- A
index=main sourcetype=login user=jsmith | where 'date_hour' > 18 | where NOT cidrmatch("10.0.0.0/8", src_ip)
Correctly uses `where` with `cidrmatch` and filters by hour.
- B
index=main sourcetype=login user=jsmith date_hour>18 | search NOT src_ip=10.0.0.0/8
Why wrong: `search` does not support CIDR notation; use `where` with `cidrmatch`.
- C
index=main sourcetype=login user=jsmith date_hour>18 | where not src_ip like "10.%"
Why wrong: Using `like` is not recommended for IP ranges; it may miss class A addresses like 10.x.x.x.
- D
index=main sourcetype=login user=jsmith date_hour>18 | where src_ip!=10.0.0.0/8
Why wrong: `!=` does not work with CIDR; use `cidrmatch` function.
Quick Answer
The correct answer is the search that uses `| where NOT cidrmatch("10.0.0.0/8", src_ip)` combined with `| where 'date_hour' > 18`. This is correct because `cidrmatch` is the only Splunk function that accurately evaluates CIDR notation, checking whether a source IP falls within the specified 10.0.0.0/8 subnet, while the `date_hour` field extraction with a greater-than comparison properly filters for events after 18:00. On the Splunk SPLK-1003 exam, this question tests your understanding of both CIDR matching and time filtering as separate but combinable search techniques—a common trap is trying to use string wildcards or inequality operators on IP addresses, which fail with subnet boundaries. Remember that `cidrmatch` expects the subnet first, then the field, and that `date_hour` returns a numeric value, so you must use `> 18` rather than a string comparison. A helpful memory tip: "CIDR needs a function, not a fraction"—always reach for `cidrmatch` when dealing with subnet ranges, never a wildcard or `!=`.
SPLK-1003 Advanced Searching and Statistics Practice Question
This SPLK-1003 practice question tests your understanding of advanced searching and statistics. Match the stated requirement to the specific cloud service, access model, or configuration option — many options are valid in isolation but not for this scenario. After answering, compare your reasoning against the explanation and wrong-answer breakdown below. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.
A security analyst needs to find all login events where the user 'jsmith' attempted to authenticate from an IP address outside the corporate subnet (10.0.0.0/8) after business hours (after 18:00). Which search correctly filters for these events?
Answer choices
Why each option matters
Answer the question above first, then reveal the full breakdown to understand why each option is right or wrong.
Correct answer & explanation
index=main sourcetype=login user=jsmith | where 'date_hour' > 18 | where NOT cidrmatch("10.0.0.0/8", src_ip)
Option A is correct because it uses the `cidrmatch` function to properly evaluate whether the source IP falls within the 10.0.0.0/8 subnet. The `where` clause with `date_hour > 18` correctly filters for events after business hours, and the `NOT cidrmatch` ensures only IPs outside the corporate subnet are included. This approach handles CIDR notation accurately, unlike simple string or inequality comparisons.
Key principle: Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.
Answer analysis
Option-by-option breakdown
For each option: why learners choose it and why it is or isn't the right answer here.
- ✓
index=main sourcetype=login user=jsmith | where 'date_hour' > 18 | where NOT cidrmatch("10.0.0.0/8", src_ip)
Why this is correct
Correctly uses `where` with `cidrmatch` and filters by hour.
Related concept
Read the scenario before looking for a memorised answer.
- ✗
index=main sourcetype=login user=jsmith date_hour>18 | search NOT src_ip=10.0.0.0/8
Why it's wrong here
`search` does not support CIDR notation; use `where` with `cidrmatch`.
- ✗
index=main sourcetype=login user=jsmith date_hour>18 | where not src_ip like "10.%"
Why it's wrong here
Using `like` is not recommended for IP ranges; it may miss class A addresses like 10.x.x.x.
- ✗
index=main sourcetype=login user=jsmith date_hour>18 | where src_ip!=10.0.0.0/8
Why it's wrong here
`!=` does not work with CIDR; use `cidrmatch` function.
Common exam traps
Common exam trap: answer the scenario, not the keyword
The trap here is that candidates often assume simple string or inequality operators (like `!=` or `like`) can handle CIDR subnet matching, but Splunk requires the `cidrmatch` function for accurate network range evaluation.
Detailed technical explanation
How to think about this question
The `cidrmatch` function in Splunk evaluates whether an IP address falls within a specified CIDR block by performing bitwise comparison of the IP and subnet mask, ensuring accurate subnet membership. In contrast, string-based comparisons (like `like` or `!=`) treat the IP as a literal string, which fails for CIDR ranges because IP addresses are hierarchical and not lexicographically ordered. This distinction is critical in security monitoring, where precise subnet filtering prevents false positives or negatives in detecting unauthorized access attempts.
KKey Concepts to Remember
- Read the scenario before looking for a memorised answer.
- Find the constraint that changes the correct option.
- Eliminate answers that are true in general but not in this case.
TExam Day Tips
- Watch for words such as best, first, most likely and least administrative effort.
- Review why wrong options are wrong, not only why the correct option is correct.
Key takeaway
Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.
Real-world example
How this comes up in practice
A network engineer segments a warehouse floor into three subnets: 20 scanners, 5 printers, and 2 management hosts. Picking the wrong mask wastes addresses or leaves too few usable hosts. Exam questions test whether you can apply CIDR notation, calculate block size, and identify the correct usable-host range for a given prefix.
What to study next
Got this wrong? Here's your next step.
Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.
- →
Advanced Searching and Statistics — study guide chapter
Learn the concepts, then practise the questions
- →
Advanced Searching and Statistics practice questions
Targeted practice on this topic area only
- →
All SPLK-1003 questions
500 questions across all exam domains
- →
Splunk Core Certified Power User SPLK-1003 study guide
Full concept coverage aligned to exam objectives
- →
SPLK-1003 practice test guide
How to use practice tests most effectively before exam day
Related practice questions
Related SPLK-1003 practice-question pages
Use these pages to review the topic behind this question. This is how one missed question becomes focused revision.
Advanced Searching and Statistics practice questions
Practise SPLK-1003 questions linked to Advanced Searching and Statistics.
Macros, Saved Searches and CIM practice questions
Practise SPLK-1003 questions linked to Macros, Saved Searches and CIM.
Advanced Visualization and Lookups practice questions
Practise SPLK-1003 questions linked to Advanced Visualization and Lookups.
Transactions and Event Correlation practice questions
Practise SPLK-1003 questions linked to Transactions and Event Correlation.
SPLK-1003 fundamentals practice questions
Practise SPLK-1003 questions linked to SPLK-1003 fundamentals.
SPLK-1003 scenario practice questions
Practise SPLK-1003 questions linked to SPLK-1003 scenario.
SPLK-1003 troubleshooting practice questions
Practise SPLK-1003 questions linked to SPLK-1003 troubleshooting.
Practice this exam
Start a free SPLK-1003 practice session
Short sessions build daily habit. Longer sessions build exam-day stamina. Try a timed session to simulate real conditions.
FAQ
Questions learners often ask
What does this SPLK-1003 question test?
Advanced Searching and Statistics — This question tests Advanced Searching and Statistics — Read the scenario before looking for a memorised answer..
What is the correct answer to this question?
The correct answer is: index=main sourcetype=login user=jsmith | where 'date_hour' > 18 | where NOT cidrmatch("10.0.0.0/8", src_ip) — Option A is correct because it uses the `cidrmatch` function to properly evaluate whether the source IP falls within the 10.0.0.0/8 subnet. The `where` clause with `date_hour > 18` correctly filters for events after business hours, and the `NOT cidrmatch` ensures only IPs outside the corporate subnet are included. This approach handles CIDR notation accurately, unlike simple string or inequality comparisons.
What should I do if I get this SPLK-1003 question wrong?
Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.
What is the key concept behind this question?
Read the scenario before looking for a memorised answer.
About these practice questions
Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content. Learn why practice questions differ from exam dumps →
Last reviewed: Jun 11, 2026
This SPLK-1003 practice question is part of Courseiva's free Splunk certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the SPLK-1003 exam.
Question Discussion
Share a tip, memory trick, or ask about the reasoning behind this question. Do not post real exam questions, leaked content, braindumps, or copyrighted exam material. Comments are moderated and may be removed without notice.
Sign in to join the discussion.