- A
`index=security | lookup malicious_ips.csv src_ip | search threat=*`
Why wrong: The lookup command without OUTPUT does not add any fields; 'threat' will not exist.
- B
`index=security | lookup malicious_ips.csv src_ip OUTPUT threat | where threat!=""`
Correct. This uses `lookup` with `OUTPUT threat` to add the threat field only for matching src_ip values, and `where threat!=""` filters out events without a match, yielding only malicious IP events.
- C
`index=security [| inputlookup malicious_ips.csv | fields ip | rename ip as src_ip]`
Why wrong: Subsearch returns only matching src_ip values, but does not add the threat field; also may be inefficient.
- D
`index=security | lookup malicious_ips.csv src_ip AS ip | where isnotnull(threat)`
Why wrong: The lookup field mapping is wrong; it should map src_ip to ip, not the other way.
- E
`index=security | lookup malicious_ips.csv src_ip AS ip OUTPUTNEW threat | where isnotnull(threat)`
Correct. This uses `lookup` with `OUTPUTNEW threat` and `where isnotnull(threat)` to add the threat field for new matches and filter, achieving the intended result.
SPLK-1003 Advanced Searching and Statistics Practice Question
This SPLK-1003 practice question tests your understanding of advanced searching and statistics. Read the scenario carefully and evaluate each option against the stated constraints before committing to an answer. After answering, compare your reasoning against the explanation and wrong-answer breakdown below. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.
A security analyst wants to find all events where the field 'src_ip' matches any IP address in a lookup table named 'malicious_ips.csv'. The lookup has fields 'ip' and 'threat'. Which search correctly enriches events with the threat info and filters to only malicious IPs?
Answer choices
Why each option matters
Answer the question above first, then reveal the full breakdown to understand why each option is right or wrong.
Correct answer & explanation
`index=security | lookup malicious_ips.csv src_ip OUTPUT threat | where threat!=""`
Both options B and E are correct. Option B uses `lookup malicious_ips.csv src_ip OUTPUT threat | where threat!=""` which effectively enriches events with the threat field and filters to only events where a match occurred. Option E uses `lookup malicious_ips.csv src_ip AS ip OUTPUTNEW threat | where isnotnull(threat)` achieving the same result with minor syntax differences. The other options fail either to enrich properly or to filter correctly: A is inefficient and may not filter reliably, C does not enrich, and D has incorrect lookup syntax.
Key principle: Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.
Answer analysis
Option-by-option breakdown
For each option: why learners choose it and why it is or isn't the right answer here.
- ✗
`index=security | lookup malicious_ips.csv src_ip | search threat=*`
Why it's wrong here
The lookup command without OUTPUT does not add any fields; 'threat' will not exist.
- ✓
`index=security | lookup malicious_ips.csv src_ip OUTPUT threat | where threat!=""`
Why this is correct
Correct. This uses `lookup` with `OUTPUT threat` to add the threat field only for matching src_ip values, and `where threat!=""` filters out events without a match, yielding only malicious IP events.
Related concept
Read the scenario before looking for a memorised answer.
- ✗
`index=security [| inputlookup malicious_ips.csv | fields ip | rename ip as src_ip]`
Why it's wrong here
Subsearch returns only matching src_ip values, but does not add the threat field; also may be inefficient.
- ✗
`index=security | lookup malicious_ips.csv src_ip AS ip | where isnotnull(threat)`
Why it's wrong here
The lookup field mapping is wrong; it should map src_ip to ip, not the other way.
- ✓
`index=security | lookup malicious_ips.csv src_ip AS ip OUTPUTNEW threat | where isnotnull(threat)`
Why this is correct
Correct. This uses `lookup` with `OUTPUTNEW threat` and `where isnotnull(threat)` to add the threat field for new matches and filter, achieving the intended result.
Related concept
Read the scenario before looking for a memorised answer.
Common exam traps
Common exam trap: answer the scenario, not the keyword
The trap here is that candidates often confuse `OUTPUT` with `OUTPUTNEW` or forget that `where threat!=""` does not catch null values, leading them to pick options that either fail to enrich or fail to filter correctly.
Trap categories for this question
Command / output trap
The lookup command without OUTPUT does not add any fields; 'threat' will not exist.
Detailed technical explanation
How to think about this question
The `lookup` command in Splunk performs a left outer join by default: it appends fields from the lookup table to events where the field values match. Using `OUTPUTNEW` ensures that the output field (threat) is only populated if the lookup key matches and the field does not already exist in the event, preventing accidental overwrites. The `where isnotnull(threat)` filter then leverages the fact that unmatched events will have a null threat field, effectively performing an inner join behavior to retain only matching events.
KKey Concepts to Remember
- Read the scenario before looking for a memorised answer.
- Find the constraint that changes the correct option.
- Eliminate answers that are true in general but not in this case.
TExam Day Tips
- Watch for words such as best, first, most likely and least administrative effort.
- Review why wrong options are wrong, not only why the correct option is correct.
Key takeaway
Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.
Real-world example
How this comes up in practice
A practitioner preparing for the SPLK-1003 exam encounters this exact type of scenario on the job. The correct answer here is not the most general option — it is the best answer for the specific constraint described. Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option. Real exam questions reward reading the full scenario before eliminating options, because the constraint defines which answer fits.
What to study next
Got this wrong? Here's your next step.
Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.
- →
Advanced Searching and Statistics — study guide chapter
Learn the concepts, then practise the questions
- →
Advanced Searching and Statistics practice questions
Targeted practice on this topic area only
- →
All SPLK-1003 questions
500 questions across all exam domains
- →
Splunk Core Certified Power User SPLK-1003 study guide
Full concept coverage aligned to exam objectives
- →
SPLK-1003 practice test guide
How to use practice tests most effectively before exam day
Related practice questions
Related SPLK-1003 practice-question pages
Use these pages to review the topic behind this question. This is how one missed question becomes focused revision.
Advanced Searching and Statistics practice questions
Practise SPLK-1003 questions linked to Advanced Searching and Statistics.
Macros, Saved Searches and CIM practice questions
Practise SPLK-1003 questions linked to Macros, Saved Searches and CIM.
Advanced Visualization and Lookups practice questions
Practise SPLK-1003 questions linked to Advanced Visualization and Lookups.
Transactions and Event Correlation practice questions
Practise SPLK-1003 questions linked to Transactions and Event Correlation.
SPLK-1003 fundamentals practice questions
Practise SPLK-1003 questions linked to SPLK-1003 fundamentals.
SPLK-1003 scenario practice questions
Practise SPLK-1003 questions linked to SPLK-1003 scenario.
SPLK-1003 troubleshooting practice questions
Practise SPLK-1003 questions linked to SPLK-1003 troubleshooting.
Practice this exam
Start a free SPLK-1003 practice session
Short sessions build daily habit. Longer sessions build exam-day stamina. Try a timed session to simulate real conditions.
FAQ
Questions learners often ask
What does this SPLK-1003 question test?
Advanced Searching and Statistics — This question tests Advanced Searching and Statistics — Read the scenario before looking for a memorised answer..
What is the correct answer to this question?
The correct answer is: `index=security | lookup malicious_ips.csv src_ip OUTPUT threat | where threat!=""` — Both options B and E are correct. Option B uses `lookup malicious_ips.csv src_ip OUTPUT threat | where threat!=""` which effectively enriches events with the threat field and filters to only events where a match occurred. Option E uses `lookup malicious_ips.csv src_ip AS ip OUTPUTNEW threat | where isnotnull(threat)` achieving the same result with minor syntax differences. The other options fail either to enrich properly or to filter correctly: A is inefficient and may not filter reliably, C does not enrich, and D has incorrect lookup syntax.
What should I do if I get this SPLK-1003 question wrong?
Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.
What is the key concept behind this question?
Read the scenario before looking for a memorised answer.
About these practice questions
Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content. Learn why practice questions differ from exam dumps →
Keep practising
More SPLK-1003 practice questions
- A telecom company monitors call detail records (CDR). Each call has a unique call_id, and events are generated at each n…
- Which TWO statements correctly describe the behavior of the transaction command in Splunk?
- Which TWO of the following are valid reasons to use the Common Information Model (CIM) in a Splunk environment?
- Arrange the steps to create a new index in Splunk in the correct order.
- A Splunk admin wants to track the number of unique users who accessed a system each hour over the past 24 hours. Which s…
- A search returns many events, and the analyst wants to see a summary table of the top 5 values of the field `src_ip` alo…
Last reviewed: Jun 11, 2026
This SPLK-1003 practice question is part of Courseiva's free Splunk certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the SPLK-1003 exam.
Question Discussion
Share a tip, memory trick, or ask about the reasoning behind this question. Do not post real exam questions, leaked content, braindumps, or copyrighted exam material. Comments are moderated and may be removed without notice.
Sign in to join the discussion.