- A
`index=security | lookup malicious_ips.csv src_ip | search threat=*`
Why wrong: The lookup command without OUTPUT does not add any fields; 'threat' will not exist.
- B
`index=security | lookup malicious_ips.csv src_ip OUTPUT threat | where threat!=""`
Why wrong: The correct syntax is OUTPUTNEW, not OUTPUT, to avoid overwriting existing fields. In SPL, OUTPUT will overwrite an existing field; if threat doesn't exist, it's added anyway but the syntax is non-standard.
- C
`index=security [| inputlookup malicious_ips.csv | fields ip | rename ip as src_ip]`
Why wrong: Subsearch returns only matching src_ip values, but does not add the threat field; also may be inefficient.
- D
`index=security | lookup malicious_ips.csv src_ip AS ip | where isnotnull(threat)`
Why wrong: The lookup field mapping is wrong; it should map src_ip to ip, not the other way.
- E
`index=security | lookup malicious_ips.csv src_ip AS ip OUTPUTNEW threat | where isnotnull(threat)`
Correct: uses lookup with outputnew to add threat field, then filters where threat is not null.
Quick Answer
The answer is the search using `lookup malicious_ips.csv src_ip AS ip OUTPUTNEW threat | where isnotnull(threat)`. This is correct because `OUTPUTNEW` only populates the `threat` field when a match is found in the lookup table, leaving it null for non-matching events, and the subsequent `where isnotnull(threat)` command filters to retain only those enriched events. On the Splunk SPLK-1003 exam, this tests your understanding of the critical difference between `OUTPUT` and `OUTPUTNEW`—a common trap is using `OUTPUT` which would overwrite any existing `threat` field values even without a lookup match, breaking the filter. The search intent here is to "lookup with outputnew to filter matching events," which directly applies to enriching security data while isolating threats. Remember the mnemonic: "New means null until matched" to recall that `OUTPUTNEW` only writes on a successful lookup.
SPLK-1003 Advanced Searching and Statistics Practice Question
This SPLK-1003 practice question tests your understanding of advanced searching and statistics. Read the scenario carefully and evaluate each option against the stated constraints before committing to an answer. After answering, compare your reasoning against the explanation and wrong-answer breakdown below. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.
A security analyst wants to find all events where the field 'src_ip' matches any IP address in a lookup table named 'malicious_ips.csv'. The lookup has fields 'ip' and 'threat'. Which search correctly enriches events with the threat info and filters to only malicious IPs?
Answer choices
Why each option matters
Answer the question above first, then reveal the full breakdown to understand why each option is right or wrong.
Correct answer & explanation
`index=security | lookup malicious_ips.csv src_ip AS ip OUTPUTNEW threat | where isnotnull(threat)`
Option E is correct because it uses the `lookup` command with `OUTPUTNEW threat` to add the threat field only for matching src_ip values, and then `where isnotnull(threat)` filters to events that actually matched, ensuring only events with a known malicious IP are retained. The `OUTPUTNEW` clause is critical here as it only populates the threat field when a match occurs, unlike `OUTPUT` which would overwrite existing values.
Key principle: Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.
Answer analysis
Option-by-option breakdown
For each option: why learners choose it and why it is or isn't the right answer here.
- ✗
`index=security | lookup malicious_ips.csv src_ip | search threat=*`
Why it's wrong here
The lookup command without OUTPUT does not add any fields; 'threat' will not exist.
- ✗
`index=security | lookup malicious_ips.csv src_ip OUTPUT threat | where threat!=""`
Why it's wrong here
The correct syntax is OUTPUTNEW, not OUTPUT, to avoid overwriting existing fields. In SPL, OUTPUT will overwrite an existing field; if threat doesn't exist, it's added anyway but the syntax is non-standard.
- ✗
`index=security [| inputlookup malicious_ips.csv | fields ip | rename ip as src_ip]`
Why it's wrong here
Subsearch returns only matching src_ip values, but does not add the threat field; also may be inefficient.
- ✗
`index=security | lookup malicious_ips.csv src_ip AS ip | where isnotnull(threat)`
Why it's wrong here
The lookup field mapping is wrong; it should map src_ip to ip, not the other way.
- ✓
`index=security | lookup malicious_ips.csv src_ip AS ip OUTPUTNEW threat | where isnotnull(threat)`
Why this is correct
Correct: uses lookup with outputnew to add threat field, then filters where threat is not null.
Related concept
Read the scenario before looking for a memorised answer.
Common exam traps
Common exam trap: answer the scenario, not the keyword
The trap here is that candidates often confuse `OUTPUT` with `OUTPUTNEW` or forget that `where threat!=""` does not catch null values, leading them to pick options that either fail to enrich or fail to filter correctly.
Trap categories for this question
Command / output trap
The lookup command without OUTPUT does not add any fields; 'threat' will not exist.
Detailed technical explanation
How to think about this question
The `lookup` command in Splunk performs a left outer join by default: it appends fields from the lookup table to events where the field values match. Using `OUTPUTNEW` ensures that the output field (threat) is only populated if the lookup key matches and the field does not already exist in the event, preventing accidental overwrites. The `where isnotnull(threat)` filter then leverages the fact that unmatched events will have a null threat field, effectively performing an inner join behavior to retain only matching events.
KKey Concepts to Remember
- Read the scenario before looking for a memorised answer.
- Find the constraint that changes the correct option.
- Eliminate answers that are true in general but not in this case.
TExam Day Tips
- Watch for words such as best, first, most likely and least administrative effort.
- Review why wrong options are wrong, not only why the correct option is correct.
Key takeaway
Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.
Real-world example
How this comes up in practice
A practitioner preparing for the SPLK-1003 exam encounters this exact type of scenario on the job. The correct answer here is not the most general option — it is the best answer for the specific constraint described. Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option. Real exam questions reward reading the full scenario before eliminating options, because the constraint defines which answer fits.
What to study next
Got this wrong? Here's your next step.
Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.
- →
Advanced Searching and Statistics — study guide chapter
Learn the concepts, then practise the questions
- →
Advanced Searching and Statistics practice questions
Targeted practice on this topic area only
- →
All SPLK-1003 questions
500 questions across all exam domains
- →
Splunk Core Certified Power User SPLK-1003 study guide
Full concept coverage aligned to exam objectives
- →
SPLK-1003 practice test guide
How to use practice tests most effectively before exam day
Related practice questions
Related SPLK-1003 practice-question pages
Use these pages to review the topic behind this question. This is how one missed question becomes focused revision.
Advanced Searching and Statistics practice questions
Practise SPLK-1003 questions linked to Advanced Searching and Statistics.
Macros, Saved Searches and CIM practice questions
Practise SPLK-1003 questions linked to Macros, Saved Searches and CIM.
Advanced Visualization and Lookups practice questions
Practise SPLK-1003 questions linked to Advanced Visualization and Lookups.
Transactions and Event Correlation practice questions
Practise SPLK-1003 questions linked to Transactions and Event Correlation.
SPLK-1003 fundamentals practice questions
Practise SPLK-1003 questions linked to SPLK-1003 fundamentals.
SPLK-1003 scenario practice questions
Practise SPLK-1003 questions linked to SPLK-1003 scenario.
SPLK-1003 troubleshooting practice questions
Practise SPLK-1003 questions linked to SPLK-1003 troubleshooting.
Practice this exam
Start a free SPLK-1003 practice session
Short sessions build daily habit. Longer sessions build exam-day stamina. Try a timed session to simulate real conditions.
FAQ
Questions learners often ask
What does this SPLK-1003 question test?
Advanced Searching and Statistics — This question tests Advanced Searching and Statistics — Read the scenario before looking for a memorised answer..
What is the correct answer to this question?
The correct answer is: `index=security | lookup malicious_ips.csv src_ip AS ip OUTPUTNEW threat | where isnotnull(threat)` — Option E is correct because it uses the `lookup` command with `OUTPUTNEW threat` to add the threat field only for matching src_ip values, and then `where isnotnull(threat)` filters to events that actually matched, ensuring only events with a known malicious IP are retained. The `OUTPUTNEW` clause is critical here as it only populates the threat field when a match occurs, unlike `OUTPUT` which would overwrite existing values.
What should I do if I get this SPLK-1003 question wrong?
Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.
What is the key concept behind this question?
Read the scenario before looking for a memorised answer.
About these practice questions
Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content. Learn why practice questions differ from exam dumps →
Last reviewed: Jun 11, 2026
This SPLK-1003 practice question is part of Courseiva's free Splunk certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the SPLK-1003 exam.
Question Discussion
Share a tip, memory trick, or ask about the reasoning behind this question. Do not post real exam questions, leaked content, braindumps, or copyrighted exam material. Comments are moderated and may be removed without notice.
Sign in to join the discussion.