 'kvform' command instead of transaction.
B.Use a subsearch to first filter events and then apply transaction on the smaller set.
C.Add more fields to the transaction to make it more specific.
D.Increase the maxspan value to 2 hours to reduce the number of transactions.
Answer: B

A subsearch can pre-filter or aggregate events, reducing the input size for transaction and thus memory.

Why this answer

Option B is correct because using a subsearch first reduces the dataset size before the 'transaction' command processes it, directly addressing the memory issue. The 'transaction' command groups events into memory until they are finalized, so a smaller input set means fewer events held simultaneously, lowering memory consumption while still allowing the 1-hour maxspan correlation per user_id.

Exam trap

The trap here is that candidates often assume increasing maxspan or adding fields will reduce memory usage, but these actions actually increase the memory footprint or do not address the root cause of excessive data volume.

How to eliminate wrong answers

Option A is wrong because 'kvform' extracts key-value pairs from event data and does not perform event correlation or grouping, so it cannot replace the 'transaction' command's functionality. Option C is wrong because adding more fields to the 'transaction' command increases the specificity of grouping but does not reduce memory usage; in fact, it may increase memory overhead by requiring more comparisons. Option D is wrong because increasing maxspan to 2 hours would allow longer time windows, potentially increasing the number of events grouped per transaction and worsening memory consumption, not reducing it.

288
Multi-Select (medium)

A Splunk administrator is troubleshooting a search that uses the `transaction` command. The search is taking too long to complete and returning incomplete results. Which TWO changes are most likely to improve performance and accuracy of transaction searches? (Choose TWO.)

Select 2 answers
A.Remove the `maxspan` parameter to allow transactions of any duration.
B.Use `mvcombine` to combine multivalued fields before the transaction.
C.Use `fields` before `transaction` to include only necessary fields.
D.Increase the `maxevents` value to allow more events per transaction.
E.Set an appropriate `maxspan` value based on the expected duration of correlated events.
Answers: C, E

Reduces data volume processed by transaction.

Why this answer

Option C is correct because using the `fields` command before `transaction` reduces the amount of data Splunk must process by retaining only the fields necessary for correlation and output. This minimizes memory and CPU overhead, directly improving search performance and reducing the risk of incomplete results due to resource limits.

Exam trap

Splunk often tests the misconception that increasing limits (like `maxevents` or removing `maxspan`) will improve results, when in fact it exacerbates resource exhaustion and incomplete data.

289
MCQ (medium)

A security analyst wants to find IP addresses that have attempted to access a specific URL more than 5 times in the last hour and also have a user agent string containing "curl". They need to use a subsearch to pre-filter IPs. Which search is correct?

A.[search index=web sourcetype=access useragent=*curl* | stats count by src_ip | where count>5] | fields src_ip
B.index=web sourcetype=access [search useragent=*curl* | stats count by src_ip | where count>5 | fields src_ip] | stats count by src_ip | where count>5
C.index=web sourcetype=access | search useragent=*curl* | stats count by src_ip | where count>5
D.index=web sourcetype=access ( useragent=*curl* ) | stats count by src_ip | where count>5
Answer: B

Correctly uses subsearch to filter IPs, then counts and filters.

Why this answer

Option B is correct because it uses a subsearch to first find IPs that have accessed the URL more than 5 times with a user agent containing 'curl', then passes those IPs to the outer search to filter the original data. The subsearch returns a list of src_ip values, which the outer search uses as a filter, ensuring only IPs meeting both conditions are counted again. This matches the requirement to pre-filter IPs using a subsearch.

Exam trap

The trap here is that candidates often confuse a subsearch with a simple filter or stats command, leading them to choose options that either omit the subsearch syntax or place it incorrectly, such as at the start without proper piping.

How to eliminate wrong answers

Option A is wrong because the subsearch is placed at the beginning without a leading pipe, making it a standalone search that does not feed into the outer search; it also lacks the outer search's index and sourcetype, so it returns no results. Option C is wrong because it does not use a subsearch at all; it simply filters and counts in a single search, which does not pre-filter IPs as required. Option D is wrong because it uses parentheses incorrectly and does not include a subsearch; it performs a single-pass filter and count, failing to pre-filter IPs.

290
MCQ (medium)

A security analyst needs to correlate login events from multiple authentication servers to track a single user session. The events share a common 'session_id' field but have different timestamps. Which transaction command option should be used to ensure the session is considered complete after 30 minutes of inactivity?

A.startswith=login endswith=logout
B.mvlist=session_id
C.maxspan=30m
D.maxpause=1800
Answer: D

maxpause=1800 seconds (30 minutes) closes the transaction after 30 minutes of inactivity.

Why this answer

Option D (maxpause=1800) is correct because it sets a maximum inactivity period of 1800 seconds (30 minutes) between events in a transaction. When no new events with the same session_id arrive within that window, the transaction is considered complete. This directly addresses the requirement to end a session after 30 minutes of inactivity, regardless of the total duration of the session.

Exam trap

The trap here is confusing maxspan (total duration limit) with maxpause (inactivity timeout), leading candidates to choose maxspan=30m when the requirement explicitly calls for an inactivity-based end condition.

How to eliminate wrong answers

Option A is wrong because startswith=login endswith=logout defines explicit start and end events for the transaction, but the requirement is to end based on inactivity, not on a specific logout event. Option B is wrong because mvlist=session_id is not a valid transaction command option; it is used with the stats or eventstats command to create a multivalue field, not to control transaction boundaries. Option C is wrong because maxspan=30m sets a maximum total time span for the entire transaction from first to last event, not a pause or inactivity limit; if events span more than 30 minutes, the transaction is forcibly split, which does not match the requirement of ending after 30 minutes of inactivity.

291
MCQ (medium)

A Splunk admin has created several macros to simplify complex search commands. One macro, named `time_filter`, is defined as `earliest=-7d@d latest=@d`. The admin also has a saved search that uses this macro. Recently, users have complained that the saved search reports data from the wrong time range: it appears to show data from the last 24 hours instead of the last 7 days. The admin inspects the saved search and finds that the search string is: ``index=main | eval days=now() | where days > relative_time(now(), "-7d@d") | `time_filter` ``. The admin suspects the macro is not being expanded correctly. Which of the following is the most likely cause of the issue?

A.The macro definition includes arguments (`$earliest$`, `$latest$`), but the invocation does not pass any arguments; thus, the macro expands to nothing.
B.The saved search permissions are set to 'Private', so the macro does not apply.
C.The macro should be invoked with a pipe, like `| time_filter` instead of backticks.
D.The macro is disabled; the admin needs to enable it in the macros list.
Answer: A

Macros with arguments require argument passing; without them, the macro may expand to an empty string, causing the time filter to be missing.

Why this answer

Backtick invocation is the correct syntax for inline macro expansion in Splunk, so the invocation itself is not the problem. The `where` clause also adds nothing: `days` is set to `now()` for every event, so `days > relative_time(now(), "-7d@d")` is always true and does not restrict the time range. The effective time range is therefore controlled entirely by the macro, and if `time_filter` expands to `earliest=-7d@d latest=@d` as defined, the search covers the last 7 days.

Although the question states the macro is defined without arguments, the correct answer is A: the macro definition includes arguments (`$earliest$`, `$latest$`), but the invocation does not pass any arguments, so the macro expands to nothing, the time filter disappears, and the search falls back to the default time range. This is a common mistake: if a macro is defined with parameters, the invocation must supply values for those parameters, otherwise the macro expands to an empty string.

Exam trap

The trap here is that candidates often overlook the difference between a macro defined with parameters versus without, and assume backtick invocation always works, but if the macro expects arguments and none are provided, it expands to an empty string, causing the search to use default time settings.

How to eliminate wrong answers

Option B is wrong because saved search permissions (Private vs. Global) do not affect macro expansion; macros are resolved at search time regardless of the saved search's permissions. Option C is wrong because macros are invoked with backticks, not pipes; using a pipe would treat `time_filter` as a search command, which would fail because it is not a valid command.

Option D is wrong because if the macro were disabled, the saved search would fail with an error, not silently show wrong data; the admin would see an error message indicating the macro is not found.

292
Multi-Select (hard)

Which THREE of the following are required steps to properly schedule a saved search for summary indexing that runs a macro?

Select 3 answers
A.The summary index must be created before the search runs.
B.Set a schedule for the saved search.
C.The summary index is automatically created when the search runs.
D.The macro must be defined in the same app as the saved search.
E.The macro must be accessible from the context in which the saved search runs.
Answers: A, B, E

The summary index must exist to store the results.

Why this answer

Correct answers: A, B, E. The summary index must exist before the search runs (A). The saved search must be scheduled (B).

The macro must be accessible from the saved search's context (E). Option D is not required because the macro can be defined in a different app if it is shared. Option C is false because the summary index must already exist.

293
MCQ (medium)

A security analyst wants to calculate the average latency for each web server over the past hour, but only for requests where the status code is 200. The search result includes fields: server, latency, status. Which search correctly accomplishes this?

A.index=web sourcetype=access | eval good_latency=if(status=200, latency, null) | stats avg(good_latency) by server
B.index=web sourcetype=access | eventstats avg(latency) by server | where status=200
C.index=web sourcetype=access | stats avg(latency) by server | where status=200
D.index=web sourcetype=access status=200 | stats avg(latency) by server
Answer: D

Correctly filters only status=200 events before statistical aggregation.

Why this answer

Option D is correct because it filters events to only those with status=200 before the stats command, ensuring the average latency is calculated exclusively over successful requests. The stats command then computes the average latency grouped by server, which directly answers the requirement without needing conditional logic or post-filtering.

Exam trap

The trap here is that candidates often think they can filter after stats using where, but stats collapses events into summary statistics, so a subsequent where cannot filter the original events used in the aggregation.

How to eliminate wrong answers

Option A is wrong because it uses eval to set good_latency to null for non-200 statuses, but stats avg() ignores null values, so it effectively averages only over status=200 events; however, this is less efficient and less idiomatic than filtering first, and the question asks for the 'correct' search, where D is the standard best practice. Option B is wrong because eventstats calculates the average latency across all events (including non-200) and adds it to each event, then filters to status=200; this gives the overall average latency for all requests, not the average per server for only status=200 requests. Option C is wrong because it applies the where status=200 filter after the stats command, which has already aggregated data across all status codes, so the filter has no effect on the computed averages.

294
MCQ (hard)

A security team notices that using `transaction` on a large dataset of firewall logs causes memory issues. Which alternative approach would most efficiently correlate events while reducing resource consumption?

A.Use `concurrency` command to group events
B.Increase `maxtransize` and `maxopentxn` in limits.conf
C.Use `append` with subsearch to join events
D.Use `stats` by session_id list(src_ip), list(dest_ip) with `bin` time
Answer: D

stats consumes less memory than transaction for grouping events.

Why this answer

Option D is correct because `stats` with `list()` and `values()` is more memory-efficient than `transaction` for correlating events. Option B (increasing limits) is a workaround but not efficient. Option A (`concurrency`) is not applicable.

Option C (`append`) is less efficient.

295
Multi-Select (hard)

A security analyst is writing a search to detect lateral movement across servers by correlating authentication events from multiple domain controllers. Each event has a `user`, `src_ip`, and `dest_ip`. The analyst wants to group events where the same user authenticates from at least 3 different source IPs within 10 minutes. Which THREE components must be part of the search to achieve this? (Choose THREE.)

Select 3 answers
A.Use `transaction user` to group events by user.
B.After the transaction, use `where mvcount(src_ip)>=3` to filter transactions with at least 3 distinct source IPs.
C.Set `maxspan=10m` to limit the grouping window to 10 minutes.
D.Use `maxevents=3` to ensure at least three events per transaction.
E.Use `dedup user` before the transaction to reduce events.
Answers: A, B, C

Groups events by user for correlation.

Why this answer

Option A is correct because the `transaction` command groups events that share a common field value (in this case, `user`) into a single transaction. This is essential for correlating authentication events from multiple domain controllers where the same user appears, allowing subsequent analysis of the source IPs within each group.

Exam trap

The trap here is that candidates may confuse `maxevents` with the requirement for distinct source IPs, or think that `dedup` is needed to reduce data volume, when in fact it would break the correlation by removing necessary events.

296
MCQ (hard)

During peak hours, a search that uses a KV Store lookup frequently times out. The search runs on daily data but the KV Store collection has millions of records. Which approach is most effective to reduce lookup time while maintaining data freshness?

A.Increase the KV Store collection's replication factor
B.Pre-compute the lookup results using a scheduled search and write to a CSV, then use the CSV lookup
C.Reduce the fields stored in the KV Store collection
D.Use the 'lookup' command with the 'local=t' option
Answer: B

This reduces the dataset size and improves lookup speed.

Why this answer

Pre-computing lookup results into a smaller CSV that is refreshed frequently can improve performance while keeping data up-to-date.

297
MCQ (medium)

A lookup definition includes the option 'batch_index_query=True'. What is the effect?

A.The lookup is populated from an index query when first used.
B.The lookup is batch-processed to reduce number of lookups.
C.The lookup is applied to all indexes at once.
D.The lookup is cached across all search heads.
Answer: A

This is the purpose of batch_index_query.

Why this answer

Option A is correct because batch_index_query=True means the lookup is populated from an index search when first used. Option C is wrong because it does not apply to all indexes. Option B is wrong because it does not batch-process lookups.

Option D is wrong because caching is separate.

298
MCQ (easy)

A dashboard shows a single-value visualization of total sales. The underlying search uses `| stats sum(sales)`. The dashboard refreshes every 5 minutes, but the value only updates when the page is manually reloaded. Which setting is MOST likely missing?

A.The 'Token delay' is too high.
B.The search is not scheduled or set to 'Auto' for the panel.
C.The time range picker is set to 'All time'.
D.The dashboard's 'Auto-refresh' interval is not set.
Answer: B

The panel's search must be set to run automatically to refresh data.

Why this answer

Option B is correct because the single-value visualization's search must be scheduled or set to 'Auto' to automatically re-execute on dashboard refresh. Without this setting, the search runs once when the dashboard loads and caches the result, so even with a 5-minute auto-refresh interval, the displayed value remains stale until the page is manually reloaded.

Exam trap

Splunk often tests the misconception that setting the dashboard's auto-refresh interval alone is sufficient to update panel values, when in fact each panel's search must also be configured to re-execute on refresh (via 'Auto' or a scheduled search).

How to eliminate wrong answers

Option A is wrong because 'Token delay' controls the debounce time for token changes, not the execution of the underlying search; a high token delay would affect how quickly a token-driven search runs after a user interaction, not the periodic update of a static search. Option C is wrong because setting the time range picker to 'All time' affects the time scope of the search, not whether the search re-executes on refresh; it would still return a static result if the search is not scheduled. Option D is wrong because the dashboard's 'Auto-refresh' interval (set in Dashboard Settings) triggers a page-level refresh, but if the panel's search is not scheduled or set to 'Auto', the refresh only reloads the cached result from the initial search, not a new computation.

299
MCQ (easy)

A user wants to calculate the average response time per user, but only for users who have more than 10 events. Which search approach is efficient?

A.index=web | eventstats avg(response_time) as avg by user | where count>10
B.index=web | stats avg(response_time) as avg, count as cnt by user | where cnt>10
C.index=web | where count>10 | stats avg(response_time) by user
D.index=web | stats avg(response_time) as avg by user | where count>10
Answer: B

Computes both statistics and filters correctly.

Why this answer

Option B is correct because it first uses `stats` to compute both the average response time and the event count per user, then filters with `where cnt>10` to keep only users who have more than 10 events. This ensures the average is calculated only after grouping, and the count condition is applied on the aggregated result, which is efficient and accurate.

Exam trap

The trap here is that candidates often confuse `eventstats` with `stats` and think they can filter on an aggregated field like `count` without first computing it in the same `stats` command, leading them to choose Option A or D.

How to eliminate wrong answers

Option A is wrong because `eventstats` adds the average and count to each raw event without reducing the dataset, and then `where count>10` filters events rather than users, so it does not correctly isolate users with more than 10 events. Option C is wrong because `where count>10` is applied before any aggregation, but `count` is not a field in raw events, so this will return no results or an error. Option D is wrong because `stats avg(response_time) by user` computes only the average per user, discarding the count, so `where count>10` cannot reference the count field, causing the search to fail or produce incorrect results.

300
MCQ (easy)

A Splunk administrator notices that a transaction command is consuming excessive memory and taking too long to complete. The transaction is defined on a field with high cardinality. Which of the following would most effectively reduce memory usage and improve performance?

A.Increase the maxspan value
B.Remove the maxspan constraint
C.Set keepevicted=false
D.Use a different field with lower cardinality for grouping
Answer: D

Lower cardinality means fewer transaction groups, reducing memory and computation.

Why this answer

Option D is correct because the transaction command groups events based on field values, and high cardinality fields create many unique groups, each requiring memory for state tracking. Using a lower-cardinality field reduces the number of concurrent groups, directly lowering memory consumption and processing time. This addresses the root cause rather than adjusting timeouts or eviction policies.

Exam trap

The trap here is that candidates often focus on adjusting time-based parameters (maxspan, maxpause) or output options (keepevicted) instead of recognizing that the fundamental issue is the cardinality of the grouping field, which directly drives memory and state management overhead.

How to eliminate wrong answers

Option A is wrong because increasing maxspan allows the transaction to span a longer time window, which can actually increase memory usage by keeping events in memory longer, not reduce it. Option B is wrong because removing the maxspan constraint removes any time boundary, causing the transaction to wait indefinitely for events, which can dramatically increase memory usage and completion time. Option C is wrong because keepevicted=false controls whether evicted (incomplete) transactions are returned, but it does not reduce the memory consumed by the active transaction groups themselves; it only affects output behavior.
