CCNA Macros, Saved Searches and CIM Questions

75 of 98 questions · Page 1/2 · Macros, Saved Searches and CIM · Answers revealed

Question 1 · MCQ · hard

A security team uses the CIM 'Authentication' data model to investigate failed logins. They have enabled acceleration on the data model and set a summary range of '1d'. After one week, searches against the data model are still slow and use the `search` command instead of `tstats`. What should they check first?

A. Confirm that the data model acceleration is built and that the search time range is within the summary range.
B. Verify that the 'Authentication' data model is assigned to the correct index.
C. Ensure that the 'Authentication' data model has the 'authentication' tag on relevant events.
D. Check that the data model acceleration has completed building for the exact time range of the search.
Answer: A

If the search time range exceeds the summary range, `tstats` cannot be used and Splunk falls back to search.

Why this answer

Option D is correct because acceleration must be built and the search time range must be within the summary range for `tstats` to be used. Option A is not a direct check; data models are not assigned to indices. Option B is important but not the first check if there are events.

Option C is less specific than D.

Question 2 · MCQ · easy

A user reports that a macro named `my_macro` is not working in a search. The macro is defined with no arguments and uses a simple search string. What is the most likely issue?

A. The macro permissions are not shared to the user's role.
B. The macro is defined with wrong arguments.
C. The macro name is misspelled in the search.
D. The macro contains a subsearch that fails.
Answer: A

Correct: Macros require proper permissions to be usable by others.

Why this answer

Option A is correct because macros are by default only editable by the creator, and permissions must be set to allow other roles to use them. A misspelling would cause an error message, not silent failure. Wrong arguments would cause an error if used with arguments.

A subsearch failure would also produce an error.

Question 3 · MCQ · medium

An administrator configures a saved search that uses a macro to generate a summary index every hour. The macro includes a time range argument with default value `earliest=-1h@h latest=@h`. The saved search does not pass any time range argument, so the default is used. After a few days, the summary index is missing data for the last hour of each day. What is the most likely cause?

A. The saved search schedule is set to run on the hour, but the macro's default time range covers the previous hour, creating an overlap.
B. The macro is defined in a private app, and the saved search runs in a different app, causing the macro default not to be used.
C. The saved search's summary index is configured with a summary range that is too short, causing old data to be aged out.
D. The macro definition used a static time range (e.g., `earliest=08:00:00 latest=09:00:00`) instead of a relative one.
Answer: D

Static time range does not update; after one day it will always refer to the same old hour.

Why this answer

Option B is correct because the default time range `-1h@h` to `@h` is relative to search time, which works correctly. But if the saved search schedule is set to run exactly on the hour, data indexed just after the hour will be included in the next hour's summary, so no gap. However, the issue is that the macro uses `now` in the default, which is evaluated at search time.

But if the saved search runs late due to load, the time range shifts. The real cause is that the saved search schedule is set to run on the hour, but the summary index time range should cover the previous full hour. Actually correct answer: The saved search schedule is set to run at every hour but the macro's default time range covers the last complete hour, which is correct.

The problem is more likely that the saved search is not using a sufficient summary range or the macro argument for time range is not being passed. Option B suggests that the macro's default time range is static because it was defined with a specific date/time. That is the most likely cause: the macro definition used a static time rather than relative.

Question 4 · MCQ · hard

What is the most likely reason for this behavior?

A. The 'max_time' setting limits the accelerated data to the last 1 day, so tstats only queries that time range.
B. The acceleration summaries are only generated at the 5-minute and 1-hour intervals, not daily.
C. The acceleration is disabled because 'enabled' is set to true incorrectly.
D. The acceleration automatically becomes outdated after 1 day and requires a rebuild.
Answer: A

max_time defines how far back the acceleration data goes, not the final search.

Why this answer

Option C is correct because the acceleration is enabled with 'max_time' set to 1 day, meaning the accelerated summaries only cover the last 24 hours. The 'earliest_time' of -7d sets the range for the initial data model but not the acceleration. Option A is incorrect because the summaries are defined for 5m and 1h.

Option B is incorrect because 'enabled' is true. Option D is incorrect because a 1-day acceleration limit is not 'never outdated'.

Question 5 · MCQ · medium

A user reports that a macro named `my_macro` is not expanding in a search. The macro is defined in a private app called 'App_A'. The user is running the search in a different app called 'App_B'. What is the most likely cause of the issue?

A. The macro has a syntax error that prevents expansion.
B. The user does not have permission to view the macro.
C. The macro name is case-sensitive and the user used wrong case.
D. The macro is not shared to the global context.
Answer: D

Macros are local to the app unless explicitly shared globally.

Why this answer

Macros are confined to the app where they are defined unless shared to the global context. If the macro is not shared, it will not be accessible from other apps. Option B is correct.

Option A (syntax error) would cause a different error. Option C (permissions) is related but the primary issue is app context. Option D (case sensitivity) is not relevant as Splunk macro names are case-insensitive.

Question 6 · MCQ · medium

A saved search is configured to run every hour and generate a summary index. The original search returns data that is then summarized. Which of the following best describes the purpose of summary indexing?

A. To reduce disk space usage by compressing raw data
B. To create real-time alerts based on historical data
C. To normalize data to the CIM
D. To speed up searches by pre-aggregating data into smaller datasets
Answer: D

Correct: This is the primary purpose.

Why this answer

Option B is correct: Summary indexing precomputes statistics from a search and stores them in a summary index, which can then be searched faster. Option A is not accurate; summary indexing doesn't compress raw data. Option C is about alerts.

Option D is about CIM.

Question 7 · MCQ · easy

What is the most likely cause of this error?

A. The macro does not have read permissions for the administrator's role.
B. The macro is missing the '|' pipe in front of the rest command.
C. The macro definition should use curly braces {} instead of brackets [].
D. The endpoint "/services/authentication/users" is incorrect; it should be "/services/authentication/users". Actually the correct endpoint is '/services/authentication/users' but the admin might have a typo.
Answer: D

The endpoint path is likely misspelled or wrong; typical endpoint is '/services/authentication/users' but contains spaces? Actually the given endpoint seems fine but maybe the leading space? Let's assume the correct endpoint is '/services/authentication/users' and the error indicates not found.

Why this answer

Option B is correct because the '| rest' command requires the endpoint path, but the macro definition includes a space before the pipe, which can be parsed incorrectly. Additionally, the leading pipe inside the macro definition is generally not recommended; the macro should start without the pipe. However, the specific error is about URL not found, which suggests the endpoint path is wrong.

Option A is a possible cause but less direct. Option C is incorrect because braces are not needed. Option D is incorrect because permissions are not the error.

Question 8 · Multi-Select · medium

Which THREE of the following are components of the Splunk Common Information Model (CIM)? (choose three)

A. Application State
B. Endpoint
C. Authentication
D. Change Analysis
E. Network Traffic
Answers: B, C, E

The Endpoint data model is part of CIM.

Why this answer

Option B (Endpoint) is correct because the Splunk Common Information Model (CIM) includes the Endpoint data model, which normalizes data from endpoint security solutions such as antivirus, EDR, and host-based intrusion detection. This data model covers processes, file system changes, registry modifications, and other host-level activities, making it a core component of the CIM.

Exam trap

The trap here is that candidates may confuse 'Change Analysis' with the CIM's 'Change' data model, or assume 'Application State' is a valid CIM component because it sounds like a logical category, but the CIM only includes specific named data models like 'Authentication', 'Endpoint', and 'Network Traffic'.

Question 9 · MCQ · hard

What is the most likely cause of the error?

A. The macro definition uses positional arguments but the call uses named arguments.
B. The macro name in the definition contains an invalid character (backtick).
C. The macro call is missing a closing parenthesis.
D. The macro call uses named arguments instead of positional arguments.
Answer: B

Backtick is not allowed in macro names; it causes parsing errors.

Why this answer

The error is caused by the backtick character in the macro definition name. In Splunk, macro names must consist only of alphanumeric characters and underscores; backticks are invalid and will cause a parsing error when the macro is defined or called.

Exam trap

Splunk often tests the specific rule that macro names must be alphanumeric with underscores only, and the trap here is that candidates focus on argument syntax (positional vs named) instead of recognizing the invalid character in the name.

How to eliminate wrong answers

Option A is wrong because the error is not about argument mismatch; the backtick in the name prevents the macro from being parsed at all. Option C is wrong because a missing closing parenthesis would produce a syntax error, but the backtick is the more likely cause given the name issue. Option D is wrong because the error is not about named vs positional arguments; the invalid character in the name is the root cause.

Question 10 · MCQ · easy

A security analyst wants to create a macro that extracts IP addresses from a field named `src_ip` and returns a count of unique IPs per source. Which macro definition accomplishes this?

A. `| stats count(src_ip) as unique_ips`
B. `| stats distinct_count(src_ip) as unique_ips`
C. `| stats unique(src_ip) as unique_ips`
D. `| stats dc(src_ip) as unique_ips`
Answer: D

`dc` (distinct count) counts unique values.

Why this answer

Option D is correct because `dc(src_ip)` is the Splunk command for distinct count, which returns the number of unique IP addresses in the `src_ip` field. This macro definition directly fulfills the requirement to count unique IPs per source, as `dc` is the standard abbreviation for distinct count in Splunk's `stats` command.

Exam trap

Splunk often tests the distinction between `count` and `dc` (distinct_count), where candidates mistakenly choose `count` or invalid commands like `distinct_count` or `unique`, not knowing that `dc` is the correct and only valid syntax for distinct count in Splunk's `stats` command.

How to eliminate wrong answers

Option A is wrong because `count(src_ip)` counts all occurrences of `src_ip`, including duplicates, not unique IPs. Option B is wrong because `distinct_count` is not a valid Splunk command; the correct syntax is `dc`. Option C is wrong because `unique` is not a valid aggregation function in Splunk's `stats` command; it would cause a syntax error.

Question 11 · MCQ · medium

Refer to the exhibit. An analyst executes the following search: `| filter_status(status_code=500)`. What will be the result?

A. The macro will run successfully, but it will use the literal string "status_code=500" as the argument value.
B. The macro will fail because the argument definition uses $arg1$ but the macro was called with "status_code=500".
C. The macro will run successfully, returning count of events with status=500.
D. The macro will fail because named arguments are not supported; Splunk macro arguments are positional.
Answer: D

Correct. Splunk macros only accept arguments positionally; named arguments cause an error.

Why this answer

Option D is correct because Splunk macros do not support named arguments; they use positional arguments defined by $arg1$, $arg2$, etc. In the search `| filter_status(status_code=500)`, the argument is passed as a named key-value pair, but the macro definition expects a positional argument. This mismatch causes the macro to fail, as Splunk cannot resolve the named argument to the positional placeholder.

Exam trap

Splunk often tests the distinction between positional and named arguments in Splunk macros, trapping candidates who assume macros support named parameters like commands or who think the macro will simply treat the input as a literal string.

How to eliminate wrong answers

Option A is wrong because the macro will not run successfully; Splunk will not treat 'status_code=500' as a literal string but will attempt to match it to a positional argument, leading to failure. Option B is wrong because the failure is not due to the argument definition using $arg1$ while the call uses 'status_code=500' — that is the surface symptom, but the root cause is that Splunk macros require positional arguments, not named ones. Option C is wrong because the macro will not return a count of events with status=500; it will fail to execute due to the named argument syntax.

Question 12 · MCQ · hard

An administrator defines a macro that calls another macro. Both macros are defined in the same app. The first macro works correctly, but when executed, it triggers an error: 'Recursive macro call detected'. What is the most likely cause?

A. The second macro is not shared to the global context.
B. The second macro calls the first macro, creating a circular reference.
C. The first macro has a syntax error that only appears when combined.
D. The first macro passes incorrect arguments to the second macro.
Answer: B

Splunk macros cannot be recursive; circular references cause this error.

Why this answer

Splunk detects and prevents recursive macro calls (a macro that directly or indirectly calls itself). The error indicates that the two macros form a circular reference. Option B is correct.

Option A (argument mismatch) would give a different error. Option C (permissions) is not relevant. Option D (syntax error) would also give a different error.

Question 13 · MCQ · easy

A Splunk administrator wants to reduce maintenance effort when the same search logic is used in multiple saved searches. Which approach is most effective?

A. Define a macro that encapsulates the common search logic and reference the macro in each saved search.
B. Use the Common Information Model (CIM) to normalize the data and then search using data model commands.
C. Create a summary index that contains the output of the common logic and have each saved search reference that summary index.
D. Enable report acceleration on each saved search to improve performance.
Answer: A

Macros promote reuse and centralize changes.

Why this answer

Option C is correct because macros allow reusable search components. Option A (summary index) increases complexity. Option B (post-process) is for data models.

Option D (report acceleration) is for speeding up reports, not reuse.

Question 14 · Multi-Select · medium

Which TWO of the following are valid ways to define macro arguments in Splunk? (Select exactly 2.)

A. `$arg$` without default
B. Using `| eval` to set argument values inside the macro
C. Defining arguments list in `args` field: `args = arg1, arg2`
D. `$arg$` with default value: `$arg$=default$`
E. Numeric argument: `$1$` in definition and usage
Answers: C, D

The `args` field specifies the names of positional arguments.

Why this answer

Options B and D are correct. Option A is not valid because `$arg$` alone does not assign a default. Option C uses numeric syntax correctly with `$1$`.

Option E is not a standard argument syntax.

Question 15 · Multi-Select · easy

Which three of the following are benefits of using the Common Information Model (CIM)? (Choose THREE.)

A. Ensures consistent field naming across data sources.
B. Provides pre-built data models for common domains.
C. Reduces the need for custom field extractions.
D. Automatically generates reports for compliance.
E. Allows sharing of dashboards and searches across environments.
Answers: A, B, E

Correct: CIM defines common field names for normalization.

Why this answer

Options A, C, and E are correct. CIM ensures consistent field naming, allows sharing of dashboards across environments, and provides pre-built data models. It does not automatically generate compliance reports, and while it reduces the need for custom extractions, it does not eliminate them entirely.

Question 16 · MCQ · hard

A data engineer has defined a CIM data model for 'Network_Traffic'. They have also created field aliases using `| fieldaliases` to map custom fields like `src_ip` and `dest_ip` to the CIM fields. When running searches against the data model, some events do not appear. The engineer verified that the tags are correctly applied. What is the most likely remaining issue?

A. The field aliases must be defined within the data model itself, not via `| fieldaliases`.
B. The data model search is using a time range that excludes the events.
C. The custom fields are not indexed, so they cannot be used in data models.
D. The tags are applied only to a subset of events.
Answer: A

Data model acceleration uses the data model's field definitions; `| fieldaliases` is a search-time command and does not impact accelerated data models.

Why this answer

Option C is correct: field aliases defined with `| fieldaliases` are not applied to data model searches; instead, data model acceleration uses fields defined in the data model itself. Option A: tags are for inclusion, not mapping. Option B: time range would affect all events equally.

Option D: lookup table would not solve missing fields.

Question 17 · Matching · medium

Match each Splunk macro to its definition.

Descriptions to match:

A reusable search snippet without arguments

A reusable search snippet with arguments

A search within a search, enclosed in brackets

A macro that performs a lookup

A macro that evaluates an expression

Why these pairings

Macros simplify complex searches by reusing common patterns.

Question 18 · Drag & Drop · medium

Order the steps to configure a field extraction using the Field Extractor (FX) in Splunk.


Why this order

The Field Extractor guides you through selecting sample data, defining extraction rules, testing, and saving.

Question 19 · MCQ · easy

A team needs to create a saved search that runs automatically every Monday at 8 AM and emails a CSV file of the results. Besides configuring the search string, which steps are required?

A. Create a dashboard panel that runs the search on schedule and sends email.
B. Set the search to 'Summary Index' and run a separate alert on the summary.
C. Set a schedule (Cron: `0 8 * * 1`) and add an email alert action with attachment format CSV.
D. Define the schedule and set the time range to 'Last 7 days'.
Answer: C

Scheduling and alert action are required for automated email delivery.

Why this answer

Option B is correct because a saved search must have both a schedule and at least one alert action (like email with CSV attachment). Option A is incorrect because the schedule time can be set directly. Option C is incorrect because CSV output is configured in the alert action.

Option D is incorrect because summary indexing is optional.

Question 20 · Drag & Drop · medium

Order the steps to create a dashboard panel using the XML source editor in Splunk.


Why this order

Dashboard panels are defined in XML by adding a panel with a search query and visualization.

Question 21 · MCQ · hard

An admin created a macro `myfilter(host)` with definition: `host=$host$ | stats count`. When calling `myfilter(webserver)`, the search returns no results. What is the most likely cause?

A. The host field is case-sensitive.
B. The macro argument is not being treated as a literal string.
C. The host field is not indexed.
D. The macro is evaluated before the rest of the search.
Answer: B

Without quotes, the value is interpreted as a field value literal, but the correct syntax is `host="$host$"`.

Why this answer

The macro definition uses `host=$host$`, but when called with `myfilter(webserver)`, the argument `webserver` is passed as a literal string. However, the macro expands to `host=webserver | stats count`, which Splunk interprets as a field-value comparison where `webserver` is treated as a literal string value for the `host` field. The issue is that the macro argument is not being treated as a literal string in the context of the search; instead, it's being substituted directly, which is correct.

The real problem is that the macro definition uses `$host$` without quotes, so the argument is not being treated as a literal string value—it's being interpreted as a field name or search term. The correct syntax should be `host="$host$"` to ensure the argument is treated as a literal string. Option B is correct because the macro argument is not being treated as a literal string, causing the search to fail to match events.

Exam trap

Splunk often tests the misconception that macro arguments are automatically treated as literal strings, when in fact they are substituted as raw text and must be explicitly quoted to be treated as literal values.

How to eliminate wrong answers

Option A is wrong because while the host field is case-sensitive by default in Splunk, this is not the cause of the issue—the macro substitution does not change case, and the search would still return results if the case matched. Option C is wrong because the host field is a default indexed field in Splunk (part of the metadata), so it is always indexed; the problem is not about indexing. Option D is wrong because macro evaluation occurs before the rest of the search, but this is normal behavior and does not cause the issue; the problem is the lack of quotes around the argument, not the evaluation order.

Question 22 · MCQ · easy

Which Common Information Model (CIM) data model is appropriate for standardizing authentication events?

A. Change Analysis
B. Network Traffic
C. Authentication
D. Endpoint
Answer: C

The Authentication data model covers login/logout, failed authentication, etc.

Why this answer

The CIM includes the 'Authentication' data model for authentication events. Option A is correct. Option B (Change Analysis) is for configuration changes.

Option C (Endpoint) is for operating system events. Option D (Network Traffic) is for network sessions.

Question 23 · Multi-Select · medium

Which THREE are valid uses of macros in Splunk? (Choose three.)

A. Dynamically switch between different indexes at search time based on user input.
B. Enforce security by hiding sensitive parts of the search from users.
C. Modify the results of a search after the search completes (post-processing).
D. Reduce duplicated SPL in the search language by reusing common sub-searches.
E. Parameterize searches by passing arguments such as time ranges or threshold values.
Answers: B, D, E

Macros can be used to grant execute-only access without exposing the underlying SPL.

Why this answer

Options B, C, and D are correct. Macros can encapsulate complex SPL, accept arguments, and be used to enforce security policies by restricting access to parts of searches. Option A is wrong because macros cannot dynamically change the index at search time (they can, but not as a primary purpose; it's discouraged due to performance).

Option E is wrong because macros are not designed to modify search results; they generate SPL that runs against events.

Question 24 · MCQ · medium

A Splunk administrator notices that a scheduled saved search titled 'Nightly_Threat_Report' is not completing on time. The search runs at 2:00 AM daily and typically takes 15 minutes, but recently it has been timing out after 30 minutes. The search query is complex, joining data from multiple indexes. The administrator checks the 'savedsearch.log' and sees entries like 'Search job terminated due to dispatch time limit' and 'Search job exceeded max time'. The administrator wants to resolve the issue without changing the search logic or increasing system resource limits. Which action should the administrator take first?

A. Change the scheduled time to 1:00 AM to avoid other concurrent heavy searches.
B. Increase the 'dispatch.max_time' parameter for the saved search in savedsearches.conf.
C. Increase the 'dispatch.earliest_time' and 'dispatch.latest_time' settings for the saved search to allow a longer execution window.
D. Reduce the search time range from 'last 24 hours' to 'last 1 hour' to speed up the query.
Answer: B

This directly increases the dispatch time limit, allowing the search to complete.

Why this answer

Option B is correct because the error messages 'Search job terminated due to dispatch time limit' and 'Search job exceeded max time' directly indicate that the search is hitting the 'dispatch.max_time' limit, which defaults to 600 seconds (10 minutes) for scheduled searches. Increasing this parameter in savedsearches.conf extends the maximum execution time allowed for the search job, allowing the complex query to complete without changing the search logic or system resource limits.

Exam trap

The trap here is that candidates confuse 'dispatch.max_time' (execution timeout) with 'dispatch.earliest_time'/'dispatch.latest_time' (time range), leading them to incorrectly adjust the search window instead of the timeout limit.

How to eliminate wrong answers

Option A is wrong because changing the scheduled time does not address the root cause of the timeout; the search is failing due to its own execution time limit, not due to resource contention from concurrent searches. Option C is wrong because 'dispatch.earliest_time' and 'dispatch.latest_time' control the time range of data searched, not the execution timeout; increasing these would actually expand the data volume and worsen the timeout issue. Option D is wrong because reducing the search time range changes the search logic and data scope, which violates the constraint of not changing the search logic; it also may not guarantee completion if the query itself is inefficient.

Question 25 · MCQ · medium

A Splunk administrator is asked to create a dashboard that shows the top 10 source IPs by count of failed logins over the past week. The data is already CIM-compliant and uses the Authentication data model. Which search is most appropriate?

A. `| tstats count from datamodel=Authentication where Authentication.action=failure by Authentication.src limit 10`
B. `| tstats summaryonly=true count from datamodel=Authentication where action=failure by src`
C. `| datamodel Authentication search | search action=failure | top src`
D. `| search sourcetype=* authentication action=failure | stats count by src | sort - count | head 10`
Answer: A

Uses tstats on the accelerated data model with proper field and limit.

Why this answer

Option A is correct because it uses the CIM data model and the 'tag=authentication' to filter relevant events, then extracts the 'src' field (which is the CIM field for source IP). Option B uses '| datamodel Authentication' but does not use '| tstats' which is more efficient for accelerated data models. Option C uses '| tstats summaryonly=true' which loses detail.

Option D uses the Authentication data model correctly but does not sum by source IP.

Question 26 · MCQ · hard

A performance analyst notices that a saved search running a macro with multiple `| eval` statements takes significantly longer than expected. The macro includes conditions like `| eval status=if(success=="true", "OK", "Fail")`. Which change would most likely improve performance?

A. Reduce the number of arguments passed to the macro.
B. Increase the summary index range to reduce the number of events processed.
C. Replace the `| eval` with a lookup table that maps the conditions.
D. Add more `| fields` commands to limit output fields.
Answer: C

Lookups are faster than per-event eval evaluations.

Why this answer

Option A is correct: using a lookup to precompute the status field will offload processing from search time. Option B: reducing arguments does not affect eval complexity. Option C: adding more fields increases overhead.

Option D: increasing summary range does not help the search itself.

Question 27 · MCQ · medium

The admin calls the macro as shown. What will be the expanded search string?

A. `search index=main earliest=-1h latest=now | stats count by sourcetype | rename count as total`
B. `search index='main' earliest='-1h' latest=now | stats count by sourcetype | rename count as total`
C. `search index=-1h earliest=main latest=now | stats count by sourcetype | rename count as total`
D. `search index=main|earliest=-1h latest=now | stats count by sourcetype | rename count as total`
Answer: A

Correct substitution: $index$ -> main, $time_range$ -> -1h.

Why this answer

Option A is correct because macro arguments are substituted: $index$ becomes 'main', $time_range$ becomes '-1h'. The brackets define the search inside. Option B incorrectly concatenates.

Option C uses single quotes. Option D swaps order.

Question 28 · MCQ · medium

A Splunk admin created a macro named `filter_by_region` that takes one argument: the region code. The macro definition is: `index=main sourcetype=web region=$region$`. When a user runs the search `| `filter_by_region US`` they get no results, but when they replace the macro with the actual string `index=main sourcetype=web region=US`, they get results. What is the problem?

A. The macro definition does not specify an argument list.
B. The macro argument is not passed correctly because of quotation marks.
C. The user does not have execute permissions for the macro.
D. The macro uses double dollar signs incorrectly; it should be `$region$`.
Answer: A

Correct: Without an argument list, the macro does not recognize `$region$` as a variable.

Why this answer

Option A is correct: The macro definition does not include an argument list, so `$region$` is treated as literal text. The correct definition should be `filter_by_region(region)` in the definition name. Double dollar signs are correct for variable expansion.

Quotation marks are not an issue here. Permissions would cause an error message.

Question 29 · MCQ · hard

A Splunk admin is accelerating a CIM data model for the "Network_Traffic" dataset. After acceleration, some searches that use the data model are slower than expected. What is the most likely reason?

A. The acceleration uses too many fields
B. The data model acceleration is not compatible with the CIM
C. Searches are not using the `| datamodel` command correctly
D. The acceleration summary range is set too low
Answer: D

Correct: A low summary range excludes older data from acceleration.

Why this answer

Option D is correct: if the summary range is set too low (for example 7 days when analysts routinely search 60), events older than the range are never summarized, so any search that reaches back further than the summary range runs against raw events and is slow. Option B is false; the CIM data models are designed to be accelerated. Option C could make an individual search slow but does not explain searches becoming slow after acceleration was enabled.

Option A is not a typical issue; acceleration summarizes only the fields the data model defines.

30
Multi-Selectmedium

Which of the following are characteristics of the Splunk Common Information Model (CIM)? (Choose three.)

Select 3 answers
A.The CIM automatically renames all fields in incoming data to match its standard
B.It requires the installation of the Splunk Common Information Model Add-on
C.Data models defined in the CIM can be accelerated to improve search performance
D.It provides a set of standard field names and tags for different data sources
E.The CIM includes predefined dashboards and reports
AnswersB, C, D

Correct: The add-on must be installed.

Why this answer

Options B, C, and D are correct. B: the CIM is delivered as the Splunk Common Information Model Add-on, which has to be installed. C: the data models it defines can be accelerated to improve search performance. D: it provides a standard set of field names and tags for each data domain.

A is false: the CIM does not rename fields on its own; data is mapped to it with field aliases, extractions, eval expressions, tags and event types in the relevant technology add-on. E is false: the CIM provides data models, not dashboards (other apps build dashboards on top of them).

31
MCQeasy

A saved search is configured with a schedule but is not triggering at the expected time. The admin checks the "Job Inspector" and sees that the scheduled search is "skipped". What is a common reason for a scheduled search to be skipped?

A.The search time range exceeds the bucket's time range
B.There are too many concurrent searches scheduled
C.The search is configured as a real-time search
D.The search string has a syntax error
AnswerB

Correct: This is a common reason for scheduled searches being skipped.

Why this answer

Option B is correct: the scheduler skips a run when it cannot start it within its window, typically because the search-head or role limit on concurrent scheduled searches has been reached. Option A is not a scheduler condition; the time range affects which buckets are searched, not whether the run starts. Option C is wrong because real-time searches are not scheduled. Option D would make the run fail with an error rather than be skipped.

32
MCQhard

A Splunk administrator uses a macro to normalize firewall logs into the CIM Network Traffic data model. The macro includes a field alias that maps `bytes_sent` to `bytes_out`. The mapping works in ad-hoc searches, but when the macro is used in a summary index search, the field is not populated. What is the most likely reason?

A.The alias creates a new field that is not included in the summary index output.
B.The summary index is accelerated and overrides the alias.
C.Field aliases are not supported in macros.
D.The macro is not shared to the global context, so it fails in summary indexing.
AnswerA

Search-time aliases create new fields; if the summary index only stores original fields, the aliased field may not be stored unless explicitly kept.

Why this answer

A summary-index search stores whatever fields are present in its result rows. The alias is applied at search time, so `bytes_out` exists only if the search still carries it when `collect` (or the summary index action) runs; a `fields` or `stats` clause that does not include the aliased field drops it, and the summary index then stores only the original fields. Keeping `bytes_out` in the output, for example by naming it in `stats sum(bytes_out)`, fixes the problem.

Option A is correct. Option D (macro not global) would affect ad-hoc searches too. Option C (aliases not supported in macros) is false.

Option B (summary index acceleration) is unrelated.

33
Multi-Selectmedium

Which TWO of the following are valid ways to create a macro in Splunk? (choose two)

Select 2 answers
A.Add a macro definition to props.conf under a [source] stanza.
B.Use the CLI command `splunk add macro` with the macro definition.
C.Navigate to Settings > Advanced search > Search macros and click 'New'.
D.Create a macros.conf file in $SPLUNK_HOME/etc/system/local/ and add the macro definition.
E.Edit the macros.conf file in the app's default directory.
AnswersC, D

This is the UI method.

Why this answer

Option C is correct because Splunk provides a GUI method to create macros under Settings > Advanced search > Search macros, which is the standard and supported approach. Option D is correct because creating a macros.conf file in $SPLUNK_HOME/etc/system/local/ (or, in practice, in an app's local directory, which is the recommended place) is a valid configuration method; Splunk reads the file at startup or after a configuration reload.

Exam trap

The trap here is that candidates may confuse the valid configuration file location (local directory) with the default directory, or mistakenly think a CLI command exists for macro creation, when Splunk only supports GUI or manual file-based methods.

34
MCQhard

A large organization uses Splunk to monitor its network infrastructure. They have a single saved search that runs every hour to create a summary index for each of the 50 network device sourcetypes. The saved search uses a macro named `build_network_summary` that accepts two arguments: `sourcetype` and `time_range`. The macro definition is: ``` [build_network_summary] definition = index=network sourcetype=$sourcetype$ earliest=$time_range$ latest=now | stats count by src_ip, dest_ip, protocol | collect index=network_summary args = sourcetype, time_range iseval = 0 ``` The saved search iterates over the 50 sourcetypes using a separate lookup or list. Recently, the security team noticed that the network_summary index is missing data for certain sourcetypes, specifically those with hyphens in their names (e.g., `cisco-asa`, `juniper-srx`). For other sourcetypes, the summary is complete. The saved search runs without errors in Splunk's job inspector. Which course of action should the administrator take to resolve the issue?

A.Increase the summary index range to cover all sourcetypes in one pass rather than iterating.
B.Modify the macro definition to enclose the `$sourcetype$` argument in quotation marks: `sourcetype="$sourcetype$"`
C.Change the macro's time_range argument to use a static time range to avoid relative time issues.
D.Enable acceleration on the network_summary index to improve data completeness.
AnswerB

Quoting ensures the substituted value reaches the parser as a single literal.

Why this answer

Option B is correct: the macro substitutes the sourcetype name into the search unquoted, so a value containing a hyphen, such as `cisco-asa`, is not guaranteed to be treated as one literal term, and the search quietly matches nothing for those sourcetypes instead of failing. Writing `sourcetype="$sourcetype$"` (and, for the same reason, `earliest="$time_range$"`) makes the expanded search unambiguous; the job inspector's expanded search string shows exactly what each iteration ran. Option A changes how much data is processed, not how the argument is parsed. Option C addresses the time range, not the sourcetype.

Option D is unrelated; indexes are not accelerated, data models and reports are.

35
MCQeasy

A Splunk admin wants to create a macro named `filter_by_app` that accepts an application name as an argument and returns a search string filtering by that application. The application name may contain spaces. Which of the following correctly defines the macro's arguments and usage?

A.Definition: `filter_by_app(1)` and usage: `index=main app=$1$`
B.Definition: `filter_by_app($app$)` and usage: `index=main app=$app$`
C.Definition: `filter_by_app($app$)` and usage: `index=main app="$app$"`
D.Definition: `filter_by_app(app)` and usage: `index=main app=app`
E.Definition: `filter_by_app($1)` and usage: `index=main app=$1`
AnswerC

Correctly uses `$app$` in both definition and usage, with quotes so a value containing spaces is treated as one term.

Why this answer

Option C is correct because macro arguments are referenced with the `$name$` syntax and, when the value can contain spaces, the substituted value must be quoted: `app="$app$"`. (In the Splunk UI the macro is saved as `filter_by_app(1)` with `app` in its Arguments field; the `filter_by_app($app$)` form used by these options is the question's shorthand.) Option B uses `$app$` without quotes, which breaks on a name like `My App`. Option A references the argument as `$1$` and also leaves it unquoted.

Option D uses `app` without dollar signs, so nothing is substituted. Option E uses `$1`, missing the trailing dollar sign.
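How the three macros in questions 28, 34 and 35 would be declared in macros.conf, as an added example that is not part of the original page or of any Splunk app: the stanza name carries the argument count, `args` carries the argument names, and every substituted value is quoted. The index and field names beyond those the questions give, and the app directory, are assumptions for illustration.

```ini
# macros.conf, in an app's local directory such as
# $SPLUNK_HOME/etc/apps/<app>/local/macros.conf   (added example, not from the page)

# Question 28: one argument named "region". Without the args line the
# $region$ placeholder is literal text and the expanded search matches nothing.
[filter_by_region(1)]
args = region
definition = index=main sourcetype=web region="$region$"
iseval = 0

# Question 35: the value may contain spaces, so the substituted value is quoted.
[filter_by_app(1)]
args = app
definition = index=main app="$app$"
iseval = 0

# Question 34: quote both substituted values so that a sourcetype such as
# cisco-asa and a relative time such as -1h@h each reach the parser as a
# single literal. collect writes the aggregate rows, and only the fields
# present in those rows, to the summary index.
[build_network_summary(2)]
args = sourcetype, time_range
definition = index=network sourcetype="$sourcetype$" earliest="$time_range$" latest=now \
| stats count by src_ip, dest_ip, protocol \
| collect index=network_summary
iseval = 0
```

Invoke these as `` `filter_by_region(US)` ``, `` `filter_by_app(My App)` `` and `` `build_network_summary(cisco-asa, -1h@h)` ``; because the definitions supply the quotes, the caller passes bare values. After saving, run one invocation and open the job inspector: the expanded search string shows exactly what the macro produced, which is the quickest way to catch an unquoted or unsubstituted argument.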

36
MCQeasy

A Splunk admin is tasked with creating a set of macros that will be used by multiple app developers to standardize searches across the organization. The macros need to accept parameters such as index, sourcetype, and time range. Some macros will be complex and include subsearches. Which approach should the admin take to ensure maximum reusability and maintainability?

A.Create separate macros for each combination of parameters.
B.Embed all logic into a single macro and use conditional statements.
C.Use macro arguments with default values and include comments in the definition.
D.Define macros with no arguments and rely on the developers to modify the macro code.
AnswerC

Correct: Arguments with defaults allow flexible use, and comments improve maintainability.

Why this answer

Option C is correct: Using macro arguments with default values and comments provides flexibility and clarity. Defining macros without arguments forces users to edit for each use. Separate macros for each parameter combination create unnecessary duplication.

A single macro with conditionals becomes complex and hard to maintain.

37
MCQeasy

A Splunk admin wants to create a macro that extracts the username from a log line that always starts with 'User: <username>'. The macro should be reusable across searches. Which definition is correct?

A.`rex field=_raw "User: (?<username>\S+)"`
B.`eval username=extract("User: (?<username>\S+)")`
C.`rex field=_raw "User: (?<username>\S+)" | eval username=$result$`
D.`username = rex field=_raw "User: (?<username>\S+)"`
AnswerA

This is a valid macro definition for extraction.

Why this answer

Option A is correct because the `rex` command with `field=_raw` and a named capturing group `(?<username>\S+)` extracts the username into a field called `username`. This is the standard Splunk way to perform regex extraction in a search, and wrapping it in a macro makes it reusable across searches without additional syntax.

Exam trap

Splunk often tests the distinction between `rex`, which extracts fields with a regular expression, and `eval`, whose regex functions (`match`, `replace`) do not create fields from capture groups; candidates mistakenly try to use `eval` with an extraction function that does not exist in Splunk.

How to eliminate wrong answers

Option B is wrong because `extract()` is not a valid Splunk eval function; regex field extraction in a search is done with `rex` (or with a props/transforms extraction outside the search), not with `eval`. Option C is wrong because `$result$` is not a valid token in this context; `rex` directly populates the named field, and piping to `eval` with `$result$` is unnecessary and incorrect. Option D is wrong because `username = rex ...` is not valid SPL syntax; `rex` is a standalone command, not an assignment within an eval expression.

38
Multi-Selecteasy

Which TWO of the following are valid uses of the Common Information Model (CIM) in Splunk?

Select 2 answers
A.Defining user roles and permissions for data access.
B.Managing license usage across indexers.
C.Creating new indexes for faster search performance.
D.Defining tags and event types to categorize data.
E.Normalizing data from different sources to a common field naming convention.
AnswersD, E

CIM uses tags and event types to map data to models.

Why this answer

Option D is correct because the CIM provides a standardized set of tags and event types that allow you to categorize and classify data from diverse sources, enabling consistent searching and correlation across your Splunk environment. Option E is correct because the CIM defines common field names (e.g., src_ip, dest_ip, user) to normalize data from different technologies, ensuring that searches and dashboards work uniformly regardless of the original data source.

Exam trap

The trap here is that candidates often confuse the CIM with operational or administrative features (like roles, licensing, or index management) because they are all part of Splunk's ecosystem, but the CIM is strictly a semantic layer for data normalization and categorization.

39
Multi-Selecteasy

Which TWO of the following are valid ways to define arguments in a Splunk macro?

Select 2 answers
A.In the macro definition, use $arg1$, $arg2$ as placeholders for the arguments.
B.Arguments are defined by listing them in the 'args' attribute in macros.conf.
C.In the macro definition, use $1$, $2$ as positional placeholders.
D.Arguments are automatically inferred from the search string in the macro definition.
E.In the macro definition, use named placeholders like $error_code$.
AnswersA, B

Correct. Named placeholders such as $arg1$ are declared in the macro's args attribute and referenced in the definition.

Why this answer

Option A is correct because Splunk macros use named placeholders like $arg1$, $arg2$ in the macro definition to represent arguments, and option B is correct because those names must be listed in the `args` attribute (the Arguments field in the UI); the argument count goes in the stanza name, for example `[mymacro(2)]`. When the macro is invoked, the values are mapped onto the declared names in the order they are passed and substituted into the definition. Option E is not a separate mechanism: `$error_code$` is just another named placeholder and works only if `error_code` is declared as in B. Option D is false; nothing is inferred from the search string.

Exam trap

Splunk often tests whether candidates know that there is no built-in positional syntax: a placeholder such as $1$ has no special meaning of its own, so every placeholder used in the definition must match an argument name that has been declared.

40
Multi-Selecteasy

Which of the following are valid ways to define a macro in Splunk? (Choose two.)

Select 2 answers
A.Using the `macro` command in a saved search
B.Using the `| macro` command in a search
C.Using named arguments like $field$ in the definition, with the argument names defined in the macro properties
D.Using the `define` command in the search bar
E.Using positional arguments like $1$ in the definition
AnswersC, E

Correct: Argument names, whatever they are, must be declared in the macro properties.

Why this answer

Options C and E are correct: a macro definition refers to its arguments with `$name$` placeholders, whether the name is a word such as `field` or a number such as `1`, and the names are declared in the macro's properties (the Arguments field in the UI, `args` in macros.conf). Option D is invalid; there is no `define` command. Option A is invalid; macros are defined as knowledge objects under Settings > Advanced search > Search macros, not with a command in a saved search.

Option B is invalid; there is no `| macro` command. Macros are invoked by enclosing the name in backticks.

41
MCQhard

A Splunk admin creates a macro named `lookup_user` that is defined as `| lookup user_lookup user AS $1$ OUTPUT full_name as user_name`. The macro is used in a search like `index=main | `lookup_user(user_id)`. However, the results show no matches even though valid user_id values exist. What is the most likely cause?

A.The macro is missing a closing parenthesis
B.The lookup file does not have a field named `user`
C.The lookup command should be `inputlookup` instead of `lookup`
D.The macro definition incorrectly includes a leading pipe
AnswerD

Correct: The doubled pipe makes the expanded search malformed.

Why this answer

Option D is correct: because the macro is invoked after a pipe, `index=main | `lookup_user(user_id)``, its definition must not start with one; with the leading pipe the expanded search becomes `index=main | | lookup ...`, which is a syntax error or, at best, behaves unexpectedly. Option A is wrong; the invocation shown is balanced. Option B is less likely: if the lookup had no `user` field, the `lookup` command would report an error instead of quietly returning no matches.

Option C is wrong: `inputlookup` reads a lookup table as events and cannot enrich existing results; `lookup` is the right command here.

42
MCQhard

A Splunk admin notices that a saved search scheduled to run every 10 minutes is consistently taking 15 minutes to complete, causing overlapping runs. The search aggregates data across multiple indexes and uses a large time window. What is the best way to prevent overlap and ensure the search completes?

A.Set the search to 'Run on a timer' and increase the schedule interval to 20 minutes.
B.Enable the 'Schedule Priority' setting to 'Higher' and set 'Schedule Window' to 0.
C.Reduce the search time window to 5 minutes to decrease execution time.
D.Configure the search to 'Skip the next scheduled run if the previous run is still in progress'.
AnswerD

This prevents overlapping runs by skipping if still running.

Why this answer

Option D is correct because the 'Skip the next scheduled run if the previous run is still in progress' setting is specifically designed to prevent overlapping executions of a saved search. This ensures that if a search takes longer than its scheduled interval, the next scheduled run is skipped, avoiding resource contention and incomplete results.

Exam trap

The trap here is that candidates often confuse increasing the schedule interval or reducing the time window as a solution, but the correct approach is to use the built-in overlap prevention setting, which directly addresses the problem of overlapping runs without altering the search logic or data coverage.

How to eliminate wrong answers

Option A is wrong because simply increasing the schedule interval to 20 minutes does not guarantee the search will complete within that time; it only reduces the frequency of runs, but the search could still overlap if execution time varies. Option B is wrong because 'Schedule Priority' and 'Schedule Window' control when the search runs relative to other scheduled searches, not whether overlapping runs are prevented; setting 'Schedule Window' to 0 forces immediate execution but does not handle overlap. Option C is wrong because reducing the search time window to 5 minutes may not capture the required data and does not address the root cause of the search taking longer than the interval; it could also lead to incomplete or inaccurate results.

43
MCQmedium

A Splunk administrator needs to schedule a saved search to run every second Friday at 10:00 AM. Which cron expression should be used?

A.0 10 * * 5
B.0 10 8-14 * 5
C.0 10 */2 * *
D.0 10 * * *
AnswerB

This runs at 10:00 AM on Fridays whose day of month is between the 8th and the 14th, which is always the second Friday.

Why this answer

Every Friday at 10:00 would be `0 10 * * 5`; to restrict it to the second Friday, a day-of-month range is combined with the day-of-week. The second Friday always falls between the 8th and the 14th, so `0 10 8-14 * 5` is the expression. Option B is correct. Before relying on it, check how your scheduler combines the two fields: traditional Unix cron treats a restricted day-of-month and day-of-week as alternatives and would also fire every day from the 8th to the 14th, so verify the next scheduled run times after saving.

Option A runs every Friday. Option C runs every second day of the month. Option D runs daily.
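How the scheduling settings behind questions 31, 42 and 43 look in savedsearches.conf, as an added example that is not part of the original page or of any Splunk app. The stanza names, search strings and index names are assumptions for illustration; the setting names are the ones Splunk reads.

```ini
# savedsearches.conf, in an app's local directory   (added example, not from the page)

# Question 42: a 10-minute search whose runtime can exceed its interval.
[Network Summary - every 10 minutes]
search = index=network | stats count by src_ip, dest_ip, protocol
enableSched = 1
cron_schedule = */10 * * * *
dispatch.earliest_time = -10m@m
dispatch.latest_time = @m
# One instance at a time: while a run is still in progress the scheduler
# skips the next one instead of starting an overlapping copy.
max_concurrent = 1
# Question 31: with the default realtime_schedule = 1 the scheduler drops a
# run it cannot start on time (for example when the concurrent-search limit
# is reached); realtime_schedule = 0 queues it and catches up later instead.
realtime_schedule = 1
# Allow the start to float by up to 5 minutes to relieve contention at the
# top of the hour; keep 0 for time-critical alerts.
schedule_window = 5

# Question 43: 10:00 on the second Friday of each month. The second Friday
# always has a day-of-month between 8 and 14.
[Patch Review Report]
search = index=change sourcetype=patch_status | stats count by status
enableSched = 1
cron_schedule = 0 10 8-14 * 5
dispatch.earliest_time = -14d@d
dispatch.latest_time = now
```

After saving, check the next run times shown under Settings > Searches, reports, and alerts. Skipped runs are recorded in `index=_internal sourcetype=scheduler status=skipped` together with the reason, which is the place to look before raising concurrency limits. For the cron line, confirm that the scheduler combines day-of-month and day-of-week as you expect; traditional Unix cron would also fire on every day from the 8th to the 14th.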

44
MCQhard

A Splunk administrator notices that a scheduled saved search `Daily Summary` fails every day at 2:00 AM with the error "Search job expired due to inactivity." The search runs against a large index and takes about 30 minutes to complete. What is the most likely cause?

A.The user who owns the saved search does not have permissions to run it at that time.
B.The indexer has reached its license quota and stops processing.
C.The scheduled search is configured with a time limit shorter than 30 minutes.
D.The search is consuming too much disk space.
AnswerC

Search job expiration occurs when the time limit is exceeded.

Why this answer

The error 'Search job expired due to inactivity' indicates that the scheduled search was terminated before it could complete. In Splunk, saved searches have a configurable time limit (default 10 minutes) that specifies the maximum runtime before the search is killed. Since the search takes 30 minutes, the time limit must be set to less than 30 minutes, causing the premature termination.

Exam trap

The trap here is that candidates often confuse the 'inactivity' error with user permissions or license issues, but it specifically refers to the search job's runtime exceeding the configured time limit in the saved search's dispatch settings.

How to eliminate wrong answers

Option A is wrong because the error message is about job expiration, not permissions; Splunk's role-based access controls do not restrict execution time based on ownership. Option B is wrong because a license quota violation would cause indexing to stop or produce a 'license violation' warning, not a search job expiration error. Option D is wrong because disk space consumption would cause indexing or storage failures, not a search job timeout; the error is specifically about the search job being inactive, not about resource exhaustion.

45
MCQeasy

A Splunk admin wants to create a reusable macro that accepts a time range parameter and searches all indexes for events within that range. The macro will be used in dashboards and reports. Which macro definition is correct?

A.define my_search($timerange) [search index=* earliest=$timerange]
B.define my_search($timerange$) search index=* earliest=$timerange$
C.define my_search($timerange$) <search index=* earliest=$timerange$>
D.define my_search($timerange$) [search index=* earliest=$timerange$]
AnswerD

Correct macro definition with proper argument syntax and brackets.

Why this answer

Option D is correct because macros reference arguments with the `$arg$` syntax (leading and trailing dollar signs) and, in these options, the search body is enclosed in brackets. The `define my_search($timerange$)` notation is the question's shorthand; in macros.conf the equivalent is a `[my_search(1)]` stanza with `args = timerange` and the search in `definition`. Option C uses angle brackets. Option B omits the brackets.

Option A drops the trailing dollar sign on both occurrences of the argument.

46
MCQmedium

A security analyst sets up a saved search alert to trigger when more than 100 failed logins occur in 5 minutes. To avoid alert fatigue, they want to suppress the alert if the number of failed logins is the same as the previous evaluation. Which alert action setting should they configure?

A.Enable 'Alert throttling' based on the 'src' field.
B.Enable 'Alert suppression' and set 'Suppress if results are the same as the previous search'.
C.Set the 'Throttle' field to suppress alerts for a specified time window.
D.Configure 'Alert severity' to low and set a delay.
AnswerB

This option compares the result set to the previous run and suppresses if unchanged.

Why this answer

Option B is correct: the suppression option described compares the new result set with the previous run's and holds the alert when nothing has changed. Option A throttles on the value of `src`, which silences repeats from the same source for a period regardless of whether the count changed. Option C is time-based throttling, not a comparison of results. Option D changes how the alert is labelled and delayed, not whether it fires.

47
Matchingmedium

Match each Splunk knowledge object to its purpose.


Defines how to extract fields from raw data

Categorizes events based on a search query

Assigns key-value pairs to events for filtering

Maps field values to additional information

Provides a structured, normalized view of data

Why these pairings

Knowledge objects help organize and enrich data in Splunk.

48
MCQhard

A Splunk admin wants to create a saved search that triggers an alert when the average CPU usage across all servers exceeds 80% over a 5-minute window. The data is in a 'perfmon' sourcetype. Which search best fits this requirement?

A.index=os sourcetype=perfmon counter="% Processor Time" | timechart avg(Value) as avg_cpu by host | where avg_cpu > 80
B.index=os sourcetype=perfmon counter="% Processor Time" earliest=-5m latest=now | stats avg(Value) as avg_cpu by host | where avg_cpu > 80
C.index=os sourcetype=perfmon counter="% Processor Time" | streamstats avg(Value) as avg_cpu by host | where avg_cpu > 80
D.index=os sourcetype=perfmon counter="% Processor Time" earliest=-5m latest=now | bucket _time span=5m | stats avg(Value) as avg_cpu by host | where avg_cpu > 80
AnswerD

Correctly batches events into 5-minute buckets per host and filters where average exceeds 80.

Why this answer

Option D is correct because it restricts the search to the last five minutes, groups the events into a single 5-minute bucket, computes the average per host with `stats`, and filters on the result. Option B also limits the search to five minutes and would give the same per-host average, but without the bucket the 5-minute evaluation window is not explicit in the search itself. Option C uses `streamstats`, which produces a running average per event rather than one value per host for the window.

Option A uses `timechart ... by host`, which produces one column per host and no `avg_cpu` field for `where` to test. In a scheduled alert the window is normally set with the saved search's earliest and latest dispatch times rather than inside the search string.

49
MCQeasy

A security analyst needs to monitor failed login attempts across multiple Windows domain controllers. The environment has a custom sourcetype 'WinEventLog:Security' and the data is indexed under 'windows_security'. The analyst wants to create a saved search that runs every 10 minutes, searches for EventCode 4625 (failed logon), and triggers an alert if more than 10 failures occur from the same source IP within the last 10 minutes. The saved search should use the Common Information Model (CIM) to ensure compatibility with other security apps. Which of the following saved search definitions best meets these requirements?

A.`| from datamodel:Authentication.All_Authentication where Authentication.EventCode=4625 | search Authentication.app=windows | timechart span=10m count by Authentication.src | where count > 10`
B.`index=windows_security sourcetype=WinEventLog:Security EventCode=4625 | stats count by src_ip | where count > 10`
C.`| from datamodel:Authentication.Failed_Authentication | where EventCode=4625 | stats count by src_ip | where count > 10`
D.`index=windows_security EventCode=4625 | transaction src_ip maxspan=10m | where eventcount > 10`
AnswerA

Uses CIM data model, correct field, and timechart for aggregation.

Why this answer

Option A is correct because it uses the `from datamodel` command to query the CIM Authentication data model, specifically the `All_Authentication` dataset filtered for EventCode 4625 and Windows (`Authentication.app=windows`). The `timechart span=10m count by Authentication.src` then counts failures per source IP in 10-minute buckets, and the `where count > 10` triggers the alert only when the threshold is exceeded. This approach ensures CIM compatibility, uses the correct data model object, and respects the 10-minute sliding window required by the use case.

Exam trap

The trap here is that candidates often pick Option C because 'Failed_Authentication' sounds correct, but they miss that it may not expose the raw EventCode field and lacks a time-bounded aggregation, while Option A correctly uses the parent dataset `All_Authentication` with explicit filtering and `timechart` for the sliding window.

How to eliminate wrong answers

Option B is wrong because it uses `index=windows_security sourcetype=WinEventLog:Security` directly instead of the CIM data model, breaking compatibility with other security apps; it also uses `stats count by src_ip` without a time window, so it counts all-time failures rather than within the last 10 minutes. Option C is wrong because it queries `Authentication.Failed_Authentication` which is a child dataset that may not contain the raw EventCode field directly, and it uses `stats count by src_ip` without a time-bounded window, failing the 10-minute requirement. Option D is wrong because it uses `transaction src_ip maxspan=10m` which groups events into transactions but does not enforce a fixed 10-minute sliding window for counting; `transaction` can merge events across gaps and may produce inaccurate counts, plus it does not use the CIM data model.

50
MCQeasy

A user wants to create a macro that calculates the average response time for web requests. The macro should accept a field name as an argument and return the average. Which syntax is correct for defining the macro?

A.`stats avg($field$) | eval avg_response=$result$`
B."stats avg($field$) as avg_response"
C.`stats avg($field$) as avg_$field$`
D.`stats avg($field$) as avg_response`
AnswerD

This correctly uses the argument $field$ and returns a field named avg_response.

Why this answer

Option D is correct because in Splunk macro definitions, the argument placeholder syntax is `$field$` (with dollar signs), and the macro body must be a valid search string. The `stats avg($field$) as avg_response` correctly uses the argument in a stats command and assigns a static alias, which is the standard way to return a single computed value from a macro.

Exam trap

The trap here is that candidates often confuse macro argument syntax with eval variable syntax (e.g., `$result$`) or incorrectly assume that the macro definition must be quoted, leading them to pick options A or B, while the correct syntax uses unquoted search commands with `$argname$` placeholders.

How to eliminate wrong answers

Option A is wrong because it uses `$result$` which is not a valid macro argument placeholder; macros only recognize `$argname$` syntax, and the `eval` command is unnecessary since `stats` already produces the result. Option B is wrong because it encloses the macro definition in double quotes, which would cause Splunk to treat it as a literal string rather than a search command, breaking the macro. Option C is wrong because `as avg_$field$` dynamically names the output field based on the argument value, which is not the intended behavior — the requirement is to return a fixed field name 'avg_response' regardless of the input field name.

51
MCQmedium

An engineer wants to create a saved search that runs every hour and searches against 90 days of data. To optimize performance, they should...

A.Use a summary index to pre-compute results.
B.Set a time range relative to the search time.
C.Use the `| stats` command with `span` to aggregate.
D.Enable report acceleration on the saved search.
AnswerA

Correct: A summary index pre-computes the aggregates once, so the hourly search reads compact summary events instead of re-scanning 90 days of raw data.

Why this answer

Option A is correct: a summary-index search runs on its own schedule and writes aggregated results (for example a daily count per host) to a summary index; the hourly report then searches 90 days of small summary events, which is far cheaper than 90 days of raw events. Option D, report acceleration, is the alternative when the search qualifies (it must be saved as a report and end in a transforming command) and involves less setup, but an hourly report over 90 days is the classic case for summary indexing. Option B changes nothing about the work; a relative time range is already the norm.

Using `| stats` with `span` is a search technique, not a performance optimization in itself.

52
MCQmedium

An admin notices that a saved search with a scheduled alert is not triggering as expected even though the search returns results. The search uses a macro with arguments. Which troubleshooting step should the admin take first?

A.Ensure that the macro name does not conflict with existing commands or other macros.
B.Review the macro definition for syntax errors, such as missing brackets or incorrect argument references.
C.Verify the macro's permissions are set to global.
D.Check the search head's job inspector for the expanded search string.
AnswerB

Macro syntax errors are a common cause of search failure.

Why this answer

Option B is correct because a macro that expands to malformed SPL is the most common reason an alert built on it behaves differently from the ad-hoc search: an unbalanced bracket or a misspelled `$arg$` reference changes what the scheduled search actually runs. Option A is rarely the cause and is not the first thing to check. Option C is not relevant when the search already returns results for the alert's owner.

Option D is a useful complementary check rather than a first step: the job inspector shows the expanded search string, which confirms what the macro produced.

53
MCQmedium

A saved search is configured to run every 5 minutes and send an alert when the count of failures exceeds 10. After several days, users report they are not receiving alerts even though failures are occurring. The saved search runs successfully and produces results. What is the most likely cause?

A.The saved search owner does not have permission to send alerts.
B.The alert action is not configured to send to the intended recipients.
C.Alert throttling is enabled and suppressing subsequent alerts.
D.The alert condition is set to trigger when count is less than 10.
AnswerC

Throttling stops an alert from firing again within its suppression window, even when the condition is true again.

Why this answer

Because the search runs and returns results, the problem lies in alert handling rather than in the search. Option C is correct: with throttling enabled the alert fires once and is then suppressed for the throttle period, so later runs that meet the condition trigger nothing and users see gaps. Option A is wrong; a permissions problem would stop the search from running at all. Option B (recipients) is plausible but would have stopped delivery from the start rather than after several days of working alerts. Option D (a reversed comparator) would never have fired at all.

To confirm, compare the Triggered Alerts view with the alert's throttle settings: triggered entries with no delivery point at the action, while qualifying results with no triggered entries point at the condition or at throttling.

54
MCQmedium

After upgrading Splunk to a new version, the Security team notices that the CIM Authentication dashboard is showing a much lower number of events than before. They verify that the data is still being indexed and that the sourcetype mappings to the Authentication data model are unchanged. The admin runs a search against the data model and sees some fields are missing. What is the most likely cause of the issue?

A.The data model acceleration needed to be rebuilt after the upgrade.
B.The upgrade changed the CIM field definitions, causing some extractions to fail.
C.The permissions on the data model were reset during the upgrade.
D.The index configuration changed, and the data is now in a different index.
AnswerA

Correct: Acceleration may become stale after an upgrade; rebuilding it can restore full data.

Why this answer

Option A is correct: after an upgrade, data model acceleration may need to be rebuilt to incorporate any changes; stale acceleration can cause missing fields and lower event counts. Field definitions (B) rarely change between minor upgrades. Permissions (C) would affect visibility, not data content.

Index configuration changes (D) would affect all searches, not just the data model.

55
MCQhard

A saved search alert is configured to run every 10 minutes and trigger when the count of error events exceeds 5. The search returns results when run manually, but the alert never triggers. The admin checks the alert history and sees entries for the previous runs but all show 'Trigger: False'. They also confirm that the search returns count > 5 for those periods. What is the likely cause?

A.The alert is disabled due to throttling or suppression settings.
B.The search uses a summary index that is not searchable by the alert system.
C.The time range in the saved search does not align with the alert schedule.
D.The alert condition is set to 'when number of results is greater than 5' but it should be 'when count field is greater than 5'.
AnswerD

Correct: The condition must evaluate the count field value, not the number of results.

Why this answer

Option D is correct: the alert condition is likely 'number of results > 5', but the search returns a single result with a count field. The condition should evaluate the count field value, not the number of results. A summary index that alerts cannot search (B) is unlikely.

Time range misalignment (C) would cause a mismatch, but the admin confirmed the counts. Throttling (A) only applies after a trigger.

56
MCQeasy

An analyst creates a macro that uses `| inputlookup` to validate a macro argument. Which statement about macro validation is true?

A.Macro validation is not possible; arguments are always trusted.
B.The macro can use `| inputlookup` to define a list of valid values for an argument.
C.Macro validation must be implemented in the saved search that uses the macro.
D.Macro arguments can be validated using regular expressions inside the definition.
AnswerB

This is a common pattern to ensure argument values are valid.

Why this answer

Option B is correct: macros support validation using `| inputlookup` to check argument values. Option D is false: macros do not have built-in regex validation.

Options A and C are false: valid values can be specified with a lookup in the macro definition itself, and validation is optional.

57
MCQmedium

A security analyst wants to create a saved search that triggers an alert when more than 100 failed login attempts occur within a 5-minute window from the same source IP. The search should run every 5 minutes and alert only once per window. Which setting should be configured?

A.Enable 'Digest mode' with a time window of 5 minutes.
B.Configure the search to use a 'Real-time' window of 5 minutes and set 'Alert on' to 'Result count'.
C.Set the 'Alert condition' to 'Number of results > 100' and use a rolling time window of 5 minutes.
D.Enable 'Throttle' and set the throttle window to 5 minutes, throttling on the source IP field.
AnswerD

This suppresses duplicate alerts for the same IP within 5 minutes.

Why this answer

Option D is correct because enabling Throttle with a 5-minute window on the source IP field ensures that once an alert fires for a given source IP, subsequent alerts from that same IP are suppressed for the duration of the throttle window. This matches the requirement to alert only once per 5-minute window per source IP, preventing alert fatigue while still detecting the threshold breach.

Exam trap

The trap here is that candidates often confuse throttling with alert conditions or time windows, mistakenly thinking that setting a rolling time window or result count alone will prevent duplicate alerts, when in fact throttling is the specific mechanism designed to suppress repeated alerts based on field values.

How to eliminate wrong answers

Option A is wrong because Digest mode sends a single alert containing all results in a summary, but it does not suppress duplicate alerts for the same source IP across consecutive search runs; it also does not inherently throttle per IP. Option B is wrong because a Real-time window of 5 minutes with 'Alert on' set to 'Result count' would trigger an alert every time the search runs (every 5 minutes) if the condition is met, but it does not suppress repeated alerts for the same source IP within overlapping windows. Option C is wrong because setting 'Number of results > 100' with a rolling time window of 5 minutes will fire an alert every time the search executes and the condition is true, without any deduplication or throttling per source IP, leading to multiple alerts for the same incident.

58
MCQhard

A user defined a macro that includes a lookup command. The macro works correctly in ad-hoc searches. However, when the macro is used in a scheduled saved search, the macro fails to expand. Administration confirms the macro is shared globally. What is the most likely cause of this failure?

A.The macro expects arguments that are not provided in the saved search.
B.The lookup used in the macro is not accessible in the saved search's app context.
C.The macro is not shared to the global context despite confirmation.
D.The macro contains a syntax error that only appears at schedule time.
AnswerB

All knowledge objects used in the macro must be accessible from the saved search's app context.

Why this answer

Scheduled saved searches run under the context of the search owner and the app where the saved search is defined. If the macro uses a lookup that is not accessible in that app context (e.g., the lookup is defined in a different app and not shared), the macro will fail at schedule time even though the macro itself is global. Option B is correct.

Option D (syntax error) would also fail in ad-hoc searches. Option C (macro not global) contradicts the stated confirmation. Option A (macro arguments) is unlikely unless there is a mismatch.

59
MCQeasy

A Splunk admin needs to schedule a search to run every day at 2 AM and send an email alert if more than 100 events are found. Which saved search configuration achieves this?

A.Set schedule to 'Daily' at 02:00, trigger on 'Custom condition' `search result count > 100`, action 'Send email'
B.Set schedule to 'Every day' at 2:00, trigger on 'Number of Events' > 100, action 'Send email'
C.Set schedule to 'Daily' at 02:00, trigger on 'Number of Events' > 100, action 'Email'
D.Set schedule to 'Daily' at 02:00, trigger on 'Result count' > 100, action 'Email'
AnswerC

Correct: Standard schedule, trigger, and action.

Why this answer

Option C is correct: Splunk schedules allow 'Daily' with a specific time, the trigger condition is 'Number of Events' > 100, and the action is 'Email'. Option D uses 'Result count', which is not a standard trigger condition name. Option A uses a 'Custom condition' with a condition string that is not valid syntax.

60
Multi-Selecthard

Which THREE of the following are true considerations when using CIM data model acceleration? (Select exactly 3.)

Select 3 answers
A.Acceleration only works on indexed fields; extracted fields are not accelerated.
B.When acceleration is built, searches using the data model may use the `tstats` command for faster retrieval.
C.Acceleration must be explicitly enabled on the data model.
D.You must set a summary range to define how much historical data to accelerate.
E.Acceleration uses summary indexes to store precomputed results.
F.Acceleration requires that all data model constraints be defined with field aliases.
AnswersB, C, D

tstats reads the tsidx files directly.

Why this answer

Options B, C, and D are correct. Option E is false: acceleration uses `tsidx` files, not summary indexes. Option A is false: acceleration works on indexed and extracted fields.

Option F is not a primary consideration for acceleration.

61
MCQmedium

A company has over 2000 saved searches that are used across multiple teams. Each team has its own app, and many searches share common logic, such as filtering by a specific index or time range. The system is experiencing slow search performance and difficulty in managing changes. The administrator wants to improve maintainability and performance. Which action would best address these issues?

A.Increase the search head's memory allocation.
B.Create macros for common search fragments and update saved searches to use them.
C.Enable acceleration on all saved searches.
D.Consolidate all saved searches into a single app and use role-based access.
AnswerB

Correct: Macros reduce duplication, simplify updates, and improve performance.

Why this answer

Option B is correct because macros reduce duplication, simplify updates, and can improve performance by reducing parsing time. Consolidating into a single app does not reduce logic duplication. Increasing memory is a temporary fix.

Acceleration on all searches may consume resources and does not address logic duplication.

62
MCQmedium

A Splunk admin has created several macros to simplify complex search commands. One macro, named `time_filter`, is defined as `earliest=-7d@d latest=@d`. The admin also has a saved search that uses this macro. Recently, users have complained that the saved search reports data from the wrong time range: it appears to be showing data from the last 24 hours instead of the last 7 days. The admin inspects the saved search and finds that the search string is: `` index=main | eval days=now() | where days > relative_time(now(), "-7d@d") | `time_filter` `` The admin suspects the macro is not being expanded correctly. Which of the following is the most likely cause of the issue?

A.The macro definition includes arguments (`$earliest$`, `$latest$`), but the invocation does not pass any arguments; thus, the macro expands to nothing.
B.The saved search permissions are set to 'Private', so the macro does not apply.
C.The macro should be invoked with a pipe, like `| time_filter` instead of backticks.
D.The macro is disabled; the admin needs to enable it in the macros list.
AnswerA

Macros with arguments require argument passing; without them, the macro may expand to an empty string, causing the time filter to be missing.

Why this answer

Option A is correct because the macro `time_filter` is defined without any arguments (no `$arg$` placeholders), but the admin suspects it is not expanding correctly. However, the real issue is that the macro invocation uses backticks, which is the correct syntax for inline macro expansion in Splunk. The problem is that the saved search already includes an explicit `earliest` and `latest` time range via the `time_filter` macro, but the search also uses `relative_time(now(), "-7d@d")` in a `where` clause, which overrides the macro's time range.

The macro `time_filter` expands to `earliest=-7d@d latest=@d`, which sets the search time range to the last 7 days. The `where` clause filters events to only those where `days > relative_time(now(), "-7d@d")`, which is effectively the last 24 hours: `now()` returns the current time and `relative_time(now(), "-7d@d")` returns the start of the day 7 days ago, so the condition `days > ...` is always true for any event. Because the `days` field is set to `now()` for every event, the filter does not actually restrict the time range; the real time range is controlled by the macro. The confusion is that the macro is expanding correctly, but the `where` clause is not needed and may be causing the perception of wrong data. However, the most likely cause of the issue is that the macro is not being expanded: the saved search uses backticks, which is correct, but the macro definition might be missing the required `$earliest$` and `$latest$` arguments if the admin intended to pass them.

But the question states the macro is defined as `earliest=-7d@d latest=@d` without arguments, so it should expand. The correct answer is A because the macro definition includes arguments (`$earliest$`, `$latest$`), but the invocation does not pass any arguments; thus, the macro expands to nothing. This is a common mistake: if a macro is defined with parameters, the invocation must supply values for those parameters, otherwise the macro expands to an empty string.

Exam trap

The trap here is that candidates often overlook the difference between a macro defined with parameters versus without, and assume backtick invocation always works, but if the macro expects arguments and none are provided, it expands to an empty string, causing the search to use default time settings.

How to eliminate wrong answers

Option B is wrong because saved search permissions (Private vs. Global) do not affect macro expansion; macros are resolved at search time regardless of the saved search's permissions. Option C is wrong because macros are invoked with backticks, not pipes; using a pipe would treat `time_filter` as a search command, which would fail because it is not a valid command.

Option D is wrong because if the macro were disabled, the saved search would fail with an error, not silently show wrong data; the admin would see an error message indicating the macro is not found.

63
Multi-Selecthard

Which THREE of the following are required steps to properly schedule a saved search for summary indexing that runs a macro?

Select 3 answers
A.The summary index must be created before the search runs.
B.Set a schedule for the saved search.
C.The summary index is automatically created when the search runs.
D.The macro must be defined in the same app as the saved search.
E.The macro must be accessible from the context in which the saved search runs.
AnswersA, B, E

The summary index must exist to store the results.

Why this answer

Correct answers: A, B, E. The saved search must be scheduled (B). The summary index must exist (A).

The macro must be accessible from the saved search's context (E). Option D is not required because the macro can be defined in a different app if shared. Option C is false because the summary index must already exist.

64
MCQhard

A large enterprise uses multiple Splunk search heads. An admin wants to create a saved search that automatically runs on all search heads and sends a single alert email per triggered result, not per search head. Which saved search setting should be configured?

A.Set the time range to 'Real-time' to capture events as they happen.
B.Enable 'Alert Suppression' to suppress duplicate alerts.
C.Set Alert Type to 'Per Result' to trigger an alert for each matching event.
D.Set the Schedule to 'Continuous' to avoid duplicates.
AnswerC

Per Result triggers an alert action for each search result; combined with throttling, you can limit emails.

Why this answer

Option C is correct because 'Per Result' alerting ensures each result triggers an alert action, but the challenge is to have one email per result across search heads. Actually, in a multi-search-head environment, saved searches run independently. To deduplicate, you'd need to use summary indexing or a central index.

However, the question asks for the setting that achieves a single email per result: the best is to set the alert type to 'Per Result' and then use 'Throttle' to limit it to one email per result. Among the options, 'Per Result' is key. Option D is a scheduling setting.

Option B suppresses consecutive identical alerts. Option A is a time range setting.

65
MCQeasy

Refer to the exhibit. The macro `count_by_host` is defined as shown. The macro is invoked as `` | `count_by_host` ``. What will the expanded search look like?

A.`| stats count by host, sourcetype`
B.`` | `count_by_host` ``
C.`stats count by host, sourcetype`
D.`| | stats count by host, sourcetype`
AnswerD

Correct: Double pipe due to leading pipe in macro definition.

Why this answer

Option D is correct: since the macro definition includes a leading pipe, invoking it with `` | `count_by_host` `` results in two pipes, one from the invocation and one from the definition. So the expanded search becomes `| | stats count by host, sourcetype`. Option A would be missing one pipe, option C would be missing both, and option B shows the macro invocation unexpanded.

66
MCQhard

GlobalTech runs Splunk Enterprise Security with CIM compliance. Their security operations center uses a scheduled saved search named 'Brute Force Detection' that runs every 30 minutes. The search definition is: `| tstats count from datamodel=Authentication where Authentication.action=failure by Authentication.user, Authentication.src | where count > 5 | join type=outer user [search index=* sourcetype=linux_secure | stats count by user | where count > 5]`. This search has been working for months. Recently, after an upgrade to the Splunk environment, the saved search started returning no results. The administrator checks the search log and sees that the tstats portion runs fine but the secondary search (the subsearch) returns no events even though there are matching events in the index. The subsearch uses a macro named 'get_failed_users' defined as `search index=* sourcetype=linux_secure "Failed password" | stats count by user | where count>5` with no arguments. The administrator confirms that the macro's search works when run manually in the same time range. What is the most likely reason the subsearch returns no results?

A.The subsearch is not part of the data model acceleration and is limited by the time range of the main search.
B.The macro 'get_failed_users' is not defined in the same app context as the saved search.
C.The subsearch uses a macro, and macros cannot be used in subsearches.
D.The macro definition has a typo in the search command.
AnswerB

Correct. After an upgrade, the app context might have changed, causing the macro to be unavailable.

Why this answer

Option B is correct because macros are resolved in the context of the app where the saved search is defined. If the macro 'get_failed_users' is not defined in the same app context as the 'Brute Force Detection' saved search, the subsearch will fail to resolve the macro and return no results, even though the macro works when run manually in a different app context. Splunk's macro resolution depends on the app context of the search, not the user's current app.

Exam trap

The trap here is that candidates assume macros are globally available or that the subsearch's manual success implies it will work in the saved search, overlooking the critical role of app context in macro resolution.

How to eliminate wrong answers

Option A is wrong because the subsearch is not limited by the time range of the main search; subsearches default to the same time range as the main search unless explicitly overridden, and the tstats portion runs fine, indicating time range is not the issue. Option C is wrong because macros can be used in subsearches; there is no restriction preventing macros from being used within subsearches. Option D is wrong because the administrator confirmed that the macro's search works when run manually in the same time range, ruling out a typo in the macro definition.

67
Matchingmedium

Match each Splunk license violation type to its consequence.


Concepts
Matches

Indicates usage is near the limit

Usage exceeds license quota, search may be limited

License has expired, functionality is restricted

License key is incorrect or corrupted

Usage is within license limits

Why these pairings

License management ensures proper usage of Splunk.

68
Multi-Selectmedium

Which TWO of the following are valid considerations when defining macros in Splunk?

Select 2 answers
A.Macros can be imported from other apps if they are shared globally.
B.Macros cannot contain transforming commands.
C.Macros can only accept a single argument.
D.Macro names must be unique within the app where they are defined.
E.Macro definitions can be created directly in the search bar.
AnswersA, D

Sharing to global makes macros available across apps.

Why this answer

Correct answers: A and D. Macros must be defined with a unique name within an app (D), and macros can be imported from other apps if shared globally (A). Option C is false because macros can accept multiple arguments.

Option E is false because macro definition is done in configuration files, not in the search bar. Option B is not a requirement; macros can contain any commands.

69
Multi-Selecthard

A saved search that runs every hour is showing 'No results' in its history, but the same search when run manually returns results. Which two of the following are likely causes? (Choose TWO.)

Select 2 answers
A.The saved search's acceleration is outdated.
B.The user who created the saved search has been deleted.
C.The saved search uses a macro that has a typo in its definition.
D.The index being searched is not available at the scheduled time.
E.The saved search uses a different time range than the manual search.
AnswersD, E

Correct: Temporary index unavailability at the scheduled time results in no data.

Why this answer

Options D and E are correct. Time range differences: scheduled searches use a 'last hour' window, while a manual search may use 'All time'. Index unavailability at schedule time can cause empty results.

A macro typo would cause an error, not empty results. Outdated acceleration would show old data, not empty. Creator deletion might cause a permissions error.

70
MCQhard

An organization uses Splunk CIM to normalize data from multiple sources. They have a custom data source that logs firewall events with a field 'action' containing values 'accept', 'deny', 'drop'. They want to map this to the CIM field 'action'. Which configuration is required?

A.Define a field alias in props.conf: `FIELDALIAS-action = action as action`
B.Use the 'calculatedfields' field in props.conf: `CALCULATED_action = if(action=="accept","allowed",if(action=="deny","blocked","dropped"))`
C.Create a custom data model that includes the field 'action' with the vendor values.
D.Add a tag 'action=accept' to events with action=accept, and similarly for deny and drop.
AnswerA

This maps the vendor field 'action' to the CIM field 'action'.

Why this answer

Option A is correct because the CIM field 'action' already exists in the CIM data model with the same name as the vendor field. A field alias in props.conf using `FIELDALIAS-action = action as action` simply creates an alias so that the vendor's 'action' field is recognized as the CIM 'action' field, allowing the CIM to normalize the data without any transformation. This is the simplest and most efficient method when the vendor field name and values already match the CIM field name and expected values.

Exam trap

The trap here is that candidates often overcomplicate the solution by choosing a calculated field or custom data model, not realizing that when the vendor field name and values already align with the CIM field, a simple field alias is the correct and efficient approach.

How to eliminate wrong answers

Option B is wrong because it uses a calculated field to transform the vendor values into different strings ('allowed', 'blocked', 'dropped'), which would break CIM normalization since the CIM 'action' field expects values like 'accept', 'deny', 'drop' (or 'allowed', 'blocked', 'dropped' depending on the CIM version, but the question states the vendor values are already correct). Option C is wrong because creating a custom data model is unnecessary and overly complex; the CIM already defines the 'action' field, and the goal is to map the vendor data into the existing CIM model, not create a new one. Option D is wrong because tagging is used for event type classification and search-time filtering, not for field value normalization; tags do not map field values to CIM fields.

71
MCQmedium

A team develops multiple dashboards that share common search logic. What is the best practice for managing these searches?

A.Create a saved search for each dashboard.
B.Use a single saved search that all dashboards reference.
C.Embed the search strings directly in each dashboard.
D.Use macros to define reusable search fragments.
AnswerD

Correct: Macros centralize common logic, improving maintainability and consistency.

Why this answer

Option D is correct: macros allow reusable search logic, reducing duplication and maintenance. Embedding search strings causes duplication. Saved searches per dashboard still duplicate logic.

A single saved search may not fit all dashboards.

72
MCQhard

A security team has a saved search that runs every 5 minutes and looks for 'FAILED' events in Windows Security logs. The search uses a macro 'failed_logins' defined as: `define failed_logins() [search index=windows sourcetype=WinEventLog:Security EventCode=4625]`. Recently, the team noticed that the search is returning no results even though there are failed login events. What is the most likely issue?

A.The macro definition includes empty parentheses 'failed_logins()' but is being called without parentheses, causing Splunk to treat it as a different macro.
B.The macro does not have read permissions for the security team.
C.The macro must be called with backticks like `failed_logins` instead of pipe.
D.The sourcetype field is using a wildcard, which is deprecated.
AnswerA

The macro is defined with parentheses, so it expects to be called with parentheses even if no arguments. Alternatively, define without parentheses.

Why this answer

Option A is correct because the macro is defined with a parameter list (parentheses) but no arguments are passed, so Splunk treats it as a macro with one empty argument, which can cause the search to not run correctly if the macro is called without parentheses. Option D is incorrect because wildcards are fine. Option C is incorrect because macros do not require backticks.

Option B is incorrect because permissions are set per macro, but if it worked before, permissions are likely not the issue.

73
MCQeasy

A team wants to create a dashboard that displays daily user activity over the past 30 days. The underlying data is voluminous (hundreds of millions of events per day). They need the dashboard to load quickly. The admin considers two options: using a summary index with a scheduled search to pre-compute the daily counts, or using data model acceleration on a CIM data model. Which approach is most appropriate for this specific requirement?

A.Use data model acceleration because it automatically updates and is easier to set up.
B.Use neither; instead, use report acceleration on the dashboard search.
C.Use both to ensure data availability.
D.Use a summary index because it allows custom summarization and reduces license usage.
AnswerD

Correct: Summary indexes pre-compute results, significantly reducing query time and resource consumption.

Why this answer

Option D is correct: a summary index pre-computes exactly the needed daily counts, reducing search time and license usage. Data model acceleration still queries the full dataset and may be less efficient for custom aggregation. Using both adds complexity.

Report acceleration on the dashboard search still queries the full data.

74
MCQeasy

A Splunk administrator wants to create a reusable search component that accepts a sourcetype and a time range. What is the correct method to define this in Splunk?

A.Create a saved search that uses tokens to parameterize the query.
B.Use an eval statement to define a variable that holds the query.
C.Define a macro with arguments using backticks and $arg$ syntax.
D.Use a lookup definition with parameters to filter results.
AnswerC

Macros with arguments allow a reusable search fragment with parameter substitution.

Why this answer

Macros are the correct way to define reusable search components with arguments. They use backtick syntax and $arg$ placeholders. Option C is correct because macros are designed for this purpose.

Option A (saved search with tokens) is for dashboards, not reusable search fragments. Option B (eval statement) does not create reusable search components. Option D (lookup definition) is for lookup tables, not search logic.

75
MCQeasy

A Splunk user wants to create a macro named `nunique` that takes a field name as an argument and returns the count of distinct values for that field. Which macro definition should be used?

A.`nunique($field$)` defined as `stats dc($field$) as distinct_count`
B.`nunique($1$)` defined as `stats dc($1$) as distinct_count`
C.`nunique($field$)` defined as `| stats dc($field$) as distinct_count`
D.`nunique($1$)` defined as `| stats dc($1$) as distinct_count`
AnswerB

Correct: Uses positional argument and no leading pipe.

Why this answer

Option B is correct because macro definitions should not include a leading pipe when the macro is invoked with a pipe. Positional arguments ($1$) are standard. Option D incorrectly includes a pipe.

Options A and C use a named argument without defining the argument name in the macro properties, which is less common and not standard practice.
